Merge branch 'master' into devel

Florian Roth
2019-12-12 09:40:02 +01:00
41 changed files with 474 additions and 352 deletions
+16 -1
@@ -10,12 +10,27 @@ from version 0.14.0.
### Added
* sigma-uuid tool
* Proxy field names to ECS mapping (ecs-proxy) configuration
## 0.15.0
### Added
* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI
### Changed
* Type errors are now ignored with -I
### Fixed
* Removed wrong mapping of CommandLine field mapping in THOR config
## 0.14
### Added
+2 -1
@@ -51,6 +51,7 @@ test-sigmac:
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
@@ -92,7 +93,7 @@ test-backend-es-qs:
tests/test-backend-es-qs.py
build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
cd tools && python3 setup.py bdist_wheel
cd tools && python3 setup.py bdist_wheel sdist
upload-test: build
twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/*
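Review bot: The new `-c ecs-proxy -t es-qs rules/proxy` coverage line in the first hunk exercises the ECS proxy mapping through a single backend, although the ecs-proxy configuration added elsewhere in this commit declares six backends (es-qs, es-dsl, kibana, xpack-watcher, elastalert, elastalert-dsl), so a mapping problem that only surfaces in the DSL code path would go unnoticed. Adding one line for a DSL backend closes most of that gap, e.g. `coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-dsl rules/proxy > /dev/null`. The `test-sigmac` target continues outside the hunk.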
+2 -2
@@ -9,12 +9,12 @@ logsource:
category: proxy
detection:
selection:
UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
r-dns: 'api.dropbox.com'
condition: selection
fields:
- c-ip
- cs-uri
- c-uri
falsepositives:
- Old browsers
level: high
+2 -2
@@ -14,8 +14,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical
+17 -17
@@ -3,26 +3,26 @@ id: 953b895e-5cc9-454b-b183-7f3db555452e
status: experimental
description: Detects Malleable Amazon Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
tags:
- attack.t1102
- attack.t1102
logsource:
category: proxy
category: proxy
detection:
selection1:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'GET'
URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
Host: 'www.amazon.com'
Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'POST'
URL: '/N4215/adj/amzn.us.sr.aps'
Host: 'www.amazon.com'
condition: selection1 or selection2
selection1:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
condition: selection1 or selection2
falsepositives:
- Unknown
- Unknown
level: high
+2 -2
@@ -11,8 +11,8 @@ logsource:
category: proxy
detection:
selection:
URL: '*/oscp/*'
Host: 'ocsp.verisign.com'
c-uri: '*/oscp/*'
cs-host: 'ocsp.verisign.com'
condition: selection
falsepositives:
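Review bot: The renamed line `c-uri: '*/oscp/*'` keeps the path segment spelled `oscp` while the host on the following line is `ocsp.verisign.com`; if the reversed spelling is deliberate (a look-alike path that imitates an OCSP request), a comment on that line should say so, e.g. `c-uri: '*/oscp/*'  # 'oscp' is intentional, not a typo for 'ocsp'`, because otherwise a later maintainer will "fix" it, or the rule silently matches nothing if it really is a typo. The detection block continues outside the hunk.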
+4 -4
@@ -11,11 +11,11 @@ logsource:
category: proxy
detection:
selection:
HttpMethod: 'GET'
URL: '*?manifest=wac'
Host: 'onedrive.live.com'
cs-method: 'GET'
c-uri: '*?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
URL: 'http*://onedrive.live.com/*'
c-uri: 'http*://onedrive.live.com/*'
condition: selection and not filter
falsepositives:
- Unknown
@@ -102,7 +102,7 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- c-uri
falsepositives:
- All kinds of software downloads
level: low
@@ -50,7 +50,7 @@ detection:
condition: selection and not filter
fields:
- ClientIP
- URL
- c-uri
falsepositives:
- All kind of software downloads
level: low
+5 -5
@@ -10,14 +10,14 @@ logsource:
category: proxy
detection:
selection:
UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
HttpMethod: 'GET'
c-useragent: 'Microsoft-WebDAV-MiniRedir/*'
cs-method: 'GET'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- HttpMethod
- c-uri
- c-useragent
- cs-method
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
+3 -3
@@ -10,12 +10,12 @@ logsource:
detection:
selection:
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
UserAgent: ''
c-useragent: ''
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: medium
+2 -2
@@ -15,8 +15,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical
+3 -3
@@ -9,12 +9,12 @@ logsource:
category: proxy
detection:
selection:
UserAgent: '* WindowsPowerShell/*'
c-useragent: '* WindowsPowerShell/*'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
@@ -16,11 +16,12 @@ detection:
c-uri|contains:
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
@@ -9,13 +9,12 @@ logsource:
category: proxy
detection:
selection:
cs-uri-query:
c-uri-query:
- '*/install_flash_player.exe'
- '*/flash_install.php*'
filter:
cs-uri-stem: '*.adobe.com/*'
c-uri-stem: '*.adobe.com/*'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
+3 -3
@@ -15,15 +15,15 @@ detection:
r-dns:
- 'api.telegram.org' # Often used by Bots
filter:
UserAgent:
c-useragent:
# Used https://core.telegram.org/bots/samples for this list
- '*Telegram*'
- '*Bot*'
condition: selection and not filter
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
+3 -3
@@ -9,7 +9,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
@@ -46,8 +46,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Old browsers
level: high
+3 -3
@@ -8,7 +8,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
- 'Microsoft BITS/*'
falsepositives:
r-dns:
@@ -18,8 +18,8 @@ detection:
condition: selection and not falsepositives
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
+3 -3
@@ -11,7 +11,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# XMRig
- 'XMRig *'
# CCMiner
@@ -19,8 +19,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
+3 -3
@@ -9,7 +9,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez
@@ -46,8 +46,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
+3 -3
@@ -10,7 +10,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# Vulnerbility scanner and brute force tools
- '*(hydra)*'
- '* arachni/*'
@@ -65,8 +65,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
+3 -3
@@ -13,7 +13,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
@@ -70,8 +70,8 @@ detection:
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
+4 -4
@@ -9,7 +9,7 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
c-useragent:
# Badly scripted UA
- 'user-agent' # User-Agent: User-Agent:
- '* (compatible;MSIE *' # typical typo - missing space
@@ -25,13 +25,13 @@ detection:
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
falsepositives:
UserAgent:
c-useragent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
condition: selection and not falsepositives
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
+48
@@ -0,0 +1,48 @@
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
logsource:
category: proxy
detection:
selection:
c-uri: '*/*.php?l=*.cab'
sc-status: 200
condition: selection
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
---
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
logsource:
category: proxy
detection:
b64encoding:
c-uri:
- "*_2f*"
- "*_2b*"
urlpatterns:
c-uri|all:
- "*.avi"
- "*/images/*"
condition: b64encoding and urlpatterns
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
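Review bot: In the first rule the selection `c-uri: '*/*.php?l=*.cab'` contains a `?`, which Sigma treats as a single-character wildcard rather than a literal question mark, so the pattern is broader than the description suggests (it also matches a URL such as `/x.phpXl=y.cab`); if the literal `?` is intended, escape it: `c-uri: '*/*.php\?l=*.cab'`. Both rules list `c-ua` under `fields:` while every other proxy rule on this page and the new ecs-proxy mapping use `c-useragent`, so renaming it to `c-useragent` keeps the output field mappable. Both rules are also introduced with `status: stable`, and the first one without `references:`, which is unusual for brand-new detections (the "Login with WMI" rule in the next hunk has the same status); `experimental`, as used by the Malleable Amazon rule at the top of this page, is the status other rules in this repository start with.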
@@ -0,0 +1,20 @@
title: Login with WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detection of logins performed with WMI
author: Thomas Patzke
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
ProcessName: "*\\WmiPrvSE.exe"
condition: selection
falsepositives:
- Monitoring tools
- Legitimate system administration
level: low
@@ -9,6 +9,7 @@ references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
tags:
- attack.defense_evasion
- attack.t1036
@@ -33,6 +34,8 @@ detection:
- C:\Windows\security\\*
- '*\RSA\MachineKeys\\*'
- C:\Windows\system32\config\systemprofile\\*
- C:\Windows\Tasks\\*
- C:\Windows\System32\Tasks\\*
condition: selection
falsepositives:
- Unknown
@@ -19,6 +19,7 @@ detection:
- '*\MsMpEng.exe'
- '*\Mrt.exe'
- '*\rpcnet.exe'
- '*\svchost.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
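Review bot: The added `- '*\svchost.exe'` entry sits in a list whose key is outside the hunk; if, as the neighbouring `filter_null: ParentImage: null` and the `not filter` condition suggest, this is the `filter` on `ParentImage`, the entry excludes every process whose parent is any file named svchost.exe regardless of directory, which is a wide hole for a rule that checks parent-process locations. Anchoring the exclusion to the expected location, `- 'C:\Windows\System32\svchost.exe'` (and `SysWOW64` if needed), keeps legitimate service hosts excluded without also excluding a same-named binary elsewhere. Please confirm which key this list belongs to; the start of the detection block is not in the hunk.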
+1 -1
@@ -53,7 +53,7 @@ logsources:
windows-dhcp:
product: windows
service: dhcp
conditions:
conditions:
deviceVendor: Microsoft
windows-system:
product: windows
+24
@@ -0,0 +1,24 @@
title: Elastic Common Schema mapping for proxy logs
order: 20
backends:
- es-qs
- es-dsl
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
proxy:
category: proxy
index: filebeat-*
fieldmappings:
c-uri: url.original
c-uri-extension: url.extension
c-uri-query: url.query
c-uri-stem: url.original
c-useragent: user_agent.original
cs-cookie: http.cookie
cs-host: url.domain
cs-method: http.request.method
r-dns: url.domain
sc-status: http.response.status_code
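Review bot: Several field names that the renamed proxy rules now rely on have no entry in this mapping and will therefore be emitted unchanged into queries against `filebeat-*`: `c-ip`, `sc-bytes` and `c-ua` (used by the new Ursnif rules) and `ClientIP` (used in most `fields:` lists on this page). ECS has fields for these, e.g. `c-ip: source.ip` and `sc-bytes: http.response.bytes`. `c-uri-stem: url.original` also makes the stem indistinguishable from `c-uri`, whereas ECS provides `url.path` for the path component, so `c-uri-stem: url.path` is the closer mapping. Likewise `cs-host` and `r-dns` both map to `url.domain`, which is fine only if consumers do not distinguish the Host header from the resolved name; a comment on those two lines stating that this conflation is intentional would save the next reader a check.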
+7 -7
@@ -37,7 +37,7 @@ logsources:
windows-dhcp:
product: windows
service: dhcp
conditions:
conditions:
device.type: winevent_nic
event.source: microsoft-windows-dhcp-server
windows-sec:
@@ -52,7 +52,7 @@ logsources:
conditions:
device.type: winevent_nic
fieldmappings:
dst:
dst:
- ip.dst
dst_ip:
- ip.dst
@@ -72,21 +72,21 @@ fieldmappings:
- user.dst
c-uri-extension:
- extension
UserAgent:
c-useragent:
- user.agent
r-dns:
- alias.host
DestinationHostname:
- alias.host
Host:
cs-host:
- alias.host
c-uri-query:
- web.page
URL:
c-uri:
- web.page
HttpMethod:
cs-method:
- action
Cookie:
cs-cookie:
- web.cookie
SubjectUserName:
- user.dst
+3 -3
@@ -22,12 +22,12 @@ logsources:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName: 'Microsoft-Windows-PowerShell/Operational'
LogName: 'Microsoft-Windows-PowerShell/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
@@ -67,5 +67,5 @@ logsources:
windows-dhcp:
product: windows
service: dhcp
conditions:
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
+22 -24
@@ -26,29 +26,27 @@ logsources:
index: flows
flow:
category: flow
index: flows
category: flow
index: flows
fieldmappings:
EventID:
- Event ID Code
dst:
- destinationIP
dst_ip:
- destinationIP
src:
- sourceIP
src_ip:
- sourceIP
c-ip: sourceIP
cs-ip: sourceIP
cs-uri: url
c-uri: sourceIP
c-uri-extension: file_extension
UserAgent: user_agent
c-uri-query: uri_query
HttpMethod: Method
URL: URL
r-dns: FQDN
ClientIP: sourceIP
ServiceFileName: Service Name
EventID:
- Event ID Code
dst:
- destinationIP
dst_ip:
- destinationIP
src:
- sourceIP
src_ip:
- sourceIP
c-ip: sourceIP
cs-ip: sourceIP
c-uri: url
c-uri-extension: file_extension
c-useragent: user_agent
c-uri-query: uri_query
cs-method: Method
r-dns: FQDN
ClientIP: sourceIP
ServiceFileName: Service Name
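Review bot: The rewritten `fieldmappings:` gain no entries for `cs-host`, `cs-cookie`, `c-uri-stem` or `sc-status`, although proxy rules in this commit now select on them (e.g. `cs-host: 'www.amazon.com'` in the Malleable Amazon rule); unless this backend passes unmapped names through to an identically named field, those selections will not resolve. Since `r-dns` already maps to `FQDN`, a line such as `cs-host: FQDN` may be the intended target, but I cannot tell from this hunk what the correct columns are. The fix of `c-uri` from `sourceIP` to `url` on the new side is correct and should be called out in the changelog.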
+15 -16
@@ -3,19 +3,18 @@ order: 20
backends:
- qualys
fieldmappings:
dst:
- network.remote.address.ip
dst_ip:
- network.remote.address.ip
src:
- network.local.address.ip
src_ip:
- network.local.address.ip
file_hash:
- file.hash.md5
- file.hash.sha256
NewProcessName: process.name
ServiceName: process.name
ServiceFileName: process.name
TargetObject: registry.path
dst:
- network.remote.address.ip
dst_ip:
- network.remote.address.ip
src:
- network.local.address.ip
src_ip:
- network.local.address.ip
file_hash:
- file.hash.md5
- file.hash.sha256
NewProcessName: process.name
ServiceName: process.name
ServiceFileName: process.name
TargetObject: registry.path
+2 -2
@@ -68,7 +68,7 @@ logsources:
windows-dhcp:
product: windows
service: dhcp
conditions:
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
fieldmappings:
EventID: EventCode
EventID: EventCode
+1 -5
@@ -54,7 +54,7 @@ logsources:
windows-dhcp:
product: windows
service: dhcp
conditions:
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
apache:
@@ -97,10 +97,6 @@ logsources:
application-rails:
product: rails
index: RAILS
application-rails:
category: application
product: ruby_on_rails
index: RAILS
application-spring:
product: spring
index: SPRING
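Review bot: The second hunk removes one of two duplicate `application-rails:` keys, but the rendered view does not show which block survives (`product: rails` or `category: application` / `product: ruby_on_rails`); YAML loaders silently keep only one of the duplicates, so it is worth confirming that the surviving block carries the `product` value the rails rules actually declare. A quick check that no other duplicate keys remain under `logsources:` would also be useful, since the first hunk shows the file has had indentation drift as well.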
+8 -8
@@ -29,42 +29,42 @@ logsources:
windows-application:
product: windows
service: application
sources:
sources:
- 'WinEventLog:Application'
windows-security:
product: windows
service: security
sources:
sources:
- 'WinEventLog:Security'
windows-system:
product: windows
service: system
sources:
sources:
- 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
sources:
sources:
- 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
sources:
sources:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
windows-taskscheduler:
product: windows
service: taskscheduler
sources:
sources:
- 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
sources:
sources:
- 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dhcp:
product: windows
service: dhcp
sources:
sources:
- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
apache:
category: webserver
+77 -77
@@ -46,80 +46,80 @@ defaultindex: winlogbeat-*
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: process.args
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
DestinationHostname: destination.domain
DestinationIp: destination.ip
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationPort: destination.port
DestinationPortName: network.protocol
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: process.executable
ImageLoaded: file.path
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: process.parent.args
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceHostname: source.domain
SourceImage: process.executable
SourceIp: source.ip
SourcePort: source.port
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectDomainName: user.domain
SubjectUserName: user.name
SubjectUserSid: user.id
TargetFilename: file.path
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TargetDomainName: user.domain
TargetUserName: user.name
TargetUserSid: user.id
User: user.name
WorkstationName: source.domain
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: process.args
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
DestinationHostname: destination.domain
DestinationIp: destination.ip
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationPort: destination.port
DestinationPortName: network.protocol
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: process.executable
ImageLoaded: file.path
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: process.parent.args
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceHostname: source.domain
SourceImage: process.executable
SourceIp: source.ip
SourcePort: source.port
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectDomainName: user.domain
SubjectUserName: user.name
SubjectUserSid: user.id
TargetFilename: file.path
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TargetDomainName: user.domain
TargetUserName: user.name
TargetUserSid: user.id
User: user.name
WorkstationName: source.domain
+67 -67
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Properties: event_data.Properties
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Properties: event_data.Properties
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
+67 -67
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
+2 -1
@@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f:
setup(
name='sigmatools',
version='0.14',
version='0.15.0',
description='Tools for the Generic Signature Format for SIEM Systems',
long_description=long_description,
long_description_content_type="text/markdown",
@@ -66,6 +66,7 @@ setup(
'config/winlogbeat-modules-enabled.yml',
'config/winlogbeat.yml',
'config/winlogbeat-old.yml',
'config/ecs-proxy.yml',
'config/limacharlie.yml',
]),
('etc/sigma/generic', [
+16
@@ -177,6 +177,22 @@ _allFieldMappings = {
keywordField = None,
postOpMapper = None
),
"/proxy/": SigmaLCConfig(
topLevelParams = {
"event": "HTTP_REQUEST",
},
preConditions = None,
fieldMappings = {
"c-uri|contains": "event/URL",
"c-uri": "event/URL",
"URL": "event/URL",
"cs-uri-query": "event/URL",
"cs-uri-stem": "event/URL",
},
isAllStringValues = False,
keywordField = None,
postOpMapper = None
),
}
class LimaCharlieBackend(BaseBackend):
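Review bot: The new `/proxy/` entry maps `cs-uri-stem` and `cs-uri-query` onto the full `event/URL`, which silently widens the rules that use those fields: a `contains` on `cs-uri-query` will also hit the host or path part of the URL, and `startswith`/`endswith` on `cs-uri-stem` will behave differently once a query string is present. If HTTP_REQUEST really exposes only the complete URL, that approximation deserves a comment next to the mapping, e.g. `# HTTP_REQUEST only carries the full URL; stem and query are approximated by it, so positional modifiers on these fields are lossy`. The `"c-uri|contains"` key next to `"c-uri"` also looks inconsistent: if field lookups strip the modifier before mapping it is redundant, and if they do not, the other four fields lack their modifier variants — the existing entries above this hunk would show which convention applies. The enclosing `_allFieldMappings` dict starts outside the hunk.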