From ad7d5d2a396b6ff57c614e25d055deba29b8873a Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 4 Dec 2019 11:13:04 +0100 Subject: [PATCH 01/11] Added WMI login rule --- rules/windows/builtin/win_susp_wmi_login.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/windows/builtin/win_susp_wmi_login.yml diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml new file mode 100644 index 000000000..9d7e71e2d --- /dev/null +++ b/rules/windows/builtin/win_susp_wmi_login.yml @@ -0,0 +1,20 @@ +title: Login with WMI +id: 5af54681-df95-4c26-854f-2565e13cfab0 +status: stable +description: Detection of logins performed with WMI +author: Thomas Patzke +tags: + - attack.execution + - attack.t1047 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + ProcessName: "*\\WmiPrvSE.exe" + condition: selection +falsepositives: + - Monitoring tools + - Legitimate system administration +level: low From 27bb07b74e3cee433882f73b406f5d5ed1470769 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Thu, 5 Dec 2019 09:35:09 -0800 Subject: [PATCH 02/11] Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. --- tools/sigma/backends/limacharlie.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index d5682d492..ce0412b38 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py 
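Review bot: The new rule ships with `status: stable` even though it is brand new, has no `date:` line and its only tuning is the two generic entries under `falsepositives:`; the other rules in this series carry `status: experimental` (proxy_cobalt_amazon.yml), which is the safer starting point until the 4624/`WmiPrvSE.exe` pairing has been baselined. Suggest `status: experimental` plus a `date:` line. The selection keys only on `EventID: 4624` and `ProcessName`, so every logon type that goes through the WMI provider host matches, which is what makes "Monitoring tools" a false positive here; 4624 events also carry `LogonType` (mapped in the winlogbeat configs later in this series), and narrowing on it is the usual way to separate the logons this rule is after from local agent noise — worth confirming against sample events before relying on `level: low` to absorb the volume.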
@@ -177,6 +177,22 @@ _allFieldMappings = { keywordField = None, postOpMapper = None ), + "/proxy/": SigmaLCConfig( + topLevelParams = { + "event": "HTTP_REQUEST", + }, + preConditions = None, + fieldMappings = { + "c-uri|contains": "event/URL", + "c-uri": "event/URL", + "URL": "event/URL", + "cs-uri-query": "event/URL", + "cs-uri-stem": "event/URL", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None + ), } class LimaCharlieBackend(BaseBackend): From 865251238f66d567688552748f7638802018d1cc Mon Sep 17 00:00:00 2001 From: Kevin Dienst Date: Thu, 5 Dec 2019 14:16:20 -0600 Subject: [PATCH 03/11] Add hastebin raw URI to contains selection --- rules/proxy/proxy_raw_paste_service_access.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index f0e7587a4..5d2f2b688 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -16,6 +16,7 @@ detection: c-uri|contains: - '.paste.ee/r/' - '.pastebin.com/raw/' + - '.hastebin.com/raw/' condition: selection fields: - ClientIP From d8e1f56219f0d4ada254af9a46b6ca6f24a371d7 Mon Sep 17 00:00:00 2001 From: Johan Berggren Date: Fri, 6 Dec 2019 15:45:28 +0100 Subject: [PATCH 04/11] Add source distribution for PyPi when building Add sdist when building. This makes it easier to build packages from PyPi for example Debian PPA pkgs etc. This will not affect anything else, just make the source distribution available in PyPi as a tar.gz archive. If this gets merged, please bump the version and push to PyPi as well. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 6594f1676..b5a6a04c0 100644 --- a/Makefile +++ b/Makefile 
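Review bot: The `/proxy/` field mapping keys on `cs-uri-query` and `cs-uri-stem`, but patch 07 in this same series renames those rule fields to `c-uri-query` and `c-uri-stem` (proxy_susp_flash_download_loc.yml), and patch 06 moves the user-agent, host and method fields to `c-useragent`, `cs-host` and `cs-method`, none of which appear in this dict. Once the series is applied, a proxy rule using any of those names has no LimaCharlie mapping; what the backend does with an unmapped field is not visible in this hunk and should be checked, but adding at least `"c-uri-query": "event/URL",` and `"c-uri-stem": "event/URL",` keeps the config in step with the rules. The literal key `"c-uri|contains"` next to `"c-uri"` also deserves a comment: in the rules the modifier is part of the selection syntax (`c-uri|contains:` in proxy_raw_paste_service_access.yml), so if the backend strips modifiers before lookup this entry is dead, and if it does not then `c-uri|startswith` and friends are still unmapped. The `_allFieldMappings` dict begins before this hunk.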
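Review bot: `'.hastebin.com/raw/'` follows the leading-dot convention of the two existing entries, which only matches when a subdomain precedes the host, so a raw link on the bare `hastebin.com` host is missed if `c-uri` carries the host at all (the Cobalt Strike rules in patch 06 treat `c-uri` as a full URL, so it appears to). If the dot is deliberate, to avoid matching look-alike domains, a one-line comment on the list would save the next reader the question; otherwise `- 'hastebin.com/raw/'` covers both forms. The `selection:` block starts before this hunk.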
@@ -92,7 +92,7 @@ test-backend-es-qs: tests/test-backend-es-qs.py build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg - cd tools && python3 setup.py bdist_wheel + cd tools && python3 setup.py bdist_wheel sdist upload-test: build twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/* From 51e9689425d2b83585ee5f0b4458ee0ab9226bd9 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 6 Dec 2019 22:13:44 +0100 Subject: [PATCH 05/11] Sigmatool release 0.15.0 --- CHANGELOG.md | 13 +++++++++++-- tools/setup.py | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9eb37089d..0c3e48d37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,16 +6,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. -## Unreleased +## 0.15.0 ### Added -* sigma-uuid tool +* sigma-uuid tool for addition and check of Sigma rule identifiers +* Default configurations +* Restriction of compared rules in sigma-similarity +* Regular expression support in es-dsl backend +* LimaCharlie support for proxy rule category +* Source distribution for PyPI ### Changed * Type errors are now ignored with -I +### Fixed + +* Removed wrong mapping of CommandLine field mapping in THOR config + ## 0.14 ### Added diff --git a/tools/setup.py b/tools/setup.py index ef57f9bec..f192eb806 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.14', + version='0.15.0', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", From dd8442590f39b044226eb91331612edd1e22d1c1 Mon Sep 17 00:00:00 2001 
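Review bot: With `sdist` added, `upload-test` still pushes `tools/dist/*`, i.e. whatever the directory holds, including wheels or tarballs left by earlier builds, because `build` never cleans it; a stale artefact uploaded next to the new one is easy to miss. Consider `rm -rf tools/dist` at the start of the `build` recipe, or naming the two expected files explicitly in the twine call. It is also worth checking that the tarball actually contains the YAML under `tools/config/` that sigmac loads at runtime — whether `setup.py`/`setup.cfg` include it in the source distribution is not visible here.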
From: Thomas Patzke Date: Sat, 7 Dec 2019 00:11:33 +0100 Subject: [PATCH 06/11] Fixed proxy rule field names --- rules/proxy/proxy_apt40.yml | 2 +- rules/proxy/proxy_chafer_malware.yml | 4 +-- rules/proxy/proxy_cobalt_amazon.yml | 34 +++++++++---------- rules/proxy/proxy_cobalt_ocsp.yml | 4 +-- rules/proxy/proxy_cobalt_onedrive.yml | 8 ++--- .../proxy_download_susp_tlds_blacklist.yml | 2 +- .../proxy_download_susp_tlds_whitelist.yml | 2 +- rules/proxy/proxy_downloadcradle_webdav.yml | 10 +++--- rules/proxy/proxy_empty_ua.yml | 6 ++-- rules/proxy/proxy_ios_implant.yml | 4 +-- rules/proxy/proxy_powershell_ua.yml | 6 ++-- .../proxy/proxy_raw_paste_service_access.yml | 4 +-- rules/proxy/proxy_telegram_api.yml | 6 ++-- rules/proxy/proxy_ua_apt.yml | 6 ++-- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 6 ++-- rules/proxy/proxy_ua_cryptominer.yml | 6 ++-- rules/proxy/proxy_ua_frameworks.yml | 6 ++-- rules/proxy/proxy_ua_hacktool.yml | 6 ++-- rules/proxy/proxy_ua_malware.yml | 6 ++-- rules/proxy/proxy_ua_suspicious.yml | 8 ++--- 20 files changed, 68 insertions(+), 68 deletions(-) diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml index c3fcbb0fa..9bb8b316d 100644 --- a/rules/proxy/proxy_apt40.yml +++ b/rules/proxy/proxy_apt40.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' r-dns: 'api.dropbox.com' condition: selection fields: diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 550a6d65d..062f9013e 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml 
@@ -14,8 +14,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: critical diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index 6c178c3f6..d991ba232 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml 
@@ -3,26 +3,26 @@ id: 953b895e-5cc9-454b-b183-7f3db555452e status: experimental description: Detects Malleable Amazon Profile references: - - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile - - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile + - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 author: Markus Neis tags: - - attack.t1102 + - attack.t1102 logsource: - category: proxy + category: proxy detection: - selection1: - UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" - HttpMethod: 'GET' - URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' - Host: 'www.amazon.com' - Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' - selection2: - UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" - HttpMethod: 'POST' - URL: '/N4215/adj/amzn.us.sr.aps' - Host: 'www.amazon.com' - condition: selection1 or selection2 + selection1: + c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" + cs-method: 'GET' + c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' + cs-host: 'www.amazon.com' + cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' + selection2: + c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" + cs-method: 'POST' + c-uri: '/N4215/adj/amzn.us.sr.aps' + cs-host: 'www.amazon.com' + condition: selection1 or selection2 falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index 5bcf706d9..b85b71698 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml 
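Review bot: `c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'` and `c-uri: '/N4215/adj/amzn.us.sr.aps'` are exact matches on a path, while proxy_cobalt_onedrive.yml in this same commit filters on `c-uri: 'http*://onedrive.live.com/*'`, treating `c-uri` as a full URL; both readings cannot hold for one backend mapping (the LimaCharlie `/proxy/` config in patch 02 sends `c-uri` to `event/URL`). If `c-uri` is the full URL these two selections never match and the rule silently goes dark; `c-uri: '*/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'` and `c-uri: '*/N4215/adj/amzn.us.sr.aps'` work under either reading. The hunk also re-indents the whole `references`/`tags`/`logsource` block from four to two spaces in the same change as the rename, which buries the semantic edits; the whitespace change would be easier to review as its own commit.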
@@ -11,8 +11,8 @@ logsource: category: proxy detection: selection: - URL: '*/oscp/*' - Host: 'ocsp.verisign.com' + c-uri: '*/oscp/*' + cs-host: 'ocsp.verisign.com' condition: selection falsepositives: diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 53bd1f059..73ead895c 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -11,11 +11,11 @@ logsource: category: proxy detection: selection: - HttpMethod: 'GET' - URL: '*?manifest=wac' - Host: 'onedrive.live.com' + cs-method: 'GET' + c-uri: '*?manifest=wac' + cs-host: 'onedrive.live.com' filter: - URL: 'http*://onedrive.live.com/*' + c-uri: 'http*://onedrive.live.com/*' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index fae2afddb..f006d78e3 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml @@ -102,7 +102,7 @@ detection: condition: selection fields: - ClientIP - - URL + - c-uri falsepositives: - All kinds of software downloads level: low diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index db73cb99c..4ffee0fe9 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -50,7 +50,7 @@ detection: condition: selection and not filter fields: - ClientIP - - URL + - c-uri falsepositives: - All kind of software downloads level: low diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index b3920a644..6d0c562d7 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml 
@@ -10,14 +10,14 @@ logsource: category: proxy detection: selection: - UserAgent: 'Microsoft-WebDAV-MiniRedir/*' - HttpMethod: 'GET' + c-useragent: 'Microsoft-WebDAV-MiniRedir/*' + cs-method: 'GET' condition: selection fields: - ClientIP - - URL - - UserAgent - - HttpMethod + - c-uri + - c-useragent + - cs-method falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index a616d3869..baf3b1e07 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -10,12 +10,12 @@ logsource: detection: selection: # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - UserAgent: '' + c-useragent: '' condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: medium diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 58bc53617..ce45ca853 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -15,8 +15,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: critical diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index fe6a71773..ff1185681 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -9,12 +9,12 @@ logsource: category: proxy detection: selection: - UserAgent: '* WindowsPowerShell/*' + c-useragent: '* WindowsPowerShell/*' condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents 
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index 5d2f2b688..d5d21d3be 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -20,8 +20,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) level: high diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index 14d2902e3..3c4cdac0b 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml @@ -15,15 +15,15 @@ detection: r-dns: - 'api.telegram.org' # Often used by Bots filter: - UserAgent: + c-useragent: # Used https://core.telegram.org/bots/samples for this list - '*Telegram*' - '*Bot*' condition: selection and not filter fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Legitimate use of Telegram bots in the company level: medium diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 7aa317924..460631c95 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # APT Related - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi @@ -46,8 +46,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Old browsers level: high diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 869b97fac..c0ed66830 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml 
@@ -8,7 +8,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: - 'Microsoft BITS/*' falsepositives: r-dns: @@ -18,8 +18,8 @@ detection: condition: selection and not falsepositives fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca level: high diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml index b0c696e94..3fad1d167 100644 --- a/rules/proxy/proxy_ua_cryptominer.yml +++ b/rules/proxy/proxy_ua_cryptominer.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # XMRig - 'XMRig *' # CCMiner @@ -19,8 +19,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 9538c30ae..b6c8792f1 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2 - 'Internet Explorer *' - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez @@ -43,8 +43,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index e2ab7d36f..203543ceb 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml @@ -10,7 +10,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Vulnerbility scanner and brute force tools - '*(hydra)*' - '* arachni/*' 
@@ -65,8 +65,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 265b78407..de51980eb 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -13,7 +13,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # RATs - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 @@ -70,8 +70,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index 7e2d3f091..19e5ea4ab 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Badly scripted UA - 'user-agent' # User-Agent: User-Agent: - '* (compatible;MSIE *' # typical typo - missing space @@ -25,13 +25,13 @@ detection: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html falsepositives: - UserAgent: + c-useragent: - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content condition: selection and not falsepositives fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high From 991108e64dc32717943fd05024ab30460a630698 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Sat, 7 Dec 2019 00:23:30 +0100 Subject: [PATCH 07/11] Further proxy field name fixes (config + rules) --- rules/proxy/proxy_apt40.yml | 2 +- rules/proxy/proxy_susp_flash_download_loc.yml | 5 +- tools/config/arcsight.yml | 2 +- tools/config/netwitness.yml | 14 +- tools/config/powershell.yml | 6 +- tools/config/qradar.yml | 46 +++--- tools/config/qualys.yml | 31 ++-- tools/config/splunk-windows.yml | 4 +- tools/config/sumologic.yml | 6 +- tools/config/thor.yml | 16 +- tools/config/winlogbeat-modules-enabled.yml | 154 +++++++++--------- tools/config/winlogbeat-old.yml | 134 +++++++-------- tools/config/winlogbeat.yml | 134 +++++++-------- 13 files changed, 273 insertions(+), 281 deletions(-) diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml index 9bb8b316d..fc6985195 100644 --- a/rules/proxy/proxy_apt40.yml +++ b/rules/proxy/proxy_apt40.yml @@ -14,7 +14,7 @@ detection: condition: selection fields: - c-ip - - cs-uri + - c-uri falsepositives: - Old browsers level: high diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index fecc08902..f2f9aa95a 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -9,13 +9,12 @@ logsource: category: proxy detection: selection: - cs-uri-query: + c-uri-query: - '*/install_flash_player.exe' - '*/flash_install.php*' filter: - cs-uri-stem: '*.adobe.com/*' + c-uri-stem: '*.adobe.com/*' condition: selection and not filter falsepositives: - Unknown flash download locations level: high - diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index 10946c14f..58c99aaba 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -53,7 +53,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: deviceVendor: Microsoft windows-system: product: windows 
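Review bot: The rename to `c-uri-query` and `c-uri-stem` diverges from the LimaCharlie `/proxy/` mapping added in patch 02, which keys on `cs-uri-query`/`cs-uri-stem`, and in the config hunks shown in this patch nothing maps `c-uri-stem` at all (the netwitness and qradar fieldmappings later in this patch map `c-uri-query` only). Until those catch up, the `filter:` on `c-uri-stem: '*.adobe.com/*'` is unmapped in every target, and for a filter that means either a conversion error or a silently dropped exclusion, depending on the backend's unmapped-field behaviour, which is not visible here. Either add `c-uri-stem` to the configs in this same commit or use `c-uri: '*.adobe.com/*'`, which every config shown already maps.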
diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml index 69ce69e47..e4123d546 100644 --- a/tools/config/netwitness.yml +++ b/tools/config/netwitness.yml @@ -37,7 +37,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: device.type: winevent_nic event.source: microsoft-windows-dhcp-server windows-sec: @@ -52,7 +52,7 @@ logsources: conditions: device.type: winevent_nic fieldmappings: - dst: + dst: - ip.dst dst_ip: - ip.dst @@ -72,21 +72,21 @@ fieldmappings: - user.dst c-uri-extension: - extension - UserAgent: + c-useragent: - user.agent r-dns: - alias.host DestinationHostname: - alias.host - Host: + cs-host: - alias.host c-uri-query: - web.page - URL: + c-uri: - web.page - HttpMethod: + cs-method: - action - Cookie: + cs-cookie: - web.cookie SubjectUserName: - user.dst diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 1c96adc82..5cb0ea758 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -22,12 +22,12 @@ logsources: product: windows service: sysmon conditions: - LogName: 'Microsoft-Windows-Sysmon/Operational' + LogName: 'Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: - LogName: 'Microsoft-Windows-PowerShell/Operational' + LogName: 'Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic @@ -67,5 +67,5 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: LogName: 'Microsoft-Windows-DHCP-Server/Operational' diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml index 4a12b9ab0..1768f96bb 100644 --- a/tools/config/qradar.yml +++ b/tools/config/qradar.yml 
@@ -26,29 +26,27 @@ logsources: index: flows flow: - category: flow - index: flows + category: flow + index: flows fieldmappings: - EventID: - - Event ID Code - dst: - - destinationIP - dst_ip: - - destinationIP - src: - - sourceIP - src_ip: - - sourceIP - c-ip: sourceIP - cs-ip: sourceIP - cs-uri: url - c-uri: sourceIP - c-uri-extension: file_extension - UserAgent: user_agent - c-uri-query: uri_query - HttpMethod: Method - URL: URL - r-dns: FQDN - ClientIP: sourceIP - ServiceFileName: Service Name + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + c-ip: sourceIP + cs-ip: sourceIP + c-uri: url + c-uri-extension: file_extension + c-useragent: user_agent + c-uri-query: uri_query + cs-method: Method + r-dns: FQDN + ClientIP: sourceIP + ServiceFileName: Service Name diff --git a/tools/config/qualys.yml b/tools/config/qualys.yml index 400124fb8..a5cf1d924 100644 --- a/tools/config/qualys.yml +++ b/tools/config/qualys.yml @@ -3,19 +3,18 @@ order: 20 backends: - qualys fieldmappings: - dst: - - network.remote.address.ip - dst_ip: - - network.remote.address.ip - src: - - network.local.address.ip - src_ip: - - network.local.address.ip - file_hash: - - file.hash.md5 - - file.hash.sha256 - NewProcessName: process.name - ServiceName: process.name - ServiceFileName: process.name - TargetObject: registry.path - + dst: + - network.remote.address.ip + dst_ip: + - network.remote.address.ip + src: + - network.local.address.ip + src_ip: + - network.local.address.ip + file_hash: + - file.hash.md5 + - file.hash.sha256 + NewProcessName: process.name + ServiceName: process.name + ServiceFileName: process.name + TargetObject: registry.path diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index a7b45bb4e..f1373489e 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml 
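Review bot: The rebuilt `fieldmappings` still has no entry for `cs-host` or `cs-cookie`, which proxy_cobalt_amazon.yml, proxy_cobalt_ocsp.yml and proxy_cobalt_onedrive.yml use after patch 06; whether QRadar exposes a host or cookie property to map them to I cannot tell from here, but leaving them out means those rules either fail to convert or are emitted with raw Sigma names, depending on the backend. Dropping `URL: URL` is right for the renamed proxy rules; a quick check that no remaining rule still selects on `URL` would make it safe. The two real fixes in this hunk, replacing `cs-uri: url` and the wrong `c-uri: sourceIP` with a single `c-uri: url`, are hard to spot because every other line of the block is re-indented in the same hunk; the whitespace change would read better as its own commit.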
@@ -68,7 +68,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: source: 'Microsoft-Windows-DHCP-Server/Operational' fieldmappings: - EventID: EventCode + EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index dbb7b9dca..09e83fbbe 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -54,7 +54,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: EventChannel: Microsoft-Windows-DHCP-Server index: WINDOWS apache: @@ -97,10 +97,6 @@ logsources: application-rails: product: rails index: RAILS - application-rails: - category: application - product: ruby_on_rails - index: RAILS application-spring: product: spring index: SPRING diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 468a92789..7cfe52993 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -29,42 +29,42 @@ logsources: windows-application: product: windows service: application - sources: + sources: - 'WinEventLog:Application' windows-security: product: windows service: security - sources: + sources: - 'WinEventLog:Security' windows-system: product: windows service: system - sources: + sources: - 'WinEventLog:System' windows-sysmon: product: windows service: sysmon - sources: + sources: - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell - sources: + sources: - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' windows-taskscheduler: product: windows service: taskscheduler - sources: + sources: - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi - sources: + sources: - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dhcp: product: windows service: dhcp - sources: + sources: - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' apache: category: webserver 
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a59ce36fc..8e00c9610 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -46,80 +46,80 @@ defaultindex: winlogbeat-* # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: - EventID: winlog.event_id - AccessMask: winlog.event_data.AccessMask - AccountName: winlog.event_data.AccountName - AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName - AuditPolicyChanges: winlog.event_data.AuditPolicyChanges - AuthenticationPackageName: winlog.event_data.AuthenticationPackageName - CallingProcessName: winlog.event_data.CallingProcessName - CallTrace: winlog.event_data.CallTrace - CommandLine: process.args - ComputerName: winlog.ComputerName - CurrentDirectory: process.working_directory - Description: winlog.event_data.Description - DestinationHostname: destination.domain - DestinationIp: destination.ip - #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - DestinationPort: destination.port - DestinationPortName: network.protocol - Details: winlog.event_data.Details - EngineVersion: winlog.event_data.EngineVersion - EventType: winlog.event_data.EventType - FailureCode: winlog.event_data.FailureCode - FileName: file.path - GrantedAccess: winlog.event_data.GrantedAccess - GroupName: winlog.event_data.GroupName - GroupSid: winlog.event_data.GroupSid - Hashes: winlog.event_data.Hashes - HiveName: winlog.event_data.HiveName - HostVersion: winlog.event_data.HostVersion - Image: process.executable - ImageLoaded: file.path - ImagePath: winlog.event_data.ImagePath - Imphash: winlog.event_data.Imphash - IpAddress: source.ip - IpPort: source.port - KeyLength: winlog.event_data.KeyLength - LogonProcessName: 
winlog.event_data.LogonProcessName - LogonType: winlog.event_data.LogonType - NewProcessName: winlog.event_data.NewProcessName - ObjectClass: winlog.event_data.ObjectClass - ObjectName: winlog.event_data.ObjectName - ObjectType: winlog.event_data.ObjectType - ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: process.parent.args - ParentProcessName: process.parent.name - ParentImage: process.parent.executable - Path: winlog.event_data.Path - PipeName: file.name - ProcessCommandLine: winlog.event_data.ProcessCommandLine - ProcessName: process.executable - Properties: winlog.event_data.Properties - SecurityID: winlog.event_data.SecurityID - ServiceFileName: winlog.event_data.ServiceFileName - ServiceName: winlog.event_data.ServiceName - ShareName: winlog.event_data.ShareName - Signature: winlog.event_data.Signature - Source: winlog.event_data.Source - SourceHostname: source.domain - SourceImage: process.executable - SourceIp: source.ip - SourcePort: source.port - #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - StartModule: winlog.event_data.StartModule - Status: winlog.event_data.Status - SubjectDomainName: user.domain - SubjectUserName: user.name - SubjectUserSid: user.id - TargetFilename: file.path - TargetImage: winlog.event_data.TargetImage - TargetObject: winlog.event_data.TargetObject - TicketEncryptionType: winlog.event_data.TicketEncryptionType - TicketOptions: winlog.event_data.TicketOptions - TargetDomainName: user.domain - TargetUserName: user.name - TargetUserSid: user.id - User: user.name - WorkstationName: source.domain \ No newline at end of file + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: 
winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: process.args + ComputerName: winlog.ComputerName + CurrentDirectory: process.working_directory + Description: winlog.event_data.Description + DestinationHostname: destination.domain + DestinationIp: destination.ip + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationPort: destination.port + DestinationPortName: network.protocol + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: file.path + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: process.executable + ImageLoaded: file.path + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: source.ip + IpPort: source.port + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: process.parent.args + ParentProcessName: process.parent.name + ParentImage: process.parent.executable + Path: winlog.event_data.Path + PipeName: file.name + 
ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: process.executable + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceHostname: source.domain + SourceImage: process.executable + SourceIp: source.ip + SourcePort: source.port + #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectDomainName: user.domain + SubjectUserName: user.name + SubjectUserSid: user.id + TargetFilename: file.path + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + TargetDomainName: user.domain + TargetUserName: user.name + TargetUserSid: user.id + User: user.name + WorkstationName: source.domain diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 3e7f35ac0..d381263ab 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
- EventID: event_id
- AccessMask: event_data.AccessMask
- AccountName: event_data.AccountName
- AllowedToDelegateTo: event_data.AllowedToDelegateTo
- AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
- AuditPolicyChanges: event_data.AuditPolicyChanges
- AuthenticationPackageName: event_data.AuthenticationPackageName
- CallingProcessName: event_data.CallingProcessName
- CallTrace: event_data.CallTrace
- CommandLine: event_data.CommandLine
- ComputerName: event_data.ComputerName
- CurrentDirectory: event_data.CurrentDirectory
- Description: event_data.Description
- DestinationHostname: event_data.DestinationHostname
- DestinationIp: event_data.DestinationIp
- DestinationIsIpv6: event_data.DestinationIsIpv6
- DestinationPort: event_data.DestinationPort
- Details: event_data.Details
- EngineVersion: event_data.EngineVersion
- EventType: event_data.EventType
- FailureCode: event_data.FailureCode
- FileName: event_data.FileName
- GrantedAccess: event_data.GrantedAccess
- GroupName: event_data.GroupName
- GroupSid: event_data.GroupSid
- Hashes: event_data.Hashes
- HiveName: event_data.HiveName
- HostVersion: event_data.HostVersion
- Image: event_data.Image
- ImageLoaded: event_data.ImageLoaded
- ImagePath: event_data.ImagePath
- Imphash: event_data.Imphash
- IpAddress: event_data.IpAddress
- KeyLength: event_data.KeyLength
- LogonProcessName: event_data.LogonProcessName
- LogonType: event_data.LogonType
- NewProcessName: event_data.NewProcessName
- ObjectClass: event_data.ObjectClass
- ObjectName: event_data.ObjectName
- ObjectType: event_data.ObjectType
- ObjectValueName: event_data.ObjectValueName
- ParentCommandLine: event_data.ParentCommandLine
- ParentProcessName: event_data.ParentProcessName
- ParentImage: event_data.ParentImage
- Path: event_data.Path
- PipeName: event_data.PipeName
- ProcessCommandLine: event_data.ProcessCommandLine
- ProcessName: event_data.ProcessName
- Properties: event_data.Properties
- SecurityID: event_data.SecurityID
- ServiceFileName: event_data.ServiceFileName
- ServiceName: event_data.ServiceName
- ShareName: event_data.ShareName
- Signature: event_data.Signature
- Source: event_data.Source
- SourceImage: event_data.SourceImage
- StartModule: event_data.StartModule
- Status: event_data.Status
- SubjectUserName: event_data.SubjectUserName
- SubjectUserSid: event_data.SubjectUserSid
- TargetFilename: event_data.TargetFilename
- TargetImage: event_data.TargetImage
- TargetObject: event_data.TargetObject
- TicketEncryptionType: event_data.TicketEncryptionType
- TicketOptions: event_data.TicketOptions
- User: event_data.User
- WorkstationName: event_data.WorkstationName
+ EventID: event_id
+ AccessMask: event_data.AccessMask
+ AccountName: event_data.AccountName
+ AllowedToDelegateTo: event_data.AllowedToDelegateTo
+ AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
+ AuditPolicyChanges: event_data.AuditPolicyChanges
+ AuthenticationPackageName: event_data.AuthenticationPackageName
+ CallingProcessName: event_data.CallingProcessName
+ CallTrace: event_data.CallTrace
+ CommandLine: event_data.CommandLine
+ ComputerName: event_data.ComputerName
+ CurrentDirectory: event_data.CurrentDirectory
+ Description: event_data.Description
+ DestinationHostname: event_data.DestinationHostname
+ DestinationIp: event_data.DestinationIp
+ DestinationIsIpv6: event_data.DestinationIsIpv6
+ DestinationPort: event_data.DestinationPort
+ Details: event_data.Details
+ EngineVersion: event_data.EngineVersion
+ EventType: event_data.EventType
+ FailureCode: event_data.FailureCode
+ FileName: event_data.FileName
+ GrantedAccess: event_data.GrantedAccess
+ GroupName: event_data.GroupName
+ GroupSid: event_data.GroupSid
+ Hashes: event_data.Hashes
+ HiveName: event_data.HiveName
+ HostVersion: event_data.HostVersion
+ Image: event_data.Image
+ ImageLoaded: event_data.ImageLoaded
+ ImagePath: event_data.ImagePath
+ Imphash: event_data.Imphash
+ IpAddress: event_data.IpAddress
+ KeyLength: event_data.KeyLength
+ LogonProcessName: event_data.LogonProcessName
+ LogonType: event_data.LogonType
+ NewProcessName: event_data.NewProcessName
+ ObjectClass: event_data.ObjectClass
+ ObjectName: event_data.ObjectName
+ ObjectType: event_data.ObjectType
+ ObjectValueName: event_data.ObjectValueName
+ ParentCommandLine: event_data.ParentCommandLine
+ ParentProcessName: event_data.ParentProcessName
+ ParentImage: event_data.ParentImage
+ Path: event_data.Path
+ PipeName: event_data.PipeName
+ ProcessCommandLine: event_data.ProcessCommandLine
+ ProcessName: event_data.ProcessName
+ Properties: event_data.Properties
+ SecurityID: event_data.SecurityID
+ ServiceFileName: event_data.ServiceFileName
+ ServiceName: event_data.ServiceName
+ ShareName: event_data.ShareName
+ Signature: event_data.Signature
+ Source: event_data.Source
+ SourceImage: event_data.SourceImage
+ StartModule: event_data.StartModule
+ Status: event_data.Status
+ SubjectUserName: event_data.SubjectUserName
+ SubjectUserSid: event_data.SubjectUserSid
+ TargetFilename: event_data.TargetFilename
+ TargetImage: event_data.TargetImage
+ TargetObject: event_data.TargetObject
+ TicketEncryptionType: event_data.TicketEncryptionType
+ TicketOptions: event_data.TicketOptions
+ User: event_data.User
+ WorkstationName: event_data.WorkstationName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index a63adc53c..749810caa 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
- EventID: winlog.event_id
- AccessMask: winlog.event_data.AccessMask
- AccountName: winlog.event_data.AccountName
- AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
- AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
- AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
- AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
- CallingProcessName: winlog.event_data.CallingProcessName
- CallTrace: winlog.event_data.CallTrace
- CommandLine: winlog.event_data.CommandLine
- ComputerName: winlog.ComputerName
- CurrentDirectory: winlog.event_data.CurrentDirectory
- Description: winlog.event_data.Description
- DestinationHostname: winlog.event_data.DestinationHostname
- DestinationIp: winlog.event_data.DestinationIp
- DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
- DestinationPort: winlog.event_data.DestinationPort
- Details: winlog.event_data.Details
- EngineVersion: winlog.event_data.EngineVersion
- EventType: winlog.event_data.EventType
- FailureCode: winlog.event_data.FailureCode
- FileName: winlog.event_data.FileName
- GrantedAccess: winlog.event_data.GrantedAccess
- GroupName: winlog.event_data.GroupName
- GroupSid: winlog.event_data.GroupSid
- Hashes: winlog.event_data.Hashes
- HiveName: winlog.event_data.HiveName
- HostVersion: winlog.event_data.HostVersion
- Image: winlog.event_data.Image
- ImageLoaded: winlog.event_data.ImageLoaded
- ImagePath: winlog.event_data.ImagePath
- Imphash: winlog.event_data.Imphash
- IpAddress: winlog.event_data.IpAddress
- KeyLength: winlog.event_data.KeyLength
- LogonProcessName: winlog.event_data.LogonProcessName
- LogonType: winlog.event_data.LogonType
- NewProcessName: winlog.event_data.NewProcessName
- ObjectClass: winlog.event_data.ObjectClass
- ObjectName: winlog.event_data.ObjectName
- ObjectType: winlog.event_data.ObjectType
- ObjectValueName: winlog.event_data.ObjectValueName
- ParentCommandLine: winlog.event_data.ParentCommandLine
- ParentProcessName: winlog.event_data.ParentProcessName
- ParentImage: winlog.event_data.ParentImage
- Path: winlog.event_data.Path
- PipeName: winlog.event_data.PipeName
- ProcessCommandLine: winlog.event_data.ProcessCommandLine
- ProcessName: winlog.event_data.ProcessName
- Properties: winlog.event_data.Properties
- SecurityID: winlog.event_data.SecurityID
- ServiceFileName: winlog.event_data.ServiceFileName
- ServiceName: winlog.event_data.ServiceName
- ShareName: winlog.event_data.ShareName
- Signature: winlog.event_data.Signature
- Source: winlog.event_data.Source
- SourceImage: winlog.event_data.SourceImage
- StartModule: winlog.event_data.StartModule
- Status: winlog.event_data.Status
- SubjectUserName: winlog.event_data.SubjectUserName
- SubjectUserSid: winlog.event_data.SubjectUserSid
- TargetFilename: winlog.event_data.TargetFilename
- TargetImage: winlog.event_data.TargetImage
- TargetObject: winlog.event_data.TargetObject
- TicketEncryptionType: winlog.event_data.TicketEncryptionType
- TicketOptions: winlog.event_data.TicketOptions
- User: winlog.event_data.User
- WorkstationName: winlog.event_data.WorkstationName
+ EventID: winlog.event_id
+ AccessMask: winlog.event_data.AccessMask
+ AccountName: winlog.event_data.AccountName
+ AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
+ AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
+ AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
+ AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
+ CallingProcessName: winlog.event_data.CallingProcessName
+ CallTrace: winlog.event_data.CallTrace
+ CommandLine: winlog.event_data.CommandLine
+ ComputerName: winlog.ComputerName
+ CurrentDirectory: winlog.event_data.CurrentDirectory
+ Description: winlog.event_data.Description
+ DestinationHostname: winlog.event_data.DestinationHostname
+ DestinationIp: winlog.event_data.DestinationIp
+ DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
+ DestinationPort: winlog.event_data.DestinationPort
+ Details: winlog.event_data.Details
+ EngineVersion: winlog.event_data.EngineVersion
+ EventType: winlog.event_data.EventType
+ FailureCode: winlog.event_data.FailureCode
+ FileName: winlog.event_data.FileName
+ GrantedAccess: winlog.event_data.GrantedAccess
+ GroupName: winlog.event_data.GroupName
+ GroupSid: winlog.event_data.GroupSid
+ Hashes: winlog.event_data.Hashes
+ HiveName: winlog.event_data.HiveName
+ HostVersion: winlog.event_data.HostVersion
+ Image: winlog.event_data.Image
+ ImageLoaded: winlog.event_data.ImageLoaded
+ ImagePath: winlog.event_data.ImagePath
+ Imphash: winlog.event_data.Imphash
+ IpAddress: winlog.event_data.IpAddress
+ KeyLength: winlog.event_data.KeyLength
+ LogonProcessName: winlog.event_data.LogonProcessName
+ LogonType: winlog.event_data.LogonType
+ NewProcessName: winlog.event_data.NewProcessName
+ ObjectClass: winlog.event_data.ObjectClass
+ ObjectName: winlog.event_data.ObjectName
+ ObjectType: winlog.event_data.ObjectType
+ ObjectValueName: winlog.event_data.ObjectValueName
+ ParentCommandLine: winlog.event_data.ParentCommandLine
+ ParentProcessName: winlog.event_data.ParentProcessName
+ ParentImage: winlog.event_data.ParentImage
+ Path: winlog.event_data.Path
+ PipeName: winlog.event_data.PipeName
+ ProcessCommandLine: winlog.event_data.ProcessCommandLine
+ ProcessName: winlog.event_data.ProcessName
+ Properties: winlog.event_data.Properties
+ SecurityID: winlog.event_data.SecurityID
+ ServiceFileName: winlog.event_data.ServiceFileName
+ ServiceName: winlog.event_data.ServiceName
+ ShareName: winlog.event_data.ShareName
+ Signature: winlog.event_data.Signature
+ Source: winlog.event_data.Source
+ SourceImage: winlog.event_data.SourceImage
+ StartModule: winlog.event_data.StartModule
+ Status: winlog.event_data.Status
+ SubjectUserName: winlog.event_data.SubjectUserName
+ SubjectUserSid: winlog.event_data.SubjectUserSid
+ TargetFilename: winlog.event_data.TargetFilename
+ TargetImage: winlog.event_data.TargetImage
+ TargetObject: winlog.event_data.TargetObject
+ TicketEncryptionType: winlog.event_data.TicketEncryptionType
+ TicketOptions: winlog.event_data.TicketOptions
+ User: winlog.event_data.User
+ WorkstationName: winlog.event_data.WorkstationName
From 2ea87f187cdb1856dfaf16d501df4605c9194f83 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 9 Dec 2019 16:02:10 +0100
Subject: [PATCH 08/11] Added Ursnif proxy detections
---
 rules/proxy/proxy_ursnif_malware.yml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 rules/proxy/proxy_ursnif_malware.yml
diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
new file mode 100644
index 000000000..7d4aea955
--- /dev/null
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -0,0 +1,48 @@
+title: Ursnif Malware Download URL Pattern
+id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
+status: stable
+description: Detects download of Ursnif malware done by dropper documents.
+author: Thomas Patzke
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri: '*/*.php?l=*.cab'
+ sc-status: 200
+ condition: selection
+fields:
+ - c-ip
+ - c-uri
+ - sc-bytes
+ - c-ua
+falsepositives:
+ - Unknown
+level: critical
+---
+title: Ursnif Malware C2 URL Pattern
+id: 932ac737-33ca-4afd-9869-0d48b391fcc9
+status: stable
+description: Detects Ursnif C2 traffic.
+references:
+ - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
+author: Thomas Patzke
+logsource:
+ category: proxy
+detection:
+ b64encoding:
+ c-uri:
+ - "*_2f*"
+ - "*_2b*"
+ urlpatterns:
+ c-uri|all:
+ - "*.avi"
+ - "*/images/*"
+ condition: b64encoding and urlpatterns
+fields:
+ - c-ip
+ - c-uri
+ - sc-bytes
+ - c-ua
+falsepositives:
+ - Unknown
+level: critical
From b701e9be50a926753ce3e497a5f39e3426135bc6 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 9 Dec 2019 16:31:07 +0100
Subject: [PATCH 09/11] Added ECS proxy configuration
---
 CHANGELOG.md | 6 ++++++
 Makefile | 1 +
 tools/config/ecs-proxy.yml | 24 ++++++++++++++++++++++++
 tools/setup.py | 1 +
 4 files changed, 32 insertions(+)
 create mode 100644 tools/config/ecs-proxy.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c3e48d37..f568a8dc9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0.
+## Unreleased
+
+### Added
+
+* Proxy field names to ECS mapping (ecs-proxy) configuration
+
 ## 0.15.0
 ### Added
diff --git a/Makefile b/Makefile
index b5a6a04c0..d8062448e 100644
--- a/Makefile
+++ b/Makefile
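Review bot: In the download rule's `c-uri: '*/*.php?l=*.cab'` the `?` is a Sigma single-character wildcard rather than a literal query-string separator, so the pattern also matches `.phpXl=` for any X; to pin the literal character use `c-uri: '*/*.php\?l=*.cab'`. Both rules land with `status: stable` and `level: critical` while `falsepositives` is `Unknown`, which is an unusual combination for a first commit — `status: experimental` until the patterns have been exercised against real proxy data is the safer default. The download rule also has no `references` and neither rule carries `tags`; the Fortinet link already cited in the C2 rule fits the download rule too, and a command-and-control technique tag would let both rules be found by ATT&CK mapping.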
@@ -51,6 +51,7 @@ test-sigmac:
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml
new file mode 100644
index 000000000..9e75578c7
--- /dev/null
+++ b/tools/config/ecs-proxy.yml
@@ -0,0 +1,24 @@
+title: Elastic Common Schema mapping for proxy logs
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+logsources:
+ proxy:
+ category: proxy
+ index: filebeat-*
+fieldmappings:
+ c-uri: url.original
+ c-uri-extension: url.extension
+ c-uri-query: url.query
+ c-uri-stem: url.original
+ c-useragent: user_agent.original
+ cs-cookie: http.cookie
+ cs-host: url.domain
+ cs-method: http.request.method
+ r-dns: url.domain
+ sc-status: http.response.status_code
diff --git a/tools/setup.py b/tools/setup.py
index f192eb806..b9d37db1f 100644
--- a/tools/setup.py
+++ b/tools/setup.py
@@ -66,6 +66,7 @@ setup(
 'config/winlogbeat-modules-enabled.yml',
 'config/winlogbeat.yml',
 'config/winlogbeat-old.yml',
+ 'config/ecs-proxy.yml',
 'config/limacharlie.yml',
 ]),
 ('etc/sigma/generic', [
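Review bot: `c-uri-stem: url.original` in the new ecs-proxy.yml maps the path-only field onto the full URL, so a rule written against the stem is also evaluated against the query string; ECS keeps the path portion in `url.path`, and `c-uri-stem: url.path` would preserve the stem semantics while `c-uri` stays on `url.original`. As far as I can tell from this mapping alone, field names with no `fieldmappings` entry pass through into the generated query unchanged, and the proxy rules added earlier in this series list `c-ip`, `sc-bytes` and `c-ua`, none of which appear here, so they would surface as non-ECS names against a `filebeat-*` index; `c-ip: source.ip` and `sc-bytes: http.response.bytes` are the ECS counterparts, and `c-ua` looks like it was meant to be the taxonomy's `c-useragent`, which is mapped. `cs-cookie: http.cookie` does not correspond to a field I can place in ECS, so a comment naming the ingest pipeline or module that populates it would save the next reader from guessing.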
From 0dd4324abacc6892eaeaf56b53320f1f3b8d58be Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Tue, 10 Dec 2019 19:31:12 +0300
Subject: [PATCH 10/11] Added svchost.exe as a parent image
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
---
 rules/windows/process_creation/win_susp_svchost.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 21784bf2c..158e21905 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -19,6 +19,7 @@ detection:
 - '*\MsMpEng.exe'
 - '*\Mrt.exe'
 - '*\rpcnet.exe'
+ - '*\svchost.exe'
 filter_null:
 ParentImage: null
 condition: selection and not filter and not filter_null
From 977551c69d5220ac8fbf086ee5c631229bbd003a Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Tue, 10 Dec 2019 20:17:40 +0300
Subject: [PATCH 11/11] Added some suspicious locations
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
---
 rules/windows/process_creation/win_susp_exec_folder.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml
index 9ec58361e..f42c4c82d 100644
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ b/rules/windows/process_creation/win_susp_exec_folder.yml
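Review bot: The new `- '*\svchost.exe'` entry joins the `filter` list (its `ParentImage` key sits above the hunk) as a suffix-only pattern, so any parent whose image name is svchost.exe — including a look-alike dropped outside `System32` — now suppresses the alert, and because svchost.exe under an unexpected parent is exactly what this rule hunts, this particular exclusion should be anchored to the legitimate binaries, e.g. `- 'C:\Windows\System32\svchost.exe'` and `- 'C:\Windows\SysWOW64\svchost.exe'`, even though the neighbouring entries use the looser form. The commit message justifies the addition with a Carbon Black article and local investigation, but the diffstat shows a single inserted line, so the rule's `references` list is not updated; adding the article there keeps the rationale with the rule instead of in git history. The rest of the `filter` selection and its field name are outside the hunk, so I can only see the three suffix entries it is appended to.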
@@ -9,6 +9,7 @@ references:
 - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
 - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+ - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -33,6 +34,8 @@ detection:
 - C:\Windows\security\\*
 - '*\RSA\MachineKeys\\*'
 - C:\Windows\system32\config\systemprofile\\*
+ - C:\Windows\Tasks\\*
+ - C:\Windows\System32\Tasks\\*
 condition: selection
 falsepositives:
 - Unknown
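Review bot: The two new `C:\Windows\Tasks\\*` and `C:\Windows\System32\Tasks\\*` entries follow the file's `\\*` escaping (literal backslash followed by the `*` wildcard), but the field they match on and the head of the selection list are above the hunk, so I can only confirm they join the same list as `C:\Windows\security\\*`. Both directories are commonly listed among the system paths that non-administrative users can write to under default Windows ACLs, which is what makes an executable launched from them worth alerting on, and that rationale is worth capturing in the rule — for instance a `# user-writable under default ACLs, frequent drop location for allow-listing bypasses` comment beside the two entries or a sentence in the rule's `description`, since the commit message only cites the hunting article. The hard-coded `C:` drive matches the surrounding entries, though `*\Windows\Tasks\\*` would also cover hosts whose system drive is not C:.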