Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel

2021-07-30 07:11:14 +02:00
parent 0cbb6f82ad 61a9da3901
commit b105402fe4
3 changed files with 15 additions and 42 deletions
@@ -1,5 +1,5 @@
 title: AWS STS AssumedRole Misuse
-id: 216e11fa-2796-4fb0-8416-8910b63faec4
+id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
 description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
 author: Austin Songer
 status: experimental
@@ -16,68 +16,56 @@ fieldmappings:
    - process_product_version
    - process_publisher
    - process_file_description
-  DestPort:
-    - netconn_port
-    - netconn_remote_port
+  DestPort: netconn_port
  Destination:
    - netconn_domain
  DestinationAddress:
    - netconn_domain
    - netconn_ipv4
    - netconn_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  DestinationHostname: 
+  DestinationHostname:
    - netconn_domain
    - netconn_proxy_domain
  DestinationIp:
    - netconn_ipv4
    - netconn_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  DestinationPort:
-    - netconn_port
-    - netconn_remote_port
+  DestinationPort: netconn_port
  Device: device_name
  FileName:
-    - process_internal_name
    - process_name
    - process_original_filename
  FileVersion: process_product_version
  Image:
    - process_name
-    - process_internal_name
  IntegrityLevel: process_integrity_level
  IpAddress:
    - netconn_ipv4
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
  LogonId:
    - childproc_username
    - process_username
  md5: hash
-  NewName: regmod_new_name
+  NewName: regmod_name
  OriginalFileName: process_original_filename
  ParentCommandLine: parent_cmdline
  ParentImage: parent_name
  ParentIntegrityLevel: process_integrity_level
  ProcessCommandLine: process_cmdline
  ProcessName: process_name
-  Product: 
+  Product:
    - process_product_name
    - process_file_description
  RelativeTargetName: childproc_name
-  ScriptBlockText: 
+  ScriptBlockText:
    - childproc_cmdline
    - crossproc_cmdline
    - process_cmdline
  ServiceFileName: process_service_name
  ServiceName: process_service_name
  sha256: hash
-  Signature: 
+  Signature:
    - childproc_publisher
    - filemod_publisher
    - modload_publisher
@@ -98,27 +86,17 @@ fieldmappings:
    - netconn_local_port
    - netconn_port
  SourceWorkstation: device_name
-  TargetFilename: 
-    - filemod_name
-    - crossproc_name
-  TargetImage:
-    - filemod_name
-    - crossproc_name
-  TargetName:
-    - filemod_name
-    - crossproc_name
+  TargetFilename: filemod_name
+  TargetImage: filemod_name
+  TargetName: filemod_name
  TargetUserName:
    - childproc_username
    - process_username
-  TargetObject: 
-    - regmod_name
-    - regmod_new_name
+  TargetObject: regmod_name
  User:
    - childproc_username
    - process_username
-  Value:
-    - regmod_name
-    - regmod_new_name
+  Value: regmod_name
  Workstation: device_name
  WorkstationName: device_name

@@ -127,15 +105,9 @@ fieldmappings:
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  dst_port:
-    - netconn_port
-    - netconn_remote_port
+  dst_port: netconn_port
  src_ip:
    - netconn_ipv4
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
@@ -81,6 +81,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
        '|',
        ';',
        ':',
+        '-'
    ]

    def __init__(self, *args, **kwargs):