chore: test rules: check for unused selections

2022-05-10 11:07:40 +02:00
parent 654e9e9b9c
commit b4fdb13e8a
4 changed files with 41 additions and 7 deletions
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes
 references:
   - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 date: 2021/10/15
-modified: 2022/03/14
+modified: 2022/05/09
 author: Florian Roth
 tags:
    - attack.persistence
@@ -26,18 +26,18 @@ detection:
      ParentCommandLine|contains|all:
         - '/bin/java'
         - 'tomcat'
-   selection_websphere:  # ? just guessing 
+   selection_websphere:  # ? just guessing
      ParentCommandLine|contains|all:
         - '/bin/java'
         - 'websphere'
   selection_sub_processes:
-      Image|endswith: 
+      Image|endswith:
         - '/whoami'
         - '/ifconfig'
         - '/usr/bin/ip'
         - '/bin/uname'
-   condition: selection_sub_processes and ( selection_general or selection_tomcat )
+   condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere)
 falsepositives:
-   - Web applications that invoke Linux command line tools 
+   - Web applications that invoke Linux command line tools
 level: critical

@@ -6,6 +6,7 @@ references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth
 date: 2022/03/22
+modified: 2022/05/09
 logsource:
    category: process_creation
    product: windows
@@ -22,7 +23,7 @@ detection:
        CommandLine|contains:
            - 'Real-Time Protection'
            - 'TamperProtection'
-    condition: selection
+    condition: selection and selection_target
 falsepositives:
    - Legitimate use
 level: high
@@ -6,6 +6,7 @@ references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth
 date: 2022/03/22
+modified: 2022/05/09
 logsource:
    category: process_creation
    product: windows
@@ -21,7 +22,7 @@ detection:
        CommandLine|contains:
            - 'Real-Time Protection'
            - 'TamperProtection'
-    condition: selection
+    condition: selection and selection_target
 falsepositives:
    - Unlikely
 level: high
@@ -749,6 +749,38 @@ class TestRules(unittest.TestCase):

        self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element")

+    def test_unused_selection(self):
+        faulty_rules = []
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            detection = self.get_rule_part(file_path=file, part_name="detection")
+            condition = detection["condition"]
+            wildcard_selections = re.compile(r"\sof\s([\w\*]+)(?:$|\s|\))")
+
+            # skip rules containing aggregations
+            if type(condition) == list:
+                continue
+
+            for selection in detection:
+                if selection == "condition":
+                    continue
+                if selection == "timeframe":
+                    continue
+                if selection in condition:
+                    continue
+                # find all wildcards in condition
+                found = False
+                for wildcard_selection in wildcard_selections.findall(condition):
+                    # wildcard matches selection
+                    if re.search(wildcard_selection.replace(r"*", r".*"), selection) is not None:
+                        found = True
+                        break
+                # selection was not found in condition
+                if not found:
+                    print(Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection))
+                    faulty_rules.append(file)
+
+        self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections")
+
    def test_condition_operator_casesensitive(self):
        faulty_rules = []
        for file in self.yield_next_rule_file_path(self.path_to_rules):