Merge pull request #486 from yugoslavskiy/tieto_oscd

[OSCD] Tieto DNS exfiltration rules

rules/network/net_dns_c2_detection.yml

@@ -7,7 +7,7 @@ references:
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
-    product: dns
+    category: dns
 detection:
     selection:
         parent_domain: '*'
@@ -16,4 +16,5 @@ falsepositives:
     - Valid software, which uses dns for transferring data
 level: high
 tags:
-    - attack.t1043
+    - attack.t1048
+    - attack.exfiltration

rules/network/net_high_dns_bytes_out.yml

@@ -0,0 +1,29 @@
+---
+action: global
+title: High DNS bytes out
+description: High DNS queries bytes amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | sum(question_length) by src_ip > 300000
+---
+logsource:
+    category: firewall
+detection:
+    selection:
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | sum(message_size) by src_ip > 300000

rules/network/net_high_dns_requests_rate.yml

@@ -0,0 +1,29 @@
+---
+action: global
+title: High DNS requests rate
+description: High DNS requests amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS requests rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
+---
+logsource:
+    category: firewall
+detection:
+    selection:    
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000

rules/network/net_high_null_records_requests_rate.yml

@@ -0,0 +1,18 @@
+title: High NULL records requests rate
+description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:    
+        record_type: "NULL"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
+level: medium

rules/network/net_high_txt_records_requests_rate.yml

@@ -0,0 +1,18 @@
+title: High TXT records requests rate
+description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        record_type: "TXT"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
+level: medium

rules/windows/powershell/powershell_dnscat_execution.yml

@@ -0,0 +1,19 @@
+title: Dnscat execution
+description: Dnscat exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText: "*Start-Dnscat2*"
+    condition: selection
+falsepositives:
+    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
+level: medium

rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml

@@ -0,0 +1,20 @@
+title: DNS exfiltration tools execution
+description: Well-known DNS Exfiltration tools execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        NewProcessName: 
+            - "*\\iodine.exe"
+            - "*\\dnscat2*"
+    condition: selection
+falsepositives:
+    - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
+level: medium

rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml

@@ -0,0 +1,22 @@
+title: Exfiltration and tunneling tools execution
+description: Execution of well known tools for data exfiltration and tunneling
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1020
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        NewProcessName:
+            - "*\\plink.exe"
+            - "*\\socat.exe"
+            - "*\\stunnel.exe"
+            - "*\\httptunnel.exe"
+    condition: selection
+falsepositives:
+    - Legitimate Administrator using tool for exfiltration for other needs
+level: medium

rules/windows/process_creation/win_tap_installer_execution.yml

@@ -0,0 +1,18 @@
+title: Tap installer execution
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+     category: process_creation
+     product: windows
+detection:
+    selection:
+        CommandLine: "*\\tapinstall.exe"
+    condition: selection
+falsepositives:
+    - Legitimate OpenVPN TAP insntallation
+level: medium

rules/windows/sysmon/win_tap_driver_installation.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: Tap driver installation
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate OpenVPN TAP insntallation
+level: medium
+detection:
+    selection:
+        ImagePath: "*tap0901*"
+    condition: selection
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 6