From 5eb484a06207defeadb9572f089b85a87594767e Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Fri, 25 Oct 2019 04:30:55 +0200
Subject: [PATCH] add tieto dns exfiltration rules

---
 rules/network/net_dns_c2_detection.yml | 5 +--
 rules/network/net_high_dns_bytes_out.yml | 29 +++++++++++++++++
 rules/network/net_high_dns_requests_rate.yml | 29 +++++++++++++++++
 .../net_high_null_records_requests_rate.yml | 18 +++++++++++
 .../net_high_txt_records_requests_rate.yml | 18 +++++++++++
 .../powershell_dnscat_execution.yml | 19 ++++++++++++
 .../win_dns_exfiltration_tools_execution.yml | 20 ++++++++++++
 ...ltration_and_tunneling_tools_execution.yml | 22 +++++++++++++
 .../win_tap_installer_execution.yml | 18 +++++++++++
 .../sysmon/win_tap_driver_installation.yml | 31 +++++++++++++++++++
 10 files changed, 207 insertions(+), 2 deletions(-)
 create mode 100644 rules/network/net_high_dns_bytes_out.yml
 create mode 100644 rules/network/net_high_dns_requests_rate.yml
 create mode 100644 rules/network/net_high_null_records_requests_rate.yml
 create mode 100644 rules/network/net_high_txt_records_requests_rate.yml
 create mode 100644 rules/windows/powershell/powershell_dnscat_execution.yml
 create mode 100644 rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
 create mode 100644 rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
 create mode 100644 rules/windows/process_creation/win_tap_installer_execution.yml
 create mode 100644 rules/windows/sysmon/win_tap_driver_installation.yml

diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 90a889dc2..fd47f29df 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -7,7 +7,7 @@ references:
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
-    product: dns
+    category: dns
 detection:
     selection:
         parent_domain: '*'
@@ -16,4 +16,5 @@ falsepositives:
     - Valid software, which uses dns for transferring data
 level: high
 tags:
-    - attack.t1043
+    - attack.t1048
+    - attack.exfiltration
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml
new file mode 100644
index 000000000..b435c5359
--- /dev/null
+++ b/rules/network/net_high_dns_bytes_out.yml
@@ -0,0 +1,29 @@
+---
+action: global
+title: High DNS bytes out
+description: High DNS queries bytes amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | sum(question_length) by src_ip > 300000
+---
+logsource:
+    category: firewall
+detection:
+    selection:
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | sum(message_size) by src_ip > 300000
diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml
new file mode 100644
index 000000000..3eb99ede7
--- /dev/null
+++ b/rules/network/net_high_dns_requests_rate.yml
@@ -0,0 +1,29 @@
+---
+action: global
+title: High DNS requests rate
+description: High DNS requests amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS requests rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
+---
+logsource:
+    category: firewall
+detection:
+    selection:
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
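Review bot: Dropping `attack.t1043` leaves net_dns_c2_detection.yml, a command-and-control rule by file name, tagged with the exfiltration tactic only; the T1048 retag is defensible, but the C2 tactic should stay visible, e.g. keep `- attack.command_and_control` next to the two added tags. The rule's title and detection block are outside this hunk, so I cannot confirm its wording from here.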
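Review bot: Both sections of net_high_dns_bytes_out.yml aggregate by `src_ip` with no exclusion for the organisation's own recursive resolvers and forwarders, which can legitimately exceed 300000 bytes per minute toward port 53 and would then trip the rule continuously; net_high_dns_requests_rate.yml in this commit has the same gap. Add a filter for the resolver addresses in each section, e.g. `filter:` with `src_ip: '<resolver-ip-range>'` (placeholder) and `condition: selection and not filter | sum(question_length) by src_ip > 300000`. Note also that the two conditions compare different quantities — `question_length` counts query-name bytes while the firewall `message_size` counts whole-packet bytes — so the same 300000 does not mean the same thing in both sections; a comment on each condition line stating what the field measures and how the threshold was chosen would make tuning possible.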
diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml
new file mode 100644
index 000000000..3a42156a0
--- /dev/null
+++ b/rules/network/net_high_null_records_requests_rate.yml
@@ -0,0 +1,18 @@
+title: High NULL records requests rate
+description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        record_type: "NULL"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
+level: medium
diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml
new file mode 100644
index 000000000..58f19c5ef
--- /dev/null
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@@ -0,0 +1,18 @@
+title: High TXT records requests rate
+description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        record_type: "TXT"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml
new file mode 100644
index 000000000..e8f698eaf
--- /dev/null
+++ b/rules/windows/powershell/powershell_dnscat_execution.yml
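Review bot: `record_type: "NULL"` works only because of the quotes — a bare NULL is a YAML null, and the selection would then silently match nothing — and that deserves a comment so a later edit does not drop them: `record_type: "NULL"  # quoted on purpose: unquoted NULL parses as YAML null`. The description attributes the pattern to a named tool, so a `references:` entry for that tool would let an analyst check the claim without leaving the rule; the same applies to the TXT rule in this commit, which names a different tool.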
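Review bot: TXT lookups are routine for mail servers (SPF, DKIM and DMARC checks) and for some service-discovery clients, so those hosts will exceed 50 per minute legitimately and the falsepositives entry should name them, e.g. `- Mail servers performing SPF/DKIM/DMARC TXT lookups`; a filter on their addresses belongs in the selection, as for the other rate rules in this commit. net_high_txt_records_requests_rate.yml is also the only file here committed without a trailing newline (`\ No newline at end of file`), which should be fixed for consistency with its siblings.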
@@ -0,0 +1,19 @@
+title: Dnscat execution
+description: Dnscat exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText: "*Start-Dnscat2*"
+    condition: selection
+falsepositives:
+    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
+level: medium
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
new file mode 100644
index 000000000..6f072e792
--- /dev/null
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -0,0 +1,20 @@
+title: DNS exfiltration tools execution
+description: Well-known DNS Exfiltration tools execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        NewProcessName:
+            - "*\\iodine.exe"
+            - "*\\dnscat2*"
+    condition: selection
+falsepositives:
+    - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
+level: medium
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
new file mode 100644
index 000000000..0cd906be8
--- /dev/null
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
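Review bot: `level: medium` contradicts the falsepositives entry that calls legitimate use unlikely; the level is meant to reflect that judgement, so either raise it to `level: high` or replace the entry with a realistic benign case. The EventID 4104 selection only produces anything where PowerShell script block logging is enabled, which the rule does not say; a sentence in the description (or a `references:` entry on enabling it) would save a deployment that silently never fires. Since dnscat2 is primarily a tunnelling/C2 tool, `- attack.command_and_control` alongside the exfiltration tags would also match how the sibling net_dns_c2_detection.yml is classified.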
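Review bot: `NewProcessName` is the Security 4688 field name; sigma's process_creation category uses the generic `Image` field, which the backend maps to NewProcessName or to Sysmon's Image depending on the configured log source, so as written win_dns_exfiltration_tools_execution.yml misses Sysmon EventID 1 data — win_exfiltration_and_tunneling_tools_execution.yml in this commit has the same problem. Change the selection key to `Image:` in both. The `"*\\dnscat2*"` pattern has no extension and matches any image path containing that string; if a specific binary name is intended, tighten it to that name, and otherwise say in the description that the match is by path substring — I cannot confirm the client binary's name from the diff.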
@@ -0,0 +1,22 @@
+title: Exfiltration and tunneling tools execution
+description: Execution of well known tools for data exfiltration and tunneling
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1020
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        NewProcessName:
+            - "*\\plink.exe"
+            - "*\\socat.exe"
+            - "*\\stunnel.exe"
+            - "*\\httptunnel.exe"
+    condition: selection
+falsepositives:
+    - Legitimate Administrator using tool for exfiltration for other needs
+level: medium
diff --git a/rules/windows/process_creation/win_tap_installer_execution.yml b/rules/windows/process_creation/win_tap_installer_execution.yml
new file mode 100644
index 000000000..b9c0395f1
--- /dev/null
+++ b/rules/windows/process_creation/win_tap_installer_execution.yml
@@ -0,0 +1,18 @@
+title: Tap installer execution
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: "*\\tapinstall.exe"
+    condition: selection
+falsepositives:
+    - Legitimate OpenVPN TAP insntallation
+level: medium
diff --git a/rules/windows/sysmon/win_tap_driver_installation.yml b/rules/windows/sysmon/win_tap_driver_installation.yml
new file mode 100644
index 000000000..3d09ad4fb
--- /dev/null
+++ b/rules/windows/sysmon/win_tap_driver_installation.yml
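Review bot: `plink.exe` is PuTTY's command-line SSH client and is widely used by administrators for scripted sessions, so at `level: medium` this rule will be noisy in most estates; either state that in falsepositives (`- Administrators using plink.exe or stunnel.exe for legitimate SSH/TLS tunnels`) or lower the level. The tag `attack.t1020` (automated exfiltration) is a weaker fit than the `attack.t1048` used by the sibling DNS rules in this commit, since these are tunnelling binaries rather than automation; consider aligning them. The falsepositives line `Legitimate Administrator using tool for exfiltration for other needs` reads oddly — `Legitimate administrator use of these tunneling tools` says what is meant.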
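Review bot: `CommandLine: "*\\tapinstall.exe"` matches only when the command line ends with the executable name, i.e. when tapinstall is launched with no arguments; the installer is normally invoked with a verb and an INF argument, so the event this rule is meant to catch will not match. Match on the process path instead, `Image: "*\\tapinstall.exe"`, or if the command line is the intended field use `CommandLine: "*\\tapinstall.exe *"`. The falsepositives entry has a typo, `insntallation` → `installation`, repeated in win_tap_driver_installation.yml in this commit.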
@@ -0,0 +1,31 @@
+---
+action: global
+title: Tap driver installation
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate OpenVPN TAP insntallation
+level: medium
+detection:
+    selection:
+        ImagePath: "*tap0901*"
+    condition: selection
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 6
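Review bot: The shared `ImagePath: "*tap0901*"` in the global section never matches Sysmon EventID 6, whose driver-path field is `ImageLoaded`, so only the System 7045 section of win_tap_driver_installation.yml can fire. Move the path match into each logsource section under its own field name and keep only `condition: selection` in the global detection. This assumes the sigma collection parser deep-merges the global `detection` into each section's, which the current layout already relies on for the EventID selections.
```yaml
# … unchanged: global header (title … level), with detection reduced to `condition: selection` …
---
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ImagePath: "*tap0901*"
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded: "*tap0901*"
```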