diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 2d1f625b3..88c6d0502 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -24,7 +24,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install pipenv + pip install pipenv==2021.5.29 pipenv lock pipenv install --dev --deploy - name: Test Sigma Tools and Rules diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 83% rename from rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml index f0a453bd2..ac0f39659 100644 --- a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions and magic bytes to the logic of your choice. @@ -23,22 +23,23 @@ detection: - 'winword.exe' - 'excel.exe' - 'powerpnt.exe' + - 'outlook.exe' selection2: FileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" selection3: FileMagicBytes|startswith: - - "4D5A" + - "4D5A" condition: selection1 and (selection2 or selection3) falsepositives: -- Unknown + - Unknown level: high 
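Review bot: Pinning `pipenv==2021.5.29` fixes the installer but not what it installs, because the next two steps still run `pipenv lock` and then `pipenv install --dev --deploy`: the lock is regenerated from the Pipfile on every CI run, so `--deploy`'s "lockfile out of date" check can never fire and the test dependencies resolve to whatever PyPI serves that day. If a Pipfile.lock is committed (not visible here), drop the `pipenv lock` line so `--deploy` actually enforces it; if none is committed, the lock step should be replaced by a committed lockfile rather than kept. `python -m pip install --upgrade pip` is likewise unpinned, which is a smaller but similar source of drift. The workflow's job definition continues outside the hunk.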
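Review bot: The second hunk of the office rule adds `- 'outlook.exe'` to selection1 while the rule stays at `level: high` with a falsepositives entry of `- Unknown`; a mail client presumably writes far more benign files than the three editors already listed, so the expected false-positive sources should be recorded here, e.g. `- Legitimate add-in or attachment handling, tune per environment` in place of `Unknown`. The same commit moves the file under rules-unsupported, and nothing in the rule text says why it is unsupported or whether the new entry was validated; a one-line `# unsupported: <reason>` comment next to the `status:` line would make that traceable. The selection1 key and the field it matches on are outside the hunk.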
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml similarity index 96% rename from rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml rename to rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml index a760be6da..8571eee41 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml +++ b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml @@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. status: experimental date: 2021/09/18 +modified: 2021/11/11 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.privilege_escalation @@ -21,7 +22,7 @@ logsource: detection: selection: type: 'SYSCALL' - SYSCALL: 'execve' + syscall: 'execve' uid: '0' cwd: '/var/opt/microsoft/scx/tmp' cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules-unsupported/sysmon_non_priv_program_files_move.yml similarity index 100% rename from rules/windows/file_event/sysmon_non_priv_program_files_move.yml rename to rules-unsupported/sysmon_non_priv_program_files_move.yml 
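Review bot: The auditd rule is moved under rules-unsupported and gets a `modified: 2021/11/11` bump, but nothing in the file records why it is unsupported; `status` still reads `experimental` and the description still presents it as a working detection, so a short `# unsupported: <reason>` comment next to the `status:` line would keep that context with the rule. The field rename from `SYSCALL: 'execve'` to `syscall: 'execve'` changes the field name that backend mappings key on; if any mapping for this rule still uses the upper-case name (not visible here), it will silently stop matching. The renamed rules at 100% similarity in this hunk set carry the same undocumented move.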
diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/win_suspicious_werfault_connection_outbound.yml similarity index 100% rename from rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml rename to rules-unsupported/win_suspicious_werfault_connection_outbound.yml diff --git a/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml b/rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml similarity index 100% rename from rules/network/zeek/zeek_http_exfiltration_compressed_files.yml rename to rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 597b668d9..83a17e8da 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -7,6 +7,7 @@ date: 2021/09/23 references: - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml index 816a25d5f..6d3e484db 100644 --- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml index ee3f0ef93..71ff54910 100644 --- a/rules/cloud/aws/aws_config_disable_recording.yml +++ b/rules/cloud/aws/aws_config_disable_recording.yml 
@@ -6,6 +6,7 @@ author: vitaliy0x1 date: 2020/01/21 modified: 2021/08/09 logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index e383c9495..cafbe45b6 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml @@ -12,6 +12,7 @@ tags: - attack.t1486 - attack.t1565 logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index be6b74389..722508c5b 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml index ac9712520..73c1dd1dc 100644 --- a/rules/cloud/aws/aws_ec2_startup_script_change.yml +++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index 05baed245..57c2fa5c2 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: + product: aws service: cloudtrail detection: selection: 
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml index cd4b6d12f..0cbbce502 100644 --- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml index d6d22c653..86583bdf8 100644 --- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index 1ffc14959..65d3a3bac 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://any-api.com/amazonaws_com/eks/docs/API_Description logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml index 4ee73e1ae..17c6ebb8e 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_created.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml 
@@ -8,6 +8,7 @@ modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml index f5bbe1068..5487aa55c 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml @@ -8,6 +8,7 @@ modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_enum_listing.yml b/rules/cloud/aws/aws_enum_listing.yml index fe8f1ca02..f43bfeea6 100644 --- a/rules/cloud/aws/aws_enum_listing.yml +++ b/rules/cloud/aws/aws_enum_listing.yml @@ -6,6 +6,7 @@ author: toffeebr33k date: 2020/11/21 modified: 2021/08/09 logsource: + product: aws service: cloudtrail detection: selection_eventname: diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml index 2181fce53..d7500a063 100644 --- a/rules/cloud/aws/aws_guardduty_disruption.yml +++ b/rules/cloud/aws/aws_guardduty_disruption.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9 logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml index 7991b3ae5..0d7cd569a 100644 --- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml 
@@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml index 669ca76c8..eae76fe06 100644 --- a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml +++ b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml @@ -8,6 +8,7 @@ update: 2021/10/13 references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ logsource: + product: aws service: cloudtrail detection: selection1: diff --git a/rules/cloud/aws/aws_macic_evasion.yml b/rules/cloud/aws/aws_macic_evasion.yml index 07c3c9c5e..9e04bbc34 100644 --- a/rules/cloud/aws/aws_macic_evasion.yml +++ b/rules/cloud/aws/aws_macic_evasion.yml @@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.t1562.001 logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml similarity index 98% rename from rules/cloud/aws/passed_role_to_glue_development_endpoint.yml rename to rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml index c43ce53e0..743fbbbe8 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml @@ -9,6 +9,7 @@ references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html logsource: + product: aws service: cloudtrail detection: selection1: diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml index cfdfb70a2..8fe0d7958 100644 
--- a/rules/cloud/aws/aws_rds_change_master_password.yml +++ b/rules/cloud/aws/aws_rds_change_master_password.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml index fdc8c19d8..d69d7352b 100644 --- a/rules/cloud/aws/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws/aws_rds_public_db_restore.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml index 62aaafbd0..2306c3222 100644 --- a/rules/cloud/aws/aws_root_account_usage.yml +++ b/rules/cloud/aws/aws_root_account_usage.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html logsource: + product: aws service: cloudtrail detection: selection_usertype: diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml index 0b43a509d..fa9b5171c 100644 --- a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml @@ -9,6 +9,7 @@ references: - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html logsource: + product: aws service: cloudtrail detection: selection: 
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml index 80aec16dd..69302a914 100644 --- a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml @@ -7,6 +7,7 @@ date: 2021/07/22 references: - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml index 1670c6b64..13e21a4bc 100644 --- a/rules/cloud/aws/aws_s3_data_management_tampering.yml +++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml @@ -14,6 +14,7 @@ references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/aws_securityhub_finding_evasion.yml index 5c9013583..2a5361e0f 100644 --- a/rules/cloud/aws/aws_securityhub_finding_evasion.yml +++ b/rules/cloud/aws/aws_securityhub_finding_evasion.yml @@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.t1562 logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml index e8794cee2..11ddcf8b4 100644 --- a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml +++ b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml 
@@ -9,6 +9,7 @@ references: - https://www.justice.gov/file/1080281/download - https://attack.mitre.org/techniques/T1537/ logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index 6163a0403..1f6b76ae1 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml @@ -9,6 +9,7 @@ references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml index d94ae3b92..340e41bc6 100644 --- a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml +++ b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml @@ -8,6 +8,7 @@ references: - https://github.com/elastic/detection-rules/pull/1213 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_suspicious_saml_activity.yml b/rules/cloud/aws/aws_suspicious_saml_activity.yml index f8b542bea..d6caa4835 100644 --- a/rules/cloud/aws/aws_suspicious_saml_activity.yml +++ b/rules/cloud/aws/aws_suspicious_saml_activity.yml @@ -8,6 +8,7 @@ references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html logsource: + product: aws service: cloudtrail detection: selection1: diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index d8468d6de..093dbd905 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml 
@@ -9,6 +9,7 @@ date: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml index 6a06f19be..5dc522e2c 100644 --- a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml +++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml @@ -13,6 +13,7 @@ tags: references: - https://o365blog.com/post/hybridhealthagent/ logsource: + product: azure service: AzureActivity detection: selection: diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml index a4bd4e63f..bbed90f57 100644 --- a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml +++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml @@ -13,6 +13,7 @@ tags: references: - https://o365blog.com/post/hybridhealthagent/ logsource: + product: azure service: AzureActivity detection: selection: diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml index c2abe63cd..3f65b7eeb 100644 --- a/rules/cloud/azure/azure_account_lockout.yml +++ b/rules/cloud/azure/azure_account_lockout.yml @@ -7,6 +7,7 @@ description: Identifies user account which has been locked because the user trie references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: + product: azure service: azure.signinlogs detection: selection: diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml index ce6c956bf..381913fd1 100644 --- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml 
@@ -7,6 +7,7 @@ references: - https://attack.mitre.org/techniques/T1098/003/ - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml index 1a95a62ca..2867e6d78 100644 --- a/rules/cloud/azure/azure_app_credential_modification.yml +++ b/rules/cloud/azure/azure_app_credential_modification.yml @@ -7,6 +7,7 @@ date: 2021/09/02 references: - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml index 7160069c5..d92172000 100644 --- a/rules/cloud/azure/azure_application_deleted.yml +++ b/rules/cloud/azure/azure_application_deleted.yml @@ -7,6 +7,7 @@ date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml index bb7b1e751..0dd456f31 100644 --- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml index 686380ee4..24dd86b99 100644 
--- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml index a6d43f7dc..f84820f90 100644 --- a/rules/cloud/azure/azure_change_to_authentication_method.yml +++ b/rules/cloud/azure/azure_change_to_authentication_method.yml @@ -7,6 +7,7 @@ description: Change to authentication method could be an indicated of an attacke references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: + product: azure service: azure.auditlogs detection: selection: diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml index a05829eaf..19cd8c917 100644 --- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml index 74041d51f..ed305d5e3 100644 --- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml 
@@ -7,6 +7,7 @@ description: Number of VM creations or deployment activities occur in Azure via references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml logsource: + product: azure service: AzureActivity detection: keywords: diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml index 13be72771..c60bde66c 100644 --- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -7,6 +7,7 @@ date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml index c5136d769..972a3dd95 100644 --- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index 6028af1f6..9831b9a1b 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes logsource: + product: azure service: azure.activitylogs detection: selection: 
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml index bc627c97b..b1902b278 100644 --- a/rules/cloud/azure/azure_federation_modified.yml +++ b/rules/cloud/azure/azure_federation_modified.yml @@ -7,6 +7,7 @@ date: 2021/09/06 references: - https://attack.mitre.org/techniques/T1078 logsource: + product: azure service: azure.signinlogs detection: selection: diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml index 40d0864a8..468ee7155 100644 --- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 15799e9df..a28556c8b 100644 --- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml index 2cfb1fe8b..a7bb6240f 100644 --- a/rules/cloud/azure/azure_granting_permission_detection.yml +++ b/rules/cloud/azure/azure_granting_permission_detection.yml 
@@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml logsource: + product: azure service: AzureActivity detection: keywords: diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index db6a8128e..77c69fadb 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml index 993ed2fc9..d5955a8ca 100644 --- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index 2ae7d373f..1796669a3 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: 
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index bf150b5ad..598fd4ea6 100644 --- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml index 4a080c286..611925741 100644 --- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml @@ -8,6 +8,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml logsource: + product: azure service: azure.activitylogs detection: selection_operation_name: diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml index 15163d6e0..33de95bf6 100644 --- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml index 4f7d6b9ba..7040be7c5 100644 
--- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml @@ -8,6 +8,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml logsource: + product: azure service: azure.activitylogs detection: selection_operation_name: diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml index 39b14ad8e..7306b36a0 100644 --- a/rules/cloud/azure/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/azure_kubernetes_role_access.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 6e5b955a9..e1f86ce74 100644 --- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 108e64c2b..bd823765a 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml 
@@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index f9c3cd77a..b393caa01 100644 --- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -11,6 +11,7 @@ references: - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml index 48a1b501b..1510f307a 100644 --- a/rules/cloud/azure/azure_login_to_disabled_account.yml +++ b/rules/cloud/azure/azure_login_to_disabled_account.yml @@ -7,6 +7,7 @@ description: Detect failed attempts to sign in to disabled accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: + product: azure service: azure.signinlogs detection: selection: diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml index 22d5e37cb..795d2cdb4 100644 --- a/rules/cloud/azure/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/azure_mfa_interrupted.yml @@ -7,6 +7,7 @@ description: Identifies user login with multifactor authentication failures, whi references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: + product: azure service: azure.signinlogs detection: selection: 
diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml index b087d550f..c9c9c2860 100644 --- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/09/02 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index e9eb00af7..c1731807a 100644 --- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index 19e762ff3..109c825a4 100644 --- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml index 75b3733fe..cc35235ae 100644 --- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml 
@@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 60d39103f..bf2990d3b 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml index 03afa08e4..77ce17e7a 100644 --- a/rules/cloud/azure/azure_new_cloudshell_created.yml +++ b/rules/cloud/azure/azure_new_cloudshell_created.yml @@ -7,6 +7,7 @@ date: 2021/09/21 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml index 5db903ee0..055e3dab7 100644 --- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -7,6 +7,7 @@ date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy logsource: + product: azure service: azure.activitylogs detection: selection: 
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml index 49ae1bb74..3d93148de 100644 --- a/rules/cloud/azure/azure_rare_operations.yml +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml logsource: + product: azure service: AzureActivity detection: keywords: diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml index 82e422ca2..100ef8868 100644 --- a/rules/cloud/azure/azure_service_principal_created.yml +++ b/rules/cloud/azure/azure_service_principal_created.yml @@ -7,6 +7,7 @@ date: 2021/09/02 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml index e05012525..34c16e92c 100644 --- a/rules/cloud/azure/azure_service_principal_removed.yml +++ b/rules/cloud/azure/azure_service_principal_removed.yml @@ -7,6 +7,7 @@ date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index be4d70d37..a4ef51caf 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml 
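Review bot: `azure_rare_operations.yml` still carries `service: AzureActivity` after `product: azure` is added, while every other Azure activity-log rule touched by this commit (the hunks immediately before and after this one) uses `service: azure.activitylogs`. A backend logsource mapping keyed on `azure` / `azure.activitylogs` will therefore not pick up this rule, which is presumably not the intent of a commit that normalizes logsource fields. If the Sentinel-native table name is deliberate, `service: azure.activitylogs` plus a `# NOTE: maps to the AzureActivity table in Sentinel` comment keeps the rule convertible by the same mapping as its siblings.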
@@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml index 9dff5f2da..1af7385bb 100644 --- a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml +++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml @@ -7,6 +7,7 @@ description: Detect access has been blocked by Conditional Access policies. The references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: + product: azure service: azure.signinlogs detection: selection: diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml index cf322fa29..57fe151b9 100644 --- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml index 50dc3a56b..a57ffb160 100644 --- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: + product: azure service: azure.activitylogs detection: selection: 
diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml index 4449bb15a..e7f8fc61f 100644 --- a/rules/cloud/gcp/gcp_bucket_enumeration.yml +++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml @@ -7,6 +7,7 @@ date: 2021/08/14 references: - https://cloud.google.com/storage/docs/json_api/v1/buckets logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml index 13904bb8d..ac5017c9f 100644 --- a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/14 references: - https://cloud.google.com/storage/docs/json_api/v1/buckets logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml index c5d17b329..8ee23cf0c 100644 --- a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml @@ -7,6 +7,7 @@ date: 2021/08/15 references: - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml index 629dff399..9455782d4 100644 --- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/15 references: - https://cloud.google.com/dns/docs/reference/v1/managedZones logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml index 016a6bcbb..4cb33dd81 100644 
--- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -8,6 +8,7 @@ references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml index b2b9e0ef2..cd29c4055 100644 --- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml +++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml @@ -8,6 +8,7 @@ references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml index 58eaad19d..472ff97b5 100644 --- a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml @@ -11,6 +11,7 @@ references: - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml index c2bf97bfe..35f1ebda3 100644 --- a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml 
@@ -7,6 +7,7 @@ date: 2021/08/09 references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml index 447fd4dbc..c265f7c9d 100644 --- a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml +++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/14 references: - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml index f7dca8d86..b990d00a4 100644 --- a/rules/cloud/gcp/gcp_service_account_modified.yml +++ b/rules/cloud/gcp/gcp_service_account_modified.yml @@ -7,6 +7,7 @@ date: 2021/08/14 references: - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml index ca75927f8..c2693f286 100644 --- a/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/10/15 references: - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml index 65dfd6167..8171bb42a 100644 --- a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml 
@@ -7,6 +7,7 @@ date: 2021/08/16 references: - https://any-api.com/googleapis_com/compute/docs/vpnTunnels logsource: + product: gcp service: gcp.audit detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_application_removed.yml b/rules/cloud/gworkspace/gworkspace_application_removed.yml index 7ed765245..176b7f9f3 100644 --- a/rules/cloud/gworkspace/gworkspace_application_removed.yml +++ b/rules/cloud/gworkspace/gworkspace_application_removed.yml @@ -9,6 +9,7 @@ references: - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index 0b09904be..e177ee7d1 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -8,6 +8,7 @@ references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml index ec1798985..1221d88e2 100644 --- a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml +++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml 
@@ -10,6 +10,7 @@ references: - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml index e0bab12fd..18c23bc28 100644 --- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -8,6 +8,7 @@ references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml index 7a803146b..bbe666a6e 100644 --- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -8,6 +8,7 @@ references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index ffc061d08..802f60526 100644 --- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml 
@@ -8,6 +8,7 @@ references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE logsource: + product: google_workspace service: google_workspace.admin detection: selection: diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index c24d42b67..e9c4857d9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 7b3a72716..1b75ffd8e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9aa5ab394..34557397e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
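Review bot: Replacing `service: m365` with `product: m365` leaves the logsource of `microsoft365_activity_by_terminated_user.yml` as `category: ThreatManagement` plus a product with no `service`, so any backend configuration that selected these events by `service: m365` will stop matching; the same applies to the other eleven m365 hunks through `microsoft365_user_restricted_from_sending_email.yml`, including the ones that fold the `Office365` and `Microsoft365` spellings into `m365`. Nothing in the visible diff updates the mapping side, so it is worth confirming the shared backend configuration recognizes `product: m365` before merge. A logsource that no longer maps tends to surface as a missing index filter or an unconverted rule rather than a loud failure, so the check is cheap insurance.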
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 831a15ed6..b224f6014 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 9be142d81..bf3b9d459 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatDetection - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 68146567b..8531eaef5 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index b71a4344b..e9a282bd0 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
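Review bot: `microsoft365_from_suspicious_ip_addresses.yml` keeps `category: ThreatDetection` while every sibling m365 rule normalized in this commit carries `category: ThreatManagement`, and since the commit already rewrites this logsource block it is the natural place to settle whether the difference is intentional. If it is a typo, the fix is `category: ThreatManagement`; if it is real, a comment such as `# ThreatDetection is intentional; differs from sibling m365 rules` would keep the next normalization pass from changing it.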
@@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index b5571ef94..936b3c708 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 513e4f1b0..61f478323 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 6dbc4be42..df7d6e742 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml index 53bbf8ff2..84e368e0f 100644 --- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml index b969efece..c0c02669d 100644 --- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml index 7f3377013..32b496a79 100644 --- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml index 4969a8468..a39c3ae70 100644 --- a/rules/cloud/okta/okta_api_token_created.yml +++ b/rules/cloud/okta/okta_api_token_created.yml 
@@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml index ba2f81b9d..644f1aea5 100644 --- a/rules/cloud/okta/okta_api_token_revoked.yml +++ b/rules/cloud/okta/okta_api_token_revoked.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml index 078c764be..35cbd1b95 100644 --- a/rules/cloud/okta/okta_application_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml index aaccaad3d..0520ddd6b 100644 --- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml index acc04ac8c..69185811f 100644 --- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml +++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml 
@@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index 273d8713a..b4f6adf83 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml index fb4aa5b21..247901b96 100644 --- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 278171ebb..9a1ab4bf7 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml index 8e754c450..eedd79768 100644 --- a/rules/cloud/okta/okta_security_threat_detected.yml +++ b/rules/cloud/okta/okta_security_threat_detected.yml 
@@ -10,6 +10,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml index 103050241..69480d462 100644 --- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml +++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml index 7acd02c01..21b4c7ed2 100644 --- a/rules/cloud/okta/okta_user_account_locked_out.yml +++ b/rules/cloud/okta/okta_user_account_locked_out.yml @@ -9,6 +9,7 @@ references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ logsource: + product: okta service: okta detection: selection: diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml index 51fb2fd7f..4180492a2 100644 --- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml +++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml @@ -8,6 +8,7 @@ modified: 2021/10/12 references: - https://developers.onelogin.com/api-docs/1/events/event-resource logsource: + product: onelogin service: onelogin.events detection: selection: diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml index d43ddf3bc..17878b511 100644 --- a/rules/cloud/onelogin/onelogin_user_account_locked.yml +++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml 
@@ -8,6 +8,7 @@ modified: 2021/10/12
 references:
 - https://developers.onelogin.com/api-docs/1/events/event-resource/
 logsource:
+ product: onelogin
 service: onelogin.events
 detection:
 selection1: # Locked via API
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
new file mode 100644
index 000000000..399741fc4
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
@@ -0,0 +1,27 @@
+title: Loading of Kernel Module via Insmod
+id: 106d7cbd-80ff-4985-b682-a7043e5acb72
+status: experimental
+description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
+author: 'Pawel Mazur'
+date: 2021/11/02
+references:
+ - https://attack.mitre.org/techniques/T1547/006/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
+ - https://linux.die.net/man/8/insmod
+ - https://man7.org/linux/man-pages/man8/kmod.8.html
+logsource:
+ product: linux
+ service: auditd
+detection:
+ insmod:
+ type: 'SYSCALL'
+ comm: insmod
+ exe: /usr/bin/kmod
+ condition: insmod
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1547.006
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
index d98c1a541..29fe14e15 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
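Review bot: The new rule in lnx_auditd_load_module_insmod.yml pins the `exe` field to the single path `/usr/bin/kmod`, so hosts where insmod resolves to kmod under a different prefix (a non-merged `/bin` or `/sbin` layout, for instance) produce an otherwise identical SYSCALL record that never matches; a suffix match such as `exe|endswith: '/kmod'` is more portable. The rule also keys only on `comm: insmod`, which misses the same kernel-module load performed through modprobe and depends on the process name rather than on what the process did. Matching the module-loading syscalls (init_module/finit_module) would cover both tools, and since a SYSCALL record only exists when an audit rule is installed for those syscalls, a `definition:` line stating that requirement would help whoever deploys the rule.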
@@ -3,6 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
 description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
 status: experimental
 date: 2021/09/17
+modified: 2021/11/11
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.privilege_escalation
@@ -20,7 +21,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- SYSCALL: 'execve'
+ syscall: 'execve'
 uid: '0'
 cwd: '/var/opt/microsoft/scx/tmp'
 comm: 'sh'
@@ -28,4 +29,3 @@ detection:
 falsepositives:
 - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
 level: high
-
diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
index ec9ede5a7..4d3c28203 100644
--- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
@@ -2,23 +2,39 @@ title: Password Policy Discovery
 id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
 status: stable
 description: Detects password policy discovery commands
-author: Ömer Günal, oscd.community
+author: Ömer Günal, oscd.community, Pawel Mazur
 date: 2020/10/08
-modified: 2021/09/14
+modified: 2021/11/12
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
+ - https://attack.mitre.org/techniques/T1201/
+ - https://linux.die.net/man/1/chage
+ - https://man7.org/linux/man-pages/man1/passwd.1.html
+ - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
 logsource:
 product: linux
 service: auditd
 detection:
- selection:
+ files:
 type: 'PATH'
 name:
 - '/etc/pam.d/common-password'
 - '/etc/security/pwquality.conf'
 - '/etc/pam.d/system-auth'
 - '/etc/login.defs'
- condition: selection
+ chage:
+ type: 'EXECVE'
+ a0: 'chage'
+ a1:
+ - '--list'
+ - '-l'
+ passwd:
+ type: 'EXECVE'
+ a0: 'passwd'
+ a1:
+ - '-S'
+ - '--status'
+ condition: files or chage or passwd
 falsepositives:
 - Legitimate administration activities
 level: low
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 32b3c16f5..69a36bdc0 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -4,17 +4,16 @@ status: experimental
 description: Detects possible command execution by web application/web shell
 author: Ilyas Ochkov, Beyu Denis, oscd.community
 date: 2019/10/12
-modified: 2019/11/04
+modified: 2021/11/11
 references:
 - personal experience
-
 logsource:
 product: linux
 service: auditd
 detection:
 selection:
 type: 'SYSCALL'
- SYSCALL: 'execve'
+ syscall: 'execve'
 key: 'detect_execve_www'
 condition: selection
 falsepositives:
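Review bot: In the new `chage` and `passwd` selections of lnx_auditd_password_policy_discovery.yml, `a0: 'chage'` and `a0: 'passwd'` are exact matches on argv[0] of the EXECVE record, so an invocation by absolute path (argv[0] of `/usr/bin/chage`) is not matched even though it is the same command; `a0|endswith: 'chage'` and `a0|endswith: 'passwd'` cover both forms. The `a1` lists likewise assume the option is the first argument, which holds for the usual `chage -l user` form but not when the login name is given first. If that limitation is accepted, a short comment on each selection saying so would save the next maintainer from re-deriving it.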
diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
similarity index 100%
rename from rules/linux/lnx_apt_equationgroup_lnx.yml
rename to rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml
similarity index 100%
rename from rules/linux/lnx_buffer_overflows.yml
rename to rules/linux/builtin/lnx_buffer_overflows.yml
diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
similarity index 100%
rename from rules/linux/lnx_clear_syslog.yml
rename to rules/linux/builtin/lnx_clear_syslog.yml
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml
similarity index 100%
rename from rules/linux/lnx_file_copy.yml
rename to rules/linux/builtin/lnx_file_copy.yml
diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
similarity index 100%
rename from rules/linux/lnx_ldso_preload_injection.yml
rename to rules/linux/builtin/lnx_ldso_preload_injection.yml
diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml
similarity index 100%
rename from rules/linux/lnx_proxy_connection.yml
rename to rules/linux/builtin/lnx_proxy_connection.yml
diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/builtin/lnx_setgid_setuid.yml
similarity index 100%
rename from rules/linux/lnx_setgid_setuid.yml
rename to rules/linux/builtin/lnx_setgid_setuid.yml
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
similarity index 100%
rename from rules/linux/lnx_shell_clear_cmd_history.yml
rename to rules/linux/builtin/lnx_shell_clear_cmd_history.yml
diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/builtin/lnx_shell_priv_esc_prep.yml
similarity index 100%
rename from rules/linux/lnx_shell_priv_esc_prep.yml
rename to rules/linux/builtin/lnx_shell_priv_esc_prep.yml
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_commands.yml
rename to rules/linux/builtin/lnx_shell_susp_commands.yml
diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_log_entries.yml
rename to rules/linux/builtin/lnx_shell_susp_log_entries.yml
diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_rev_shells.yml
rename to rules/linux/builtin/lnx_shell_susp_rev_shells.yml
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
similarity index 100%
rename from rules/linux/lnx_shellshock.yml
rename to rules/linux/builtin/lnx_shellshock.yml
diff --git a/rules/linux/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
similarity index 100%
rename from rules/linux/lnx_space_after_filename_.yml
rename to rules/linux/builtin/lnx_space_after_filename_.yml
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
similarity index 100%
rename from rules/linux/lnx_sudo_cve_2019_14287.yml
rename to rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
similarity index 93%
rename from rules/linux/lnx_sudo_cve_2019_14287_user.yml
rename to rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
index d49f5e9c1..96afaf522 100644
--- a/rules/linux/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
@@ -7,13 +7,14 @@ status: experimental
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
 author: Florian Roth
 date: 2019/10/15
-modified: 2021/09/14
+modified: 2021/11/11
 references:
 - https://www.openwall.com/lists/oss-security/2019/10/14/1
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
 logsource:
 product: linux
+ service: sudo
 tags:
 - attack.privilege_escalation
 - attack.t1068
diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
similarity index 100%
rename from rules/linux/lnx_susp_jexboss.yml
rename to rules/linux/builtin/lnx_susp_jexboss.yml
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
similarity index 100%
rename from rules/linux/lnx_symlink_etc_passwd.yml
rename to rules/linux/builtin/lnx_symlink_etc_passwd.yml
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
similarity index 100%
rename from rules/linux/macos_emond_launch_daemon.yml
rename to rules/linux/macos/file_event/macos_emond_launch_daemon.yml
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos/file_event/macos_startup_items.yml
similarity index 100%
rename from rules/linux/macos_startup_items.yml
rename to rules/linux/macos/file_event/macos_startup_items.yml
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos/process_creation/macos_applescript.yml
similarity index 100%
rename from rules/linux/macos_applescript.yml
rename to rules/linux/macos/process_creation/macos_applescript.yml
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos/process_creation/macos_base64_decode.yml
similarity index 100%
rename from rules/linux/macos_base64_decode.yml
rename to rules/linux/macos/process_creation/macos_base64_decode.yml
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos/process_creation/macos_binary_padding.yml
similarity index 100%
rename from rules/linux/macos_binary_padding.yml
rename to rules/linux/macos/process_creation/macos_binary_padding.yml
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos/process_creation/macos_change_file_time_attr.yml
similarity index 100%
rename from rules/linux/macos_change_file_time_attr.yml
rename to rules/linux/macos/process_creation/macos_change_file_time_attr.yml
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos/process_creation/macos_clear_system_logs.yml
similarity index 93%
rename from rules/linux/macos_clear_system_logs.yml
rename to rules/linux/macos/process_creation/macos_clear_system_logs.yml
index 4df611653..0c554bba2 100644
--- a/rules/linux/macos_clear_system_logs.yml
+++ b/rules/linux/macos/process_creation/macos_clear_system_logs.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects deletion of local audit logs
 author: remotephone, oscd.community
 date: 2020/10/11
-modified: 2021/08/14
+modified: 2021/11/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
 logsource:
@@ -16,7 +16,7 @@ detection:
 selection2:
 CommandLine|contains: '/var/log'
 selection3:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - '/Users/'
 - '/Library/Logs/'
 condition: selection1 and (selection2 or selection3)
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
similarity index 100%
rename from rules/linux/macos_create_account.yml
rename to rules/linux/macos/process_creation/macos_create_account.yml
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos/process_creation/macos_create_hidden_account.yml
similarity index 100%
rename from rules/linux/macos_create_hidden_account.yml
rename to rules/linux/macos/process_creation/macos_create_hidden_account.yml
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
similarity index 100%
rename from rules/linux/macos_creds_from_keychain.yml
rename to rules/linux/macos/process_creation/macos_creds_from_keychain.yml
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos/process_creation/macos_disable_security_tools.yml
similarity index 100%
rename from rules/linux/macos_disable_security_tools.yml
rename to rules/linux/macos/process_creation/macos_disable_security_tools.yml
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
similarity index 100%
rename from rules/linux/macos_file_and_directory_discovery.yml
rename to rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos/process_creation/macos_find_cred_in_files.yml
similarity index 100%
rename from rules/linux/macos_find_cred_in_files.yml
rename to rules/linux/macos/process_creation/macos_find_cred_in_files.yml
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
similarity index 92%
rename from rules/linux/macos_gui_input_capture.yml
rename to rules/linux/macos/process_creation/macos_gui_input_capture.yml
index 22b42e1c4..99a94a524 100644
--- a/rules/linux/macos_gui_input_capture.yml
+++ b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects attempts to use system dialog prompts to capture user credentials
 author: remotephone, oscd.community
 date: 2020/10/13
+modified: 2021/11/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
 - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
@@ -15,13 +16,13 @@ detection:
 Image:
 - '/usr/sbin/osascript'
 selection2:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - '-e'
 - 'display'
 - 'dialog'
 - 'answer'
 selection3:
- Commandline|contains:
+ CommandLine|contains:
 - 'admin'
 - 'administrator'
 - 'authenticate'
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml
similarity index 100%
rename from rules/linux/macos_local_account.yml
rename to rules/linux/macos/process_creation/macos_local_account.yml
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml
similarity index 100%
rename from rules/linux/macos_local_groups.yml
rename to rules/linux/macos/process_creation/macos_local_groups.yml
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos/process_creation/macos_network_service_scanning.yml
similarity index 100%
rename from rules/linux/macos_network_service_scanning.yml
rename to rules/linux/macos/process_creation/macos_network_service_scanning.yml
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos/process_creation/macos_network_sniffing.yml
similarity index 100%
rename from rules/linux/macos_network_sniffing.yml
rename to rules/linux/macos/process_creation/macos_network_sniffing.yml
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
similarity index 100%
rename from rules/linux/macos_remote_system_discovery.yml
rename to rules/linux/macos/process_creation/macos_remote_system_discovery.yml
diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
similarity index 100%
rename from rules/linux/macos_schedule_task_job_cron.yml
rename to rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos/process_creation/macos_screencapture.yml
similarity index 100%
rename from rules/linux/macos_screencapture.yml
rename to rules/linux/macos/process_creation/macos_screencapture.yml
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos/process_creation/macos_security_software_discovery.yml
similarity index 100%
rename from rules/linux/macos_security_software_discovery.yml
rename to rules/linux/macos/process_creation/macos_security_software_discovery.yml
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
similarity index 100%
rename from rules/linux/macos_split_file_into_pieces.yml
rename to rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
similarity index 100%
rename from rules/linux/macos_susp_histfile_operations.yml
rename to rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml
similarity index 100%
rename from rules/linux/macos_suspicious_macos_firmware_activity.yml
rename to rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
similarity index 100%
rename from rules/linux/macos_system_network_connections_discovery.yml
rename to rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
similarity index 96%
rename from rules/linux/macos_system_network_discovery.yml
rename to rules/linux/macos/process_creation/macos_system_network_discovery.yml
index 40b2f33d5..cc4278175 100644
--- a/rules/linux/macos_system_network_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
@@ -20,7 +20,7 @@ detection:
 - '/usr/sbin/arp'
 selection2:
 Image: '/usr/bin/defaults'
- Commandline|contains|all:
+ CommandLine|contains|all:
 - 'read'
 - '/Library/Preferences/com.apple.alf'
 condition: selection1 or selection2
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
similarity index 100%
rename from rules/linux/macos_system_shutdown_reboot.yml
rename to rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
similarity index 100%
rename from rules/linux/macos_xattr_gatekeeper_bypass.yml
rename to rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/other/lnx_clamav.yml
similarity index 100%
rename from rules/linux/lnx_clamav.yml
rename to rules/linux/other/lnx_clamav.yml
diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
similarity index 100%
rename from rules/linux/lnx_security_tools_disabling_syslog.yml
rename to rules/linux/other/lnx_security_tools_disabling_syslog.yml
diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/other/lnx_ssh_cve_2018_15473.yml
similarity index 100%
rename from rules/linux/lnx_ssh_cve_2018_15473.yml
rename to rules/linux/other/lnx_ssh_cve_2018_15473.yml
diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/other/lnx_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules/linux/lnx_susp_failed_logons_single_source.yml
rename to rules/linux/other/lnx_susp_failed_logons_single_source.yml
diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/other/lnx_susp_guacamole.yml
similarity index 100%
rename from rules/linux/lnx_susp_guacamole.yml
rename to rules/linux/other/lnx_susp_guacamole.yml
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml
similarity index 100%
rename from rules/linux/lnx_susp_named.yml
rename to rules/linux/other/lnx_susp_named.yml
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml
similarity index 100%
rename from rules/linux/lnx_susp_ssh.yml
rename to rules/linux/other/lnx_susp_ssh.yml
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml
similarity index 100%
rename from rules/linux/lnx_susp_vsftp.yml
rename to rules/linux/other/lnx_susp_vsftp.yml
diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml
index 573b6aeff..5288f13df 100644
--- a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml
+++ b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml
@@ -20,7 +20,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- user: root
+ User: root
 LogonId: '0'
 CurrentDirectory: '/var/opt/microsoft/scx/tmp'
 CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml
index f53b0ff6d..5e9c8b81b 100644
--- a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml
@@ -20,7 +20,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- user: root
+ User: root
 LogonId: '0'
 CurrentDirectory: '/var/opt/microsoft/scx/tmp'
 CommandLine|contains: '/bin/sh'
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 3775bc795..05716fee9 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -11,11 +11,13 @@ references:
 logsource:
 category: dns
 detection:
- selection:
+ selection1:
 query|startswith:
 - 'aaa.stage.'
 - 'post.1'
- condition: selection
+ selection2:
+ query|contains: '.stage.123456.'
+ condition: 1 of them
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index 2c98984e8..e8b7378fd 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -6,7 +6,7 @@ references:
 - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
 date: 2020/05/03
-modified: 2020/09/02
+modified: 2021/11/14
 tags:
 - attack.discovery
 - attack.t1087 # an old one
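Review bot: The new `selection2` in net_mal_dns_cobaltstrike.yml matches the literal `.stage.123456.`, which is the stock value of the Malleable C2 `dns_stager_subhost` option, so the rule only catches DNS stagers from profiles that kept the default; a profile that sets its own subhost produces no match and the `critical` level should be read with that in mind. That scope belongs on the line, e.g. `query|contains: '.stage.123456.' # default dns_stager_subhost; customised profiles will not match`, and the description could state it as well so tuning does not mistake the absence of hits for coverage.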
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 242a62d9f..0b20b2bce 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -44,7 +44,7 @@ detection:
 - '137'
 - '138'
 - '139'
- condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
+ condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
 falsepositives:
 - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
 - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
index c4eb70960..b02c7e6a9 100644
--- a/rules/network/zeek/zeek_http_webdav_put_request.yml
+++ b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -17,7 +17,7 @@ detection:
 user_agent|contains: 'WebDAV'
 method: 'PUT'
 filter:
- id_resp_h:
+ id.resp_h:
 - 192.168.0.0/16
 - 172.16.0.0/12
 - 10.0.0.0/8
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index c0b70992b..8b2f1a02f 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -8,13 +8,14 @@ tags:
 - attack.t1021 # an old one
 - attack.t1021.001
 author: 'Josh Brower @DefensiveDepth'
-date: 2020/08/22
+date: 2020/08/22
+modified: 2021/11/14
 logsource:
 product: zeek
 service: rdp
 detection:
 selection:
- src_ip|startswith:
+ id.orig_h|startswith:
 - '192.168.'
 - '10.'
 - '172.16.'
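Review bot: In zeek_http_webdav_put_request.yml the renamed `id.resp_h` filter still lists CIDR ranges (`192.168.0.0/16`, `172.16.0.0/12`, `10.0.0.0/8`) as plain values, so a backend compares the responder address string for equality with the range text and the filter never excludes anything; Sigma's `cidr` modifier expresses the intent, i.e. `id.resp_h|cidr:` over the same three ranges. The same RFC 1918 handling applies to the `id.orig_h|startswith` list in zeek_rdp_public_listener.yml on this line, where `'172.16.'` covers only 172.16.0.0/16 rather than the whole 172.16.0.0/12 block and `'10.'` would also match any value that merely begins with those characters; `id.orig_h|cidr` with `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16` removes both gaps.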
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
index 419c0f120..75b258d15 100644
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -4,17 +4,20 @@ status: experimental
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 author: Florian Roth
 date: 2021/05/06
+modified: 2021/11/02
 references:
 - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
 logsource:
 category: proxy
 detection:
- selection:
+ selection1:
 c-useragent:
- - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
- - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
- - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
- condition: selection
+ - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
+ - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
+ - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+ selection2:
+ c-useragent|endswith: '; MANM; MANM)'
+ condition: 1 of them
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index a2cddf48a..90269aed6 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -6,13 +6,15 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter author: Markus Neis date: 2018/08/26 +modified: 2021/11/13 tags: - attack.credential_access - attack.t1003 # an old one # Defender Attack Surface Reduction - attack.t1003.001 logsource: - product: windows_defender + product: windows + service: windefend definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' detection: selection:
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
index f2fb29d7d..de445a56a 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
 product: windows
- service: Microsoft-ServiceBus-Client
+ service: microsoft-servicebus-client
 detection:
 selection:
 EventID:
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
index 043bcf55b..0f746e487 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 related:
 - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references"
+references:
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
index 431a01fca..49ec46136 100644
--- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -10,13 +10,14 @@ tags:
 - car.2013-07-002
 author: Florian Roth (rule), Adam Bradbury (idea)
 date: 2019/06/02
+modified: 2021/11/12
 logsource:
 product: windows
 service: security
 detection:
 selection:
 EventID: 4625
- AccountName: AAAAAAA
+ TargetUserName: AAAAAAA
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index bf753fdca..e83eeec7e 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
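Review bot: The reference URL added to win_invoke_obfuscation_obfuscated_iex_services_security.yml keeps a stray trailing double quote (`...Out-ObfuscatedStringCommand.ps1#L873-L888"`), carried over from the quoted description it was moved out of; as a YAML plain scalar the quote becomes part of the value, so the link is broken wherever the references are rendered or checked. The line should read `  - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888`.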
@@ -3,6 +3,7 @@ id: 13addce7-47b2-4ca0-a98f-1de964d1d669
 description: Detects non-system users failing to get a handle of the SCM database.
 status: experimental
 date: 2019/08/12
+modified: 2021/11/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
@@ -15,8 +16,8 @@ detection:
 selection:
 EventID: 4656
 ObjectType: 'SC_MANAGER OBJECT'
- ObjectName: 'servicesactive'
- Keywords: "Audit Failure"
+ ObjectName: 'ServicesActive'
+ #Keywords: "Audit Failure" <-> in the ref "Keywords":-9214364837600034816
 filter:
 SubjectLogonId: "0x3e4"
 condition: selection and not filter
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
index 4a728edbc..0aec83b3b 100644
--- a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -1,9 +1,10 @@
-title: Set OabVirtualDirectory ExternalUrl Property
+title: Exchange Set OabVirtualDirectory ExternalUrl Property
 id: 9db37458-4df2-46a5-95ab-307e7f29e675
-description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
+description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
 author: Jose Rodriguez @Cyb3rPandaH
 status: experimental
 date: 2021/03/15
+modified: 2021/11/15
 references:
 - https://twitter.com/OTR_Community/status/1371053369071132675
 tags:
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index b2379beb5..c5b66905d 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
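Review bot: Commenting out `Keywords: "Audit Failure"` in win_scm_database_handle_failure.yml removes the only criterion that limits the match to failed handle requests, so successful 4656 opens of the SC_MANAGER object by any logon other than the filtered `0x3e4` now fire as well, which contradicts the description ("failing to get a handle") and will raise the false-positive rate on ordinary service-management activity. If the textual keyword does not match in the source data, the numeric value the new comment cites from the reference should be matched in its place rather than the criterion dropped, with the comment kept on the line to explain the representation; otherwise the description and level need to be brought in line with the wider scope.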
@@ -4,8 +4,9 @@ description: This method uses uncommon error codes on failed logons to determine restricted. author: Florian Roth date: 2017/02/19 -modified: 2020/08/23 +modified: 2021/10/29 references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 tags: - attack.persistence @@ -28,7 +29,9 @@ detection: - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine - condition: selection + filter: + SubjectUserSid: 'S-1-0-0' + condition: selection and not filter falsepositives: - User using a disabled account level: high diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 595a57420..3a987cbb2 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -6,7 +6,7 @@ references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2020/10/05 -modified: 2021/07/07 +modified: 2021/11/12 tags: - attack.t1078 - attack.lateral_movement @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 4648 - Image|endswith: + ProcessName|endswith: - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2856705cd..4b6ab1faf 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml 
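Review bot: The new `filter: SubjectUserSid: 'S-1-0-0'` in the second hunk suppresses every 4625 whose subject is the NULL SID and carries no comment saying what it is meant to exclude; in my experience remote/network logon failures are frequently recorded with `S-1-0-0` as the subject, so this may drop exactly the failures with unusual status codes the rule describes. Suggest verifying against the newly added event-4625 reference and, if the exclusion is intentional, documenting it inline, e.g. `filter:  # NULL SID subject: <what this excludes and why>`. The `selection` block this filter is combined with starts outside the hunk.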
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2021/04/19 +modified: 2021/11/09 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -53,6 +53,9 @@ detection: - '\minionhost.exe' # Cyberreason - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR + - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - '\svchost.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml index 1bd0ff71f..8b6e3dee2 100644 --- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml +++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml @@ -7,13 +7,12 @@ references: status: experimental author: '@SBousseaden (detection), Thomas Patzke (rule)' date: 2019/02/01 -modified: 2020/08/28 +modified: 2021/11/12 logsource: product: windows category: create_remote_thread detection: selection: - EventID: 8 SourceImage|endswith: - '\System32\cscript.exe' - '\System32\wscript.exe' diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml index d1262e1f7..081bd0b01 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml 
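Review bot: `- '\svchost.exe'` is added to the exclusion list by name only, so under an `endswith` match any process with that file name in any directory is exempted from LSASS-access alerting — unless the `ProcessName|startswith` keys that follow belong to the same map, which the hunk does not show. The sibling change to sysmon_cred_dump_lsass_access in this commit anchors the same exemption to `'C:\Windows\System32\svchost.exe'` and limits it to specific `GrantedAccess` values; the same anchoring here would keep the allowlist consistent. A comment naming the observed access masks would also help future tuning. The enclosing filter definition starts outside the hunk.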
@@ -6,12 +6,12 @@ author: Florian Roth references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html date: 2018/06/25 +modified: 2021/11/12 logsource: product: windows category: create_remote_thread detection: selection: - EventID: 8 SourceImage|endswith: '\powershell.exe' TargetImage|endswith: '\rundll32.exe' condition: selection diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml new file mode 100644 index 000000000..42fc9bc23 --- /dev/null +++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml @@ -0,0 +1,30 @@ +title: Suspicious Cobalt Strike DNS Beaconing +id: f356a9c4-effd-4608-bbf8-408afd5cd006 +status: experimental +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +author: Florian Roth +date: 2021/11/09 +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +tags: + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +logsource: + product: windows + category: dns_query +detection: + selection1: + QueryName|startswith: + - 'aaa.stage.' + - 'post.1' + selection2: + QueryName|contains: '.stage.123456.' + condition: 1 of them +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: critical diff --git a/rules/network/net_susp_ipify.yml b/rules/windows/dns_query/dns_net_susp_ipify.yml similarity index 100% rename from rules/network/net_susp_ipify.yml rename to rules/windows/dns_query/dns_net_susp_ipify.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 76fb665b7..3803a7313 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml 
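Review bot: The three `QueryName` patterns in the new Cobalt Strike rule carry no comments saying which beacon setting each reflects, so a tuner cannot tell whether they are tool defaults that may vary in the wild; add a short comment per value, e.g. `- 'aaa.stage.'  # default DNS beacon prefix, see sekoia reference`. `QueryName|startswith: 'post.1'` is a very short prefix that legitimate hostnames beginning with `post.1…` would also match, which at `level: critical` deserves a corresponding false-positive entry rather than `Unknown`.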
@@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/10/14 +modified: 2021/11/10 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -26,7 +26,7 @@ logsource: category: driver_load detection: selection: - ImagePath|contains: + ImageLoaded|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' diff --git a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml similarity index 89% rename from rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml rename to rules/windows/edr/edr_command_execution_by_office_applications.yml index 19133d219..d8496c10d 100644 --- a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml +++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml @@ -1,4 +1,4 @@ -title: WMI Command Execution by Office Applications +title: EDR WMI Command Execution by Office Applications id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: @@ -13,9 +13,10 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: EndPoint Detection Logs - category: process_creation + product: windows + category: edr detection: #useful_information: Add more office applications to the rule logic of choice selection1: diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml index 35b0c8cec..1aae4f62e 100644 --- a/rules/windows/file_event/file_event_hktl_createminidump.yml 
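Review bot: `category: edr` in the renamed Office/WMI rule is not one of the generic Sigma categories that backend configs commonly map, so after moving away from `category: process_creation` the rule may no longer convert without a custom logsource mapping; the repository's config is not visible here, so this is a check rather than a certainty. If the intent is a generic EDR process-creation source, consider keeping `category: process_creation` and expressing the EDR scope in `definition:` or the title.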
+++ b/rules/windows/file_event/file_event_hktl_createminidump.yml @@ -1,5 +1,6 @@ title: CreateMiniDump Hacktool id: db2110f3-479d-42a6-94fb-d35bc1e46492 +status: deprecated related: - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d type: derived diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml new file mode 100644 index 000000000..86008a310 --- /dev/null +++ b/rules/windows/file_event/file_event_lsass_dump.yml @@ -0,0 +1,32 @@ +title: LSASS Process Memory Dump Files +id: a5a2d357-1ab8-4675-a967-ef9990a59391 +related: + - id: db2110f3-479d-42a6-94fb-d35bc1e46492 + type: obsoletes +description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials +author: Florian Roth +references: + - https://www.google.com/search?q=procdump+lsass +date: 2021/11/15 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one +logsource: + product: windows + category: file_event +detection: + selection1: + TargetFilename|endswith: + - '\lsass.dmp' + - '\lsass.zip' + - '\lsass.rar' + selection2: + TargetFilename|contains: + - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - '\lsassdump' + - '\lsassdmp' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml new file mode 100644 index 000000000..4aadcd2fc --- /dev/null +++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml 
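Review bot: The new LSASS dump-file rule has no `status:` field, unlike the other rules added in this commit (`status: experimental` / `status: test`); add `status: experimental`. The `'\lsass_2'` pattern only matches procdump default names whose two-digit year begins with 2, i.e. through 2029 — extend the comment to `# default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp; matches years 20-29 only` or widen the match. The file also ends without a trailing newline, which other hunks in this commit fix for existing rules.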
@@ -0,0 +1,21 @@ +title: Mimikatz Kirbi File Creation +id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 +status: test +description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz +author: Florian Roth +references: + - https://cobalt.io/blog/kerberoast-attack-techniques +date: 2021/11/08 +tags: + - attack.credential_access + - attack.t1558 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '.kirbi' + condition: selection +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index e5da93512..6c4745fe3 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml @@ -13,29 +13,30 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: - product: Windows - category: file_event + product: windows + category: file_event detection: - #useful_information: Please add more file extensions to the logic of your choice. - selection1: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection2: - TargetFileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - condition: selection1 and selection2 + #useful_information: Please add more file extensions to the logic of your choice. + selection1: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection2: + TargetFilename|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high 
diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml new file mode 100644 index 000000000..40e5b8f90 --- /dev/null +++ b/rules/windows/file_event/file_event_susp_task_write.yml @@ -0,0 +1,24 @@ +title: Suspicious Scheduled Task Writ to System32 Tasks +id: 80e1f67a-4596-4351-98f5-a9c3efabac95 +status: experimental +description: +references: + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ +author: Florian Roth +date: 2021/11/16 +tags: + - attack.persistence +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: '\Windows\System32\Tasks' + Image|contains: + - '\AppData\' + - 'C:\PerfLogs' + - '\Windows\System32\config\systemprofile' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index d4f1dcd25..13bf248d4 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -1,10 +1,13 @@ title: In-memory PowerShell id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f +related: + - id: 867613fb-fa60-4497-a017-a82df74a172c + type: obsoletes status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. -author: Tom Kern, oscd.community, Natalia Shornikova +author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton date: 2019/11/14 -modified: 2020/10/12 +modified: 2021/11/11 references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll 
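Review bot: `description:` is left empty and the title has a typo (`Writ`); suggest `title: Suspicious Scheduled Task Write to System32 Tasks` and a description along the lines of `description: Detects the creation of a scheduled task file under System32\Tasks by a process running from a user-writable or otherwise unusual location`. The `tags` list could also carry the sub-technique `attack.t1053.005` alongside `attack.persistence`, matching the tagging style of the other rules in this commit.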
@@ -33,10 +36,12 @@ detection: - '\syncappvpublishingserver.exe' - '\runscripthelper.exe' - '\ServerManager.exe' + - '\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe' # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM condition: selection and not filter falsepositives: - Used by some .NET binaries, minimal on user workstation. + - Used by Microsoft SQL Server Management Studio level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml deleted file mode 100755 index 111759c39..000000000 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: PowerShell Execution -id: 867613fb-fa60-4497-a017-a82df74a172c -description: Detects execution of PowerShell -status: experimental -date: 2019/09/12 -modified: 2019/11/10 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 -logsource: - category: image_load - product: windows -detection: - selection: - Description: 'System.Management.Automation' - ImageLoaded|contains: 'System.Management.Automation' - condition: selection -fields: - - ComputerName - - Image - - ProcessID - - ImageLoaded -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml index 771952fe7..b32e11ac3 100644 --- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml +++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml 
@@ -3,6 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture. status: experimental date: 2020/05/02 +modified: 2021/11/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -17,7 +18,9 @@ detection: selection: ImageLoaded|endswith: '\System.Drawing.ni.dll' filter: - Image|endswith: '\WmiPrvSE.exe' + Image|endswith: + - '\WmiPrvSE.exe' + - '\mmc.exe' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 68b9041f4..022931277 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -1,9 +1,7 @@ title: Load of dbghelp/dbgcore DLL from Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 status: experimental -description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump - API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and - transfer it over the network back to the attacker's machine. +description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. date: 2019/10/27 modified: 2020/08/23 author: Perez Diego (@darkquassar), oscd.community, Ecco 
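Review bot: `- '\mmc.exe'` is added to the filter with an `endswith` match, so any binary named mmc.exe in any directory is excluded from the System.Drawing load alert; the uipromptforcreds filter added in the same commit anchors its exclusion to `Image: 'C:\Windows\System32\Taskmgr.exe'`, and the same treatment here (`- 'C:\Windows\System32\mmc.exe'`) would keep the exemption to the system copy. A short comment on the snap-in scenario in which mmc.exe loads System.Drawing would help later tuning.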
@@ -26,7 +24,7 @@ detection: Image|endswith: - '\msbuild.exe' - '\cmd.exe' - - '\svchost.exe' + # - '\svchost.exe' - '\rundll32.exe' - '\powershell.exe' - '\word.exe' @@ -35,7 +33,7 @@ detection: - '\outlook.exe' - '\monitoringhost.exe' - '\wmic.exe' - # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert + # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - '\bash.exe' - '\wscript.exe' - '\cscript.exe' @@ -50,10 +48,10 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: "FALSE" - filter: + Signed: 'FALSE' + filter1: Image|contains: 'Visual Studio' - condition: (signedprocess and not filter) or (unsignedprocess and not filter) + condition: (signedprocess and not filter1) or (unsignedprocess and not filter1) fields: - ComputerName - User diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index ae9420ad8..d5513ece8 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,6 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 +modified: 2021/11/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -23,7 +24,9 @@ detection: - OriginalFileName: - 'credui.dll' - 'wincredui.dll' - condition: selection + filter: + Image: 'C:\Windows\System32\Taskmgr.exe' + condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment. level: medium diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 57d3ade28..d983e294b 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml 
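Review bot: `# - '\svchost.exe'` is disabled without a reason, while the neighbouring `# - '\msiexec.exe'` line documents why it is excluded; record the rationale inline so the coverage change is reviewable later, e.g. `# - '\svchost.exe'  # disabled: <noise observed / reason>`. The enclosing `signedprocess` selection starts outside the hunk. The `filter` → `filter1` rename and the quote normalisation on `Signed` are fine.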
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 -modified: 2021/08/18 +modified: 2021/11/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html @@ -38,6 +38,11 @@ detection: - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 + - 'C:\Windows\Sysmon64.exe' + - 'C:\Windows\Sysmon.exe' + - 'C:\Windows\System32\wbem\unsecapp.exe' + - '\logman.exe' + - '\nvcontainer.exe' condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml index 312770122..2cfe298b0 100644 --- a/rules/windows/malware/registry_event_mal_ursnif.yml +++ b/rules/windows/malware/registry_event_mal_ursnif.yml @@ -10,7 +10,7 @@ tags: - attack.t1112 author: megan201296 date: 2019/02/13 -modified: 2021/10/28 +modified: 2021/11/15 logsource: product: windows category: registry_event @@ -22,6 +22,7 @@ detection: - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\' - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\' - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\' + - '\SOFTWARE\AppDataLow\Software\Microsoft\Edge\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index ab68f0b04..4dad7b038 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml 
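Review bot: The new exclusions mix path-anchored entries (`'C:\Windows\Sysmon64.exe'`, `'C:\Windows\System32\wbem\unsecapp.exe'`) with name-only ones (`'\logman.exe'`, `'\nvcontainer.exe'`) in what appears to be an `endswith` list, so the latter two exempt any binary with that name anywhere on disk; anchor them like the others where the legitimate path is known. The Sysmon entries assume the default service binary name — deployments that install Sysmon under another name are not covered by this exclusion, which is worth a comment. The enclosing filter starts outside the hunk.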
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\msbuild.exe' + Image|endswith: '\msbuild.exe' filter: DestinationPort: - '80' diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml new file mode 100644 index 000000000..716f240ab --- /dev/null +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml 
@@ -0,0 +1,47 @@ +title: Excel Network Connections +id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 +status: experimental +description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0" +date: 2021/11/10 +references: + - https://corelight.com/blog/detecting-cve-2021-42292 +tags: + - attack.execution + - attack.t1203 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: '\excel.exe' + Initiated: 'true' + DestinationIsIpv6: 'false' + filter: + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.0.0.1' + DestinationIsIpv6: 'false' + condition: selection and not filter +falsepositives: + - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. + - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned. + - It is highly recomended to baseline your activity and tune out common business use cases. +level: medium diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index e12fde626..9867e2b1d 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml 
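Review bot: The `author` value has mismatched quotes — `Florian Roth '@Neo23x0"` — which should be `'@Neo23x0'` to match the other names. The private-range filter omits link-local `169.254.` and loopback addresses other than exactly `127.0.0.1` (the `127.` block), so such destinations will alert as external; `DestinationIsIpv6: 'false'` is also repeated in the filter although the selection already requires it. `recomended` in the false-positives should read `recommended`.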
@@ -38,9 +38,11 @@ detection: - '\FSAssessment.exe' - '\MobaRTE.exe' - '\chrome.exe' + - '\System32\dns.exe' - '\thor.exe' - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools + - domain controller using dns.exe level: high diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml index 6761ba143..07d2196e8 100644 --- a/rules/windows/other/win_defender_psexec_wmi_asr.yml +++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/duff22b/status/1280166329660497920 author: Bhabesh Raj date: 2020/07/14 +modified: 2021/11/13 tags: - attack.execution - attack.lateral_movement @@ -14,7 +15,8 @@ tags: - attack.t1035 # an old one - attack.t1569.002 logsource: - product: windows_defender + product: windows + service: windefend definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' detection: selection: diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml similarity index 100% rename from rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml rename to rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml index ee8ff3db5..e0a9559dd 100644 --- a/rules/windows/other/win_ldap_recon.yml +++ b/rules/windows/other/win_ldap_recon.yml @@ -9,8 +9,8 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs logsource: - category: ldap_query product: windows + service: ldap_debug definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging' detection: generic_search: 
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml index 15114f1dc..1d4838ea0 100644 --- a/rules/windows/other/win_system_defender_disabled.yml +++ b/rules/windows/other/win_system_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/09/21 +modified: 2021/11/09 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -17,7 +17,7 @@ tags: - attack.t1562.001 logsource: product: windows - category: system + service: system detection: selection3: EventID: 7036 diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index b6b948ec6..c9b377394 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -50,7 +50,7 @@ detection: - '\AnonymousPipe' # Hidden Cobra Hoplight - '\bc367' # Pacifier - '\bc31a7' # Pacifier - - '\testPipe' # Emissary Panda Hyerbri + - '\testPipe' # Emissary Panda Hyperbro condition: selection tags: - attack.defense_evasion diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index f1bc4e86d..04b903fe0 100644 --- a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml 
@@ -3,7 +3,7 @@ id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. status: experimental date: 2021/10/08 -modified: 2021/10/08 +modified: 2021/11/07 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml @@ -14,7 +14,7 @@ tags: - attack.t1005 logsource: product: windows - service: pipe_connected + category: pipe_created detection: selection: PipeName: '\MICROSOFT##WID\tsql\query' @@ -30,4 +30,4 @@ detection: condition: selection and not filter falsepositives: - Processes in the filter condition -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/powershell/powershell_script/powershell_software_discovery.yml similarity index 90% rename from rules/windows/builtin/win_software_discovery.yml rename to rules/windows/powershell/powershell_script/powershell_software_discovery.yml index 9a2754889..d7af2edbc 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/powershell_software_discovery.yml @@ -4,7 +4,7 @@ description: Adversaries may attempt to enumerate software for a variety of reas status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/16 -modified: 2021/09/21 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna 
@@ -13,11 +13,10 @@ tags: - attack.t1518 logsource: product: windows - service: powershell + category: ps_script definition: 'Script block logging must be enabled' detection: selection: - EventID: 4104 ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize - 'get-itemProperty' - '\software\' @@ -26,4 +25,4 @@ detection: condition: selection level: medium falsepositives: - - Legitimate administration activities \ No newline at end of file + - Legitimate administration activities diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index e4c5cea6a..448880272 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/10/20 +modified: 2021/11/16 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -23,7 +23,7 @@ logsource: detection: selection: TargetImage|endswith: '\lsass.exe' - GrantedAccess|contains: + GrantedAccess|startswith: - '0x40' - '0x1000' - '0x1400' @@ -37,7 +37,7 @@ detection: - '0x1f1fff' - '0x1f2fff' - '0x1f3fff' - filter: + filter1: SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts - '\wmiprvse.exe' - '\taskmgr.exe' 
@@ -48,7 +48,15 @@ detection: - '\csrss.exe' - '\wininit.exe' - '\vmtoolsd.exe' - condition: selection and not filter + filter2: + GrantedAccess: + - '0x1000' + - '0x1410' + SourceImage|endswith: + - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - 'C:\Windows\System32\svchost.exe' + condition: selection and not filter1 and not filter2 fields: - ComputerName - User diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 8455bfee9..888b15eb6 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
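Review bot: In `filter2`, `'\MicrosoftEdgeUpdate.exe'` and `'\GamingServices.exe'` are name-only `endswith` matches while `'C:\Windows\System32\svchost.exe'` is path-anchored, so the first two exempt any same-named binary from any directory for the listed access masks; anchoring them to their install paths keeps the exemption as tight as the svchost entry. A comment on why `0x1000` and `0x1410` are considered benign for these processes would document the tuning decision. The existing "easy to bypass" remark on `filter1` in the earlier hunk applies equally to this new filter.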
@@ -1,10 +1,6 @@ title: Suspicious In-Memory Module Execution id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 -description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity - C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" - as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such - few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain - routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. +description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 modified: 2021/10/21 @@ -46,6 +42,8 @@ detection: filter: SourceImage|endswith: - '\Windows\System32\sdiagnhost.exe' + - '\procexp64.exe' + - '\procexp.exe' condition: selection1 or selection2 or selection3 and not filter fields: - ComputerName 
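Review bot: The added procexp filter entries will not suppress matches from `selection1` or `selection2`: in Sigma `and` binds tighter than `or`, so `condition: selection1 or selection2 or selection3 and not filter` applies `not filter` only to `selection3`. If the filter is meant for the whole rule, write `condition: (selection1 or selection2 or selection3) and not filter`. The detection block begins outside the hunk, so I cannot see whether the current scoping is intentional.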
@@ -53,6 +51,6 @@ fields: - SourceImage - TargetImage - CallTrace -level: critical +level: high falsepositives: - - Low + - SysInternals Process Explorer diff --git a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml index 4f887b912..54af48794 100644 --- a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index 9dab9d437..9a2bd4996 100644 --- a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index a8e8f5824..700d264f4 100644 --- a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml 
@@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: product: windows category: process_creation @@ -24,11 +25,11 @@ detection: - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: - ParentPrcessName|endswith: + ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 1ae6fc02a..a901d3fd7 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -13,14 +13,15 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: @@ -32,11 +33,11 @@ detection: - 'verclsid' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 36b6d571e..8989e0e30 100644 
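Review bot: The field renamed to `ParentCommandLine` in `selection1` and `selection4` of process_creation_office_from_proxy_executing_regsvr32_payload.yml denotes the parent's command line, yet `selection3` requires the parent to be an Office application, whose command line will not contain `wmic ` or `process`/`create`/`call`; the process's own command line is the generic `CommandLine` field. The same rename appears in process_creation_office_from_proxy_executing_regsvr32_payload2.yml and process_creation_office_spawning_wmi_commandline.yml below. It only lines up with the `ParentCommandLine: ProcessCommandLine` mapping this commit adds to tools/config/generic/windows-audit.yml, and would break the rules on Sysmon-based sources where ParentCommandLine is a real field. Unless the condition (outside the hunk) uses these selections in a way I cannot see, `- CommandLine|contains: 'wmic '` and `CommandLine|contains|all:` look like the intended fields.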
--- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -13,13 +13,14 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - ProcessCommandLine: + ParentCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' @@ -27,14 +28,14 @@ detection: - '*verclsid*' selection2: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml index 2fceff749..edbae2013 100644 --- a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml 
@@ -13,19 +13,20 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - Image|endswith: '\wbem\WMIC.exe' + - ParentCommandLine|contains: 'wmic ' selection2: - ParentImage: - - winword.exe - - excel.exe - - powerpnt.exe + ParentImage: + - winword.exe + - excel.exe + - powerpnt.exe condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml new file mode 100644 index 000000000..7bc3f6a2f --- /dev/null +++ b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml @@ -0,0 +1,28 @@ +title: Change PowerShell Policies to a Unsecure Level +id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 +description: Detects use of executionpolicy option to set a unsecure policies +references: + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 + - https://adsecurity.org/?p=2604 + - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ +tags: + - attack.execution + - attack.t1059.001 +author: frack113 +date: 2021/11/01 +logsource: + product: windows + category: process_creation +detection: + option: + CommandLine|contains: '-executionpolicy ' + level: + CommandLine|contains: + - 'Unrestricted' + - 'bypass' + - 'RemoteSigned' + condition: option and level +falsepositives: + - Administrator script +level: high 
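Review bot: The new win_pc_set_policies_to_unsecure_level.yml has no `status:` field, which every other rule touched by this commit carries; `status: experimental` would match its siblings. `RemoteSigned` is the default execution policy on Windows Server, so with `level: high` the rule will fire on routine administration; either drop that value or lower the level. For coverage, powershell.exe accepts abbreviated parameter names, so `'-executionpolicy '` alone misses the short forms (e.g. `'-ep '`) that appear in the same situations.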
diff --git a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml new file mode 100644 index 000000000..2bd94ad65 --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -0,0 +1,29 @@ +title: Suspicious Cmdl32 Execution +id: f37aba28-a9e6-4045-882c-d5004043b337 +status: experimental +description: lolbas Cmdl32 is use to download a payload to evade antivirus +references: + - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ + - https://twitter.com/SwiftOnSecurity/status/1455897435063074824 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/03 +logsource: + category: process_creation + product: windows +detection: + cmdl32: + - Image|endswith: '\cmdl32.exe' + - OriginalFileName: CMDL32.EXE + options: + CommandLine|contains|all: + - '/vpn ' + - '/lan ' + condition: cmdl32 and options +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml b/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml new file mode 100644 index 000000000..5949587fa --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml 
@@ -0,0 +1,36 @@ +title: Suspicious Reg Add BitLocker +id: 0e0255bf-2548-47b8-9582-c0955c9283f5 +status: experimental +description: Suspicious add key for BitLocker +references: + - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ +tags: + - attack.impact + - attack.t1486 +author: frack113 +date: 2021/11/15 +logsource: + category: process_creation + product: windows +detection: + set: + CommandLine|contains|all: + - 'REG' + - 'ADD' + - 'HKLM\SOFTWARE\Policies\Microsoft\FVE' + - '/v' + - '/f' + key: + CommandLine|contains: + - 'EnableBDEWithNoTPM' + - 'UseAdvancedStartup' + - 'UseTPM' + - 'UseTPMKey' + - 'UseTPMKeyPIN' + - 'RecoveryKeyMessageSource' + - 'UseTPMPIN' + - 'RecoveryKeyMessage' + condition: set and key +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml new file mode 100644 index 000000000..38d1e3c3e --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml @@ -0,0 +1,24 @@ +title: Suspicius Add Task From User AppData Temp +id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 +description: schtasks.exe create task from user AppData\Local\Temp +references: + - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 +tags: + - attack.execution + - attack.t1053.005 +author: frack113 +date: 2021/11/03 +logsource: + product: windows + category: process_creation +detection: + schtasks: + Image|endswith: 'schtasks.exe' + option: + CommandLine|contains|all: + - '/Create ' + - '\AppData\Local\Temp' + condition: schtasks and option +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_pc_susp_zipexec.yml b/rules/windows/process_creation/win_pc_susp_zipexec.yml new file mode 100644 index 000000000..427cf76ea --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_zipexec.yml 
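Review bot: In `set` of win_pc_susp_reg_bitlocker.yml the `'REG'`, `'ADD'`, `'/v'` and `'/f'` tokens carry no delimiters, so `'/v'` also matches `/ve` and the bare words are satisfied by unrelated text; the `HKLM\SOFTWARE\Policies\Microsoft\FVE` path is doing all the discrimination. The hive can equally be written as `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`, which the rule currently misses. `'reg '`, `' add '`, `'/v '` and a second hive spelling would tighten and complete the selection.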
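Review bot: `Image|endswith: 'schtasks.exe'` in win_pc_susp_schtasks_user_temp.yml lacks the leading backslash the other rules use (`'\schtasks.exe'`), so any image name ending in those characters matches. The rule also omits `status:` and its title misspells "Suspicious" as `Suspicius`.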
@@ -0,0 +1,33 @@ +title: Suspicious ZipExec Execution +id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 +status: experimental +description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +references: + - https://twitter.com/SBousseaden/status/1451237393017839616 + - https://github.com/Tylous/ZipExec +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/07 +logsource: + category: process_creation + product: windows +detection: + run: + CommandLine|contains|all: + - '/generic:Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + - '/pass:' + - '/user:' + delete: + CommandLine|contains|all: + - '/delete' + - 'Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + condition: run or delete +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index ed571e472..876bb1ce9 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -35,7 +35,6 @@ detection: - '\Windows\Media\' - '\Windows\repair\' - '\Windows\security\' - - '\Windows\system32\config\systemprofile\' - '\Windows\System32\Tasks\' - '\Windows\Tasks\' - Image|startswith: 'C:\Perflogs\' diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml new file mode 100644 index 000000000..ae050a068 --- /dev/null +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml 
@@ -0,0 +1,32 @@ +title: Suspicious Registration via cscript.exe +id: 28c8f68b-098d-45af-8d43-8089f3e35403 +description: Detects when the registration of a VSS/VDS Provider as a COM+ application. +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/05 +references: +- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 +- https://ss64.com/vb/cscript.html +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\cscript.exe' + CommandLine|contains: '-register' + selection2: + CommandLine|contains: + - '\Windows Kits\10\bin\10.0.22000.0\x64' + - '\Windows Kits\10\bin\10.0.19041.0\x64' + - '\Windows Kits\10\bin\10.0.17763.0\x64' + condition: + selection1 and selection2 +fields: + - CommandLine + - ParentCommandLine +tags: +- attack.defense_evasion +- attack.t1218 +level: medium +falsepositives: +- None diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 5389761e7..1a817b30f 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth, Max Altgelt date: 2021/07/14 -modified: 2021/08/10 +modified: 2021/11/11 tags: - attack.execution logsource: @@ -32,6 +32,7 @@ detection: - ' >' - 'Out-File' - 'ConvertTo-Json' + - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user condition: selection and not filter falsepositives: - Administrative scripts diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 9d36bc717..356e53dcb 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml 
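Review bot: `selection2` of win_susp_registration_via_cscript.yml pins three Windows Kits build directories (`10.0.22000.0`, `10.0.19041.0`, `10.0.17763.0`), so any other SDK version falls through; if the SDK location is the signal, the invariant `'\Windows Kits\10\bin\'` prefix is the better single pattern. The `tags` and `falsepositives` items sit at column 0 while the rest of the commit indents list items by two spaces, and `falsepositives: - None` departs from the `Unknown` wording used by the other rules. The description also reads incompletely ("Detects when the registration of a VSS/VDS Provider as a COM+ application.").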
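Review bot: The new filter entry `'-WindowStyle hidden -Verb runAs'` in win_susp_script_exec_from_temp.yml excludes every hidden, elevated script launched from a temp directory on the strength of a command-line fragment alone, which is the very pattern the rule exists to surface; the comment says the exception is for VSCode. Scoping it to the originating process, for example a separate filter with `ParentImage|endswith: '\Code.exe'` combined with the fragment, keeps the VSCode case quiet without giving the fragment a blanket pass. `selection` and the start of `filter` are above the hunk.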
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/05/12 +modified: 2021/11/16 tags: - attack.command_and_control - attack.execution @@ -17,12 +17,16 @@ logsource: category: process_creation detection: selection: - ProcessCommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' + - '.dll' Image|endswith: - '\wuauclt.exe' - condition: selection + filter: + CommandLine|contains: + - ' /ClassId ' + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index 402ff3615..e45421438 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2021/05/30 +modified: 2021/11/06 author: Sreeman tags: - attack.defense_evasion @@ -15,9 +15,9 @@ tags: - attack.t1574.002 - attack.t1059 # an old one - attack.t1064 # an old one - logsource: product: windows + category: process_creation detection: selection1: CommandLine|contains: diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index d3e6843f3..2ad743d7a 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml 
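Review bot: The new `filter` suppresses any event whose `CommandLine` contains `' /ClassId '`, a substring of the same field the selection matches on, so the exclusion holds only as long as that token never accompanies an unwanted `.dll` argument. If the legitimate Windows Update invocation is identifiable by its DLL or its parent, anchoring the filter on that (a full DLL path or a `ParentImage` clause) is a narrower exception; at minimum a comment on `filter:` should state which invocation it is meant to cover.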
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 -modified: 2021/08/26 +modified: 2021/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html @@ -20,20 +20,15 @@ detection: - LogonId: - '0x3e7' # LUID 999 for SYSTEM - 'null' # too many false positives - - SubjectLogonId: - - '0x3e7' # LUID 999 for SYSTEM - - 'null' # too many false positives - User|startswith: - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - 'AUTORITE NT\Sys' # French language settings - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null1: # some backends need the null value in a separate expression + filter_null: # some backends need the null value in a separate expression LogonId: null - filter_null2: # some backends need the null value in a separate expression - SubjectLogonId: null - condition: selection and not filter and not filter_null1 and not filter_null2 + condition: selection and not filter and not filter_null falsepositives: - Unknown level: high diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index abb7d2c79..4fb1304fd 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/08/14 +modified: 2021/11/16 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: 
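Review bot: Dropping the `SubjectLogonId` alternatives makes the filter depend on the `LogonId: SubjectLogonId` mapping this commit adds to tools/config/generic/windows-audit.yml; on any configuration that feeds 4688 events without that mapping the LogonId branch stops matching and the username fallback carries the whole exclusion. A comment such as `# 4688 SubjectLogonId is reached via the LogonId mapping in windows-audit.yml` beside `filter_null` would record the dependency for the next maintainer.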
@@ -31,7 +31,10 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' - condition: not filter_1 and not filter_2 + - '\svchost.exe' + filter_3: + ProcessId: 4 + condition: not filter_1 and not filter_2 and not filter_3 fields: - ComputerName - Image diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index cac8f9e7d..52a4072ff 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -11,8 +11,8 @@ tags: - attack.t1547.001 - attack.t1060 # an old one date: 2019/10/25 -modified: 2020/11/04 -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community +modified: 2021/11/11 +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event product: windows @@ -190,6 +190,8 @@ detection: - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' + filter: + Details: '(Empty)' condition: main_selection or session_manager_base and session_manager or current_version_base and current_version or @@ -202,7 +204,7 @@ detection: classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or - system_control_base and system_control + system_control_base and system_control and not filter fields: - SecurityID - ObjectName diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 820a65f60..e54f396b2 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
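Review bot: `'\svchost.exe'` is added as a suffix-only exclusion to a rule whose condition consists solely of negated filters, so an image of that name in any directory is now exempt from raw disk access detection; since the name is a common masquerade choice, anchor it to the real path, `- 'C:\Windows\System32\svchost.exe'` (plus the SysWOW64 copy if that is seen). `filter_3: ProcessId: 4` is the System process and a reasonable exception, but `ProcessId: 4  # System` would make that explicit.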
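Review bot: The `not filter` appended to the last condition line of sysmon_asep_reg_keys_modification.yml only negates the final `system_control_base and system_control` term, because `and` binds tighter than `or`; the new `Details: '(Empty)'` filter therefore does nothing for `main_selection` or any of the other ORed pairs. Wrapping the whole disjunction, `condition: (main_selection or … or system_control_base and system_control) and not filter`, applies the exclusion to every branch. The same `(Empty)` filter in sysmon_new_dll_added_to_appinit_dlls_registry_key.yml below is fine, as its condition is a plain `selection and not filter`.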
@@ -9,9 +9,9 @@ tags: - attack.persistence - attack.t1103 # an old one - attack.t1546.010 -author: Ilyas Ochkov, oscd.community +author: Ilyas Ochkov, oscd.community, Tim Shelton date: 2019/10/25 -modified: 2020/09/06 +modified: 2021/11/11 logsource: category: registry_event product: windows @@ -24,7 +24,9 @@ detection: NewName|endswith: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - condition: selection + filter: + Details: '(Empty)' + condition: selection and not filter fields: - EventID - Image diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml index c91e0d20c..9d97fafb4 100644 --- a/rules/windows/sysmon/sysmon_config_modification_error.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml @@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon status: experimental author: frack113 date: 2021/06/04 -modified: 2021/09/07 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html @@ -19,6 +19,8 @@ detection: Description|contains: - 'Failed to open service configuration with error' - 'Failed to connect to the driver to update configuration' + selection_filter: + Description: 'Failed to open service configuration with error 19' condition: selection_error falsepositives: - legitimate administrative action diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 8a9f000a0..97dfe3ec8 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml 
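Review bot: The new `selection_filter` in sysmon_config_modification_error.yml is never referenced — the condition is still `condition: selection_error` — so the `'Failed to open service configuration with error 19'` entry has no effect. If the intent is to exclude that message, the condition should become `condition: selection_error and not selection_filter`; otherwise the unused selection should be removed.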
@@ -111,6 +111,7 @@ fieldmappings: PipeName: event_data.PipeName ProcessName: event_data.ProcessName Properties: event_data.Properties + RelativeTargetName: event_data.RelativeTargetName ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName ShareName: event_data.ShareName diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index de769059c..c83606056 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -1,32 +1,33 @@ title: Microsoft 365 Rules order: 10 -ThreatManagement: - product: m365 - category: ThreatManagement - conditions: - eventSource: SecurityComplianceCenter -AccessGovernance: - product: m365 - category: AccessGovernance - conditions: - eventSource: SecurityComplianceCenter -CloudDiscovery: - product: m365 - category: CloudDiscovery - conditions: - eventSource: SecurityComplianceCenter -DataLossPrevention: - product: m365 - category: DataLossPrevention - conditions: - eventSource: SecurityComplianceCenter -ThreatDetection: - product: m365 - category: ThreatDetection - conditions: - eventSource: SecurityComplianceCenter -SharingControl: - product: m365 - category: SharingControl - conditions: - eventSource: SecurityComplianceCenter +logsources: + ThreatManagement: + product: m365 + category: ThreatManagement + conditions: + eventSource: SecurityComplianceCenter + AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter + CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter + DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter + ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter + SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter 
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 63080759e..5eff54cfb 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,3 +24,5 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue + ParentCommandLine: ProcessCommandLine + LogonId: SubjectLogonId \ No newline at end of file diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index a9e7b9e01..cdfed557c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
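Review bot: Mapping `ParentCommandLine` to `ProcessCommandLine` gives the parent-command-line field the semantics of the process's own command line, and the Windows Security 4688 event carries the new process's command line as `CommandLine` with no parent command line at all, so it is unclear which source the right-hand side refers to. A comment naming that source would help, and if 4688 is the target the mapping looks wrong. The file also loses its trailing newline (`\ No newline at end of file`).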
@@ -7,11 +7,213 @@ logsources: product: apache conditions: product_name: '*apache*' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + category: ThreatManagement + service: Microsoft365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + category: ThreatManagement + service: m365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + auditd: + service: auditd + conditions: + process_name: "auditd" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + channel: "MSExchange Management" windows: product: windows index: windows conditions: - vendor_name: 'Microsoft' + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: "Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + 
windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-query: + product: windows + category: ldap_query + conditions: + channel: "Microsoft-Windows-LDAP-Client/Debug ETW" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek IDS" + azure-signin: + service: azure.signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + 
azure-auditlogs: + service: azure.auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activitylogs: + service: azure.activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + service: AzureActivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" windows-application: product: windows service: application @@ -55,14 +257,13 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: - product_name: 'DNS Server' + channel: 'DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: - product_name: 'DNS-Server' + channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework @@ -89,11 +290,15 @@ logsources: conditions: product_name: - 'AppLocker' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" windows-msexchange-management: product: windows service: msexchange-management conditions: - product_name: 'MSExchange Management' + channel: 'MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin @@ -109,6 +314,14 @@ logsources: service: smbclient-security conditions: product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + vendor_id: + - 12 + - 13 + - 14 qflow: product: qflow netflow: @@ -116,7 +329,7 @@ logsources: ipfix: product: ipfix flow: - category: flow + product: flow fieldmappings: dst: - ip_dst_host @@ -126,6 +339,9 @@ fieldmappings: - ip_src_host src_ip: - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src category: vendor_category error: error_code key: event_key 
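Review bot: In the `guacamole` entry `product_name: "Guacamole"` sits outside `conditions:`, unlike every other entry, so it will be read as a logsource attribute rather than a match condition. `windows-file-event` is given `category: file_create` with the same Sysmon `vendor_id: "11"` as `windows-file-create`, which makes the two entries identical; `category: file_event` is presumably what the name intends. `vendor_id` is alternately a quoted string (`"15"`), a bare integer (`9`) and a list of integers, which should be harmonised so the backend compares them consistently.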
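Review bot: After the dns-server hunk both `windows-dns-server` and `windows-dns-server-audit` use the same `channel: 'DNS Server'`, so the audit logsource is no longer distinguishable from the operational one. If the audit events arrive on a different channel (the previous `product_name: 'DNS-Server'` suggests they were told apart before), the second entry should name that channel.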
@@ -171,7 +387,9 @@ fieldmappings: ServiceFileName: filename EventID: vendor_id SourceImage: parent_image + ImageLoaded: image_loaded Description: image_description + ScriptBlockText: value Product: image_product Company: image_company CurrentDirectory: path @@ -197,7 +415,6 @@ fieldmappings: Details: object_target CallTrace: calltrace IpAddress: ip_src - DCIPAddress: ip_src WorkstationName: hostname_src Workstation: hostname_src DestinationIp: ip_dst @@ -210,3 +427,5 @@ fieldmappings: TicketEncryptionType: sys.ticket.encryption.type DetectionSource: value Priority: event_priority + event_type_id: vendor_id + eventtype: vendor_type diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index d7ec0f095..07c3c4e09 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -100,6 +100,11 @@ logsources: service: msexchange-management conditions: winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index ab48a9e16..1ed69e2ce 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
@@ -153,6 +153,15 @@ class ElasticsearchWildcardHandlingMixin(object):
 elif type(value) == list:
 return self.generateMapItemListNode(transformed_fieldname, value)
 elif isinstance(value, SigmaTypeModifier):
+ #On elastic can not use ^ or $ re is full match
+ if isinstance(value,sigma.parser.modifiers.type.SigmaRegularExpressionModifier):
+ the_regex = value.value
+ if the_regex[0]=="^" and the_regex[-1]=="$":
+ value.value = the_regex[1:-1]
+ elif the_regex[0]=="^":
+ value.value = the_regex[1:] if the_regex[-2:] == ".*" else the_regex[1:] + ".*"
+ elif the_regex[-1]=="$":
+ value.value = the_regex[:-1] if the_regex[:2] == ".*" else ".*" +the_regex[:-1]
 return self.generateMapItemTypedNode(transformed_fieldname, value)
 elif value is None:
 return self.nullExpression % (transformed_fieldname, )
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 7147ff37b..904e81563 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -20,6 +20,7 @@ import re
 import sigma
 import json
 import uuid
+import re
 from sigma.parser.modifiers.base import SigmaTypeModifier
 from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
 from .base import SingleTextQueryBackend
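Review bot: `the_regex[0]` raises IndexError when the modifier value is an empty string, and a pattern with neither anchor is left untouched even though, under the full-match semantics the comment describes, it needs `.*` on both sides to keep its unanchored meaning. The first/last-character test also cannot tell an escaped `\$` or a `^` inside a group from a real anchor, and the branch assigns back to `value.value`, so the modifier object is altered for anything that reads it afterwards. The rewrite below adds the empty-string guard and the unanchored case while keeping the three existing cases byte-for-byte in effect; the in-place mutation remains and deserves its own comment. The enclosing method starts above the hunk.
```python
elif isinstance(value, SigmaTypeModifier):
    # Elasticsearch regexp queries match the whole value, so translate
    # Sigma's anchors instead of passing ^ / $ through unchanged.
    if isinstance(value, sigma.parser.modifiers.type.SigmaRegularExpressionModifier):
        the_regex = value.value
        if the_regex:  # an empty pattern has no [0] / [-1] to inspect
            starts_anchored = the_regex.startswith("^")
            ends_anchored = the_regex.endswith("$")
            body = the_regex[1 if starts_anchored else 0:len(the_regex) - (1 if ends_anchored else 0)]
            if not starts_anchored and not body.startswith(".*"):
                body = ".*" + body
            if not ends_anchored and not body.endswith(".*"):
                body = body + ".*"
            value.value = body  # NOTE: mutates the shared modifier object
    return self.generateMapItemTypedNode(transformed_fieldname, value)
```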
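Review bot: The hunk header's context line (`@@ -20,6 +20,7 @@ import re`) indicates that `import re` already appears above line 20 of hawk.py, so the added `+import re` is a duplicate and should be dropped. The `re.escape` call introduced further down in this file resolves without it.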
@@ -62,27 +63,27 @@ class HAWKBackend(SingleTextQueryBackend):
 #print(type(node))
 #print(node)
 if type(node) == sigma.parser.condition.ConditionAND:
- return self.generateANDNode(node)
+ return self.generateANDNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionOR:
 #print("OR NODE")
 #print(node)
- return self.generateORNode(node)
+ return self.generateORNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionNOT:
 #print("NOT NODE")
 #print(node)
 return self.generateNOTNode(node)
 elif type(node) == sigma.parser.condition.ConditionNULLValue:
- return self.generateNULLValueNode(node)
+ return self.generateNULLValueNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionNotNULLValue:
 return self.generateNotNULLValueNode(node)
 elif type(node) == sigma.parser.condition.NodeSubexpression:
 #print(node)
- return self.generateSubexpressionNode(node)
+ return self.generateSubexpressionNode(node, notNode)
 elif type(node) == tuple:
 #print("TUPLE: ", node)
 return self.generateMapItemNode(node, notNode)
 elif type(node) in (str, int):
- nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } }
+ nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5", "regex": "true" } } }
 #key = next(iter(self.sigmaparser.parsedyaml['detection']))
 key = "payload"
@@ -94,7 +95,7 @@ class HAWKBackend(SingleTextQueryBackend):
 # they imply the entire payload
 nodeRet['description'] = key
 nodeRet['rule_id'] = str(uuid.uuid4())
- nodeRet['args']['str']['value'] = self.generateValueNode(node, False).replace("\\","\\\\")
+ nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(node, False)) # .replace("\\","\\\\").replace(".","\\.")
 # return json.dumps(nodeRet)
 return nodeRet
 elif type(node) == list:
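Review bot: In the `(str, int)` branch, `re.escape(self.generateValueNode(node, False))` escapes any `*` in a keyword value to a literal `\*` while the node is also tagged `"regex": "true"`, so a keyword such as `*cmd.exe*` (constructed example) can only match a payload containing literal asterisks; the field-value paths later in this file strip `*` before escaping, and the keyword path should at least match that or, better, translate each wildcard with `".*".join(re.escape(p) for p in self.generateValueNode(node, False).split("*"))` — unless cleanValue already handles wildcards, which is not visible here. Separately, the `notNode` threading is uneven: ConditionNOT and ConditionNotNULLValue are still dispatched as `self.generateNOTNode(node)` and `self.generateNotNULLValueNode(node)` without the flag, so a negation nested inside another negation is presumably not propagated — confirm this is intended. generateNode's signature is above the hunk.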
@@ -102,7 +103,7 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
- def generateANDNode(self, node):
+ def generateANDNode(self, node, notNode=False):
 """
 generated = [ self.generateNode(val) for val in node ]
 filtered = [ g for g in generated if g is not None ]
@@ -114,7 +115,7 @@ class HAWKBackend(SingleTextQueryBackend):
 return None
 """
 ret = { "id" : "and", "key": "And", "children" : [ ] }
- generated = [ self.generateNode(val) for val in node ]
+ generated = [ self.generateNode(val, notNode) for val in node ]
 filtered = [ g for g in generated if g is not None ]
 if filtered:
 if self.sort_condition_lists:
@@ -125,11 +126,12 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 return None
- def generateORNode(self, node):
- #retAnd = { "id" : "and", "key": "And", "children" : [ ] }
-
- ret = { "id" : "or", "key": "Or", "children" : [ ] }
- generated = [ self.generateNode(val) for val in node ]
+ def generateORNode(self, node, notNode=False):
+ if notNode:
+ ret = { "id" : "and", "key": "And", "children" : [ ] }
+ else:
+ ret = { "id" : "or", "key": "Or", "children" : [ ] }
+ generated = [ self.generateNode(val, notNode) for val in node ]
 filtered = [ g for g in generated if g is not None ]
 if filtered:
 if self.sort_condition_lists:
@@ -142,8 +144,8 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 return None
- def generateSubexpressionNode(self, node):
- generated = self.generateNode(node.items)
+ def generateSubexpressionNode(self, node, notNode=False):
+ generated = self.generateNode(node.items, notNode)
 if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()"
 if len(node.items) == 1: # A sub expression with length 1 is not a proper sub expression, no self.subExpression required
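Review bot: generateANDNode still builds `ret = { "id" : "and", "key": "And", "children" : [ ] }` unconditionally in the `-114` hunk while the new generateORNode flips to `and` when `notNode` is set; under De Morgan a negated conjunction should become a disjunction of negated children, so `not (a and b)` would render as `and` over `!=` children, i.e. `not a and not b` — unless generateNOTNode, which is outside this view, already rewrites the tree before dispatching. Mirror the new generateORNode logic: `ret = { "id" : "or", "key": "Or", "children" : [ ] } if notNode else { "id" : "and", "key": "And", "children" : [ ] }`. The triple-quoted block of old code at the top of generateANDNode is dead and should be deleted rather than carried along. The bodies of generateANDNode, generateORNode and generateSubexpressionNode continue past the hunk boundaries.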
@@ -182,12 +184,13 @@ class HAWKBackend(SingleTextQueryBackend):
 elif type(value) == str and "*" in value:
 # value = value.replace("*", ".*")
 value = value.replace("*", "")
- value = value.replace("\\", "\\\\")
+ value = re.escape(value) # .replace("\\", "\\\\").replace(".","\\.")
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 nodeRet['args']['str']['value'] = value
+ nodeRet['args']['str']['regex'] = "true"
 # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True))
 #return json.dumps(nodeRet)
 return nodeRet
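Review bot: `value = value.replace("*", "")` followed by the new `re.escape(value)` deletes interior wildcards instead of translating them, so a value like `C:\*\temp.exe` (constructed example) becomes the regex `C:\\\\temp\.exe`, which only matches a path with two consecutive backslashes and nothing the rule author intended; the commented-out `.replace("*", ".*")` just above was the right idea. Replace the two lines with `value = ".*".join(re.escape(part) for part in value.split("*"))`, which keeps leading and trailing wildcards as a harmless `.*` and escapes only the literal parts. The same strip-then-escape pattern appears in generateMapItemListNode in the `-232` hunk and needs the same fix. The enclosing generateMapItemNode starts above this hunk.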
@@ -214,14 +217,27 @@ class HAWKBackend(SingleTextQueryBackend):
 return self.generateMapItemTypedNode(key, value)
 elif value is None:
 #return self.nullExpression % (key, )
- nodeRet['args']['str']['value'] = None
+ #print("Performing null")
+ #print(notNode)
+ #print(key)
+ nodeRet = { "key" : "empty", "description" : "Value Does Not Exist (IS NULL)", "class" : "function", "inputs" : { "comparison" : { "order" : 0, "source" : "comparison", "type" : "comparison" }, "column" : { "order" : 1, "source" : "columns", "type" : "str" } }, "args" : { "comparison" : { "value" : "!=" }, "column" : { "value" : "" } }, "return" : "boolean" }
+ nodeRet['args']['column']['value'] = self.cleanKey(key).lower()
+ nodeRet['description'] += " %s" % key
+ if notNode:
+ nodeRet['args']['comparison']['value'] = "!="
+ else:
+ nodeRet['args']['comparison']['value'] = "="
 #return json.dumps(nodeRet)
+ #print(json.dumps(nodeRet))
 return nodeRet
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
 def generateMapItemListNode(self, key, value, notNode=False):
- ret = { "id" : "or", "key": "Or", "children" : [ ] }
+ if notNode:
+ ret = { "id" : "and", "key": "And", "children" : [ ] }
+ else:
+ ret = { "id" : "or", "key": "Or", "children" : [ ] }
 for item in value:
 nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } }
 nodeRet['key'] = self.cleanKey(key).lower()
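Review bot: The new `empty` function node is an opaque literal — `"class" : "function"`, an `"inputs"` block with `order`/`source`/`type`, and a `comparison` of `!=` that both branches of the following `if notNode` immediately overwrite — with nothing saying what HAWK evaluates `empty(column) = ...` to or why `!=` is the negated form. A one-line comment above the literal, e.g. `# HAWK 'empty' function node: comparison '=' asserts the column is null/absent, '!=' that it is present` (adjust to the actual semantics), would save the next reader a trip to the HAWK documentation, and the `"comparison" : { "value" : "!=" }` default can be dropped since it is always reassigned. The three `#print(...)` lines and `#print(json.dumps(nodeRet))` are leftover debugging and should go. The enclosing generateMapItemNode starts above the hunk and generateMapItemListNode continues below it.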
@@ -232,15 +248,15 @@ class HAWKBackend(SingleTextQueryBackend):
 ret['children'].append( nodeRet )
 elif type(item) == str and "*" in item:
 item = item.replace("*", "")
- item = item.replace("\\", "\\\\")
- # item = item.replace("*", ".*")
+ item = re.escape(item) # .replace("\\", "\\\\").replace(".","\\.")
 #print("item")
 #print(item)
 nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
+ nodeRet['args']['str']['regex'] = "true"
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 ret['children'].append( nodeRet )
 else:
 #print("item2")
@@ -258,35 +274,21 @@ class HAWKBackend(SingleTextQueryBackend):
 nodeRet['rule_id'] = str(uuid.uuid4())
 if type(value) == SigmaRegularExpressionModifier:
 regex = str(value)
- """
- # Regular Expressions have to match the full value in QRadar
- if not (regex.startswith('^') or regex.startswith('.*')):
- regex = '.*' + regex
- if not (regex.endswith('$') or regex.endswith('.*')):
- regex = regex + '.*'
- return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True))
- """
- #print("ENDS WITH!!!")
- nodeRet['args']['str']['value'] = self.generateValueNode(regex, True).replace("\\", "\\\\")
+ nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(regex, True)) # .replace("\\", "\\\\").replace(".","\\.")
+ nodeRet['args']['str']['regex'] = "true"
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 # return json.dumps(nodeRet)
 return nodeRet
 else:
 raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
 def generateValueNode(self, node, keypresent):
- """
- if keypresent == False:
- return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%")
- else:
- return self.valueExpression % (self.cleanValue(str(node)))
- """
 return self.valueExpression % (self.cleanValue(str(node)))
- def generateNULLValueNode(self, node):
+ def generateNULLValueNode(self, node, notNode):
 # node.item
 nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } }
 nodeRet['rule_id'] = str(uuid.uuid4())
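Review bot: In the SigmaRegularExpressionModifier branch, `re.escape(self.generateValueNode(regex, True))` escapes every metacharacter of a pattern the rule author wrote as a regular expression (`|re` modifier), so a pattern like `^.*\\temp\\[a-z]+\.exe$` (constructed example) is emitted as a literal string that matches nothing resembling the intent, even though the node is tagged `"regex": "true"`. The regex path should pass the pattern through unescaped — at most the quoting the JSON transport needs, which was presumably what the old `.replace("\\", "\\\\")` provided — e.g. `nodeRet['args']['str']['value'] = self.generateValueNode(regex, True)`. Also, `generateNULLValueNode(self, node, notNode)` makes `notNode` a required positional while every sibling helper in this file declares `notNode=False`; giving it the same default keeps the helpers uniform. generateMapItemTypedNode's signature and the remainder of generateNULLValueNode are outside this hunk.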
@@ -440,6 +442,72 @@ class HAWKBackend(SingleTextQueryBackend):
 return result
+ def dedupeAnds(self, arr, parentAnd=False):
+ # simple dedupe
+ for i in range(0, len(arr)):
+ if 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ arr[i]['children'] = self.dedupeAnds(arr[i]['children'])
+
+ if len(arr[i]['children']) == 1 and 'id' in arr[i]['children'][0] and arr[i]['children'][0]['id'].lower() == "and":
+ arr[i] = arr[i]['children'][0]
+
+
+ return arr
+
+ """
+ for i in range(0, len(arr)):
+ if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ isAnd = True
+ else:
+ isAnd = False
+
+ if 'children' in arr[i]:
+ arr[i]['children'] = self.dedupeAnds(arr['i']['children'], isAnd)
+
+ if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ pass
+
+ if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and":
+ # print("Returning less!")
+ for i in range(0, len(arr) ):
+ if 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ arr[i]['children'] = self.dedupeAnds(arr[i]['children'])
+ return arr[0]['children']
+
+ """
+ return arr
+
+ """
+ def dedupeAnds(self, arr, parentAnd=False):
+ #if not parentAnd:
+ # for i in range(0, len(arr) ):
+ # if 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ # arr[i]['children'] = self.dedupeAnds(arr[i]['children'], False)
+
+ if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and":
+ # print("Returning less!")
+ for i in range(0, len(arr) ):
+ if 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ arr[i]['children'] = self.dedupeAnds(arr[i]['children'])
+ return arr[0]['children']
+
+ allAndCheck = True
+ for i in range(0, len(arr) ):
+ # print(arr[i])
+ if 'id' in arr[i] and arr[i]['id'].lower() == "and":
+ arr[i]['children'] = self.dedupeAnds(arr[i]['children'])
+ else:
+ allAndCheck = False
+
+
+ x = [ ]
+ if allAndCheck:
+ for i in range(0, len(arr)):
+ x = x + arr[i]['children']
+ return x
+ return arr
+ """
+
 def generateQuery(self, parsed, sigmaparser):
 self.sigmaparser = sigmaparser
 result = self.generateNode(parsed.parsedSearch)
@@ -508,6 +576,9 @@ class HAWKBackend(SingleTextQueryBackend):
 analytic_txt = ret + result + ret2 # json.dumps(ret)
 try:
 analytic = json.loads(analytic_txt) # json.dumps(ret)
+ # analytic = self.dedupeAnds(analytic)
+ analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True)
+
 except Exception as e:
 print("Failed to parse json: %s" % analytic_txt)
 raise Exception("Failed to parse json: %s" % analytic_txt)
@@ -535,12 +606,13 @@ class HAWKBackend(SingleTextQueryBackend):
 record = {
 "rules" : analytic, # analytic_txt.replace('"','""'),
 "filter_name" : sigmaparser.parsedyaml['title'],
+ "filter_details" : cmt,
 "actions_category_name" : "Add (+)",
 "correlation_action" : 5.00,
 "date_added" : sigmaparser.parsedyaml['date'],
- "enabled" : True,
+ "enabled" : False,
+ # "enabled" : True,
 "public" : True,
- "comments" : cmt,
 "references" : ref,
 "group_name" : ".",
 "hawk_id" : sigmaparser.parsedyaml['id']
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index b31fba2b8..4c00f0248 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
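Review bot: dedupeAnds carries a lot of dead code: the `parentAnd` parameter is never read (the recursive call does not even pass it), the second `return arr` after the first triple-quoted block is unreachable, and the two triple-quoted blocks are alternative implementations kept as string literals — the first sits unreachably after `return arr`, the second is a class-level expression statement — so both should be deleted rather than preserved in source. The live loop also assumes every `and` node is a dict with a `children` key (`arr[i]['children']`); if the analytic JSON can carry other shapes, `arr[i].get('children', [])` would be safer, and in any case a one-line docstring stating the expected input would help, e.g. `"""Collapse nested single-child 'and' nodes in a list of HAWK rule nodes; mutates and returns arr."""`. `range(0, len(arr))` can simply be `range(len(arr))`.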
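Review bot: The new `self.dedupeAnds(...)` call sits inside the `try` whose `except Exception` prints and re-raises "Failed to parse json", so an IndexError or KeyError raised by dedupeAnds — or by the unguarded `analytic[0]` when the decoded list is empty — would be reported as a JSON parse failure and the original exception discarded. Move the call out of the `try` body, for instance into an `else:` clause of the same statement: `else:` / `analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True)`. While here, the caught `e` is unused and the re-raise should chain it, `raise Exception("Failed to parse json: %s" % analytic_txt) from e`. generateQuery continues outside the hunk.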
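Review bot: The flip to `"enabled" : False` changes what every generated HAWK record does on import, and nothing in the code says why newly converted rules should start disabled; a short comment above the line, e.g. `# imported filters start disabled so an operator reviews them before they fire`, would record the intent (adjust to the real reason). The commented-out `# "enabled" : True,` line should be removed rather than left as a toggle.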
@@ -106,24 +106,25 @@ class SQLBackend(SingleTextQueryBackend):
 def generateMapItemNode(self, node):
 fieldname, value = node
 transformed_fieldname = self.fieldNameMapping(fieldname, value)
+ generated_value = self.generateNode(value)
- has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value))
+ has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", generated_value)
- if "," in self.generateNode(value) and not has_wildcard:
- return self.mapMulti % (transformed_fieldname, self.generateNode(value))
+ if "," in generated_value and generated_value[0]=="(" and generated_value[-1]==")" and not has_wildcard:
+ return self.mapMulti % (transformed_fieldname, generated_value)
 elif "LENGTH" in transformed_fieldname:
 return self.mapLength % (transformed_fieldname, value)
 elif type(value) == list:
 return self.generateMapItemListNode(transformed_fieldname, value)
 elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
 if has_wildcard:
- return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
+ return self.mapWildcard % (transformed_fieldname, generated_value)
 else:
- return self.mapExpression % (transformed_fieldname, self.generateNode(value))
+ return self.mapExpression % (transformed_fieldname, generated_value)
 elif "sourcetype" in transformed_fieldname:
- return self.mapSource % (transformed_fieldname, self.generateNode(value))
+ return self.mapSource % (transformed_fieldname, generated_value)
 elif has_wildcard:
- return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
+ return self.mapWildcard % (transformed_fieldname, generated_value)
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py
index 0b445b59a..c456d9220 100644
--- a/tools/sigma/backends/sqlite.py
+++ b/tools/sigma/backends/sqlite.py
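Review bot: The tightened test `"," in generated_value and generated_value[0]=="(" and generated_value[-1]==")"` hard-codes the textual shape generateNode gives list values, and nothing in generateMapItemNode says so; a reader seeing a comma-and-parentheses check on a rendered string will not recognise it as "value is a list" nor know why a plain string containing a comma no longer takes the `mapMulti` branch. A comment above the `if`, e.g. `# generateNode renders list values as "(a, b, ...)"; match that shape rather than any comma in a scalar`, would make the intent explicit. Hoisting `generated_value` out of the repeated `self.generateNode(value)` calls is a clear improvement.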
@@ -69,33 +69,56 @@ class SQLiteBackend(SQLBackend):
 return self.orToken.join(filtered)
 else:
 return None
+
+ def cleanValue(self, val):
+ if not isinstance(val, str):
+ return str(val)
+
+ #Escape double quotes in SQLite
+ val = val.replace('"','""')
+
+ #Single backlashes which are not in front of * or ? are doulbed
+ val = re.sub(r"(? -->'
- return "{}\n{}".format(rulegroup_comment, sysmon_rule)
\ No newline at end of file
+ return "{}\n{}".format(rulegroup_comment, sysmon_rule)
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py
index 644e24816..67592c413 100644
--- a/tools/sigma/parser/condition.py
+++ b/tools/sigma/parser/condition.py
@@ -113,15 +113,15 @@ class SigmaConditionTokenizer:
 (SigmaConditionToken.TOKEN_NEAR, re.compile("near", re.IGNORECASE)),
 (SigmaConditionToken.TOKEN_BY, re.compile("by", re.IGNORECASE)),
 (SigmaConditionToken.TOKEN_EQ, re.compile("==")),
- (SigmaConditionToken.TOKEN_LT, re.compile("<")),
 (SigmaConditionToken.TOKEN_LTE, re.compile("<=")),
- (SigmaConditionToken.TOKEN_GT, re.compile(">")),
+ (SigmaConditionToken.TOKEN_LT, re.compile("<")),
 (SigmaConditionToken.TOKEN_GTE, re.compile(">=")),
+ (SigmaConditionToken.TOKEN_GT, re.compile(">")),
 (SigmaConditionToken.TOKEN_PIPE, re.compile("\\|")),
 (SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)),
 (SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)),
 (SigmaConditionToken.TOKEN_NOT, re.compile("not", re.IGNORECASE)),
- (SigmaConditionToken.TOKEN_ID, re.compile("[\\w*]+")),
+ (SigmaConditionToken.TOKEN_ID, re.compile("[\\w*-.]+")),
 (SigmaConditionToken.TOKEN_LPAR, re.compile("\\(")),
 (SigmaConditionToken.TOKEN_RPAR, re.compile("\\)")),
 ]
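Review bot: The new TOKEN_ID pattern `[\\w*-.]+` contains a character range `*-.`, which spans code points 0x2A–0x2E and therefore also admits `+` and `,` inside identifiers — presumably the intent was only to allow `-` and `.` in selection names. Put the hyphen last so it is literal: `(SigmaConditionToken.TOKEN_ID, re.compile("[\\w*.-]+")),`. The reordering that places `<=` and `>=` ahead of `<` and `>` is correct for a first-match tokenizer and deserves a one-line comment so nobody re-sorts the table later, e.g. `# two-character operators must precede their one-character prefixes`. The sqlite cleanValue hunk earlier on this line is truncated in this view, so it is not reviewed here.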
@@ -191,8 +191,14 @@ class ConditionBase(ParseTreeNode):
 op = COND_NONE
 items = None
- def __init__(self):
- raise NotImplementedError("ConditionBase is no usable class")
+ def __init__(self, sigma=None, op=None, *args):
+ if type(self) == ConditionBase:
+ raise NotImplementedError("ConditionBase is no usable class")
+
+ if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty
+ self.items = list()
+ else: # called by parser, use given values
+ self.items = args
 def add(self, item):
 self.items.append(item)
@@ -204,27 +210,11 @@ class ConditionBase(ParseTreeNode):
 return len(self.items)
-class ConditionAND(ConditionBase):
- """AND Condition"""
- op = COND_AND
-
- def __init__(self, sigma=None, op=None, *args):
- if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty
- self.items = list()
- else: # called by parser, use given values
- self.items = args
-
-
-class ConditionOR(ConditionAND):
- """OR Condition"""
- op = COND_OR
-
-
-class ConditionNOT(ConditionBase):
- """NOT Condition"""
- op = COND_NOT
-
+class ConditionBaseOneItem(ConditionBase):
 def __init__(self, sigma=None, op=None, val=None):
+ if type(self) == ConditionBaseOneItem:
+ raise NotImplementedError("ConditionBaseOneItem is no usable class")
+
 if sigma == None and op == None and val == None: # no parameters given - initialize empty
 self.items = list()
 else: # called by parser, use given values
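Review bot: `type(self) == ConditionBase` and `sigma == None and op == None` in the new ConditionBase.__init__ use equality where identity is meant; `type(self) is ConditionBase` and `sigma is None and op is None` are the idiomatic forms and are immune to argument classes that override `__eq__`. The same pattern is repeated in ConditionBaseOneItem in the `-204` hunk. Note also that the parser path stores `self.items = args`, a tuple, while `add()` just below calls `self.items.append(item)`; that mismatch predates this change, but since the constructor is being moved it would be the moment to store `self.items = list(args)`. ConditionBaseOneItem's body continues past the end of the hunk.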
@@ -244,13 +234,30 @@ class ConditionNOT(ConditionBase):
 return None
-class ConditionNULLValue(ConditionNOT):
+class ConditionAND(ConditionBase):
+ """AND Condition"""
+ op = COND_AND
+
+
+class ConditionOR(ConditionBase):
+ """OR Condition"""
+ op = COND_OR
+
+
+class ConditionNOT(ConditionBaseOneItem):
+ """NOT Condition"""
+ op = COND_NOT
+
+
+class ConditionNULLValue(ConditionBaseOneItem):
 """Condition: Field value is empty or doesn't exists"""
+ op = COND_NULL
 pass
 class ConditionNotNULLValue(ConditionNULLValue):
 """Condition: Field value is not empty"""
+ op = COND_NULL
 pass
@@ -270,7 +277,7 @@ class SigmaSearchValueAsIs:
 def generateXOf(sigma, val, condclass):
 """
 Generic implementation of (1|all) of x expressions.
-
+
 * condclass across all list items if x is name of definition
 * condclass across all definitions if x is keyword 'them'
 * condclass across all matching definition if x is wildcard expression, e.g. 'selection*'
@@ -520,7 +527,7 @@ class SigmaConditionParser:
 open_token was '(' and tokens were ['(', '...', '(', '...', ')', ')']
 the first '(' should pair with the last ')' instead of the first ')'
-
+
 Parameters:
 tokens: the list of tokens
 start_index: the start index (included) of the input tokens for finding the close_token
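Review bot: ConditionNotNULLValue is given `op = COND_NULL`, the same value its parent ConditionNULLValue now carries, so any consumer that dispatches on `op` can no longer distinguish "is null" from "is not null" through that attribute; if this module defines a distinct constant for the not-null case it should be used here, otherwise a comment stating that `op` is deliberately shared and the classes are told apart by type would prevent a future mis-fix. The `pass` statements after the `op` assignments are redundant now that the class bodies are non-empty. The `-270` and `-520` hunks are whitespace-only and the latter is cut off at the end of this view.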