From bb758bdb0fefd337d88838375838d2a42a8af440 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 20 Oct 2021 21:20:04 +0200 Subject: [PATCH 001/113] manage start end regex --- tools/sigma/backends/elasticsearch.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index ab48a9e16..1ed69e2ce 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -153,6 +153,15 @@ class ElasticsearchWildcardHandlingMixin(object): elif type(value) == list: return self.generateMapItemListNode(transformed_fieldname, value) elif isinstance(value, SigmaTypeModifier): + #On elastic can not use ^ or $ re is full match + if isinstance(value,sigma.parser.modifiers.type.SigmaRegularExpressionModifier): + the_regex = value.value + if the_regex[0]=="^" and the_regex[-1]=="$": + value.value = the_regex[1:-1] + elif the_regex[0]=="^": + value.value = the_regex[1:] if the_regex[-2:] == ".*" else the_regex[1:] + ".*" + elif the_regex[-1]=="$": + value.value = the_regex[:-1] if the_regex[:2] == ".*" else ".*" +the_regex[:-1] return self.generateMapItemTypedNode(transformed_fieldname, value) elif value is None: return self.nullExpression % (transformed_fieldname, ) From f0dd02f483573e93c01f8931db7d31e44bfd739e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 29 Oct 2021 10:25:27 +0200 Subject: [PATCH 002/113] fix: FPs with Failed Logon Reason rule --- rules/windows/builtin/win_susp_failed_logon_reasons.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index b2379beb5..c5b66905d 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml 
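Review bot: `the_regex[0]` and `the_regex[-1]` raise IndexError on an empty regex value, and a pattern that ends in an escaped dollar such as `foo\$` is treated as anchored and stripped to `foo\`, leaving a dangling backslash in the query. Compute the anchors once with `starts_anchored = the_regex.startswith("^")` and `ends_anchored = the_regex.endswith("$") and not the_regex.endswith("\\$")` and branch on those instead of indexing. Since the comment says Elasticsearch evaluates the regex as a full match, a pattern with no anchor at all (`foo`) is affected in the same way but still gets no `.*` padding here; unless generateMapItemTypedNode already pads such patterns, that case needs the same treatment. Note also that assigning `value.value` mutates the parsed rule's modifier object in place, which is visible to anything that reuses the parsed rule after this backend has run. The enclosing method begins and ends outside the hunk.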
@@ -4,8 +4,9 @@ description: This method uses uncommon error codes on failed logons to determine restricted. author: Florian Roth date: 2017/02/19 -modified: 2020/08/23 +modified: 2021/10/29 references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 tags: - attack.persistence @@ -28,7 +29,9 @@ detection: - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine - condition: selection + filter: + SubjectUserSid: 'S-1-0-0' + condition: selection and not filter falsepositives: - User using a disabled account level: high From 2a2bfab06e379a07259917617620484a9285474c Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 1 Nov 2021 15:35:46 +0100 Subject: [PATCH 003/113] add win_pc_set_policies_to_unsecure_level --- .../win_pc_set_policies_to_unsecure_level.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml diff --git a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml new file mode 100644 index 000000000..7bc3f6a2f --- /dev/null +++ b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml 
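Review bot: The new `filter` drops every event whose `SubjectUserSid` is `S-1-0-0` without saying why; as far as I recall that NULL SID is the subject on most 4625 network (logon type 3) failures, so the filter likely removes a large share of the trust-relationship and authentication-firewall cases this rule lists, not only the noisy case the commit targeted. A short comment next to the filter would make the trade-off explicit, e.g. `# S-1-0-0 is the NULL SID; excluded to suppress the FPs seen in <FP source> - this also hides most network logon failures`. If the false positives came from a single status code, constraining the filter to that code rather than applying it to the whole selection would keep the remaining coverage.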
@@ -0,0 +1,28 @@ +title: Change PowerShell Policies to a Unsecure Level +id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 +description: Detects use of executionpolicy option to set a unsecure policies +references: + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 + - https://adsecurity.org/?p=2604 + - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ +tags: + - attack.execution + - attack.t1059.001 +author: frack113 +date: 2021/11/01 +logsource: + product: windows + category: process_creation +detection: + option: + CommandLine|contains: '-executionpolicy ' + level: + CommandLine|contains: + - 'Unrestricted' + - 'bypass' + - 'RemoteSigned' + condition: option and level +falsepositives: + - Administrator script +level: high From 802cdb0189a44ad6a1e8dc91d10bc0dbbab76778 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Mon, 1 Nov 2021 21:41:57 +0530 Subject: [PATCH 004/113] Added another application --- ...t_executable_and_script_creation_by_office_using_file_ext.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml index f0a453bd2..f6406ce9e 100644 --- a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -23,6 +23,7 @@ detection: - 'winword.exe' - 'excel.exe' - 'powerpnt.exe' + - 'outlook.exe' selection2: FileName|endswith: - ".exe" From dd7817917c9c9ba6abacc628c4b2f16c2b84c0a6 Mon Sep 17 00:00:00 2001 
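Review bot: `RemoteSigned` in the `level` selection will be noisy at `level: high`: it is the default execution policy on Windows Server and a common, legitimate choice in administrative scripts, which the rule's own `falsepositives` entry acknowledges. Consider dropping it or moving it to a separate lower-level rule and keeping `Unrestricted` and `bypass` here. The rule also lacks a `status:` field, and the wording should read `title: Change PowerShell Policies to an Insecure Level` and `description: Detects use of the -ExecutionPolicy option to set an insecure policy`.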
From: Pawel Mazur Date: Tue, 2 Nov 2021 17:04:39 +0100 Subject: [PATCH 005/113] Linux - Auditd - Loading of Kernel Module via Insmod rule --- .../auditd/lnx_auditd_load_module_insmod.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_load_module_insmod.yml diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml new file mode 100644 index 000000000..d57e4f9fb --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml @@ -0,0 +1,26 @@ +title: Loading of Kernel Module via Insmod +id: 106d7cbd-80ff-4985-b682-a7043e5acb72 +status: experimental +description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. +author: 'Pawel Mazur' +references: + - https://attack.mitre.org/techniques/T1547/006/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md + - https://linux.die.net/man/8/insmod + - https://man7.org/linux/man-pages/man8/kmod.8.html +logsource: + product: linux + service: auditd +detection: + insmod: + type: 'SYSCALL' + comm: insmod + exe: /usr/bin/kmod + condition: insmod +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1547.006 \ No newline at end of file From 30f13d41f57c058cd7c56cd6f0704e1679f3fbf8 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Tue, 2 Nov 2021 17:16:59 +0100 Subject: [PATCH 006/113] Update lnx_auditd_load_module_insmod.yml fixing missing date --- rules/linux/auditd/lnx_auditd_load_module_insmod.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
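Review bot: `exe: /usr/bin/kmod` pins a path that differs between distributions (as far as I know the binary resolves to `/bin/kmod` or `/sbin/kmod` on layouts without a merged /usr), so the rule silently misses module loads on those hosts; `exe|endswith: '/kmod'` or a list of the known locations would be more robust. The `type: 'SYSCALL'` match also only fires when auditd has a rule for the `init_module`/`finit_module` syscalls, which is worth stating in the description so deployers know the prerequisite, e.g. appending `Requires an audit rule for the init_module/finit_module syscalls.` to the `description:` text.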
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml index d57e4f9fb..399741fc4 100644 --- a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml +++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml @@ -3,6 +3,7 @@ id: 106d7cbd-80ff-4985-b682-a7043e5acb72 status: experimental description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. author: 'Pawel Mazur' +date: 2021/11/02 references: - https://attack.mitre.org/techniques/T1547/006/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md @@ -23,4 +24,4 @@ level: high tags: - attack.persistence - attack.privilege_escalation - - attack.t1547.006 \ No newline at end of file + - attack.t1547.006 From 5a4db26ec76b553b49dd546a173523940ce56d29 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 3 Nov 2021 15:14:34 +0100 Subject: [PATCH 007/113] add win_pc_susp_schtasks_user_temp --- .../win_pc_susp_schtasks_user_temp.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml new file mode 100644 index 000000000..714ec65d1 --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml 
@@ -0,0 +1,24 @@ +title: Suspicius Add Task From User AppData Temp +id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 +description: schtasks.exe create task from user AppData\Local\Temp +references: + - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 +tags: + - attack.execution + - attack.t1053.005 +author: frack113 +date: 2021/11/03 +logsource: + product: windows + category: process_creation +detection: + schtasks: + Image|endswith: 'schtasks.exe' + option: + CommandLine|contains|all: + - '/Create ' + - '\AppData\Temp' + condition: schtasks and option +falsepositives: + - unknown +level: high From be6186fa1cffc9b4108e3e3bb149f64f51fd321a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 3 Nov 2021 17:01:34 +0100 Subject: [PATCH 008/113] Forget the Local --- .../windows/process_creation/win_pc_susp_schtasks_user_temp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml index 714ec65d1..38d1e3c3e 100644 --- a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml +++ b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml @@ -17,7 +17,7 @@ detection: option: CommandLine|contains|all: - '/Create ' - - '\AppData\Temp' + - '\AppData\Local\Temp' condition: schtasks and option falsepositives: - unknown From edb145879136265ac9eeb02e1d0c3b6cb0a71b75 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 3 Nov 2021 20:45:21 +0100 Subject: [PATCH 009/113] add win_pc_susp_cmdl32_lolbas --- .../win_pc_susp_cmdl32_lolbas.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml 
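Review bot: The `references` entry `malware analyse https://www.joesandbox.com/...` mixes free text with the URL, which breaks tooling that expects each entry to be a bare link; keep only the URL (`- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04`). The title has a typo (`title: Suspicious Add Task From User AppData Temp`) and the rule lacks a `status:` field. `falsepositives: - unknown` is also a thin basis for `level: high`; installers or updaters that register a task from a user's temp directory may exist, so `level: medium` seems safer until matches have been validated.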
diff --git a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml new file mode 100644 index 000000000..dbcb32c60 --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -0,0 +1,28 @@ +title: Suspicious Cmdl32 Execution +id: f37aba28-a9e6-4045-882c-d5004043b337 +status: experimental +description: lolbas Cmdl32 is use to download a payload to evade antivirus +references: + - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ + - https://twitter.com/SwiftOnSecurity/status/1455897435063074824 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/03 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\cmdl32.exe' + CommandLine|contains|all: + - '/vpn ' + - '/lan ' + condition: selection +falsepositives: + - unknow +level: medium From 5506b1c5666caaa81344304f2e2895d4861616e6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 4 Nov 2021 13:42:04 +0100 Subject: [PATCH 010/113] add OriginalFileName --- .../process_creation/win_pc_susp_cmdl32_lolbas.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml index dbcb32c60..6ea4e27a1 100644 --- a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml +++ b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -16,13 +16,14 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: - - '\cmdl32.exe' + cmdl32: + - Image|endswith: '\cmdl32.exe' + - OriginalFileName: CMDL32.EXE + options: CommandLine|contains|all: - '/vpn ' - '/lan ' - condition: selection + condition: cmdl32 and options falsepositives: - unknow level: medium From 1ae596b634de23386aba382e93a34088a64de519 Mon Sep 17 00:00:00 2001 
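Review bot: `description: lolbas Cmdl32 is use to download a payload to evade antivirus` describes the technique rather than what the rule matches and has a grammar slip; something like `description: Detects cmdl32.exe executed with the /vpn and /lan options, which the LOLBAS project documents as a way to make the binary download a file` says what is detected. The `'/vpn '` and `'/lan '` strings with trailing spaces assume a single space separator; a tab or a quoted argument would not match, so `'/vpn'` and `'/lan'` without the trailing space are safer if the false-positive rate allows it.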
From: Tim Shelton Date: Thu, 4 Nov 2021 17:07:00 +0000 Subject: [PATCH 011/113] removing rule 867613fb-fa60-4497-a017-a82df74a172c . this is a duplicate of 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f and does not contain an allow list of known processes. --- ...sysmon_powershell_execution_moduleload.yml | 29 ------------------- 1 file changed, 29 deletions(-) delete mode 100755 rules/windows/image_load/sysmon_powershell_execution_moduleload.yml diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml deleted file mode 100755 index 111759c39..000000000 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: PowerShell Execution -id: 867613fb-fa60-4497-a017-a82df74a172c -description: Detects execution of PowerShell -status: experimental -date: 2019/09/12 -modified: 2019/11/10 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 -logsource: - category: image_load - product: windows -detection: - selection: - Description: 'System.Management.Automation' - ImageLoaded|contains: 'System.Management.Automation' - condition: selection -fields: - - ComputerName - - Image - - ProcessID - - ImageLoaded -falsepositives: - - Unknown -level: medium From e058e56c2231311b3ae10ca93eb772f9d43b461b Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 4 Nov 2021 18:07:16 +0100 Subject: [PATCH 012/113] fix unknown --- rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml index 6ea4e27a1..2bd94ad65 100644 
--- a/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml +++ b/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -25,5 +25,5 @@ detection: - '/lan ' condition: cmdl32 and options falsepositives: - - unknow + - unknown level: medium From e266491f0a270b210d2c7dc83e4a9f0b146b8f5f Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 4 Nov 2021 18:36:55 +0000 Subject: [PATCH 013/113] adding obsoletes tags --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index d4f1dcd25..16e0993fa 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -1,5 +1,8 @@ title: In-memory PowerShell id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f +related: + id: 867613fb-fa60-4497-a017-a82df74a172c + type: obsoletes status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. author: Tom Kern, oscd.community, Natalia Shornikova From dda204bd51e193751a00d5abe60398565871d254 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 4 Nov 2021 18:56:07 +0000 Subject: [PATCH 014/113] updating yaml --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index 16e0993fa..5ca45f7d1 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml 
@@ -1,8 +1,8 @@ title: In-memory PowerShell id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f related: - id: 867613fb-fa60-4497-a017-a82df74a172c - type: obsoletes + - id: 867613fb-fa60-4497-a017-a82df74a172c + type: obsoletes status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. author: Tom Kern, oscd.community, Natalia Shornikova From a3f3ec84c9f30c682f638705fd91c93f2c1bb844 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 5 Nov 2021 13:16:24 +0100 Subject: [PATCH 015/113] fix product windows case --- ...ript_creation_by_office_using_file_ext.yml | 26 +++++++++---------- ...ript_creation_by_office_using_file_ext.yml | 2 +- ...reation_lolbins_by_office_applications.yml | 2 +- ...n_lolbins_with_wmiprvse_parent_process.yml | 2 +- ..._from_proxy_executing_regsvr32_payload.yml | 2 +- ...from_proxy_executing_regsvr32_payload2.yml | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml index f6406ce9e..ac0f39659 100644 --- a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions and magic bytes to the logic of your choice. 
@@ -26,20 +26,20 @@ detection: - 'outlook.exe' selection2: FileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" selection3: FileMagicBytes|startswith: - - "4D5A" + - "4D5A" condition: selection1 and (selection2 or selection3) falsepositives: -- Unknown + - Unknown level: high diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index e5da93512..107cdd312 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions to the logic of your choice. diff --git a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml index 4f887b912..54af48794 100644 --- a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index 9dab9d437..9a2bd4996 100644 
--- a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 1ae6fc02a..3fb743549 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 36b6d571e..e752a0c9b 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. From 588c3a1b0b94c2a79d98a9cc5546953a1d1c99f2 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 5 Nov 2021 18:12:57 -0500 Subject: [PATCH 016/113] Create win_susp_registration_via_cscript.yml --- .../win_susp_registration_via_cscript.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_registration_via_cscript.yml diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml new file mode 100644 index 000000000..08ddbea38 --- /dev/null +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml @@ -0,0 +1,30 @@ +title: Suspicious Registration via cscript.exe +id: 28c8f68b-098d-45af-8d43-8089f3e35403 +description: Detects when +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/05 +references: +- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 +- https://ss64.com/vb/cscript.html +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\cscript.exe' + CommandLine|contains|all: + - '-register' + - '\Windows Kits\10\bin\10.0.22000.0\x64\register_app.vbs' + - '\Windows Kits\10\bin\10.0.19041.0\x64\register_app.vbs' + - '\Windows Kits\10\bin\10.0.17763.0\x64\register_app.vbs' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: +- attack.defense_evasion +- attack.t1218 +level: medium +falsepositives: +- None From 5778b6e24f75706a81c2df54de1bdf0634e3ae4b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 5 Nov 2021 18:14:42 -0500 Subject: [PATCH 017/113] Update win_susp_registration_via_cscript.yml --- .../process_creation/win_susp_registration_via_cscript.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml index 08ddbea38..354b8fdaa 100644 
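Review bot: `CommandLine|contains|all` requires every listed string to appear in the same command line, so the three version-specific `\Windows Kits\10\bin\<version>\x64\` paths can never all be present at once and the selection cannot match; the later edits of this selection in commits 017 and 019 only shorten the strings and keep the same `all` modifier, so they carry the same problem. Split the path list into its own selection with plain `contains` (OR semantics) and keep `all` only where every string must be present. `falsepositives: - None` should also be a real statement, e.g. `- Legitimate registration of a VSS/VDS provider by an administrator`, and the version-pinned paths miss every other SDK build, so a single `'\Windows Kits\10\bin\'` plus `'\x64\register_app.vbs'` pair under `contains|all` may be preferable.
```yaml
detection:
    selection:
        Image|endswith: '\cscript.exe'
        CommandLine|contains: '-register'
    selection_sdk:
        CommandLine|contains:
            - '\Windows Kits\10\bin\10.0.22000.0\x64\register_app.vbs'
            - '\Windows Kits\10\bin\10.0.19041.0\x64\register_app.vbs'
            - '\Windows Kits\10\bin\10.0.17763.0\x64\register_app.vbs'
    condition: selection and selection_sdk
# … unchanged: fields, tags, level, falsepositives …
```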
--- a/rules/windows/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml @@ -15,9 +15,9 @@ detection: Image|endswith: '\cscript.exe' CommandLine|contains|all: - '-register' - - '\Windows Kits\10\bin\10.0.22000.0\x64\register_app.vbs' - - '\Windows Kits\10\bin\10.0.19041.0\x64\register_app.vbs' - - '\Windows Kits\10\bin\10.0.17763.0\x64\register_app.vbs' + - '\Windows Kits\10\bin\10.0.22000.0\x64\' + - '\Windows Kits\10\bin\10.0.19041.0\x64\' + - '\Windows Kits\10\bin\10.0.17763.0\x64\' condition: selection fields: - CommandLine From aec6f40203dde71cc256d5dfc424f750b83b5041 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 5 Nov 2021 18:15:24 -0500 Subject: [PATCH 018/113] Update win_susp_registration_via_cscript.yml --- .../process_creation/win_susp_registration_via_cscript.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml index 354b8fdaa..f3aacaf31 100644 --- a/rules/windows/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml @@ -1,6 +1,6 @@ title: Suspicious Registration via cscript.exe id: 28c8f68b-098d-45af-8d43-8089f3e35403 -description: Detects when +description: Detects when the registration of a VSS/VDS Provider as a COM+ application. status: experimental author: Austin Songer @austinsonger date: 2021/11/05 From b30aec65de34f3fe92c061dd3ad7c680b224c97a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 5 Nov 2021 18:45:49 -0500 Subject: [PATCH 019/113] Update win_susp_registration_via_cscript.yml --- .../process_creation/win_susp_registration_via_cscript.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
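Review bot: The new `description: Detects when the registration of a VSS/VDS Provider as a COM+ application.` has no main verb after "when" and does not name the mechanism the selection keys on; `description: Detects the registration of a VSS/VDS provider as a COM+ application through cscript.exe run against the Windows 10 SDK bin directory.` reads cleanly and tells the analyst what to expect in the matched command line. If the referenced tweet describes a different mechanism, adjust the wording accordingly.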
diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml index f3aacaf31..c529c7ca7 100644 --- a/rules/windows/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml @@ -15,9 +15,9 @@ detection: Image|endswith: '\cscript.exe' CommandLine|contains|all: - '-register' - - '\Windows Kits\10\bin\10.0.22000.0\x64\' - - '\Windows Kits\10\bin\10.0.19041.0\x64\' - - '\Windows Kits\10\bin\10.0.17763.0\x64\' + - '\Windows Kits\10\bin\10.0.22000.0\x64' + - '\Windows Kits\10\bin\10.0.19041.0\x64' + - '\Windows Kits\10\bin\10.0.17763.0\x64' condition: selection fields: - CommandLine From 68d30293b55519534cb679c8768afd99a984a426 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 6 Nov 2021 10:16:16 +0100 Subject: [PATCH 020/113] Cleanup process_creation --- .../process_creation_command_execution_by_office_applications.yml | 0 .../win_exchange_proxylogon_oabvirtualdir.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_creation => other}/process_creation_command_execution_by_office_applications.yml (100%) rename rules/windows/{process_creation => other}/win_exchange_proxylogon_oabvirtualdir.yml (100%) diff --git a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/windows/other/process_creation_command_execution_by_office_applications.yml similarity index 100% rename from rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml rename to rules/windows/other/process_creation_command_execution_by_office_applications.yml 
diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml similarity index 100% rename from rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml rename to rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml From aa8694fdefbfb2e5071a2c657d15283c00b21c18 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 6 Nov 2021 10:17:12 +0100 Subject: [PATCH 021/113] add missing category --- rules/windows/process_creation/win_task_folder_evasion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index 402ff3615..e45421438 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2021/05/30 +modified: 2021/11/06 author: Sreeman tags: - attack.defense_evasion @@ -15,9 +15,9 @@ tags: - attack.t1574.002 - attack.t1059 # an old one - attack.t1064 # an old one - logsource: product: windows + category: process_creation detection: selection1: CommandLine|contains: From 8291aba4d33c8c929bdd489f0cc24edd2b8412ed Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Sat, 6 Nov 2021 15:45:34 -0400 Subject: [PATCH 022/113] remove duplicate exclusion exclude_tlds was listed twice --- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 242a62d9f..0b20b2bce 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
@@ -44,7 +44,7 @@ detection: - '137' - '138' - '139' - condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) + condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) falsepositives: - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' From e51dab10c265b2bab68e2a927bb431db17fd8a16 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 7 Nov 2021 09:55:02 +0100 Subject: [PATCH 023/113] fix logsources --- .../pipe_created/sysmon_susp_adfs_namedpipe_connection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index f1bc4e86d..04b903fe0 100644 --- a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml @@ -3,7 +3,7 @@ id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. status: experimental date: 2021/10/08 -modified: 2021/10/08 +modified: 2021/11/07 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml @@ -14,7 +14,7 @@ tags: - attack.t1005 logsource: product: windows - service: pipe_connected + category: pipe_created detection: selection: PipeName: '\MICROSOFT##WID\tsql\query' 
@@ -30,4 +30,4 @@ detection: condition: selection and not filter falsepositives: - Processes in the filter condition -level: critical \ No newline at end of file +level: critical From 46727620100df6c124a1d6c9bc9ede5621ba61c7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 7 Nov 2021 21:57:40 +0100 Subject: [PATCH 024/113] add win_pc_susp_zipexec --- .../process_creation/win_pc_susp_zipexec.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_zipexec.yml diff --git a/rules/windows/process_creation/win_pc_susp_zipexec.yml b/rules/windows/process_creation/win_pc_susp_zipexec.yml new file mode 100644 index 000000000..427cf76ea --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_zipexec.yml @@ -0,0 +1,33 @@ +title: Suspicious ZipExec Execution +id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 +status: experimental +description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +references: + - https://twitter.com/SBousseaden/status/1451237393017839616 + - https://github.com/Tylous/ZipExec +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/07 +logsource: + category: process_creation + product: windows +detection: + run: + CommandLine|contains|all: + - '/generic:Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + - '/pass:' + - '/user:' + delete: + CommandLine|contains|all: + - '/delete' + - 'Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + condition: run or delete +falsepositives: + - unknown +level: medium From 20f4099cec6b454bc26b91293f9fe20d17a103f8 Mon Sep 17 00:00:00 2001 
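Review bot: The two selections key on cmdkey.exe switches (`/generic:`, `/user:`, `/pass:`, `/delete`) around the `Microsoft_Windows_Shell_ZipFolder:filename=` credential target, but neither the description nor a `definition:` says so, so an analyst triaging a hit has to infer from the strings that this is ZipExec's credential-manager loader. I would add a second sentence to the description such as `Detects the cmdkey commands ZipExec appears to use to store (and later remove) the zip password as a generic credential.`. `falsepositives: - unknown` is lower-case where the neighbouring rules in this series use `Unknown`/`Unlikely`.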
From: Florian Roth Date: Mon, 8 Nov 2021 11:21:40 +0100 Subject: [PATCH 025/113] rule: Kirbi file creation --- ...ile_event_mimikatz_kirbi_file_creation.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml new file mode 100644 index 000000000..63ef4dac0 --- /dev/null +++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -0,0 +1,21 @@ +title: Mimikatz Kirbi File Creation +id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 +status: test +description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz +author: Florian Roth +references: + - https://cobalt.io/blog/kerberoast-attack-techniques +modified: 2021/11/08 +tags: + - attack.credential_access + - attack.t1558 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '.kirbi' + condition: selection +falsepositives: + - Unlikely +level: critical From d43f845157c141762272d6ad7b5983b72630a9fc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 8 Nov 2021 11:21:49 +0100 Subject: [PATCH 026/113] Update proxy_cobalt_malformed_uas.yml --- rules/proxy/proxy_cobalt_malformed_uas.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index 419c0f120..75b258d15 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml 
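Review bot: The new rule carries `modified: 2021/11/08` but no `date:` field, so its first modification predates any creation date; for a freshly added rule this line should be `date: 2021/11/08`, with `modified:` reserved for later edits. `status: test` is also unusual for a brand-new rule in this series (the others added here use `experimental`); if the rule was ported from an already-tested source, a reference to that source would justify the status. The logic itself is a single `TargetFilename|endswith: '.kirbi'` match, which is what the description promises.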
@@ -4,17 +4,20 @@ status: experimental description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike author: Florian Roth date: 2021/05/06 +modified: 2021/11/02 references: - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ logsource: category: proxy detection: - selection: + selection1: c-useragent: - - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" - - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" - condition: selection + - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" + - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" + - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + selection2: + c-useragent|endswith: '; MANM; MANM)' + condition: 1 of them falsepositives: - Unknown level: critical From 8ed456258fd0807c8ee8d1a36d56d57a8b50745e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 8 Nov 2021 18:22:23 +0100 Subject: [PATCH 027/113] Use correct pipenv version --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 2d1f625b3..88c6d0502 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -24,7 +24,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install pipenv + pip install pipenv==2021.5.29 pipenv lock pipenv install --dev --deploy - name: Test Sigma Tools and Rules From 3430943746506f065f08e32337e3d172124fb7dc Mon Sep 17 00:00:00 2001 
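Review bot: `condition: 1 of them` pulls in every selection in the rule, so a `filter:` added later would be OR-ed in as a positive match instead of excluded; since both selections are already named `selection1`/`selection2`, `condition: 1 of selection*` expresses the same intent and stays safe under future edits. The `modified: 2021/11/02` stamp also predates the commit date (2021/11/08) and should be aligned with it.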
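Review bot: `pip install pipenv==2021.5.29` carries no comment saying why that release is required, so the next person upgrading has no way to tell whether the constraint is still needed; a one-liner such as `pip install pipenv==2021.5.29  # pinned: see <tracking-issue placeholder>; revisit before bumping` keeps it maintainable. Note that the `python -m pip install --upgrade pip` line just above it is still unpinned, so the job's toolchain is only partly reproducible; pinning pip as well (or switching to hash-checked installs) would finish the job the commit starts.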
From: frack113 Date: Tue, 9 Nov 2021 07:27:25 +0100 Subject: [PATCH 028/113] standardization --- ...crosoft365_activity_by_terminated_user.yml | 2 +- ...5_activity_from_anonymous_ip_addresses.yml | 2 +- ...ft365_activity_from_infrequent_country.yml | 2 +- ..._data_exfiltration_to_unsanctioned_app.yml | 2 +- ...rosoft365_from_suspicious_ip_addresses.yml | 2 +- ...icrosoft365_impossible_travel_activity.yml | 2 +- ...crosoft365_logon_from_risky_ip_address.yml | 2 +- ...osoft365_potential_ransomware_activity.yml | 2 +- ...crosoft365_suspicious_inbox_forwarding.yml | 2 +- ...ous_oauth_app_file_download_activities.yml | 2 +- ...oft365_unusual_volume_of_file_deletion.yml | 2 +- ...365_user_restricted_from_sending_email.yml | 2 +- tools/config/generic/m365.yml | 61 ++++++++++--------- 13 files changed, 43 insertions(+), 42 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index c24d42b67..e9c4857d9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 7b3a72716..1b75ffd8e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9aa5ab394..34557397e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 831a15ed6..b224f6014 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 9be142d81..bf3b9d459 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatDetection - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 68146567b..8531eaef5 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml 
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index b71a4344b..e9a282bd0 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index b5571ef94..936b3c708 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 513e4f1b0..61f478323 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 6dbc4be42..df7d6e742 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml index 53bbf8ff2..84e368e0f 100644 --- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml index b969efece..c0c02669d 100644 --- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index de769059c..c83606056 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml 
@@ -1,32 +1,33 @@ title: Microsoft 365 Rules order: 10 -ThreatManagement: - product: m365 - category: ThreatManagement - conditions: - eventSource: SecurityComplianceCenter -AccessGovernance: - product: m365 - category: AccessGovernance - conditions: - eventSource: SecurityComplianceCenter -CloudDiscovery: - product: m365 - category: CloudDiscovery - conditions: - eventSource: SecurityComplianceCenter -DataLossPrevention: - product: m365 - category: DataLossPrevention - conditions: - eventSource: SecurityComplianceCenter -ThreatDetection: - product: m365 - category: ThreatDetection - conditions: - eventSource: SecurityComplianceCenter -SharingControl: - product: m365 - category: SharingControl - conditions: - eventSource: SecurityComplianceCenter +logsources: + ThreatManagement: + product: m365 + category: ThreatManagement + conditions: + eventSource: SecurityComplianceCenter + AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter + CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter + DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter + ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter + SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter From 8f39ef9ed1fb228067c0d8ba194d6a6cc57ef414 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 10:41:09 +0100 Subject: [PATCH 029/113] normalize logsource --- .../edr_command_execution_by_office_applications.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{other/process_creation_command_execution_by_office_applications.yml => edr/edr_command_execution_by_office_applications.yml} (100%) 
diff --git a/rules/windows/other/process_creation_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml similarity index 100% rename from rules/windows/other/process_creation_command_execution_by_office_applications.yml rename to rules/windows/edr/edr_command_execution_by_office_applications.yml From 6c19303aa442f81bf4e4f5cfd6d5718a7790065a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 10:48:13 +0100 Subject: [PATCH 030/113] normalize logsource --- .../builtin/win_hybridconnectionmgr_svc_running.yml | 2 +- .../edr/edr_command_execution_by_office_applications.yml | 7 ++++--- rules/windows/other/win_ldap_recon.yml | 2 +- rules/windows/other/win_system_defender_disabled.yml | 4 ++-- tools/config/winlogbeat-modules-enabled.yml | 5 +++++ 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml index f2fb29d7d..de445a56a 100644 --- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml +++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: product: windows - service: Microsoft-ServiceBus-Client + service: microsoft-servicebus-client detection: selection: EventID: diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml index 19133d219..d8496c10d 100644 --- a/rules/windows/edr/edr_command_execution_by_office_applications.yml +++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml 
@@ -1,4 +1,4 @@ -title: WMI Command Execution by Office Applications +title: EDR WMI Command Execution by Office Applications id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: @@ -13,9 +13,10 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: EndPoint Detection Logs - category: process_creation + product: windows + category: edr detection: #useful_information: Add more office applications to the rule logic of choice selection1: diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml index ee8ff3db5..e0a9559dd 100644 --- a/rules/windows/other/win_ldap_recon.yml +++ b/rules/windows/other/win_ldap_recon.yml @@ -9,8 +9,8 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs logsource: - category: ldap_query product: windows + service: ldap_debug definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging' detection: generic_search: diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml index 15114f1dc..1d4838ea0 100644 --- a/rules/windows/other/win_system_defender_disabled.yml +++ b/rules/windows/other/win_system_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/09/21 +modified: 2021/11/09 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -17,7 +17,7 @@ tags: - attack.t1562.001 logsource: product: windows - category: system + service: system detection: selection3: EventID: 7036 
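Review bot: `category: edr` is not, as far as I can tell, a category in the Sigma log-source taxonomy, and the only backend-config change in this commit is the `microsoft-servicebus-client` entry in winlogbeat-modules-enabled.yml, so the rule will not receive a log-source mapping from the shipped configs after this rename; the same applies to `service: ldap_debug` in the win_ldap_recon.yml hunk of this commit. The ldap rule at least documents its source via `definition:`; the edr rule should get an equivalent line, e.g. `definition: 'Requires process creation telemetry from an EDR product; no generic backend mapping exists for this category'`, so that users know a custom config is needed.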
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index d7ec0f095..07c3c4e09 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -100,6 +100,11 @@ logsources: service: msexchange-management conditions: winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' From e1ecd379fa2d66e1f1089b38e1a1401e00661fd8 Mon Sep 17 00:00:00 2001 From: David Vassallo Date: Tue, 9 Nov 2021 13:38:31 +0200 Subject: [PATCH 031/113] Update elk-winlogbeat.yml Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml` --- tools/config/elk-winlogbeat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 8a9f000a0..97dfe3ec8 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -111,6 +111,7 @@ fieldmappings: PipeName: event_data.PipeName ProcessName: event_data.ProcessName Properties: event_data.Properties + RelativeTargetName: event_data.RelativeTargetName ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName ShareName: event_data.ShareName From c7259b6196560b5f62f17eaea6403c45a09251c0 Mon Sep 17 00:00:00 2001 From: Entropy0 Date: Tue, 9 Nov 2021 13:19:53 +0100 Subject: [PATCH 032/113] fix condition token inheritance Without this fix, isinstance(ConditionOR(), ConditionAND) yields True --- tools/sigma/parser/condition.py | 53 +++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 23 deletions(-) 
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 644e24816..9fa787503 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -191,8 +191,14 @@ class ConditionBase(ParseTreeNode): op = COND_NONE items = None - def __init__(self): - raise NotImplementedError("ConditionBase is no usable class") + def __init__(self, sigma=None, op=None, *args): + if type(self) == ConditionBase: + raise NotImplementedError("ConditionBase is no usable class") + + if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty + self.items = list() + else: # called by parser, use given values + self.items = args def add(self, item): self.items.append(item) @@ -204,27 +210,11 @@ class ConditionBase(ParseTreeNode): return len(self.items) -class ConditionAND(ConditionBase): - """AND Condition""" - op = COND_AND - - def __init__(self, sigma=None, op=None, *args): - if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty - self.items = list() - else: # called by parser, use given values - self.items = args - - -class ConditionOR(ConditionAND): - """OR Condition""" - op = COND_OR - - -class ConditionNOT(ConditionBase): - """NOT Condition""" - op = COND_NOT - +class ConditionBaseOneItem(ConditionBase): def __init__(self, sigma=None, op=None, val=None): + if type(self) == ConditionBaseOneItem: + raise NotImplementedError("ConditionBaseOneItem is no usable class") + if sigma == None and op == None and val == None: # no parameters given - initialize empty self.items = list() else: # called by parser, use given values 
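Review bot: `self.items = args` in the new `ConditionBase.__init__` stores the `*args` tuple, while `add()` two lines below does `self.items.append(item)`, so a parser-constructed node that is later extended would raise AttributeError; `self.items = list(args)` keeps both construction paths on a list. This was already the case in the `ConditionAND.__init__` the commit removes, so it is inherited rather than introduced, but it now sits on the base class that every condition goes through. Also `sigma == None and op == None` and `type(self) == ConditionBase` should read `sigma is None and op is None` and `type(self) is ConditionBase`; the same applies to the `ConditionBaseOneItem.__init__` in the next hunk. The `op` parameter is accepted but never read (the class attribute `op` is what is used), which deserves a short comment so nobody "fixes" it.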
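Review bot: `ConditionBaseOneItem` is a new class with no docstring while every sibling in this file carries one (`"""AND Condition"""`, `"""NOT Condition"""`); I would add `"""Base for conditions that carry exactly one operand (NOT and the NULL-value checks); not instantiable itself"""` directly under the class line. The hunk ends inside `__init__`, so the remainder of the body (the `val` handling) is outside this view.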
@@ -244,13 +234,30 @@ class ConditionNOT(ConditionBase): return None -class ConditionNULLValue(ConditionNOT): +class ConditionAND(ConditionBase): + """AND Condition""" + op = COND_AND + + +class ConditionOR(ConditionBase): + """OR Condition""" + op = COND_OR + + +class ConditionNOT(ConditionBaseOneItem): + """NOT Condition""" + op = COND_NOT + + +class ConditionNULLValue(ConditionBaseOneItem): """Condition: Field value is empty or doesn't exists""" + op = COND_NULL pass class ConditionNotNULLValue(ConditionNULLValue): """Condition: Field value is not empty""" + op = COND_NULL pass From c8f488eabf94271e79ac874099464a18246675f6 Mon Sep 17 00:00:00 2001 
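Review bot: Re-parenting `ConditionNULLValue` from `ConditionNOT` to `ConditionBaseOneItem` means `isinstance(node, ConditionNOT)` is no longer true for NULL-value nodes; any backend that dispatches on `isinstance` and handled them through its `ConditionNOT` branch will silently take a different path, so the backends should be checked for that before merging (backends using exact `type(node) ==` comparisons are unaffected). The explicit `op = COND_NULL` on `ConditionNotNULLValue` duplicates what it already inherits from `ConditionNULLValue`, and the `pass` statements under both classes are now dead since each body has a real statement; if the two are meant to be distinguishable via `op`, the not-null class needs its own constant rather than the same value (assuming `COND_NULL` is defined with the other `COND_*` constants above this hunk).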
From: frack113 Date: Tue, 9 Nov 2021 13:27:20 +0100 Subject: [PATCH 033/113] move to builtin --- rules/linux/{ => builtin}/lnx_apt_equationgroup_lnx.yml | 0 rules/linux/{ => builtin}/lnx_buffer_overflows.yml | 0 rules/linux/{ => builtin}/lnx_clear_syslog.yml | 0 rules/linux/{ => builtin}/lnx_file_copy.yml | 0 rules/linux/{ => builtin}/lnx_ldso_preload_injection.yml | 0 rules/linux/{ => builtin}/lnx_proxy_connection.yml | 0 rules/linux/{ => builtin}/lnx_setgid_setuid.yml | 0 rules/linux/{ => builtin}/lnx_shell_clear_cmd_history.yml | 0 rules/linux/{ => builtin}/lnx_shell_priv_esc_prep.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_commands.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_log_entries.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_rev_shells.yml | 0 rules/linux/{ => builtin}/lnx_shellshock.yml | 0 rules/linux/{ => builtin}/lnx_space_after_filename_.yml | 0 rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287.yml | 0 rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287_user.yml | 0 rules/linux/{ => builtin}/lnx_susp_jexboss.yml | 0 rules/linux/{ => builtin}/lnx_symlink_etc_passwd.yml | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => builtin}/lnx_apt_equationgroup_lnx.yml (100%) rename rules/linux/{ => builtin}/lnx_buffer_overflows.yml (100%) rename rules/linux/{ => builtin}/lnx_clear_syslog.yml (100%) rename rules/linux/{ => builtin}/lnx_file_copy.yml (100%) rename rules/linux/{ => builtin}/lnx_ldso_preload_injection.yml (100%) rename rules/linux/{ => builtin}/lnx_proxy_connection.yml (100%) rename rules/linux/{ => builtin}/lnx_setgid_setuid.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_clear_cmd_history.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_priv_esc_prep.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_commands.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_log_entries.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_rev_shells.yml (100%) rename rules/linux/{ => 
builtin}/lnx_shellshock.yml (100%) rename rules/linux/{ => builtin}/lnx_space_after_filename_.yml (100%) rename rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287.yml (100%) rename rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287_user.yml (100%) rename rules/linux/{ => builtin}/lnx_susp_jexboss.yml (100%) rename rules/linux/{ => builtin}/lnx_symlink_etc_passwd.yml (100%) diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml similarity index 100% rename from rules/linux/lnx_apt_equationgroup_lnx.yml rename to rules/linux/builtin/lnx_apt_equationgroup_lnx.yml diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml similarity index 100% rename from rules/linux/lnx_buffer_overflows.yml rename to rules/linux/builtin/lnx_buffer_overflows.yml diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml similarity index 100% rename from rules/linux/lnx_clear_syslog.yml rename to rules/linux/builtin/lnx_clear_syslog.yml diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml similarity index 100% rename from rules/linux/lnx_file_copy.yml rename to rules/linux/builtin/lnx_file_copy.yml diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml similarity index 100% rename from rules/linux/lnx_ldso_preload_injection.yml rename to rules/linux/builtin/lnx_ldso_preload_injection.yml diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml similarity index 100% rename from rules/linux/lnx_proxy_connection.yml rename to rules/linux/builtin/lnx_proxy_connection.yml diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/builtin/lnx_setgid_setuid.yml similarity index 100% rename from rules/linux/lnx_setgid_setuid.yml rename to rules/linux/builtin/lnx_setgid_setuid.yml 
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml similarity index 100% rename from rules/linux/lnx_shell_clear_cmd_history.yml rename to rules/linux/builtin/lnx_shell_clear_cmd_history.yml diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/builtin/lnx_shell_priv_esc_prep.yml similarity index 100% rename from rules/linux/lnx_shell_priv_esc_prep.yml rename to rules/linux/builtin/lnx_shell_priv_esc_prep.yml diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml similarity index 100% rename from rules/linux/lnx_shell_susp_commands.yml rename to rules/linux/builtin/lnx_shell_susp_commands.yml diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml similarity index 100% rename from rules/linux/lnx_shell_susp_log_entries.yml rename to rules/linux/builtin/lnx_shell_susp_log_entries.yml diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml similarity index 100% rename from rules/linux/lnx_shell_susp_rev_shells.yml rename to rules/linux/builtin/lnx_shell_susp_rev_shells.yml diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml similarity index 100% rename from rules/linux/lnx_shellshock.yml rename to rules/linux/builtin/lnx_shellshock.yml diff --git a/rules/linux/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml similarity index 100% rename from rules/linux/lnx_space_after_filename_.yml rename to rules/linux/builtin/lnx_space_after_filename_.yml diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml similarity index 100% rename from rules/linux/lnx_sudo_cve_2019_14287.yml rename to rules/linux/builtin/lnx_sudo_cve_2019_14287.yml 
diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml similarity index 100% rename from rules/linux/lnx_sudo_cve_2019_14287_user.yml rename to rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml similarity index 100% rename from rules/linux/lnx_susp_jexboss.yml rename to rules/linux/builtin/lnx_susp_jexboss.yml diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml similarity index 100% rename from rules/linux/lnx_symlink_etc_passwd.yml rename to rules/linux/builtin/lnx_symlink_etc_passwd.yml From e8a36ace969c0d5e90c9159b9325eff0e6f0fa12 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 13:32:22 +0100 Subject: [PATCH 034/113] move to other --- rules/linux/{ => other}/lnx_clamav.yml | 0 rules/linux/{ => other}/lnx_security_tools_disabling_syslog.yml | 0 rules/linux/{ => other}/lnx_ssh_cve_2018_15473.yml | 0 rules/linux/{ => other}/lnx_susp_failed_logons_single_source.yml | 0 rules/linux/{ => other}/lnx_susp_guacamole.yml | 0 rules/linux/{ => other}/lnx_susp_named.yml | 0 rules/linux/{ => other}/lnx_susp_ssh.yml | 0 rules/linux/{ => other}/lnx_susp_vsftp.yml | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => other}/lnx_clamav.yml (100%) rename rules/linux/{ => other}/lnx_security_tools_disabling_syslog.yml (100%) rename rules/linux/{ => other}/lnx_ssh_cve_2018_15473.yml (100%) rename rules/linux/{ => other}/lnx_susp_failed_logons_single_source.yml (100%) rename rules/linux/{ => other}/lnx_susp_guacamole.yml (100%) rename rules/linux/{ => other}/lnx_susp_named.yml (100%) rename rules/linux/{ => other}/lnx_susp_ssh.yml (100%) rename rules/linux/{ => other}/lnx_susp_vsftp.yml (100%) 
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/other/lnx_clamav.yml similarity index 100% rename from rules/linux/lnx_clamav.yml rename to rules/linux/other/lnx_clamav.yml diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml similarity index 100% rename from rules/linux/lnx_security_tools_disabling_syslog.yml rename to rules/linux/other/lnx_security_tools_disabling_syslog.yml diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/other/lnx_ssh_cve_2018_15473.yml similarity index 100% rename from rules/linux/lnx_ssh_cve_2018_15473.yml rename to rules/linux/other/lnx_ssh_cve_2018_15473.yml diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/other/lnx_susp_failed_logons_single_source.yml similarity index 100% rename from rules/linux/lnx_susp_failed_logons_single_source.yml rename to rules/linux/other/lnx_susp_failed_logons_single_source.yml diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/other/lnx_susp_guacamole.yml similarity index 100% rename from rules/linux/lnx_susp_guacamole.yml rename to rules/linux/other/lnx_susp_guacamole.yml diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml similarity index 100% rename from rules/linux/lnx_susp_named.yml rename to rules/linux/other/lnx_susp_named.yml diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml similarity index 100% rename from rules/linux/lnx_susp_ssh.yml rename to rules/linux/other/lnx_susp_ssh.yml diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml similarity index 100% rename from rules/linux/lnx_susp_vsftp.yml rename to rules/linux/other/lnx_susp_vsftp.yml From 18fea95b86b40ac4b6f7a7aa041f1273d2f73ead Mon Sep 17 00:00:00 2001 
From: frack113
Date: Tue, 9 Nov 2021 13:33:58 +0100
Subject: [PATCH 035/113] move to macos
---
rules/linux/{ => macos}/macos_applescript.yml | 0
rules/linux/{ => macos}/macos_base64_decode.yml | 0
rules/linux/{ => macos}/macos_binary_padding.yml | 0
rules/linux/{ => macos}/macos_change_file_time_attr.yml | 0
rules/linux/{ => macos}/macos_clear_system_logs.yml | 0
rules/linux/{ => macos}/macos_create_account.yml | 0
rules/linux/{ => macos}/macos_create_hidden_account.yml | 0
rules/linux/{ => macos}/macos_creds_from_keychain.yml | 0
rules/linux/{ => macos}/macos_disable_security_tools.yml | 0
rules/linux/{ => macos}/macos_emond_launch_daemon.yml | 0
rules/linux/{ => macos}/macos_file_and_directory_discovery.yml | 0
rules/linux/{ => macos}/macos_find_cred_in_files.yml | 0
rules/linux/{ => macos}/macos_gui_input_capture.yml | 0
rules/linux/{ => macos}/macos_local_account.yml | 0
rules/linux/{ => macos}/macos_local_groups.yml | 0
rules/linux/{ => macos}/macos_network_service_scanning.yml | 0
rules/linux/{ => macos}/macos_network_sniffing.yml | 0
rules/linux/{ => macos}/macos_remote_system_discovery.yml | 0
rules/linux/{ => macos}/macos_schedule_task_job_cron.yml | 0
rules/linux/{ => macos}/macos_screencapture.yml | 0
rules/linux/{ => macos}/macos_security_software_discovery.yml | 0
rules/linux/{ => macos}/macos_split_file_into_pieces.yml | 0
rules/linux/{ => macos}/macos_startup_items.yml | 0
rules/linux/{ => macos}/macos_susp_histfile_operations.yml | 0
.../{ => macos}/macos_suspicious_macos_firmware_activity.yml | 0
.../{ => macos}/macos_system_network_connections_discovery.yml | 0
rules/linux/{ => macos}/macos_system_network_discovery.yml | 0
rules/linux/{ => macos}/macos_system_shutdown_reboot.yml | 0
rules/linux/{ => macos}/macos_xattr_gatekeeper_bypass.yml | 0
29 files changed, 0 insertions(+), 0 deletions(-)
rename rules/linux/{ => macos}/macos_applescript.yml (100%)
rename rules/linux/{ => macos}/macos_base64_decode.yml (100%)
rename rules/linux/{ => macos}/macos_binary_padding.yml (100%)
rename rules/linux/{ => macos}/macos_change_file_time_attr.yml (100%)
rename rules/linux/{ => macos}/macos_clear_system_logs.yml (100%)
rename rules/linux/{ => macos}/macos_create_account.yml (100%)
rename rules/linux/{ => macos}/macos_create_hidden_account.yml (100%)
rename rules/linux/{ => macos}/macos_creds_from_keychain.yml (100%)
rename rules/linux/{ => macos}/macos_disable_security_tools.yml (100%)
rename rules/linux/{ => macos}/macos_emond_launch_daemon.yml (100%)
rename rules/linux/{ => macos}/macos_file_and_directory_discovery.yml (100%)
rename rules/linux/{ => macos}/macos_find_cred_in_files.yml (100%)
rename rules/linux/{ => macos}/macos_gui_input_capture.yml (100%)
rename rules/linux/{ => macos}/macos_local_account.yml (100%)
rename rules/linux/{ => macos}/macos_local_groups.yml (100%)
rename rules/linux/{ => macos}/macos_network_service_scanning.yml (100%)
rename rules/linux/{ => macos}/macos_network_sniffing.yml (100%)
rename rules/linux/{ => macos}/macos_remote_system_discovery.yml (100%)
rename rules/linux/{ => macos}/macos_schedule_task_job_cron.yml (100%)
rename rules/linux/{ => macos}/macos_screencapture.yml (100%)
rename rules/linux/{ => macos}/macos_security_software_discovery.yml (100%)
rename rules/linux/{ => macos}/macos_split_file_into_pieces.yml (100%)
rename rules/linux/{ => macos}/macos_startup_items.yml (100%)
rename rules/linux/{ => macos}/macos_susp_histfile_operations.yml (100%)
rename rules/linux/{ => macos}/macos_suspicious_macos_firmware_activity.yml (100%)
rename rules/linux/{ => macos}/macos_system_network_connections_discovery.yml (100%)
rename rules/linux/{ => macos}/macos_system_network_discovery.yml (100%)
rename rules/linux/{ => macos}/macos_system_shutdown_reboot.yml (100%)
rename rules/linux/{ => macos}/macos_xattr_gatekeeper_bypass.yml (100%)
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos/macos_applescript.yml
similarity index 100%
rename from rules/linux/macos_applescript.yml
rename to rules/linux/macos/macos_applescript.yml
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos/macos_base64_decode.yml
similarity index 100%
rename from rules/linux/macos_base64_decode.yml
rename to rules/linux/macos/macos_base64_decode.yml
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos/macos_binary_padding.yml
similarity index 100%
rename from rules/linux/macos_binary_padding.yml
rename to rules/linux/macos/macos_binary_padding.yml
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos/macos_change_file_time_attr.yml
similarity index 100%
rename from rules/linux/macos_change_file_time_attr.yml
rename to rules/linux/macos/macos_change_file_time_attr.yml
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos/macos_clear_system_logs.yml
similarity index 100%
rename from rules/linux/macos_clear_system_logs.yml
rename to rules/linux/macos/macos_clear_system_logs.yml
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos/macos_create_account.yml
similarity index 100%
rename from rules/linux/macos_create_account.yml
rename to rules/linux/macos/macos_create_account.yml
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos/macos_create_hidden_account.yml
similarity index 100%
rename from rules/linux/macos_create_hidden_account.yml
rename to rules/linux/macos/macos_create_hidden_account.yml
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos/macos_creds_from_keychain.yml
similarity index 100%
rename from rules/linux/macos_creds_from_keychain.yml
rename to rules/linux/macos/macos_creds_from_keychain.yml
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos/macos_disable_security_tools.yml
similarity index 100%
rename from rules/linux/macos_disable_security_tools.yml
rename to rules/linux/macos/macos_disable_security_tools.yml
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos/macos_emond_launch_daemon.yml
similarity index 100%
rename from rules/linux/macos_emond_launch_daemon.yml
rename to rules/linux/macos/macos_emond_launch_daemon.yml
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos/macos_file_and_directory_discovery.yml
similarity index 100%
rename from rules/linux/macos_file_and_directory_discovery.yml
rename to rules/linux/macos/macos_file_and_directory_discovery.yml
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos/macos_find_cred_in_files.yml
similarity index 100%
rename from rules/linux/macos_find_cred_in_files.yml
rename to rules/linux/macos/macos_find_cred_in_files.yml
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos/macos_gui_input_capture.yml
similarity index 100%
rename from rules/linux/macos_gui_input_capture.yml
rename to rules/linux/macos/macos_gui_input_capture.yml
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos/macos_local_account.yml
similarity index 100%
rename from rules/linux/macos_local_account.yml
rename to rules/linux/macos/macos_local_account.yml
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos/macos_local_groups.yml
similarity index 100%
rename from rules/linux/macos_local_groups.yml
rename to rules/linux/macos/macos_local_groups.yml
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos/macos_network_service_scanning.yml
similarity index 100%
rename from rules/linux/macos_network_service_scanning.yml
rename to rules/linux/macos/macos_network_service_scanning.yml
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos/macos_network_sniffing.yml
similarity index 100%
rename from rules/linux/macos_network_sniffing.yml
rename to rules/linux/macos/macos_network_sniffing.yml
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos/macos_remote_system_discovery.yml
similarity index 100%
rename from rules/linux/macos_remote_system_discovery.yml
rename to rules/linux/macos/macos_remote_system_discovery.yml
diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos/macos_schedule_task_job_cron.yml
similarity index 100%
rename from rules/linux/macos_schedule_task_job_cron.yml
rename to rules/linux/macos/macos_schedule_task_job_cron.yml
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos/macos_screencapture.yml
similarity index 100%
rename from rules/linux/macos_screencapture.yml
rename to rules/linux/macos/macos_screencapture.yml
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos/macos_security_software_discovery.yml
similarity index 100%
rename from rules/linux/macos_security_software_discovery.yml
rename to rules/linux/macos/macos_security_software_discovery.yml
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos/macos_split_file_into_pieces.yml
similarity index 100%
rename from rules/linux/macos_split_file_into_pieces.yml
rename to rules/linux/macos/macos_split_file_into_pieces.yml
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos/macos_startup_items.yml
similarity index 100%
rename from rules/linux/macos_startup_items.yml
rename to rules/linux/macos/macos_startup_items.yml
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos/macos_susp_histfile_operations.yml
similarity index 100%
rename from rules/linux/macos_susp_histfile_operations.yml
rename to rules/linux/macos/macos_susp_histfile_operations.yml
diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/macos_suspicious_macos_firmware_activity.yml
similarity index 100%
rename from rules/linux/macos_suspicious_macos_firmware_activity.yml
rename to rules/linux/macos/macos_suspicious_macos_firmware_activity.yml
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos/macos_system_network_connections_discovery.yml
similarity index 100%
rename from rules/linux/macos_system_network_connections_discovery.yml
rename to rules/linux/macos/macos_system_network_connections_discovery.yml
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos/macos_system_network_discovery.yml
similarity index 100%
rename from rules/linux/macos_system_network_discovery.yml
rename to rules/linux/macos/macos_system_network_discovery.yml
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos/macos_system_shutdown_reboot.yml
similarity index 100%
rename from rules/linux/macos_system_shutdown_reboot.yml
rename to rules/linux/macos/macos_system_shutdown_reboot.yml
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/macos_xattr_gatekeeper_bypass.yml
similarity index 100%
rename from rules/linux/macos_xattr_gatekeeper_bypass.yml
rename to rules/linux/macos/macos_xattr_gatekeeper_bypass.yml
From c5fa73c328acd5fac5c89c84f2a71c94efc65827 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 9 Nov 2021 16:13:29 +0100
Subject: [PATCH 036/113] fix ProcessCommandLine to ParentCommandLine
---
...office_from_proxy_executing_regsvr32_payload.yml | 11 ++++++-----
...ffice_from_proxy_executing_regsvr32_payload2.yml | 13 +++++++------
...ess_creation_office_spawning_wmi_commandline.yml | 13 +++++++------
rules/windows/process_creation/win_susp_wuauclt.yml | 4 ++--
tools/config/generic/windows-audit.yml | 1 +
5 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 3fb743549..a901d3fd7 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation @@ -20,7 +21,7 @@ detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: @@ -32,11 +33,11 @@ detection: - 'verclsid' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index e752a0c9b..8989e0e30 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml 
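Review bot: The field renamed in selection1 and selection4 should be `CommandLine`, not `ParentCommandLine`: selection1 lists it as an alternative to `Image|endswith: '\wbem\WMIC.exe'` and selection4's `process`/`create`/`call` terms describe the WMIC child's own command line, while selection3 already pins the parent to the Office binary through `ParentImage`. With `ParentCommandLine` those strings are searched in the Office process's command line instead, so the intended Office-spawns-wmic chain is unlikely to match. The same substitution is made in process_creation_office_from_proxy_executing_regsvr32_payload2.yml and process_creation_office_spawning_wmi_commandline.yml on the next line and in win_susp_wuauclt.yml (whose selection pairs it with `Image|endswith: '\wuauclt.exe'`), and patch 038 below compounds it by flipping that rule's `Image` to `ParentImage`; patch 040 on this page reverts wuauclt to `CommandLine`/`Image`, and the three Office rules need the same fix. Concretely, `- CommandLine|contains: 'wmic '` and `CommandLine|contains|all:` in place of the `ParentCommandLine` lines.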
@@ -13,13 +13,14 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - ProcessCommandLine: + ParentCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' @@ -27,14 +28,14 @@ detection: - '*verclsid*' selection2: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml index 2fceff749..edbae2013 100644 --- a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml @@ -13,19 +13,20 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - Image|endswith: '\wbem\WMIC.exe' + - ParentCommandLine|contains: 'wmic ' selection2: - ParentImage: - - winword.exe - - excel.exe - - powerpnt.exe + ParentImage: + - winword.exe + - excel.exe + - powerpnt.exe condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 9d36bc717..93002eb61 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml 
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/05/12 +modified: 2021/11/09 tags: - attack.command_and_control - attack.execution @@ -17,7 +17,7 @@ logsource: category: process_creation detection: selection: - ProcessCommandLine|contains|all: + ParentCommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' Image|endswith: diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 63080759e..241520813 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,3 +24,4 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue + ParentCommandLine: ProcessCommandLine \ No newline at end of file From c61ca81d9c86cefb383c8523caf2fc677d42e27c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 16:15:31 +0100 Subject: [PATCH 037/113] refactor: raw disk access rule FPs --- .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index abb7d2c79..57389c082 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/08/14 +modified: 2021/11/09 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: 
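Review bot: The new fieldmapping `ParentCommandLine: ProcessCommandLine` in tools/config/generic/windows-audit.yml points the parent-side field at the child's command line: in the Security 4688 schema ProcessCommandLine describes the newly created process, and the existing mapping two lines above, `ParentImage: ParentProcessName`, shows that the parent side uses the `Parent…` audit names. With this mapping every rule that genuinely means `ParentCommandLine` is translated into a condition on the child process, so the entry should not exist in this form; the rules in this patch should use `CommandLine`, and if the config does not already carry `CommandLine: ProcessCommandLine` above the hunk, that is the mapping to add. The hunk also ends with `\ No newline at end of file`; adding the trailing newline avoids the marker reappearing on every later edit, as it does in patch 049/113 below.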
@@ -31,6 +31,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' + - '\svchost.exe' condition: not filter_1 and not filter_2 fields: - ComputerName From 24f3e9db5b187edc9c8234903fb885feec546056 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 9 Nov 2021 16:44:11 +0100 Subject: [PATCH 038/113] fix detection from ref --- rules/windows/process_creation/win_susp_wuauclt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 93002eb61..a777e6ec9 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -20,7 +20,7 @@ detection: ParentCommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - Image|endswith: + ParentImage|endswith: - '\wuauclt.exe' condition: selection falsepositives: From 37b9abd827432587a0a6608cbcda3bdfc91331f8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 16:52:19 +0100 Subject: [PATCH 039/113] fix: date field --- .../file_event/file_event_mimikatz_kirbi_file_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml index 63ef4dac0..4aadcd2fc 100644 --- a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml +++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -5,7 +5,7 @@ description: Detects the creation of files that contain Kerberos tickets based o author: Florian Roth references: - https://cobalt.io/blog/kerberoast-attack-techniques -modified: 2021/11/08 +date: 2021/11/08 tags: - attack.credential_access - attack.t1558 From 3c3bf75aa86cb4f523641294ad265d9b266962b7 Mon Sep 17 00:00:00 2001 
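Review bot: Adding `'\svchost.exe'` to the raw-disk-access filter list excludes any process whose image name ends that way, and the filter's modifier and any path constraint sit above the hunk, so it is not visible whether the match is anchored to the Windows directory. svchost.exe is the name most often borrowed to hide a payload in a process list, so a name-only exclusion is a cheap way around a rule that exists to catch credential-dumping style raw access; if the false positives come from the genuine service host, anchor the entry the way win_susp_lsass_dump_generic.yml on this page does with `ProcessName|startswith: C:\Windows\System32\`, and add a short `# reason` comment so the next reader knows which observed activity justified it. The enclosing filter_1/filter_2 definition begins outside the hunk.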
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 9 Nov 2021 17:04:27 +0100 Subject: [PATCH 040/113] fix detection from test --- rules/windows/process_creation/win_susp_wuauclt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index a777e6ec9..c480fcbf7 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -17,10 +17,10 @@ logsource: category: process_creation detection: selection: - ParentCommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - ParentImage|endswith: + Image|endswith: - '\wuauclt.exe' condition: selection falsepositives: From 39283c0ac268ce9711e004bc5fcd56d508ffbd5a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 17:29:43 +0100 Subject: [PATCH 041/113] CobaltStrike DNS rules --- rules/network/net_mal_dns_cobaltstrike.yml | 6 ++-- .../dns_query/dns_net_mal_cobaltstrike.yml | 30 +++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 rules/windows/dns_query/dns_net_mal_cobaltstrike.yml diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 3775bc795..05716fee9 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -11,11 +11,13 @@ references: logsource: category: dns detection: - selection: + selection1: query|startswith: - 'aaa.stage.' - 'post.1' - condition: selection + selection2: + query|contains: '.stage.123456.' + condition: 1 of them falsepositives: - Unknown level: critical diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml new file mode 100644 index 000000000..42fc9bc23 --- /dev/null +++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml 
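Review bot: In net_mal_dns_cobaltstrike.yml the new `condition: 1 of them` covers every selection in the rule, so a `filter:` added later to suppress false positives would be OR'd in rather than negated; `condition: selection1 or selection2` states the intent and stays correct when the rule grows. At `level: critical` with `falsepositives: Unknown`, it is also worth noting that the pre-existing `query|startswith: 'post.1'` prefix is short enough to match ordinary names that happen to begin with `post.1`, so a falsepositives line or a longer anchor from the referenced write-up would help triage. The same two selections are copied into the new rules/windows/dns_query/dns_net_mal_cobaltstrike.yml on the next line, so both rules should change together.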
@@ -0,0 +1,30 @@ +title: Suspicious Cobalt Strike DNS Beaconing +id: f356a9c4-effd-4608-bbf8-408afd5cd006 +status: experimental +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +author: Florian Roth +date: 2021/11/09 +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +tags: + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +logsource: + product: windows + category: dns_query +detection: + selection1: + QueryName|startswith: + - 'aaa.stage.' + - 'post.1' + selection2: + QueryName|contains: '.stage.123456.' + condition: 1 of them +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: critical From c07a9adb9bd2f6025973ba62d4f7d52f024cfec2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 17:30:15 +0100 Subject: [PATCH 042/113] fix: moved rule written for DNS/Sysmon to the correct folder --- .../dns_query/dns_net_susp_ipify.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{network/net_susp_ipify.yml => windows/dns_query/dns_net_susp_ipify.yml} (100%) diff --git a/rules/network/net_susp_ipify.yml b/rules/windows/dns_query/dns_net_susp_ipify.yml similarity index 100% rename from rules/network/net_susp_ipify.yml rename to rules/windows/dns_query/dns_net_susp_ipify.yml From 5613b6ca828a7979e8ff6537ea331329929356dd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 19:06:26 +0100 Subject: [PATCH 043/113] fix: FP with MicrosoftEdgeUpdate --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2856705cd..2ab869121 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml 
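Review bot: The tag comment `- attack.t1071 # an old one` in the new rule does not tell a maintainer whether the parent technique is deliberately kept next to `attack.t1071.004` or is a leftover to delete, and since this is a new file the ambiguity is avoidable. Either drop the line or state the reason, e.g. `# parent technique kept alongside t1071.004 for consumers that only index top-level techniques` if that is the intent. The rule also reproduces selection1/selection2 from rules/network/net_mal_dns_cobaltstrike.yml without a `related:` block; a `related:` entry pointing at that rule's id, in the `- id: … / type: …` form used by win_invoke_obfuscation_obfuscated_iex_services_security.yml further down this page, would record that the two are meant to stay in sync.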
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2021/04/19 +modified: 2021/11/09 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -53,6 +53,7 @@ detection: - '\minionhost.exe' # Cyberreason - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR + - '\MicrosoftEdgeUpdate.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ From e30b09fcced1614692c7c894101af4b672b43da4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 19:09:07 +0100 Subject: [PATCH 044/113] fix: more FPs with Windows 11 services --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2ab869121..4b6ab1faf 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -54,6 +54,8 @@ detection: - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - '\svchost.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ From 5abea871b03dc516f66bba65d88c31846913dad8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 10 Nov 2021 09:28:59 +0100 Subject: [PATCH 045/113] docs: put link in references --- ...in_invoke_obfuscation_obfuscated_iex_services_security.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
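Review bot: The three entries added to the LSASS-handle filter across patches 043 and 044, `'\MicrosoftEdgeUpdate.exe'`, `'\GamingServices.exe'` and `'\svchost.exe'`, lack the `# vendor/reason` comment every neighbouring entry carries (`# McAfee Enterprise`, `# THOR`), so a later reader cannot tell which observed false positive justified each one. `'\svchost.exe'` is the broadest of the three: even under the visible `ProcessName|startswith: C:\Windows\System32\` constraint it covers every service host on the machine, and that image name is the usual choice for a payload trying to blend in. A comment recording what was seen, e.g. `- '\svchost.exe' # Windows 11 services, see patch 044`, and where the data allows it a narrower filter on the specific access mask the service requests, would keep the exclusion reviewable. The filter block itself begins above the hunk.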
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 043bcf55b..0f746e487 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived -description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references" +references: + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 From 52d0cb67eb22bafd47098ca56eb79e2e7b32804e Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 10 Nov 2021 17:09:15 +0000 Subject: [PATCH 046/113] adding additional allow for dns service (domain controllers) --- rules/windows/network_connection/sysmon_susp_rdp.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index e12fde626..9867e2b1d 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml 
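Review bot: The added references entry ends with a stray double quote, `…Out-ObfuscatedStringCommand.ps1#L873-L888"`, carried over from the quoted description string it was cut out of; in YAML the quote becomes part of the unquoted scalar, so the stored URL is wrong and the link breaks. The line should read `  - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888`. If the rule carries a `modified:` field above the hunk, this edit would normally bump it as the other patches on this page do.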
@@ -38,9 +38,11 @@ detection: - '\FSAssessment.exe' - '\MobaRTE.exe' - '\chrome.exe' + - '\System32\dns.exe' - '\thor.exe' - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools + - domain controller using dns.exe level: high From 9b469f21a258b22118745db365cf0e1815e73bbc Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 10 Nov 2021 17:38:15 +0000 Subject: [PATCH 047/113] adds microsoft sql server mgmt studio to allow list, along with note --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index 5ca45f7d1..6b92c18f6 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -36,10 +36,12 @@ detection: - '\syncappvpublishingserver.exe' - '\runscripthelper.exe' - '\ServerManager.exe' + - '\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe' # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM condition: selection and not filter falsepositives: - Used by some .NET binaries, minimal on user workstation. + - Used by Microsoft SQL Server Management Studio level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x From a4951a29bb0c804bf9e1044f0a5bb5b37729d161 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 18:57:54 +0100 Subject: [PATCH 048/113] Fix detection --- ...creation_office_applications_spawning_wmi_commandline.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index a8e8f5824..700d264f4 100644 
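Review bot: The new exclusion `'\System32\dns.exe'` in sysmon_susp_rdp.yml is the only entry in the list with a directory component, and because the list's modifier above the hunk is presumably a suffix match, it still accepts any path ending in `\System32\dns.exe` rather than only the Windows DNS Server binary. If the intent is the DNS Server service on domain controllers, as the new falsepositives line says, an inline comment on the entry, `- '\System32\dns.exe' # DNS Server service on domain controllers`, keeps that rationale next to the exclusion the way sibling rules on this page do, and a full-path match would make the exception exact. It is also worth asking whether the exception belongs in the shared rule or in a deployment-level filter for the DC hosts only.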
--- a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml @@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: product: windows category: process_creation @@ -24,11 +25,11 @@ detection: - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: - ParentPrcessName|endswith: + ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high From b7b1ebf7720d454d6060ccae03dc5bf52e0cd72d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:12:51 +0100 Subject: [PATCH 049/113] Fix LogonId - SubjectLogonId --- .../win_wmiprvse_spawning_process.yml | 11 +++-------- tools/config/generic/windows-audit.yml | 3 ++- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index d3e6843f3..2ad743d7a 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 -modified: 2021/08/26 +modified: 2021/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html 
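Review bot: With the field now corrected to `ParentImage|endswith`, the values it compares against, `winword.exe`, `excel.exe`, `powerpnt.exe`, carry no leading backslash, so the suffix match also accepts any image whose name merely ends in those strings; other rules on this page anchor such entries as `'\wuauclt.exe'` or `'\msbuild.exe'`. Changing them to `- '\winword.exe'`, `- '\excel.exe'`, `- '\powerpnt.exe'` makes the selection exact. These lines are context here, so the point is pre-existing rather than introduced by this commit, and the same unanchored list appears in the two process_creation_office_from_proxy_executing_regsvr32_payload rules and process_creation_office_spawning_wmi_commandline.yml in patch 036 above.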
@@ -20,20 +20,15 @@ detection: - LogonId: - '0x3e7' # LUID 999 for SYSTEM - 'null' # too many false positives - - SubjectLogonId: - - '0x3e7' # LUID 999 for SYSTEM - - 'null' # too many false positives - User|startswith: - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - 'AUTORITE NT\Sys' # French language settings - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null1: # some backends need the null value in a separate expression + filter_null: # some backends need the null value in a separate expression LogonId: null - filter_null2: # some backends need the null value in a separate expression - SubjectLogonId: null - condition: selection and not filter and not filter_null1 and not filter_null2 + condition: selection and not filter and not filter_null falsepositives: - Unknown level: high diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 241520813..5eff54cfb 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,4 +24,5 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue - ParentCommandLine: ProcessCommandLine \ No newline at end of file + ParentCommandLine: ProcessCommandLine + LogonId: SubjectLogonId \ No newline at end of file From 3ea1eda717510fbd468fc35d1a8f189a24605de4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:38:05 +0100 Subject: [PATCH 050/113] ParentImage do not exist in network_connection --- .../win_suspicious_werfault_connection_outbound.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_suspicious_werfault_connection_outbound.yml (100%) 
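Review bot: The mapping `LogonId: SubjectLogonId` added to windows-audit.yml is global to every rule converted with this config, not just the wmiprvse rule this commit simplifies; for Security events that carry both a subject and a target logon id, `LogonId` will now always resolve to the subject side, which is presumably intended but deserves a comment next to the line, e.g. `# LogonId = the subject LUID of Security auditing events`. The file is also still written without a trailing newline; adding one avoids the `\ No newline at end of file` churn on the next edit.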
diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/win_suspicious_werfault_connection_outbound.yml similarity index 100% rename from rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml rename to rules-unsupported/win_suspicious_werfault_connection_outbound.yml From 95b9cd3d35c997b0c98f27a1656b4ddb22aaf8fd Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:40:10 +0100 Subject: [PATCH 051/113] fix detection --- .../silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index ab68f0b04..4dad7b038 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\msbuild.exe' + Image|endswith: '\msbuild.exe' filter: DestinationPort: - '80' From b6f6beda3ce9a06150fc1bd8329a02e5a40f4930 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:44:08 +0100 Subject: [PATCH 052/113] FileMagicBytes do not exist in file_event --- ...nt_executable_and_script_creation_by_office_using_file_ext.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/file_event => rules-unsupported}/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%) 
diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml From da8fcabe0cd43078a917ebddd0b5176013dcc9df Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:49:25 +0100 Subject: [PATCH 053/113] Fix TargetFilename case --- ...ript_creation_by_office_using_file_ext.yml | 45 ++++++++++--------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index 107cdd312..6c4745fe3 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml 
@@ -13,29 +13,30 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - #useful_information: Please add more file extensions to the logic of your choice. - selection1: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection2: - TargetFileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - condition: selection1 and selection2 + #useful_information: Please add more file extensions to the logic of your choice. + selection1: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection2: + TargetFilename|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high From f01523d7915a12292d55c9fd6c1249207bcd1fc7 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:51:01 +0100 Subject: [PATCH 054/113] Integrity do not exist in file_event --- .../sysmon_non_priv_program_files_move.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/file_event => rules-unsupported}/sysmon_non_priv_program_files_move.yml (100%) diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules-unsupported/sysmon_non_priv_program_files_move.yml similarity index 100% rename from rules/windows/file_event/sysmon_non_priv_program_files_move.yml rename to rules-unsupported/sysmon_non_priv_program_files_move.yml From 82c9785f872abfe6ab245e691118e345e95db3e3 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:57:46 +0100 Subject: [PATCH 055/113] Fix detection --- rules/windows/driver_load/driver_load_mal_creddumper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 76fb665b7..3803a7313 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/10/14 +modified: 2021/11/10 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -26,7 +26,7 @@ logsource: category: driver_load detection: selection: - ImagePath|contains: + ImageLoaded|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' From 510da0085ec62f882a6dd544afdcc595f5df356e Mon Sep 17 00:00:00 2001 From: ZikyHD Date: Wed, 10 Nov 2021 20:43:13 +0100 Subject: [PATCH 056/113] Update sysmon.py (#2234) Update sysmon.py and merge from master --- tools/sigma/backends/sysmon.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 3b592525b..927d00dbc 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py 
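Review bot: The field is now `ImageLoaded|contains` under `category: driver_load`, but the unchanged description in the first hunk still says the rule detects the tools "via service execution events"; the description should say driver-load events so readers and the auto-generated docs match the logsource. `contains` with short tokens such as 'cachedump' is broad, and the list continues past the hunk, so consider `|endswith` with the driver file names where they are known.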
@@ -213,9 +213,9 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 raise NotSupportedError("Not supported condition.")
 def createTableFromLogsource(self):
- if self.logsource.get("product", "") != "windows":
+ if self.logsource.get("product", "") not in ("linux","windows"):
 raise NotSupportedError(
- "Not supported logsource. Should be product `windows`.")
+ "Not supported logsource. Should be product `linux` or `windows`.")
 for item in self.logsource.values():
 if str(item).lower() in self.allowedSource.keys():
 self.table = self.allowedSource.get(item.lower())
@@ -248,4 +248,4 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 if sysmon_rule:
 rulegroup_comment = ''
- return "{}\n{}".format(rulegroup_comment, sysmon_rule)
\ No newline at end of file
+ return "{}\n{}".format(rulegroup_comment, sysmon_rule)
From 352b62241b89f63861e50b0f48ded6d17714494f Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Wed, 10 Nov 2021 15:18:16 -0500
Subject: [PATCH 057/113] Create sysmon_excel_outbound_network_connection.yml
---
 ...smon_excel_outbound_network_connection.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml
diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml
new file mode 100644
index 000000000..f59c63c57
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml
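Review bot: The new check `self.logsource.get("product", "") not in ("linux","windows")` is case-sensitive while the loop two lines below lower-cases every logsource value, so `product: Windows` is rejected here although the table lookup would have accepted it; compare on `self.logsource.get("product", "").lower()`. The loop also uses `str(item).lower()` in the membership test but `item.lower()` in the lookup, which raises for a non-string value — pre-existing, but this is the function being edited, so `str(item).lower()` in both places is a one-token fix.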
@@ -0,0 +1,45 @@ +title: Excel Network Connections +id: 1f21ec3f-810d-4b0e-8045-31102e22b4b +status: experimental +description: Detects a Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +date: 2021/11/10 +references: + - https://corelight.com/blog/detecting-cve-2021-42292 +tags: + - attack.execution + - attack.t1203 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: '\excel.exe' + Initiated: 'true' + DestinationIsIpv6: 'false' + filter: + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.0.0.1' + DestinationIsIpv6: 'false' + condition: selection and not filter +falsepositives: + - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. +level: low From 361660e42ca9fd5f5f94c23b3cb2a06211cab2b8 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Wed, 10 Nov 2021 15:28:19 -0500 Subject: [PATCH 058/113] Update sysmon_excel_outbound_network_connection.yml --- .../sysmon_excel_outbound_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index f59c63c57..a60175691 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml 
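Review bot: The private-range filter is incomplete: `DestinationIp|startswith: '127.0.0.1'` excludes a single loopback address rather than the 127.0.0.0/8 block, and link-local `169.254.` is missing, so connections to other loopback or link-local addresses will alert despite the description promising non-private destinations only. Replace the entry with `- '127.'` and add `- '169.254.'`. `DestinationIsIpv6: 'false'` is repeated inside `filter` although `selection` already requires it, so it can be dropped from the filter; the `Initiated: 'true'` constraint means inbound connections are out of scope, which the description could state.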
@@ -1,5 +1,5 @@ title: Excel Network Connections -id: 1f21ec3f-810d-4b0e-8045-31102e22b4b +id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: experimental description: Detects a Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' From a9b49679d32d834103f42303f7a8f10ade97028a Mon Sep 17 00:00:00 2001 From: "redsand (Tim Shelton)" Date: Thu, 11 Nov 2021 01:01:53 -0600 Subject: [PATCH 059/113] Updates to hawk sigmac backend (#2244) Updated HAWK sigma backend --- tools/config/hawk.yml | 233 +++++++++++++++++++++++++++++++++-- tools/sigma/backends/hawk.py | 162 +++++++++++++++++------- 2 files changed, 343 insertions(+), 52 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index a9e7b9e01..cdfed557c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
@@ -7,11 +7,213 @@ logsources: product: apache conditions: product_name: '*apache*' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + category: ThreatManagement + service: Microsoft365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + category: ThreatManagement + service: m365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + auditd: + service: auditd + conditions: + process_name: "auditd" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + channel: "MSExchange Management" windows: product: windows index: windows conditions: - vendor_name: 'Microsoft' + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: "Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + 
windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-query: + product: windows + category: ldap_query + conditions: + channel: "Microsoft-Windows-LDAP-Client/Debug ETW" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek IDS" + azure-signin: + service: azure.signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + 
azure-auditlogs: + service: azure.auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activitylogs: + service: azure.activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + service: AzureActivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" windows-application: product: windows service: application @@ -55,14 +257,13 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: - product_name: 'DNS Server' + channel: 'DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: - product_name: 'DNS-Server' + channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework @@ -89,11 +290,15 @@ logsources: conditions: product_name: - 'AppLocker' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" windows-msexchange-management: product: windows service: msexchange-management conditions: - product_name: 'MSExchange Management' + channel: 'MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin @@ -109,6 +314,14 @@ logsources: service: smbclient-security conditions: product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + vendor_id: + - 12 + - 13 + - 14 qflow: product: qflow netflow: @@ -116,7 +329,7 @@ logsources: ipfix: product: ipfix flow: - category: flow + product: flow fieldmappings: dst: - ip_dst_host @@ -126,6 +339,9 @@ fieldmappings: - ip_src_host src_ip: - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src category: vendor_category error: error_code key: event_key 
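Review bot: `onelogin-events` sets `vendor_name: "Microsoft"` / `product_name: "Onelogin"`, which looks copied from the `onedrive` block just above it; OneLogin is not a Microsoft product, so events tagged with the real vendor name would never match this logsource, and the value should be confirmed against what HAWK actually emits. In `guacamole`, `product_name: "Guacamole"` sits at the logsource level instead of under `conditions`, unlike every sibling, so it is not applied as a match condition. The Sysmon entries also mix quoted, bare and list-valued `vendor_id` ("11", 9, `- 4 - 5`); one form throughout keeps the generated comparisons consistent.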
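Review bot: After this hunk `windows-dns-server` and `windows-dns-server-audit` carry the identical condition `channel: 'DNS Server'`, so rules written for the `dns-server-audit` service can no longer be told apart from the plain DNS Server log (the old `product_name` values at least differed). On Windows the audit events are, as far as I recall, logged to the separate `Microsoft-Windows-DNSServer/Audit` channel; if HAWK exposes that channel it belongs here, and if the two are deliberately merged a one-line comment saying so will stop the next reader from "fixing" it.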
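Review bot: `windows-registry` matches on `vendor_id` 12/13/14 alone, without the `product_name: "Sysmon"` condition every other Sysmon-category logsource in this file carries, so any source whose event id happens to be 12–14 would satisfy a `registry_event` rule. Add `product_name: "Sysmon"` under its `conditions`, and `product: windows` to `windows-service-bus` in the hunk above, which is the only Windows entry without it.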
@@ -171,7 +387,9 @@ fieldmappings: ServiceFileName: filename EventID: vendor_id SourceImage: parent_image + ImageLoaded: image_loaded Description: image_description + ScriptBlockText: value Product: image_product Company: image_company CurrentDirectory: path @@ -197,7 +415,6 @@ fieldmappings: Details: object_target CallTrace: calltrace IpAddress: ip_src - DCIPAddress: ip_src WorkstationName: hostname_src Workstation: hostname_src DestinationIp: ip_dst @@ -210,3 +427,5 @@ fieldmappings: TicketEncryptionType: sys.ticket.encryption.type DetectionSource: value Priority: event_priority + event_type_id: vendor_id + eventtype: vendor_type diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 7147ff37b..904e81563 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -20,6 +20,7 @@ import re import sigma import json import uuid +import re from sigma.parser.modifiers.base import SigmaTypeModifier from sigma.parser.modifiers.type import SigmaRegularExpressionModifier from .base import SingleTextQueryBackend 
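Review bot: The added `import re` duplicates the `import re` already present at the top of this hunk's context, so it is a no-op that linters will flag; drop the new line. In the hawk.yml hunks on the same line, `ScriptBlockText: value` maps a PowerShell script-block field onto the generic `value` column that `DetectionSource` is also mapped to a few lines below — presumably deliberate, but a short comment on the mapping would prevent an accidental "fix".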
@@ -62,27 +63,27 @@ class HAWKBackend(SingleTextQueryBackend):
 #print(type(node))
 #print(node)
 if type(node) == sigma.parser.condition.ConditionAND:
- return self.generateANDNode(node)
+ return self.generateANDNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionOR:
 #print("OR NODE")
 #print(node)
- return self.generateORNode(node)
+ return self.generateORNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionNOT:
 #print("NOT NODE")
 #print(node)
 return self.generateNOTNode(node)
 elif type(node) == sigma.parser.condition.ConditionNULLValue:
- return self.generateNULLValueNode(node)
+ return self.generateNULLValueNode(node, notNode)
 elif type(node) == sigma.parser.condition.ConditionNotNULLValue:
 return self.generateNotNULLValueNode(node)
 elif type(node) == sigma.parser.condition.NodeSubexpression:
 #print(node)
- return self.generateSubexpressionNode(node)
+ return self.generateSubexpressionNode(node, notNode)
 elif type(node) == tuple:
 #print("TUPLE: ", node)
 return self.generateMapItemNode(node, notNode)
 elif type(node) in (str, int):
- nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } }
+ nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5", "regex": "true" } } }
 #key = next(iter(self.sigmaparser.parsedyaml['detection']))
 key = "payload"
@@ -94,7 +95,7 @@ class HAWKBackend(SingleTextQueryBackend):
 # they imply the entire payload
 nodeRet['description'] = key
 nodeRet['rule_id'] = str(uuid.uuid4())
- nodeRet['args']['str']['value'] = self.generateValueNode(node, False).replace("\\","\\\\")
+ nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(node, False)) # .replace("\\","\\\\").replace(".","\\.")
 # return json.dumps(nodeRet)
 return nodeRet
 elif type(node) == list:
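Review bot: `re.escape` is applied to the output of `generateValueNode`, i.e. after `self.valueExpression` and `cleanValue` have already been applied (a later hunk shows `generateValueNode` as `self.valueExpression % (self.cleanValue(str(node)))`), so if either of those adds quoting or backslash escaping, those characters are escaped a second time. Escape the raw keyword first and format afterwards, or confirm that `valueExpression` is a bare `%s` for this backend and say so in a comment. The `# .replace(...)` tails left on the new lines here and in the three later hunks document the old behaviour that version control already keeps and should be removed.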
@@ -102,7 +103,7 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
- def generateANDNode(self, node):
+ def generateANDNode(self, node, notNode=False):
 """
 generated = [ self.generateNode(val) for val in node ]
 filtered = [ g for g in generated if g is not None ]
@@ -114,7 +115,7 @@ class HAWKBackend(SingleTextQueryBackend):
 return None
 """
 ret = { "id" : "and", "key": "And", "children" : [ ] }
- generated = [ self.generateNode(val) for val in node ]
+ generated = [ self.generateNode(val, notNode) for val in node ]
 filtered = [ g for g in generated if g is not None ]
 if filtered:
 if self.sort_condition_lists:
@@ -125,11 +126,12 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 return None
- def generateORNode(self, node):
- #retAnd = { "id" : "and", "key": "And", "children" : [ ] }
-
- ret = { "id" : "or", "key": "Or", "children" : [ ] }
- generated = [ self.generateNode(val) for val in node ]
+ def generateORNode(self, node, notNode=False):
+ if notNode:
+ ret = { "id" : "and", "key": "And", "children" : [ ] }
+ else:
+ ret = { "id" : "or", "key": "Or", "children" : [ ] }
+ generated = [ self.generateNode(val, notNode) for val in node ]
 filtered = [ g for g in generated if g is not None ]
 if filtered:
 if self.sort_condition_lists:
@@ -142,8 +144,8 @@ class HAWKBackend(SingleTextQueryBackend):
 else:
 return None
- def generateSubexpressionNode(self, node):
- generated = self.generateNode(node.items)
+ def generateSubexpressionNode(self, node, notNode=False):
+ generated = self.generateNode(node.items, notNode)
 if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()"
 if len(node.items) == 1: # A sub expression with length 1 is not a proper sub expression, no self.subExpression required
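Review bot: `generateORNode` turns an Or into an And when `notNode` is set, but `generateANDNode` in the hunk above keeps `"id" : "and"` under the same flag, so a negated conjunction is emitted as `!A and !B`, which is `not (A or B)` rather than `not (A and B)`; assuming `generateNOTNode` (outside this diff) enters these with `notNode=True`, a condition such as `selection and not (filter_a and filter_b)` suppresses events that match only one of the two filters and the rule misses them. Mirror the OR logic in generateANDNode: `ret = { "id" : "or", "key": "Or", "children" : [ ] } if notNode else { "id" : "and", "key": "And", "children" : [ ] }`. The dead `"""`-quoted body left at the top of generateANDNode should also go.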
@@ -182,12 +184,13 @@ class HAWKBackend(SingleTextQueryBackend):
 elif type(value) == str and "*" in value:
 # value = value.replace("*", ".*")
 value = value.replace("*", "")
- value = value.replace("\\", "\\\\")
+ value = re.escape(value) # .replace("\\", "\\\\").replace(".","\\.")
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 nodeRet['args']['str']['value'] = value
+ nodeRet['args']['str']['regex'] = "true"
 # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True))
 #return json.dumps(nodeRet)
 return nodeRet
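Review bot: `re.escape(value)` runs after the context line `value = value.replace("*", "")` has deleted every wildcard, so a value with an interior `*` is emitted as the literal concatenation of its parts and only matches when they are adjacent; whether leading/trailing wildcards still give contains/endswith semantics depends on HAWK treating the regex as unanchored, which this diff does not show. Translate instead of deleting: `value = ".*".join(re.escape(part) for part in value.split("*"))`, and the same for `item` in the generateMapItemListNode hunk further down. `"regex": "true"` is a string rather than a boolean; if HAWK's schema expects JSON `true`, this should be checked before shipping.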
@@ -214,14 +217,27 @@ class HAWKBackend(SingleTextQueryBackend):
 return self.generateMapItemTypedNode(key, value)
 elif value is None:
 #return self.nullExpression % (key, )
- nodeRet['args']['str']['value'] = None
+ #print("Performing null")
+ #print(notNode)
+ #print(key)
+ nodeRet = { "key" : "empty", "description" : "Value Does Not Exist (IS NULL)", "class" : "function", "inputs" : { "comparison" : { "order" : 0, "source" : "comparison", "type" : "comparison" }, "column" : { "order" : 1, "source" : "columns", "type" : "str" } }, "args" : { "comparison" : { "value" : "!=" }, "column" : { "value" : "" } }, "return" : "boolean" }
+ nodeRet['args']['column']['value'] = self.cleanKey(key).lower()
+ nodeRet['description'] += " %s" % key
+ if notNode:
+ nodeRet['args']['comparison']['value'] = "!="
+ else:
+ nodeRet['args']['comparison']['value'] = "="
 #return json.dumps(nodeRet)
+ #print(json.dumps(nodeRet))
 return nodeRet
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
 def generateMapItemListNode(self, key, value, notNode=False):
- ret = { "id" : "or", "key": "Or", "children" : [ ] }
+ if notNode:
+ ret = { "id" : "and", "key": "And", "children" : [ ] }
+ else:
+ ret = { "id" : "or", "key": "Or", "children" : [ ] }
 for item in value:
 nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } }
 nodeRet['key'] = self.cleanKey(key).lower()
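Review bot: The null branch commits four commented-out debug lines (`#print("Performing null")`, `#print(notNode)`, `#print(key)`, `#print(json.dumps(nodeRet))`); remove them rather than ship them. The `empty` function node is built with `"comparison" : { "value" : "!=" }` and then unconditionally overwritten by the `if notNode` block, so the initial value is dead — initialise it once as `"!=" if notNode else "="`. The Or→And flip for list nodes under `notNode` is correct De Morgan only because every child below is emitted with the inverted comparison; a one-line comment stating that invariant would protect it.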
@@ -232,15 +248,15 @@ class HAWKBackend(SingleTextQueryBackend):
 ret['children'].append( nodeRet )
 elif type(item) == str and "*" in item:
 item = item.replace("*", "")
- item = item.replace("\\", "\\\\")
- # item = item.replace("*", ".*")
+ item = re.escape(item) # .replace("\\", "\\\\").replace(".","\\.")
 #print("item")
 #print(item)
 nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
+ nodeRet['args']['str']['regex'] = "true"
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 ret['children'].append( nodeRet )
 else:
 #print("item2")
@@ -258,35 +274,21 @@ class HAWKBackend(SingleTextQueryBackend):
 nodeRet['rule_id'] = str(uuid.uuid4())
 if type(value) == SigmaRegularExpressionModifier:
 regex = str(value)
- """
- # Regular Expressions have to match the full value in QRadar
- if not (regex.startswith('^') or regex.startswith('.*')):
- regex = '.*' + regex
- if not (regex.endswith('$') or regex.endswith('.*')):
- regex = regex + '.*'
- return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True))
- """
- #print("ENDS WITH!!!")
- nodeRet['args']['str']['value'] = self.generateValueNode(regex, True).replace("\\", "\\\\")
+ nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(regex, True)) # .replace("\\", "\\\\").replace(".","\\.")
+ nodeRet['args']['str']['regex'] = "true"
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 # return json.dumps(nodeRet)
 return nodeRet
 else:
 raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
 def generateValueNode(self, node, keypresent):
- """
- if keypresent == False:
- return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%")
- else:
- return self.valueExpression % (self.cleanValue(str(node)))
- """
 return self.valueExpression % (self.cleanValue(str(node)))
- def generateNULLValueNode(self, node):
+ def generateNULLValueNode(self, node, notNode):
 # node.item
 nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } }
 nodeRet['rule_id'] = str(uuid.uuid4())
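Review bot: For a `SigmaRegularExpressionModifier` value the new line applies `re.escape` to the regex itself, so every metacharacter the rule author wrote (`.*`, `\d`, classes, anchors) becomes a literal and the emitted `"regex": "true"` pattern matches the regex's source text instead of what it describes — every `|re` rule converted by this backend is silently neutered. Keep the pattern as `self.generateValueNode(regex, True)` and do any backslash quoting HAWK needs at the point where the node is serialised to JSON, with a comment that this value is intentionally not escaped. Separately, `generateNULLValueNode(self, node, notNode)` gains a required positional parameter while its siblings use `notNode=False`; give it the same default so any other caller keeps working.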
@@ -440,6 +442,72 @@ class HAWKBackend(SingleTextQueryBackend): return result + def dedupeAnds(self, arr, parentAnd=False): + # simple dedupe + for i in range(0, len(arr)): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + + if len(arr[i]['children']) == 1 and 'id' in arr[i]['children'][0] and arr[i]['children'][0]['id'].lower() == "and": + arr[i] = arr[i]['children'][0] + + + return arr + + """ + for i in range(0, len(arr)): + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + isAnd = True + else: + isAnd = False + + if 'children' in arr[i]: + arr[i]['children'] = self.dedupeAnds(arr['i']['children'], isAnd) + + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + pass + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + """ + return arr + + """ + def dedupeAnds(self, arr, parentAnd=False): + #if not parentAnd: + # for i in range(0, len(arr) ): + # if 'id' in arr[i] and arr[i]['id'].lower() == "and": + # arr[i]['children'] = self.dedupeAnds(arr[i]['children'], False) + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + allAndCheck = True + for i in range(0, len(arr) ): + # print(arr[i]) + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + else: + allAndCheck = False + + + x = [ ] + if allAndCheck: + for i in range(0, len(arr)): + x = x + arr[i]['children'] + return x + return arr + """ + def generateQuery(self, parsed, sigmaparser): self.sigmaparser = 
sigmaparser result = self.generateNode(parsed.parsedSearch) @@ -508,6 +576,9 @@ class HAWKBackend(SingleTextQueryBackend): analytic_txt = ret + result + ret2 # json.dumps(ret) try: analytic = json.loads(analytic_txt) # json.dumps(ret) + # analytic = self.dedupeAnds(analytic) + analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True) + except Exception as e: print("Failed to parse json: %s" % analytic_txt) raise Exception("Failed to parse json: %s" % analytic_txt) @@ -535,12 +606,13 @@ class HAWKBackend(SingleTextQueryBackend): record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], + "filter_details" : cmt, "actions_category_name" : "Add (+)", "correlation_action" : 5.00, "date_added" : sigmaparser.parsedyaml['date'], - "enabled" : True, + "enabled" : False, + # "enabled" : True, "public" : True, - "comments" : cmt, "references" : ref, "group_name" : ".", "hawk_id" : sigmaparser.parsedyaml['id'] From 735e5eade97af3130568af16674b44f885038edf Mon Sep 17 00:00:00 2001 
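Review bot: Everything after the first `return arr` in `dedupeAnds` is unreachable — the triple-quoted block, the second `return arr`, and the string-literal copy of an earlier implementation — and `parentAnd` is accepted but never read even though `generateQuery` passes `True`; the dead text should be deleted and the parameter either used or dropped. The live loop also indexes `arr[i]['children']` for every node whose `id` is `and` without checking the key exists, so an `and` node without `children` raises KeyError; `arr[i].get('children', [])` makes the walk total. `for i, node in enumerate(arr):` reads better than `range(0, len(arr))`.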
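Review bot: The new `dedupeAnds` call sits inside the `try` whose handler prints and re-raises `Failed to parse json`, so a `KeyError` or `IndexError` from the dedupe (for instance when `analytic[0]` has no `children`) is reported as a JSON parse failure, and the original exception is lost because `e` is never chained. Keep only `json.loads(analytic_txt)` inside the `try`, catch `json.JSONDecodeError`, and run the dedupe after it — or at minimum `raise Exception("Failed to parse json: %s" % analytic_txt) from e`. The enclosing `generateQuery` body starts and ends outside this hunk.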
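Review bot: `"enabled" : False` changes what every generated record does on import, yet the only trace is the commented-out `# "enabled" : True,` left beside it; drop the dead line and state the reason in a comment such as `# new filters are imported disabled so they can be reviewed before they alert`, or make it a backend option if both modes are wanted. The record dict continues outside the hunk.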
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Nov 2021 09:52:31 +0100 Subject: [PATCH 060/113] Fix macos category --- .../macos/{ => file_event}/macos_emond_launch_daemon.yml | 0 rules/linux/macos/{ => file_event}/macos_startup_items.yml | 0 .../linux/macos/{ => process_creation}/macos_applescript.yml | 0 .../macos/{ => process_creation}/macos_base64_decode.yml | 0 .../macos/{ => process_creation}/macos_binary_padding.yml | 0 .../{ => process_creation}/macos_change_file_time_attr.yml | 0 .../macos/{ => process_creation}/macos_clear_system_logs.yml | 4 ++-- .../macos/{ => process_creation}/macos_create_account.yml | 0 .../{ => process_creation}/macos_create_hidden_account.yml | 0 .../{ => process_creation}/macos_creds_from_keychain.yml | 0 .../{ => process_creation}/macos_disable_security_tools.yml | 0 .../macos_file_and_directory_discovery.yml | 0 .../{ => process_creation}/macos_find_cred_in_files.yml | 0 .../macos/{ => process_creation}/macos_gui_input_capture.yml | 5 +++-- .../macos/{ => process_creation}/macos_local_account.yml | 0 .../macos/{ => process_creation}/macos_local_groups.yml | 0 .../macos_network_service_scanning.yml | 0 .../macos/{ => process_creation}/macos_network_sniffing.yml | 0 .../{ => process_creation}/macos_remote_system_discovery.yml | 0 .../{ => process_creation}/macos_schedule_task_job_cron.yml | 0 .../macos/{ => process_creation}/macos_screencapture.yml | 0 .../macos_security_software_discovery.yml | 0 .../{ => process_creation}/macos_split_file_into_pieces.yml | 0 .../macos_susp_histfile_operations.yml | 0 .../macos_suspicious_macos_firmware_activity.yml | 0 .../macos_system_network_connections_discovery.yml | 0 .../macos_system_network_discovery.yml | 2 +- .../{ => process_creation}/macos_system_shutdown_reboot.yml | 0 .../{ => process_creation}/macos_xattr_gatekeeper_bypass.yml | 0 29 files changed, 6 insertions(+), 5 deletions(-) rename rules/linux/macos/{ => file_event}/macos_emond_launch_daemon.yml 
(100%) rename rules/linux/macos/{ => file_event}/macos_startup_items.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_applescript.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_base64_decode.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_binary_padding.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_change_file_time_attr.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_clear_system_logs.yml (93%) rename rules/linux/macos/{ => process_creation}/macos_create_account.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_create_hidden_account.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_creds_from_keychain.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_disable_security_tools.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_file_and_directory_discovery.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_find_cred_in_files.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_gui_input_capture.yml (92%) rename rules/linux/macos/{ => process_creation}/macos_local_account.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_local_groups.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_network_service_scanning.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_network_sniffing.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_remote_system_discovery.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_schedule_task_job_cron.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_screencapture.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_security_software_discovery.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_split_file_into_pieces.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_susp_histfile_operations.yml (100%) rename rules/linux/macos/{ => 
process_creation}/macos_suspicious_macos_firmware_activity.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_system_network_connections_discovery.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_system_network_discovery.yml (96%) rename rules/linux/macos/{ => process_creation}/macos_system_shutdown_reboot.yml (100%) rename rules/linux/macos/{ => process_creation}/macos_xattr_gatekeeper_bypass.yml (100%) diff --git a/rules/linux/macos/macos_emond_launch_daemon.yml b/rules/linux/macos/file_event/macos_emond_launch_daemon.yml similarity index 100% rename from rules/linux/macos/macos_emond_launch_daemon.yml rename to rules/linux/macos/file_event/macos_emond_launch_daemon.yml diff --git a/rules/linux/macos/macos_startup_items.yml b/rules/linux/macos/file_event/macos_startup_items.yml similarity index 100% rename from rules/linux/macos/macos_startup_items.yml rename to rules/linux/macos/file_event/macos_startup_items.yml diff --git a/rules/linux/macos/macos_applescript.yml b/rules/linux/macos/process_creation/macos_applescript.yml similarity index 100% rename from rules/linux/macos/macos_applescript.yml rename to rules/linux/macos/process_creation/macos_applescript.yml diff --git a/rules/linux/macos/macos_base64_decode.yml b/rules/linux/macos/process_creation/macos_base64_decode.yml similarity index 100% rename from rules/linux/macos/macos_base64_decode.yml rename to rules/linux/macos/process_creation/macos_base64_decode.yml diff --git a/rules/linux/macos/macos_binary_padding.yml b/rules/linux/macos/process_creation/macos_binary_padding.yml similarity index 100% rename from rules/linux/macos/macos_binary_padding.yml rename to rules/linux/macos/process_creation/macos_binary_padding.yml 
diff --git a/rules/linux/macos/macos_change_file_time_attr.yml b/rules/linux/macos/process_creation/macos_change_file_time_attr.yml similarity index 100% rename from rules/linux/macos/macos_change_file_time_attr.yml rename to rules/linux/macos/process_creation/macos_change_file_time_attr.yml diff --git a/rules/linux/macos/macos_clear_system_logs.yml b/rules/linux/macos/process_creation/macos_clear_system_logs.yml similarity index 93% rename from rules/linux/macos/macos_clear_system_logs.yml rename to rules/linux/macos/process_creation/macos_clear_system_logs.yml index 4df611653..0c554bba2 100644 --- a/rules/linux/macos/macos_clear_system_logs.yml +++ b/rules/linux/macos/process_creation/macos_clear_system_logs.yml @@ -4,7 +4,7 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 -modified: 2021/08/14 +modified: 2021/11/11 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md logsource: @@ -16,7 +16,7 @@ detection: selection2: CommandLine|contains: '/var/log' selection3: - Commandline|contains|all: + CommandLine|contains|all: - '/Users/' - '/Library/Logs/' condition: selection1 and (selection2 or selection3) diff --git a/rules/linux/macos/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml similarity index 100% rename from rules/linux/macos/macos_create_account.yml rename to rules/linux/macos/process_creation/macos_create_account.yml diff --git a/rules/linux/macos/macos_create_hidden_account.yml b/rules/linux/macos/process_creation/macos_create_hidden_account.yml similarity index 100% rename from rules/linux/macos/macos_create_hidden_account.yml rename to rules/linux/macos/process_creation/macos_create_hidden_account.yml 
diff --git a/rules/linux/macos/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml similarity index 100% rename from rules/linux/macos/macos_creds_from_keychain.yml rename to rules/linux/macos/process_creation/macos_creds_from_keychain.yml diff --git a/rules/linux/macos/macos_disable_security_tools.yml b/rules/linux/macos/process_creation/macos_disable_security_tools.yml similarity index 100% rename from rules/linux/macos/macos_disable_security_tools.yml rename to rules/linux/macos/process_creation/macos_disable_security_tools.yml diff --git a/rules/linux/macos/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml similarity index 100% rename from rules/linux/macos/macos_file_and_directory_discovery.yml rename to rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml diff --git a/rules/linux/macos/macos_find_cred_in_files.yml b/rules/linux/macos/process_creation/macos_find_cred_in_files.yml similarity index 100% rename from rules/linux/macos/macos_find_cred_in_files.yml rename to rules/linux/macos/process_creation/macos_find_cred_in_files.yml diff --git a/rules/linux/macos/macos_gui_input_capture.yml b/rules/linux/macos/process_creation/macos_gui_input_capture.yml similarity index 92% rename from rules/linux/macos/macos_gui_input_capture.yml rename to rules/linux/macos/process_creation/macos_gui_input_capture.yml index 22b42e1c4..99a94a524 100644 --- a/rules/linux/macos/macos_gui_input_capture.yml +++ b/rules/linux/macos/process_creation/macos_gui_input_capture.yml @@ -4,6 +4,7 @@ status: experimental description: Detects attempts to use system dialog prompts to capture user credentials author: remotephone, oscd.community date: 2020/10/13 +modified: 2021/11/11 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ 
@@ -15,13 +16,13 @@ detection: Image: - '/usr/sbin/osascript' selection2: - Commandline|contains|all: + CommandLine|contains|all: - '-e' - 'display' - 'dialog' - 'answer' selection3: - Commandline|contains: + CommandLine|contains: - 'admin' - 'administrator' - 'authenticate' diff --git a/rules/linux/macos/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml similarity index 100% rename from rules/linux/macos/macos_local_account.yml rename to rules/linux/macos/process_creation/macos_local_account.yml diff --git a/rules/linux/macos/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml similarity index 100% rename from rules/linux/macos/macos_local_groups.yml rename to rules/linux/macos/process_creation/macos_local_groups.yml diff --git a/rules/linux/macos/macos_network_service_scanning.yml b/rules/linux/macos/process_creation/macos_network_service_scanning.yml similarity index 100% rename from rules/linux/macos/macos_network_service_scanning.yml rename to rules/linux/macos/process_creation/macos_network_service_scanning.yml diff --git a/rules/linux/macos/macos_network_sniffing.yml b/rules/linux/macos/process_creation/macos_network_sniffing.yml similarity index 100% rename from rules/linux/macos/macos_network_sniffing.yml rename to rules/linux/macos/process_creation/macos_network_sniffing.yml diff --git a/rules/linux/macos/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml similarity index 100% rename from rules/linux/macos/macos_remote_system_discovery.yml rename to rules/linux/macos/process_creation/macos_remote_system_discovery.yml diff --git a/rules/linux/macos/macos_schedule_task_job_cron.yml b/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml similarity index 100% rename from rules/linux/macos/macos_schedule_task_job_cron.yml rename to rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml 
diff --git a/rules/linux/macos/macos_screencapture.yml b/rules/linux/macos/process_creation/macos_screencapture.yml similarity index 100% rename from rules/linux/macos/macos_screencapture.yml rename to rules/linux/macos/process_creation/macos_screencapture.yml diff --git a/rules/linux/macos/macos_security_software_discovery.yml b/rules/linux/macos/process_creation/macos_security_software_discovery.yml similarity index 100% rename from rules/linux/macos/macos_security_software_discovery.yml rename to rules/linux/macos/process_creation/macos_security_software_discovery.yml diff --git a/rules/linux/macos/macos_split_file_into_pieces.yml b/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml similarity index 100% rename from rules/linux/macos/macos_split_file_into_pieces.yml rename to rules/linux/macos/process_creation/macos_split_file_into_pieces.yml diff --git a/rules/linux/macos/macos_susp_histfile_operations.yml b/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml similarity index 100% rename from rules/linux/macos/macos_susp_histfile_operations.yml rename to rules/linux/macos/process_creation/macos_susp_histfile_operations.yml diff --git a/rules/linux/macos/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml similarity index 100% rename from rules/linux/macos/macos_suspicious_macos_firmware_activity.yml rename to rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml diff --git a/rules/linux/macos/macos_system_network_connections_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml similarity index 100% rename from rules/linux/macos/macos_system_network_connections_discovery.yml rename to rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml 
diff --git a/rules/linux/macos/macos_system_network_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_discovery.yml similarity index 96% rename from rules/linux/macos/macos_system_network_discovery.yml rename to rules/linux/macos/process_creation/macos_system_network_discovery.yml index 40b2f33d5..cc4278175 100644 --- a/rules/linux/macos/macos_system_network_discovery.yml +++ b/rules/linux/macos/process_creation/macos_system_network_discovery.yml @@ -20,7 +20,7 @@ detection: - '/usr/sbin/arp' selection2: Image: '/usr/bin/defaults' - Commandline|contains|all: + CommandLine|contains|all: - 'read' - '/Library/Preferences/com.apple.alf' condition: selection1 or selection2 diff --git a/rules/linux/macos/macos_system_shutdown_reboot.yml b/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml similarity index 100% rename from rules/linux/macos/macos_system_shutdown_reboot.yml rename to rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml diff --git a/rules/linux/macos/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml similarity index 100% rename from rules/linux/macos/macos_xattr_gatekeeper_bypass.yml rename to rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml From bd3358d33c03c84dcc532b007d385168e7b63757 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Nov 2021 10:13:48 +0100 Subject: [PATCH 061/113] Fix auditd field name --- .../lnx_auditd_omigod_scx_runasprovider_executescript.yml | 3 ++- ...x_auditd_omigod_scx_runasprovider_executeshellcommand.yml | 4 ++-- rules/linux/auditd/lnx_auditd_web_rce.yml | 5 ++--- 3 files changed, 6 insertions(+), 6 deletions(-) rename {rules/linux/auditd => rules-unsupported}/lnx_auditd_omigod_scx_runasprovider_executescript.yml (96%) 
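Review bot: This hunk fixes the `Commandline` → `CommandLine` key but, unlike the sibling edits to macos_clear_system_logs.yml and macos_gui_input_capture.yml in the same commit, does not add `modified: 2021/11/11` after `date:`, so the rule's metadata does not record that its detection logic changed. The same omission applies to the two `user: root` → `User: root` hunks in commit 062 (both omigod process_creation rules).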
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml similarity index 96% rename from rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml rename to rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml index a760be6da..8571eee41 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml +++ b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml @@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. status: experimental date: 2021/09/18 +modified: 2021/11/11 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.privilege_escalation @@ -21,7 +22,7 @@ logsource: detection: selection: type: 'SYSCALL' - SYSCALL: 'execve' + syscall: 'execve' uid: '0' cwd: '/var/opt/microsoft/scx/tmp' cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index d98c1a541..0cd784820 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml 
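Review bot: The executescript rule is relocated into `rules-unsupported` while its content only gets the `syscall` key fix and a `modified:` bump, and it keeps `status: experimental`; nothing in the rule or the commit subject ("Fix auditd field name") says why it is no longer supported, whereas its executeshellcommand sibling with the identical field fix stays in `rules/linux/auditd`. If the move is intentional, a short note in the rule (or the commit message) stating the reason would keep the two from drifting apart.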
@@ -3,6 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. status: experimental date: 2021/09/17 +modified: 2021/11/11 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.privilege_escalation @@ -20,7 +21,7 @@ logsource: detection: selection: type: 'SYSCALL' - SYSCALL: 'execve' + syscall: 'execve' uid: '0' cwd: '/var/opt/microsoft/scx/tmp' comm: 'sh' @@ -28,4 +29,3 @@ detection: falsepositives: - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. level: high - diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 32b3c16f5..69a36bdc0 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -4,17 +4,16 @@ status: experimental description: Detects possible command execution by web application/web shell author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019/10/12 -modified: 2019/11/04 +modified: 2021/11/11 references: - personal experience - logsource: product: linux service: auditd detection: selection: type: 'SYSCALL' - SYSCALL: 'execve' + syscall: 'execve' key: 'detect_execve_www' condition: selection falsepositives: From 1d38a7dfa5c0440e58db7a568e440e8dfe7efae8 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Nov 2021 10:16:36 +0100 Subject: [PATCH 062/113] Fix linux process_creation field case --- .../process_creation/omigod_scx_runasprovider_executescript.yml | 2 +- .../omigod_scx_runasprovider_executeshellcommand.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml index 573b6aeff..5288f13df 100644 --- a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml @@ -20,7 +20,7 @@ logsource: category: process_creation detection: selection: - user: root + User: root LogonId: '0' CurrentDirectory: '/var/opt/microsoft/scx/tmp' CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx' diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml index f53b0ff6d..5e9c8b81b 100644 --- a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml @@ -20,7 +20,7 @@ logsource: category: process_creation detection: selection: - user: root + User: root LogonId: '0' CurrentDirectory: '/var/opt/microsoft/scx/tmp' CommandLine|contains: '/bin/sh' From c682c12ecfe2b426682139031ef7fa332c4c096d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Nov 2021 10:21:21 +0100 Subject: [PATCH 063/113] Add sudo service --- rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml index d49f5e9c1..96afaf522 100644 --- a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml +++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml 
@@ -7,13 +7,14 @@ status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 author: Florian Roth date: 2019/10/15 -modified: 2021/09/14 +modified: 2021/11/11 references: - https://www.openwall.com/lists/oss-security/2019/10/14/1 - https://access.redhat.com/security/cve/cve-2019-14287 - https://twitter.com/matthieugarin/status/1183970598210412546 logsource: product: linux + service: sudo tags: - attack.privilege_escalation - attack.t1068 From c2ef681e86d2d5dc5325d8a02cc34f798079b245 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Nov 2021 10:26:08 +0100 Subject: [PATCH 064/113] fix modified --- .../lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index 0cd784820..29fe14e15 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -3,7 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. status: experimental date: 2021/09/17 -modified: 2021/11/11 +modified: 2021/11/11 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.privilege_escalation From b61e92ae1deb44a0ba5830304886ea763dbcd6ab Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Thu, 11 Nov 2021 16:12:49 +0100 Subject: [PATCH 065/113] fix: FP with VSCode --- .../process_creation/win_susp_script_exec_from_temp.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 5389761e7..1a817b30f 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth, Max Altgelt date: 2021/07/14 -modified: 2021/08/10 +modified: 2021/11/11 tags: - attack.execution logsource: @@ -32,6 +32,7 @@ detection: - ' >' - 'Out-File' - 'ConvertTo-Json' + - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user condition: selection and not filter falsepositives: - Administrative scripts From 9fddfd4afbbe34fd012b8b4c1fb964496e1db961 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 11 Nov 2021 17:34:20 +0000 Subject: [PATCH 066/113] filter out where Details is (Empty) --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 +++- .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index cac8f9e7d..c1a5177c5 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
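Review bot: The new filter entry `'-WindowStyle hidden -Verb runAs'` suppresses every script execution from a temp location whose command line contains that substring — a hidden, elevated launch is precisely the shape this rule exists to surface — so the FP fix is considerably broader than the VS Code case in the trailing comment. The filter's key is outside the hunk; if it is a plain `CommandLine|contains` list, the VS Code exception would be narrower as its own selection that also constrains the parent process to VS Code. At minimum the comment should record what VS Code actually launches so the exclusion can be tightened later.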
@@ -190,6 +190,8 @@ detection: - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' + filter: + Details: '(Empty)' condition: main_selection or session_manager_base and session_manager or current_version_base and current_version or @@ -202,7 +204,7 @@ detection: classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or - system_control_base and system_control + system_control_base and system_control and not filter fields: - SecurityID - ObjectName diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 820a65f60..dd3467c76 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -24,7 +24,9 @@ detection: NewName|endswith: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - condition: selection + filter: + Details: '(Empty)' + condition: selection and not filter fields: - EventID - Image From a8d00385c3ce9aa607d77585dce1f58fb95456a0 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 11 Nov 2021 20:55:01 +0100 Subject: [PATCH 067/113] Fix double quotes escaping and values with commas in SQLite/SQL backends --- tools/sigma/backends/sql.py | 15 +++++++------ tools/sigma/backends/sqlite.py | 41 ++++++++++++++++++++++++++-------- 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index b31fba2b8..4c00f0248 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
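Review bot: `and not filter` is appended only to the last clause of the `condition` in sysmon_asep_reg_keys_modification.yml, and because `and` binds tighter than `or` in Sigma conditions, the `Details: '(Empty)'` exclusion applies solely to `system_control_base and system_control` while `main_selection` and every other `*_base and *` pair still match events whose Details is `(Empty)`. The whole disjunction needs grouping: `condition: (main_selection or session_manager_base and session_manager or … or system_control_base and system_control) and not filter`. The appinit rule in the same commit has a single selection, so its `selection and not filter` is correct.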
@@ -106,24 +106,25 @@ class SQLBackend(SingleTextQueryBackend): def generateMapItemNode(self, node): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) + generated_value = self.generateNode(value) - has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value)) + has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", generated_value) - if "," in self.generateNode(value) and not has_wildcard: - return self.mapMulti % (transformed_fieldname, self.generateNode(value)) + if "," in generated_value and generated_value[0]=="(" and generated_value[-1]==")" and not has_wildcard: + return self.mapMulti % (transformed_fieldname, generated_value) elif "LENGTH" in transformed_fieldname: return self.mapLength % (transformed_fieldname, value) elif type(value) == list: return self.generateMapItemListNode(transformed_fieldname, value) elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): if has_wildcard: - return self.mapWildcard % (transformed_fieldname, self.generateNode(value)) + return self.mapWildcard % (transformed_fieldname, generated_value) else: - return self.mapExpression % (transformed_fieldname, self.generateNode(value)) + return self.mapExpression % (transformed_fieldname, generated_value) elif "sourcetype" in transformed_fieldname: - return self.mapSource % (transformed_fieldname, self.generateNode(value)) + return self.mapSource % (transformed_fieldname, generated_value) elif has_wildcard: - return self.mapWildcard % (transformed_fieldname, self.generateNode(value)) + return self.mapWildcard % (transformed_fieldname, generated_value) else: raise TypeError("Backend does not support map values of type " + str(type(value))) diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py index 0b445b59a..c456d9220 100644 --- a/tools/sigma/backends/sqlite.py +++ b/tools/sigma/backends/sqlite.py 
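Review bot: `generated_value[0]=="("` and `generated_value[-1]==")"` raise IndexError when `generateNode(value)` yields an empty string (an empty field value in a rule, if `cleanValue` leaves it empty), whereas the previous `"," in …` test tolerated that; `generated_value.startswith("(") and generated_value.endswith(")")` expresses the same check safely and reads as intended. Hoisting `generated_value` is a good cleanup; the `TypeError` tail of the method is outside the hunk.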
@@ -69,33 +69,56 @@ class SQLiteBackend(SQLBackend): return self.orToken.join(filtered) else: return None + + def cleanValue(self, val): + if not isinstance(val, str): + return str(val) + + #Escape double quotes in SQLite + val = val.replace('"','""') + + #Single backlashes which are not in front of * or ? are doulbed + val = re.sub(r"(? Date: Thu, 11 Nov 2021 20:34:00 +0000 Subject: [PATCH 068/113] updating modified date and author fields --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 ++-- .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index c1a5177c5..52a4072ff 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -11,8 +11,8 @@ tags: - attack.t1547.001 - attack.t1060 # an old one date: 2019/10/25 -modified: 2020/11/04 -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community +modified: 2021/11/11 +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event product: windows diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index dd3467c76..e54f396b2 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
@@ -9,9 +9,9 @@ tags: - attack.persistence - attack.t1103 # an old one - attack.t1546.010 -author: Ilyas Ochkov, oscd.community +author: Ilyas Ochkov, oscd.community, Tim Shelton date: 2019/10/25 -modified: 2020/09/06 +modified: 2021/11/11 logsource: category: registry_event product: windows From a1c85108fa04318c74e5562e1358fa5c39c11d8c Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 11 Nov 2021 20:37:34 +0000 Subject: [PATCH 069/113] Updating author and date modified --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index 6b92c18f6..13bf248d4 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -5,9 +5,9 @@ related: type: obsoletes status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. -author: Tom Kern, oscd.community, Natalia Shornikova +author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton date: 2019/11/14 -modified: 2020/10/12 +modified: 2021/11/11 references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll From b4da880a9f5be7f1cf378fa3490366b1ad4a910a Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 11 Nov 2021 19:49:16 -0500 Subject: [PATCH 070/113] Update sysmon_excel_outbound_network_connection.yml Updated per Florian's recommendations, please let me know if there's anything else. --- .../sysmon_excel_outbound_network_connection.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index a60175691..05faa8400 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml @@ -1,7 +1,8 @@ title: Excel Network Connections id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: experimental -description: Detects a Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. +description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for +your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2021/11/10 references: @@ -42,4 +43,6 @@ detection: condition: selection and not filter falsepositives: - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. -level: low + - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned. + - It is highly recomended to baseline your activity and tune out common business use cases. +level: Medium From 1d58c7938663215f25311949362a9d96295d8c46 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 11 Nov 2021 21:44:07 -0500 Subject: [PATCH 071/113] Update sysmon_excel_outbound_network_connection.yml --- .../sysmon_excel_outbound_network_connection.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
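Review bot: The new falsepositives entries in the second hunk misspell `recomended` and the sharepoint sentence reads awkwardly; suggested wording: `- Office documents commonly use templates that refer to external addresses such as sharepoint.ourcompany.com, which may have to be tuned out.` and `- It is highly recommended to baseline your activity and tune out common business use cases.`. The same spelling is still present as context in the later patches of this series, so it is worth fixing once here.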
diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index 05faa8400..b60ce74ab 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml @@ -1,8 +1,7 @@ title: Excel Network Connections id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: experimental -description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for -your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. +description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule foryour organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2021/11/10 references: From e207596041a5b79c80f05573196860dcfde34589 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 11 Nov 2021 21:46:24 -0500 Subject: [PATCH 072/113] Update sysmon_excel_outbound_network_connection.yml --- .../sysmon_excel_outbound_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index b60ce74ab..515d663ae 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml 
@@ -2,7 +2,7 @@ title: Excel Network Connections id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: experimental description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule foryour organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0" date: 2021/11/10 references: - https://corelight.com/blog/detecting-cve-2021-42292 From e514567a82a6a84fd8f4c16155778cd501d85764 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 11 Nov 2021 21:50:10 -0500 Subject: [PATCH 073/113] Update sysmon_excel_outbound_network_connection.yml --- .../sysmon_excel_outbound_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index 515d663ae..8cd226ec7 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml 
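Review bot: The new author value closes with a different quote than it opens, `'@Neo23x0"`; YAML still reads the whole value as one plain scalar, but the stray double quote becomes part of the author string. `author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0'` keeps the handle quoting consistent with the two handles before it. The line survives unchanged as context in the following patches of this series.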
@@ -1,7 +1,7 @@ title: Excel Network Connections id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: experimental -description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule foryour organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. +description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0" date: 2021/11/10 references: From 27a72f10feb9b06e079cdf69ad540fbf6f63acf5 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 11 Nov 2021 21:57:44 -0500 Subject: [PATCH 074/113] Update sysmon_excel_outbound_network_connection.yml I got an error for level field, I'm guessing it was due to a capital M and it's case sensitive. --- .../sysmon_excel_outbound_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml index 8cd226ec7..716f240ab 100644 --- a/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/windows/network_connection/sysmon_excel_outbound_network_connection.yml 
@@ -44,4 +44,4 @@ falsepositives: - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned. - It is highly recomended to baseline your activity and tune out common business use cases. -level: Medium +level: medium From 7ad901fce10ea11535be25910fe93e6e5a950d65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Fri, 12 Nov 2021 08:36:13 +0100 Subject: [PATCH 075/113] Corrected typo in HyperBro malware name --- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index b6b948ec6..c9b377394 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -50,7 +50,7 @@ detection: - '\AnonymousPipe' # Hidden Cobra Hoplight - '\bc367' # Pacifier - '\bc31a7' # Pacifier - - '\testPipe' # Emissary Panda Hyerbri + - '\testPipe' # Emissary Panda Hyperbro condition: selection tags: - attack.defense_evasion From 8e39eb7fde012bccba92e21c52b059e0118dc8d3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 12 Nov 2021 11:28:09 +0100 Subject: [PATCH 076/113] Remove useless EventID --- rules/windows/create_remote_thread/sysmon_cactustorch.yml | 3 +-- .../create_remote_thread/sysmon_susp_powershell_rundll32.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml index 1bd0ff71f..8b6e3dee2 100644 --- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml +++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml 
@@ -7,13 +7,12 @@ references: status: experimental author: '@SBousseaden (detection), Thomas Patzke (rule)' date: 2019/02/01 -modified: 2020/08/28 +modified: 2021/11/12 logsource: product: windows category: create_remote_thread detection: selection: - EventID: 8 SourceImage|endswith: - '\System32\cscript.exe' - '\System32\wscript.exe' diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml index d1262e1f7..081bd0b01 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml @@ -6,12 +6,12 @@ author: Florian Roth references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html date: 2018/06/25 +modified: 2021/11/12 logsource: product: windows category: create_remote_thread detection: selection: - EventID: 8 SourceImage|endswith: '\powershell.exe' TargetImage|endswith: '\rundll32.exe' condition: selection From 9f7a027913e72110ad66b511a04c22bc48f416fd Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 12 Nov 2021 12:18:44 +0100 Subject: [PATCH 077/113] Fix category and EventID --- .../powershell_script/powershell_software_discovery.yml} | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename rules/windows/{builtin/win_software_discovery.yml => powershell/powershell_script/powershell_software_discovery.yml} (90%) diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/powershell/powershell_script/powershell_software_discovery.yml similarity index 90% rename from rules/windows/builtin/win_software_discovery.yml rename to rules/windows/powershell/powershell_script/powershell_software_discovery.yml index 9a2754889..d7af2edbc 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/powershell_software_discovery.yml 
@@ -4,7 +4,7 @@ description: Adversaries may attempt to enumerate software for a variety of reas status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/16 -modified: 2021/09/21 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna @@ -13,11 +13,10 @@ tags: - attack.t1518 logsource: product: windows - service: powershell + category: ps_script definition: 'Script block logging must be enabled' detection: selection: - EventID: 4104 ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize - 'get-itemProperty' - '\software\' @@ -26,4 +25,4 @@ detection: condition: selection level: medium falsepositives: - - Legitimate administration activities \ No newline at end of file + - Legitimate administration activities From 0ab163b6badf9109278839865ab2d9cc181fa9d6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 12 Nov 2021 13:31:25 +0100 Subject: [PATCH 078/113] fix: FP which happens more frequently under normal circumstances --- rules/windows/sysmon/sysmon_config_modification_error.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml index c91e0d20c..9d97fafb4 100644 --- a/rules/windows/sysmon/sysmon_config_modification_error.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml @@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon status: experimental author: frack113 date: 2021/06/04 -modified: 2021/09/07 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html 
@@ -19,6 +19,8 @@ detection: Description|contains: - 'Failed to open service configuration with error' - 'Failed to connect to the driver to update configuration' + selection_filter: + Description: 'Failed to open service configuration with error 19' condition: selection_error falsepositives: - legitimate administrative action From eb5465e5a6ec8e0503c11808006b0a9dc82e4fe8 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 12 Nov 2021 13:41:48 +0100 Subject: [PATCH 079/113] Fix detection from reference --- rules/windows/builtin/win_scm_database_handle_failure.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index bf753fdca..e83eeec7e 100644 --- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml @@ -3,6 +3,7 @@ id: 13addce7-47b2-4ca0-a98f-1de964d1d669 description: Detects non-system users failing to get a handle of the SCM database. status: experimental date: 2019/08/12 +modified: 2021/11/12 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html @@ -15,8 +16,8 @@ detection: selection: EventID: 4656 ObjectType: 'SC_MANAGER OBJECT' - ObjectName: 'servicesactive' - Keywords: "Audit Failure" + ObjectName: 'ServicesActive' + #Keywords: "Audit Failure" <-> in the ref "Keywords":-9214364837600034816 filter: SubjectLogonId: "0x3e4" condition: selection and not filter From f145392b6aeb92445492f4e0fd19f4230086bdbc Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 12 Nov 2021 13:55:45 +0100 Subject: [PATCH 080/113] Fix detection field name --- rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
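Review bot: `selection_filter` is defined but never referenced: the condition on the line below is still `condition: selection_error`, so the error-19 events this commit means to suppress keep alerting and the rule's behaviour is unchanged. The condition needs to become `condition: selection_error and not selection_filter`. Also, `Description: 'Failed to open service configuration with error 19'` is an exact match while `selection_error` uses `Description|contains`; if the event text carries anything after the error number the filter will never match, and `Description|contains: 'Failed to open service configuration with error 19'` is the safer form.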
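Review bot: Commenting out `Keywords: "Audit Failure"` in win_scm_database_handle_failure.yml widens the selection to every 4656 handle request on the SCM database, successful ones included, while the description visible in the first hunk still says the rule detects users failing to get a handle; either the description or the selection needs to move with it. The value quoted in the new comment, -9214364837600034816, read as a signed 64-bit Keywords mask is 0x8020000000000000, which is the Audit Success bit rather than Audit Failure, so the reference event appears to be a success event; stating that in the comment would stop the next maintainer from reinstating the Failure keyword as a "fix". A line such as `# 4656 is logged for success and failure; both are matched on purpose` beside the selection would document the decision.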
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml index 431a01fca..49ec46136 100644 --- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml +++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml @@ -10,13 +10,14 @@ tags: - car.2013-07-002 author: Florian Roth (rule), Adam Bradbury (idea) date: 2019/06/02 +modified: 2021/11/12 logsource: product: windows service: security detection: selection: EventID: 4625 - AccountName: AAAAAAA + TargetUserName: AAAAAAA condition: selection falsepositives: - Unlikely From 64839d9e4f51ee4a5840c9a7aa7a8a00ec1e141f Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 12 Nov 2021 14:21:53 +0100 Subject: [PATCH 081/113] Fix detection field name --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 595a57420..3a987cbb2 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -6,7 +6,7 @@ references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2020/10/05 -modified: 2021/07/07 +modified: 2021/11/12 tags: - attack.t1078 - attack.lateral_movement @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 4648 - Image|endswith: + ProcessName|endswith: - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' From 07a3e3e2349098bfc97405c915e3b87ad9476bdc Mon Sep 17 00:00:00 2001 
From: Pawel Mazur Date: Fri, 12 Nov 2021 16:18:29 +0100 Subject: [PATCH 082/113] Making the Password Policy Discovery rule more resilient by adding detection for specific commands --- .../lnx_auditd_password_policy_discovery.yml | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index ec9ede5a7..646abed8a 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -3,25 +3,42 @@ id: ca94a6db-8106-4737-9ed2-3e3bb826af0a status: stable description: Detects password policy discovery commands author: Ömer Günal, oscd.community +contributor: 'Pawel Mazur' date: 2020/10/08 -modified: 2021/09/14 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md + - https://attack.mitre.org/techniques/T1201/ + - https://linux.die.net/man/1/chage + - https://man7.org/linux/man-pages/man1/passwd.1.html + - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu logsource: product: linux service: auditd detection: - selection: + files: type: 'PATH' name: - '/etc/pam.d/common-password' - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - '/etc/login.defs' - condition: selection + chage: + type: 'EXECVE' + a0: 'chage' + a1: + - '--list' + - '-l' + passwd: + type: 'EXECVE' + a0: 'passwd' + a1: + - '-S' + - '--status' + condition: files or chage or passwd falsepositives: - Legitimate administration activities level: low tags: - attack.discovery - - attack.t1201 + - attack.t1201 \ No newline at end of file From 5a542431ac818dd17441dccaa7ec096eb5198240 Mon Sep 17 00:00:00 2001 
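Review bot: `a0: 'chage'` and `a0: 'passwd'` are exact matches on argv[0], which auditd records as the caller supplied it, so invocations by absolute path (`/usr/bin/chage -l user` from a script or cron job) would not match either new selection. If that matters for the environments this rule targets, `a0|endswith: 'chage'` and `a0|endswith: 'passwd'`, or listing the bare and absolute forms, keep the detection from depending on how the command was typed. The `a1` lists cover the short and long option forms, which is good.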
From: Austin Songer Date: Fri, 12 Nov 2021 11:12:31 -0600 Subject: [PATCH 083/113] Update win_susp_registration_via_cscript.yml --- .../win_susp_registration_via_cscript.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_registration_via_cscript.yml b/rules/windows/process_creation/win_susp_registration_via_cscript.yml index c529c7ca7..ae050a068 100644 --- a/rules/windows/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/windows/process_creation/win_susp_registration_via_cscript.yml @@ -11,14 +11,16 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: '\cscript.exe' - CommandLine|contains|all: - - '-register' + CommandLine|contains: '-register' + selection2: + CommandLine|contains: - '\Windows Kits\10\bin\10.0.22000.0\x64' - '\Windows Kits\10\bin\10.0.19041.0\x64' - '\Windows Kits\10\bin\10.0.17763.0\x64' - condition: selection + condition: + selection1 and selection2 fields: - CommandLine - ParentCommandLine From 645292d945fbe9c1f98d35932e3cb77cacddde8c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 12 Nov 2021 19:44:50 +0100 Subject: [PATCH 084/113] removed contributor, added to authors --- rules/linux/auditd/lnx_auditd_password_policy_discovery.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index 646abed8a..4d3c28203 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml 
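Review bot: The condition is split across two lines, `condition:` followed by `selection1 and selection2` on its own line; YAML folds that into one plain scalar so it parses, but every other rule in this series writes `condition: selection1 and selection2` on a single line and the split invites an indentation slip. The old `contains|all` form required all three Windows Kits paths in one command line at once, so the split into two selections is a real fix; descriptive names such as `selection_img` and `selection_kits`, with the condition updated to match, plus a comment `# any one SDK version path` above the path list would make the intent explicit.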
@@ -2,8 +2,7 @@ title: Password Policy Discovery id: ca94a6db-8106-4737-9ed2-3e3bb826af0a status: stable description: Detects password policy discovery commands -author: Ömer Günal, oscd.community -contributor: 'Pawel Mazur' +author: Ömer Günal, oscd.community, Pawel Mazur date: 2020/10/08 modified: 2021/11/12 references: @@ -41,4 +40,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1201 \ No newline at end of file + - attack.t1201 From f647571478996f476431c8bdda06d7268e647150 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 13 Nov 2021 09:59:14 +0100 Subject: [PATCH 085/113] fix logsource --- rules/windows/builtin/win_alert_lsass_access.yml | 4 +++- rules/windows/other/win_defender_psexec_wmi_asr.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml index a2cddf48a..90269aed6 100644 --- a/rules/windows/builtin/win_alert_lsass_access.yml +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -6,13 +6,15 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter author: Markus Neis date: 2018/08/26 +modified: 2021/11/13 tags: - attack.credential_access - attack.t1003 # an old one # Defender Attack Surface Reduction - attack.t1003.001 logsource: - product: windows_defender + product: windows + service: windefend definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' detection: selection: diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml index 6761ba143..07d2196e8 100644 --- a/rules/windows/other/win_defender_psexec_wmi_asr.yml 
+++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/duff22b/status/1280166329660497920 author: Bhabesh Raj date: 2020/07/14 +modified: 2021/11/13 tags: - attack.execution - attack.lateral_movement @@ -14,7 +15,8 @@ tags: - attack.t1035 # an old one - attack.t1569.002 logsource: - product: windows_defender + product: windows + service: windefend definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' detection: selection: From 5245360186a1fd2dd58378f92e6705c8db5384e4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 14 Nov 2021 09:24:34 +0100 Subject: [PATCH 086/113] No filetype or bodyMagic in zeek http log field --- .../zeek/zeek_http_exfiltration_compressed_files.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/network => rules-unsupported}/zeek/zeek_http_exfiltration_compressed_files.yml (100%) diff --git a/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml b/rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml similarity index 100% rename from rules/network/zeek/zeek_http_exfiltration_compressed_files.yml rename to rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml From 9d0be2348d110f8039ee92a846b9be7ec0b1765f Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 14 Nov 2021 09:26:00 +0100 Subject: [PATCH 087/113] Fix field name --- rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml | 4 ++-- rules/network/zeek/zeek_http_webdav_put_request.yml | 2 +- rules/network/zeek/zeek_rdp_public_listener.yml | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml index 2c98984e8..aca0a0867 100644 
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml +++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml @@ -6,7 +6,7 @@ references: - "https://github.com/OTRF/detection-hackathon-apt29/issues/37" author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)' date: 2020/05/03 -modified: 2020/09/02 +modified: 2021/11/14 tags: - attack.discovery - attack.t1087 # an old one @@ -28,7 +28,7 @@ detection: - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object - SamrQueryInformationGroup #obtains attributes from a group object timeframe: 30s - condition: selection | count(operation) by src_ip > 4 + condition: selection | count(operation) by id.orig_h > 4 falsepositives: - Devices that may do authentication like a VPN or a firewall that looksup IPs to username - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml index c4eb70960..b02c7e6a9 100644 --- a/rules/network/zeek/zeek_http_webdav_put_request.yml +++ b/rules/network/zeek/zeek_http_webdav_put_request.yml @@ -17,7 +17,7 @@ detection: user_agent|contains: 'WebDAV' method: 'PUT' filter: - id_resp_h: + id.resp_h: - 192.168.0.0/16 - 172.16.0.0/12 - 10.0.0.0/8 diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index c0b70992b..8b2f1a02f 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -8,13 +8,14 @@ tags: - attack.t1021 # an old one - attack.t1021.001 author: 'Josh Brower @DefensiveDepth' -date: 2020/08/22 +date: 2020/08/22 +modified: 2021/11/14 logsource: product: zeek service: rdp detection: selection: - src_ip|startswith: + id.orig_h|startswith: - '192.168.' - '10.' - '172.16.' From b2933729134471ccf21cd4b5d362ab9bb18151a9 Mon Sep 17 00:00:00 2001 
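Review bot: In zeek_rdp_public_listener.yml the renamed `id.orig_h|startswith` still carries dotted prefixes, and `'172.16.'` covers only 172.16.0.0/16 of the 172.16.0.0/12 private block, so RDP from 172.17–172.31 sources is treated as public. The webdav rule changed in this same commit expresses the same ranges as CIDR values (`192.168.0.0/16`, `172.16.0.0/12`, `10.0.0.0/8`) on `id.resp_h`; the same form on `id.orig_h` would close that gap if the target backend accepts it for this field. The `-date: 2020/08/22` / `+date: 2020/08/22` pair looks like a trailing-whitespace change; harmless, but worth confirming nothing else differs.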
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 14 Nov 2021 09:56:59 +0100 Subject: [PATCH 088/113] Add product aws --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 1 + rules/cloud/aws/aws_cloudtrail_disable_logging.yml | 1 + rules/cloud/aws/aws_config_disable_recording.yml | 1 + rules/cloud/aws/aws_ec2_disable_encryption.yml | 1 + rules/cloud/aws/aws_ec2_download_userdata.yml | 1 + rules/cloud/aws/aws_ec2_startup_script_change.yml | 1 + rules/cloud/aws/aws_ec2_vm_export_failure.yml | 1 + rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 1 + rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 1 + rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 1 + rules/cloud/aws/aws_elasticache_security_group_created.yml | 1 + .../aws/aws_elasticache_security_group_modified_or_deleted.yml | 1 + rules/cloud/aws/aws_enum_listing.yml | 1 + rules/cloud/aws/aws_guardduty_disruption.yml | 1 + rules/cloud/aws/aws_iam_backdoor_users_keys.yml | 1 + rules/cloud/aws/aws_lambda_function_created_or_invoked.yml | 1 + rules/cloud/aws/aws_macic_evasion.yml | 1 + ...oint.yml => aws_passed_role_to_glue_development_endpoint.yml} | 1 + rules/cloud/aws/aws_rds_change_master_password.yml | 1 + rules/cloud/aws/aws_rds_public_db_restore.yml | 1 + rules/cloud/aws/aws_root_account_usage.yml | 1 + .../cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml | 1 + .../aws/aws_route_53_domain_transferred_to_another_account.yml | 1 + rules/cloud/aws/aws_s3_data_management_tampering.yml | 1 + rules/cloud/aws/aws_securityhub_finding_evasion.yml | 1 + rules/cloud/aws/aws_snapshot_backup_exfiltration.yml | 1 + rules/cloud/aws/aws_sts_assumerole_misuse.yml | 1 + rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml | 1 + rules/cloud/aws/aws_suspicious_saml_activity.yml | 1 + rules/cloud/aws/aws_update_login_profile.yml | 1 + 30 files changed, 30 insertions(+) rename rules/cloud/aws/{passed_role_to_glue_development_endpoint.yml => 
aws_passed_role_to_glue_development_endpoint.yml} (98%) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 597b668d9..83a17e8da 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -7,6 +7,7 @@ date: 2021/09/23 references: - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml index 816a25d5f..6d3e484db 100644 --- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml index ee3f0ef93..71ff54910 100644 --- a/rules/cloud/aws/aws_config_disable_recording.yml +++ b/rules/cloud/aws/aws_config_disable_recording.yml @@ -6,6 +6,7 @@ author: vitaliy0x1 date: 2020/01/21 modified: 2021/08/09 logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index e383c9495..cafbe45b6 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml @@ -12,6 +12,7 @@ tags: - attack.t1486 - attack.t1565 logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index be6b74389..722508c5b 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml 
+++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml index ac9712520..73c1dd1dc 100644 --- a/rules/cloud/aws/aws_ec2_startup_script_change.yml +++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml @@ -8,6 +8,7 @@ modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 logsource: + product: aws service: cloudtrail detection: selection_source: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index 05baed245..57c2fa5c2 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml @@ -8,6 +8,7 @@ modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml index cd4b6d12f..0cbbce502 100644 --- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml @@ -7,6 +7,7 @@ date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html logsource: + product: aws service: cloudtrail detection: selection: diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml index d6d22c653..86583bdf8 100644 --- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml 
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/15
 references:
 - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
index 1ffc14959..65d3a3bac 100644
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://any-api.com/amazonaws_com/eks/docs/API_Description
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml
index 4ee73e1ae..17c6ebb8e 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml
@@ -8,6 +8,7 @@ modified: 2021/08/19
 references:
 - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
index f5bbe1068..5487aa55c 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
@@ -8,6 +8,7 @@ modified: 2021/08/19
 references:
 - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_enum_listing.yml b/rules/cloud/aws/aws_enum_listing.yml
index fe8f1ca02..f43bfeea6 100644
--- a/rules/cloud/aws/aws_enum_listing.yml
+++ b/rules/cloud/aws/aws_enum_listing.yml
@@ -6,6 +6,7 @@ author: toffeebr33k
 date: 2020/11/21
 modified: 2021/08/09
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_eventname:
diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml
index 2181fce53..d7500a063 100644
--- a/rules/cloud/aws/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/aws_guardduty_disruption.yml
@@ -8,6 +8,7 @@ modified: 2021/08/09
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
index 7991b3ae5..0d7cd569a 100644
--- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
@@ -8,6 +8,7 @@ modified: 2021/08/20
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
diff --git a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml
index 669ca76c8..eae76fe06 100644
--- a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml
+++ b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml
@@ -8,6 +8,7 @@ update: 2021/10/13
 references:
 - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection1:
diff --git a/rules/cloud/aws/aws_macic_evasion.yml b/rules/cloud/aws/aws_macic_evasion.yml
index 07c3c9c5e..9e04bbc34 100644
--- a/rules/cloud/aws/aws_macic_evasion.yml
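Review bot: The hunk header for aws_lambda_function_created_or_invoked.yml shows the file carrying `update: 2021/10/13`, while every other rule touched in this commit records its change date under `modified:` (see the aws_cloudtrail_disable_logging, aws_guardduty_disruption and aws_iam_backdoor_users_keys hunks). Since this commit already edits that file's header block, renaming the line to `modified: 2021/10/13` would keep the date visible to tooling that reads the standard field. The line sits just above the hunk's first context line, so it is outside the hunk itself.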
+++ b/rules/cloud/aws/aws_macic_evasion.yml
@@ -10,6 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.t1562.001
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml
similarity index 98%
rename from rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
rename to rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml
index c43ce53e0..743fbbbe8 100644
--- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml
@@ -9,6 +9,7 @@ references:
 - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
 - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection1:
diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml
index cfdfb70a2..8fe0d7958 100644
--- a/rules/cloud/aws/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws/aws_rds_change_master_password.yml
@@ -8,6 +8,7 @@ modified: 2021/08/20
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml
index fdc8c19d8..d69d7352b 100644
--- a/rules/cloud/aws/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/aws_rds_public_db_restore.yml
@@ -8,6 +8,7 @@ modified: 2021/08/20
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml
index 62aaafbd0..2306c3222 100644
--- a/rules/cloud/aws/aws_root_account_usage.yml
+++ b/rules/cloud/aws/aws_root_account_usage.yml
@@ -8,6 +8,7 @@ modified: 2021/08/09
 references:
 - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_usertype:
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
index 0b43a509d..fa9b5171c 100644
--- a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
@@ -9,6 +9,7 @@ references:
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
index 80aec16dd..69302a914 100644
--- a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
@@ -7,6 +7,7 @@ date: 2021/07/22
 references:
 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml
index 1670c6b64..13e21a4bc 100644
--- a/rules/cloud/aws/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml
@@ -14,6 +14,7 @@ references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
 - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/aws_securityhub_finding_evasion.yml
index 5c9013583..2a5361e0f 100644
--- a/rules/cloud/aws/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws/aws_securityhub_finding_evasion.yml
@@ -10,6 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.t1562
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
index e8794cee2..11ddcf8b4 100644
--- a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
+++ b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
@@ -9,6 +9,7 @@ references:
 - https://www.justice.gov/file/1080281/download
 - https://attack.mitre.org/techniques/T1537/
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
index 6163a0403..1f6b76ae1 100644
--- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
@@ -9,6 +9,7 @@ references:
 - https://github.com/elastic/detection-rules/pull/1214
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
index d94ae3b92..340e41bc6 100644
--- a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/elastic/detection-rules/pull/1213
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection:
diff --git a/rules/cloud/aws/aws_suspicious_saml_activity.yml b/rules/cloud/aws/aws_suspicious_saml_activity.yml
index f8b542bea..d6caa4835 100644
--- a/rules/cloud/aws/aws_suspicious_saml_activity.yml
+++ b/rules/cloud/aws/aws_suspicious_saml_activity.yml
@@ -8,6 +8,7 @@ references:
 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection1:
diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml
index d8468d6de..093dbd905 100644
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@@ -9,6 +9,7 @@ date: 2021/08/09
 references:
 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
 logsource:
+ product: aws
 service: cloudtrail
 detection:
 selection_source:
From 5f87eba8961545965c1fb61ae214b0beee1b14c2 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:11:29 +0100
Subject: [PATCH 089/113] restore src_ip for coverage
---
 rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index aca0a0867..e8b7378fd 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -28,7 +28,7 @@ detection:
 - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
 - SamrQueryInformationGroup #obtains attributes from a group object
 timeframe: 30s
- condition: selection | count(operation) by id.orig_h > 4
+ condition: selection | count(operation) by src_ip > 4
 falsepositives:
 - Devices that may do authentication like a VPN or a firewall that looksup IPs to username
 - False positives depend on scripts and administrative tools used in the monitored environment
From 1c99a93cd8630a4239ab5d04a00954e51f0e514e Mon Sep 17 00:00:00 2001
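Review bot: The new aggregation key `src_ip` is a generic field name, whereas the replaced `id.orig_h` appears to be the field the Zeek records actually carry, so this rule only keeps firing if the backend's zeek logsource mapping translates `src_ip` back to `id.orig_h`; without that mapping `count(operation) by src_ip` groups on an absent field, the threshold of 4 is never reached, and nothing surfaces the silent loss of coverage. The commit title gives "for coverage" as the motive, but nothing in the rule records that the generic name is deliberate, so a short comment next to the condition such as `# generic field; resolved to id.orig_h by the zeek field mapping` would stop a later contributor from reverting it to the native name. Worth confirming against the backend mapping that `src_ip` resolves for the zeek logsource before merging.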
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:50:16 +0100
Subject: [PATCH 090/113] Add azure product
---
 rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml | 1 +
 rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml | 1 +
 rules/cloud/azure/azure_account_lockout.yml | 1 +
 rules/cloud/azure/azure_ad_user_added_to_admin_role.yml | 1 +
 rules/cloud/azure/azure_app_credential_modification.yml | 1 +
 rules/cloud/azure/azure_application_deleted.yml | 1 +
 .../azure/azure_application_gateway_modified_or_deleted.yml | 1 +
 .../azure_application_security_group_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_change_to_authentication_method.yml | 1 +
 .../cloud/azure/azure_container_registry_created_or_deleted.yml | 1 +
 .../cloud/azure/azure_creating_number_of_resources_detection.yml | 1 +
 .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 1 +
 .../azure/azure_device_or_configuration_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_federation_modified.yml | 1 +
 rules/cloud/azure/azure_firewall_modified_or_deleted.yml | 1 +
 .../azure/azure_firewall_rule_collection_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_granting_permission_detection.yml | 1 +
 rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_keyvault_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml | 1 +
 .../cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml | 1 +
 rules/cloud/azure/azure_kubernetes_events_deleted.yml | 1 +
 rules/cloud/azure/azure_kubernetes_network_policy_change.yml | 1 +
 rules/cloud/azure/azure_kubernetes_pods_deleted.yml | 1 +
 rules/cloud/azure/azure_kubernetes_role_access.yml | 1 +
 .../azure/azure_kubernetes_rolebinding_modified_or_deleted.yml | 1 +
 .../azure/azure_kubernetes_secret_or_config_object_access.yml | 1 +
.../azure_kubernetes_service_account_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_login_to_disabled_account.yml | 1 +
 rules/cloud/azure/azure_mfa_interrupted.yml | 1 +
 .../azure/azure_network_firewall_policy_modified_or_deleted.yml | 1 +
 .../azure/azure_network_firewall_rule_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_network_security_modified_or_deleted.yml | 1 +
 .../azure/azure_network_virtual_device_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_new_cloudshell_created.yml | 1 +
 ...azure_owner_removed_from_application_or_service_principal.yml | 1 +
 rules/cloud/azure/azure_rare_operations.yml | 1 +
 rules/cloud/azure/azure_service_principal_created.yml | 1 +
 rules/cloud/azure/azure_service_principal_removed.yml | 1 +
 rules/cloud/azure/azure_suppression_rule_created.yml | 1 +
 .../azure/azure_user_login_blocked_by_conditional_access.yml | 1 +
 rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml | 1 +
 rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml | 1 +
 45 files changed, 45 insertions(+)
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
index 6a06f19be..5dc522e2c 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -13,6 +13,7 @@ tags:
 references:
 - https://o365blog.com/post/hybridhealthagent/
 logsource:
+ product: azure
 service: AzureActivity
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
index a4bd4e63f..bbed90f57 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
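Review bot: The added `product: azure` line in azure_aadhybridhealth_adfs_new_server.yml sits next to `service: AzureActivity`, while most other rules in this commit pair it with `service: azure.activitylogs` (and `azure.signinlogs` / `azure.auditlogs` for the sign-in and audit sources); the same `AzureActivity` value appears in the azure_aadhybridhealth_adfs_service_delete, azure_creating_number_of_resources_detection and azure_granting_permission_detection hunks. Backend logsource mappings are keyed on the product/service pair, so a configuration that maps `azure` with `azure.activitylogs` will not match these four rules unless it also lists `AzureActivity`, and the commit that introduces the product key is the natural place to reconcile this. If these rules read the same Activity Log, normalising them to `service: azure.activitylogs` would be the simplest fix; if they intentionally target a different source, a one-line comment stating so would stop the two identifiers from being merged by a later cleanup.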
@@ -13,6 +13,7 @@ tags:
 references:
 - https://o365blog.com/post/hybridhealthagent/
 logsource:
+ product: azure
 service: AzureActivity
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml
index c2abe63cd..3f65b7eeb 100644
--- a/rules/cloud/azure/azure_account_lockout.yml
+++ b/rules/cloud/azure/azure_account_lockout.yml
@@ -7,6 +7,7 @@ description: Identifies user account which has been locked because the user trie
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
+ product: azure
 service: azure.signinlogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
index ce6c956bf..381913fd1 100644
--- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
@@ -7,6 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1098/003/
 - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
index 1a95a62ca..2867e6d78 100644
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@@ -7,6 +7,7 @@ date: 2021/09/02
 references:
 - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml
index 7160069c5..d92172000 100644
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/09/03
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
index bb7b1e751..0dd456f31 100644
--- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
index 686380ee4..24dd86b99 100644
--- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml
index a6d43f7dc..f84820f90 100644
--- a/rules/cloud/azure/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/azure_change_to_authentication_method.yml
@@ -7,6 +7,7 @@ description: Change to authentication method could be an indicated of an attacke
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
+ product: azure
 service: azure.auditlogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
index a05829eaf..19cd8c917 100644
--- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
+++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
index 74041d51f..ed305d5e3 100644
--- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
@@ -7,6 +7,7 @@ description: Number of VM creations or deployment activities occur in Azure via
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 logsource:
+ product: azure
 service: AzureActivity
 detection:
 keywords:
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index 13be72771..c60bde66c 100644
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -7,6 +7,7 @@ date: 2021/09/03
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index c5136d769..972a3dd95 100644
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/09/03
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
index 6028af1f6..9831b9a1b 100644
--- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml
index bc627c97b..b1902b278 100644
--- a/rules/cloud/azure/azure_federation_modified.yml
+++ b/rules/cloud/azure/azure_federation_modified.yml
@@ -7,6 +7,7 @@ date: 2021/09/06
 references:
 - https://attack.mitre.org/techniques/T1078
 logsource:
+ product: azure
 service: azure.signinlogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
index 40d0864a8..468ee7155 100644
--- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
index 15799e9df..a28556c8b 100644
--- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml
index 2cfb1fe8b..a7bb6240f 100644
--- a/rules/cloud/azure/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/azure_granting_permission_detection.yml
@@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
 logsource:
+ product: azure
 service: AzureActivity
 detection:
 keywords:
diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
index db6a8128e..77c69fadb 100644
--- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
index 993ed2fc9..d5955a8ca 100644
--- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
index 2ae7d373f..1796669a3 100644
--- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
index bf150b5ad..598fd4ea6 100644
--- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml
index 4a080c286..611925741 100644
--- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml
@@ -8,6 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection_operation_name:
diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
index 15163d6e0..33de95bf6 100644
--- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
+++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
index 4f7d6b9ba..7040be7c5 100644
--- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
@@ -8,6 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection_operation_name:
diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml
index 39b14ad8e..7306b36a0 100644
--- a/rules/cloud/azure/azure_kubernetes_role_access.yml
+++ b/rules/cloud/azure/azure_kubernetes_role_access.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
index 6e5b955a9..e1f86ce74 100644
--- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
index 108e64c2b..bd823765a 100644
--- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
+++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
@@ -11,6 +11,7 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+ product: azure
 service: azure.activitylogs
 detection:
 selection:
diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
index f9c3cd77a..b393caa01 100644
--- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -11,6 +11,7 @@ references:
     - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml
index 48a1b501b..1510f307a 100644
--- a/rules/cloud/azure/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/azure_login_to_disabled_account.yml
@@ -7,6 +7,7 @@ description: Detect failed attempts to sign in to disabled accounts.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
+    product: azure
     service: azure.signinlogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml
index 22d5e37cb..795d2cdb4 100644
--- a/rules/cloud/azure/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/azure_mfa_interrupted.yml
@@ -7,6 +7,7 @@ description: Identifies user login with multifactor authentication failures, whi
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
+    product: azure
     service: azure.signinlogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
index b087d550f..c9c9c2860 100644
--- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/09/02
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
index e9eb00af7..c1731807a 100644
--- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
index 19e762ff3..109c825a4 100644
--- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
index 75b3733fe..cc35235ae 100644
--- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
index 60d39103f..bf2990d3b 100644
--- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml
index 03afa08e4..77ce17e7a 100644
--- a/rules/cloud/azure/azure_new_cloudshell_created.yml
+++ b/rules/cloud/azure/azure_new_cloudshell_created.yml
@@ -7,6 +7,7 @@ date: 2021/09/21
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
index 5db903ee0..055e3dab7 100644
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -7,6 +7,7 @@ date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml
index 49ae1bb74..3d93148de 100644
--- a/rules/cloud/azure/azure_rare_operations.yml
+++ b/rules/cloud/azure/azure_rare_operations.yml
@@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
     - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
 logsource:
+    product: azure
     service: AzureActivity
 detection:
     keywords:
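Review bot: In the azure_rare_operations.yml hunk the new `product: azure` is placed above `service: AzureActivity`, while every other Azure activity-log rule touched in this series pairs it with `service: azure.activitylogs`; the repository now carries two different service identifiers for what appears to be the same log stream, so a backend configuration keyed on product/service will map this rule differently from its siblings. Unless `AzureActivity` is intentionally a separate mapping, the context line should be aligned in the same commit, i.e. `service: azure.activitylogs`. The rule's `keywords:` detection block continues outside the hunk.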
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
index 82e422ca2..100ef8868 100644
--- a/rules/cloud/azure/azure_service_principal_created.yml
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@@ -7,6 +7,7 @@ date: 2021/09/02
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
index e05012525..34c16e92c 100644
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -7,6 +7,7 @@ date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml
index be4d70d37..a4ef51caf 100644
--- a/rules/cloud/azure/azure_suppression_rule_created.yml
+++ b/rules/cloud/azure/azure_suppression_rule_created.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
index 9dff5f2da..1af7385bb 100644
--- a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -7,6 +7,7 @@ description: Detect access has been blocked by Conditional Access policies. The
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
+    product: azure
     service: azure.signinlogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
index cf322fa29..57fe151b9 100644
--- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
index 50dc3a56b..a57ffb160 100644
--- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/08
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
+    product: azure
     service: azure.activitylogs
 detection:
     selection:
From 7dfd6b1417afb419970c9332de3715c9b39f971a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:54:14 +0100
Subject: [PATCH 091/113] Add gcp product
---
 rules/cloud/gcp/gcp_bucket_enumeration.yml | 1 +
 rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml | 1 +
 rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml | 1 +
 rules/cloud/gcp/gcp_kubernetes_rolebinding.yml | 1 +
 rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_service_account_modified.yml | 1 +
 rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml | 1 +
 rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml | 1 +
 12 files changed, 12 insertions(+)
diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml
index 4449bb15a..e7f8fc61f 100644
--- a/rules/cloud/gcp/gcp_bucket_enumeration.yml
+++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml
@@ -7,6 +7,7 @@ date: 2021/08/14
 references:
     - https://cloud.google.com/storage/docs/json_api/v1/buckets
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
index 13904bb8d..ac5017c9f 100644
--- a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/14
 references:
     - https://cloud.google.com/storage/docs/json_api/v1/buckets
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
index c5d17b329..8ee23cf0c 100644
--- a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
+++ b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
@@ -7,6 +7,7 @@ date: 2021/08/15
 references:
     - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
index 629dff399..9455782d4 100644
--- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/15
 references:
     - https://cloud.google.com/dns/docs/reference/v1/managedZones
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
index 016a6bcbb..4cb33dd81 100644
--- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
     - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
index b2b9e0ef2..cd29c4055 100644
--- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
+++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
     - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
index 58eaad19d..472ff97b5 100644
--- a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
+++ b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
@@ -11,6 +11,7 @@ references:
     - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
index c2bf97bfe..35f1ebda3 100644
--- a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/09
 references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
index 447fd4dbc..c265f7c9d 100644
--- a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/14
 references:
     - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index f7dca8d86..b990d00a4 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
@@ -7,6 +7,7 @@ date: 2021/08/14
 references:
     - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml
index ca75927f8..c2693f286 100644
--- a/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/10/15
 references:
     - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
index 65dfd6167..8171bb42a 100644
--- a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
@@ -7,6 +7,7 @@ date: 2021/08/16
 references:
     - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
 logsource:
+    product: gcp
     service: gcp.audit
 detection:
     selection:
From b4e7c350ee94ae686ed660b0e510a81d3017f78a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:56:17 +0100
Subject: [PATCH 092/113] Add gworkspace product
---
 rules/cloud/gworkspace/gworkspace_application_removed.yml | 1 +
 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 1 +
 rules/cloud/gworkspace/gworkspace_mfa_disabled.yml | 1 +
 rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml | 1 +
 rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml | 1 +
 .../gworkspace/gworkspace_user_granted_admin_privileges.yml | 1 +
 6 files changed, 6 insertions(+)
diff --git a/rules/cloud/gworkspace/gworkspace_application_removed.yml b/rules/cloud/gworkspace/gworkspace_application_removed.yml
index 7ed765245..176b7f9f3 100644
--- a/rules/cloud/gworkspace/gworkspace_application_removed.yml
+++ b/rules/cloud/gworkspace/gworkspace_application_removed.yml
@@ -9,6 +9,7 @@ references:
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
index 0b09904be..e177ee7d1 100644
--- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
index ec1798985..1221d88e2 100644
--- a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
+++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
@@ -10,6 +10,7 @@ references:
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
index e0bab12fd..18c23bc28 100644
--- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
+++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
index 7a803146b..bbe666a6e 100644
--- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
+++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index ffc061d08..802f60526 100644
--- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -8,6 +8,7 @@ references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 logsource:
+    product: google_workspace
     service: google_workspace.admin
 detection:
     selection:
From 6e4944e47559d2343e945bc161489ba8f11d7568 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:58:26 +0100
Subject: [PATCH 093/113] Add okta product
---
 rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml | 1 +
 rules/cloud/okta/okta_api_token_created.yml | 1 +
 rules/cloud/okta/okta_api_token_revoked.yml | 1 +
 rules/cloud/okta/okta_application_modified_or_deleted.yml | 1 +
 .../okta/okta_application_sign_on_policy_modified_or_deleted.yml | 1 +
 rules/cloud/okta/okta_mfa_reset_or_deactivated.yml | 1 +
 rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml | 1 +
 rules/cloud/okta/okta_policy_modified_or_deleted.yml | 1 +
 rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 1 +
 rules/cloud/okta/okta_security_threat_detected.yml | 1 +
 rules/cloud/okta/okta_unauthorized_access_to_app.yml | 1 +
 rules/cloud/okta/okta_user_account_locked_out.yml | 1 +
 12 files changed, 12 insertions(+)
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 7f3377013..32b496a79 100644
--- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index 4969a8468..a39c3ae70 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml
index ba2f81b9d..644f1aea5 100644
--- a/rules/cloud/okta/okta_api_token_revoked.yml
+++ b/rules/cloud/okta/okta_api_token_revoked.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 078c764be..35cbd1b95 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index aaccaad3d..0520ddd6b 100644
--- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
index acc04ac8c..69185811f 100644
--- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
+++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index 273d8713a..b4f6adf83 100644
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
index fb4aa5b21..247901b96 100644
--- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 278171ebb..9a1ab4bf7 100644
--- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index 8e754c450..eedd79768 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -10,6 +10,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
index 103050241..69480d462 100644
--- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml
index 7acd02c01..21b4c7ed2 100644
--- a/rules/cloud/okta/okta_user_account_locked_out.yml
+++ b/rules/cloud/okta/okta_user_account_locked_out.yml
@@ -9,6 +9,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 logsource:
+    product: okta
     service: okta
 detection:
     selection:
From c7a2fe0ca4ace5b4540348f4275e828ddd094b32 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Nov 2021 10:59:08 +0100
Subject: [PATCH 094/113] Add onelogin product
---
 rules/cloud/onelogin/onelogin_assumed_another_user.yml | 1 +
 rules/cloud/onelogin/onelogin_user_account_locked.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
index 51fb2fd7f..4180492a2 100644
--- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml
+++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
@@ -8,6 +8,7 @@ modified: 2021/10/12
 references:
     - https://developers.onelogin.com/api-docs/1/events/event-resource
 logsource:
+    product: onelogin
     service: onelogin.events
 detection:
     selection:
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml
index d43ddf3bc..17878b511 100644
--- a/rules/cloud/onelogin/onelogin_user_account_locked.yml
+++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml
@@ -8,6 +8,7 @@ modified: 2021/10/12
 references:
     - https://developers.onelogin.com/api-docs/1/events/event-resource/
 logsource:
+    product: onelogin
     service: onelogin.events
 detection:
     selection1: # Locked via API
From 20686c908dacffaf25b501e2515b041092448c68 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 15 Nov 2021 12:16:44 +0100
Subject: [PATCH 095/113] rules: lsass dumps
---
 .../file_event_hktl_createminidump.yml | 1 +
 .../file_event/file_event_lsass_dump.yml | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_lsass_dump.yml
diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml
index 35b0c8cec..1aae4f62e 100644
--- a/rules/windows/file_event/file_event_hktl_createminidump.yml
+++ b/rules/windows/file_event/file_event_hktl_createminidump.yml
@@ -1,5 +1,6 @@
 title: CreateMiniDump Hacktool
 id: db2110f3-479d-42a6-94fb-d35bc1e46492
+status: deprecated
 related:
     - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
       type: derived
diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml
new file mode 100644
index 000000000..86008a310
--- /dev/null
+++ b/rules/windows/file_event/file_event_lsass_dump.yml
@@ -0,0 +1,32 @@ +title: LSASS Process Memory Dump Files +id: a5a2d357-1ab8-4675-a967-ef9990a59391 +related: + - id: db2110f3-479d-42a6-94fb-d35bc1e46492 + type: obsoletes +description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials +author: Florian Roth +references: + - https://www.google.com/search?q=procdump+lsass +date: 2021/11/15 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one +logsource: + product: windows + category: file_event +detection: + selection1: + TargetFilename|endswith: + - '\lsass.dmp' + - '\lsass.zip' + - '\lsass.rar' + selection2: + TargetFilename|contains: + - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - '\lsassdump' + - '\lsassdmp' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high \ No newline at end of file From f4d5238049f61022c53e1de4cb81811a31806195 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Mon, 15 Nov 2021 12:30:51 +0100 Subject: [PATCH 096/113] fix: FP --- rules/windows/malware/registry_event_mal_ursnif.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml index 312770122..3ebe01950 100644 --- a/rules/windows/malware/registry_event_mal_ursnif.yml +++ b/rules/windows/malware/registry_event_mal_ursnif.yml @@ -22,6 +22,7 @@ detection: - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\' - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\' - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\' + - '\SOFTWARE\AppDataLow\Software\Microsoft\Edge\' condition: selection and not filter falsepositives: - Unknown From b9be5b262f591ad71a93e3a20b435e746c81b9f7 Mon Sep 17 00:00:00 2001 
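Review bot: The new rule carries no `status:` field, unlike the other rules added in this series (e.g. `status: experimental` in win_pc_susp_reg_bitLocker.yml), and the file ends without a trailing newline. The `'\lsass_2'` entry in `selection2` only works because procdump's `lsass_YYMMDD_HHmmss.dmp` names start with a 2 for the years 2020–2029, so it silently stops matching afterwards; state that assumption in the comment, e.g. `- '\lsass_2' # procdump v9.0 default lsass_YYMMDD_HHmmss.dmp; prefix assumes YY=2x (2020-2029)`. Adding `status: experimental` after the `id` line would keep the file consistent with the repository's other new rules.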
From: frack113 Date: Mon, 15 Nov 2021 13:24:26 +0100 Subject: [PATCH 097/113] Add win_pc_susp_reg_bitLocker --- .../win_pc_susp_reg_bitLocker.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml diff --git a/rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml b/rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml new file mode 100644 index 000000000..5949587fa --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml @@ -0,0 +1,36 @@ +title: Suspicious Reg Add BitLocker +id: 0e0255bf-2548-47b8-9582-c0955c9283f5 +status: experimental +description: Suspicious add key for BitLocker +references: + - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ +tags: + - attack.impact + - attack.t1486 +author: frack113 +date: 2021/11/15 +logsource: + category: process_creation + product: windows +detection: + set: + CommandLine|contains|all: + - 'REG' + - 'ADD' + - 'HKLM\SOFTWARE\Policies\Microsoft\FVE' + - '/v' + - '/f' + key: + CommandLine|contains: + - 'EnableBDEWithNoTPM' + - 'UseAdvancedStartup' + - 'UseTPM' + - 'UseTPMKey' + - 'UseTPMKeyPIN' + - 'RecoveryKeyMessageSource' + - 'UseTPMPIN' + - 'RecoveryKeyMessage' + condition: set and key +falsepositives: + - unknown +level: medium From 51744b31b45d63cf015780d6932c71e0083f7f25 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 15 Nov 2021 13:38:38 +0100 Subject: [PATCH 098/113] fix name --- ...in_pc_susp_reg_bitLocker.yml => win_pc_susp_reg_bitlocker.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_pc_susp_reg_bitLocker.yml => win_pc_susp_reg_bitlocker.yml} (100%) 
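Review bot: The `set` selection requires the literal `HKLM\SOFTWARE\Policies\Microsoft\FVE`, so the same policy written through the `HKEY_LOCAL_MACHINE\` spelling of the hive is not covered; matching on `- '\SOFTWARE\Policies\Microsoft\FVE'` handles both forms. Several `key` entries are redundant under `contains`: `UseTPM` already matches `UseTPMKey`, `UseTPMKeyPIN` and `UseTPMPIN`, and `RecoveryKeyMessage` matches `RecoveryKeyMessageSource`, so the list can be trimmed to the distinct prefixes. `falsepositives: unknown` could name the obvious benign case, administrative BitLocker configuration scripts, which is what the `level: medium` presumably accounts for.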
diff --git a/rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml b/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml similarity index 100% rename from rules/windows/process_creation/win_pc_susp_reg_bitLocker.yml rename to rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml From c3ecbc52a92d78d9f848814801bd135801df67e2 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Mon, 15 Nov 2021 14:00:05 +0100 Subject: [PATCH 099/113] add Exchange reference to title/description --- .../builtin/win_set_oabvirtualdirectory_externalurl.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml index 4a728edbc..0aec83b3b 100644 --- a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml +++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml @@ -1,9 +1,10 @@ -title: Set OabVirtualDirectory ExternalUrl Property +title: Exchange Set OabVirtualDirectory ExternalUrl Property id: 9db37458-4df2-46a5-95ab-307e7f29e675 -description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script +description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log author: Jose Rodriguez @Cyb3rPandaH status: experimental date: 2021/03/15 +modified: 2021/11/15 references: - https://twitter.com/OTR_Community/status/1371053369071132675 tags: From 42cbe8664b3affb6974553f47c254203d7dab692 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Nov 2021 20:21:20 +0100 Subject: [PATCH 100/113] Update registry_event_mal_ursnif.yml --- rules/windows/malware/registry_event_mal_ursnif.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml index 3ebe01950..2cfe298b0 100644 --- a/rules/windows/malware/registry_event_mal_ursnif.yml +++ b/rules/windows/malware/registry_event_mal_ursnif.yml @@ -10,7 +10,7 @@ tags: - attack.t1112 author: megan201296 date: 2019/02/13 -modified: 2021/10/28 +modified: 2021/11/15 logsource: product: windows category: registry_event From 87f919d0bc7193be6dbcee5a6fd44d2af02e70db Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Mon, 15 Nov 2021 15:57:46 -0500 Subject: [PATCH 101/113] Fix aggregation GE/LE List longest matches first otherwise they will never match. --- tools/sigma/parser/condition.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index a4c908cc8..19ac17b15 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -113,10 +113,10 @@ class SigmaConditionTokenizer: (SigmaConditionToken.TOKEN_NEAR, re.compile("near", re.IGNORECASE)), (SigmaConditionToken.TOKEN_BY, re.compile("by", re.IGNORECASE)), (SigmaConditionToken.TOKEN_EQ, re.compile("==")), - (SigmaConditionToken.TOKEN_LT, re.compile("<")), (SigmaConditionToken.TOKEN_LTE, re.compile("<=")), - (SigmaConditionToken.TOKEN_GT, re.compile(">")), + (SigmaConditionToken.TOKEN_LT, re.compile("<")), (SigmaConditionToken.TOKEN_GTE, re.compile(">=")), + (SigmaConditionToken.TOKEN_GT, re.compile(">")), (SigmaConditionToken.TOKEN_PIPE, re.compile("\\|")), (SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)), (SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)), From 068255fc82d45b019364018ae3475cfb19af467c Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 15 Nov 2021 22:46:22 +0100 Subject: [PATCH 102/113] Additional characters in identifier token --- tools/sigma/parser/condition.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
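Review bot: The ordering invariant this hunk relies on is not documented, so a later contributor can reintroduce the bug simply by sorting the table; a comment above the first entry such as `# Order matters: a pattern must follow every longer pattern it is a prefix of (e.g. "<=" before "<").` would make it explicit. If the tokenizer takes the first pattern that matches at the current position, the keyword entries visible here (`near`, `by`, `and`, `or`, `not`) have the same prefix problem against identifiers that begin with those letters, since none of them carries a word boundary; that is outside this change but worth a follow-up. The enclosing `SigmaConditionTokenizer` class starts and ends outside the hunk.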
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 644e24816..2c7e9ced7 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -121,7 +121,7 @@ class SigmaConditionTokenizer: (SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)), (SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)), (SigmaConditionToken.TOKEN_NOT, re.compile("not", re.IGNORECASE)), - (SigmaConditionToken.TOKEN_ID, re.compile("[\\w*]+")), + (SigmaConditionToken.TOKEN_ID, re.compile("[\\w*-.]+")), (SigmaConditionToken.TOKEN_LPAR, re.compile("\\(")), (SigmaConditionToken.TOKEN_RPAR, re.compile("\\)")), ] @@ -270,7 +270,7 @@ class SigmaSearchValueAsIs: def generateXOf(sigma, val, condclass): """ Generic implementation of (1|all) of x expressions. - + * condclass across all list items if x is name of definition * condclass across all definitions if x is keyword 'them' * condclass across all matching definition if x is wildcard expression, e.g. 'selection*' @@ -520,7 +520,7 @@ class SigmaConditionParser: open_token was '(' and tokens were ['(', '...', '(', '...', ')', ')'] the first '(' should pair with the last ')' instead of the first ')' - + Parameters: tokens: the list of tokens start_index: the start index (included) of the input tokens for finding the close_token From 4c1fab644de78fe4dc7e9164b6294d382c084524 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 12:09:03 +0100 Subject: [PATCH 103/113] fix: FPs with Windows Update Client LOLBIN rule --- rules/windows/process_creation/win_susp_wuauclt.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 9d36bc717..16ef150c5 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml 
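Review bot: The new character class `[\\w*-.]` contains a range, not three literals: `*-.` spans code points 0x2A–0x2E, so identifiers now also accept `+` and `,`. Put the hyphen last (or escape it) so the class is literal: `(SigmaConditionToken.TOKEN_ID, re.compile("[\\w*.-]+")),`. A trailing comment naming the allowed characters, `# word chars plus wildcard, dot and dash`, would keep the next edit from reintroducing the range. The other two hunks of this commit only change docstring whitespace; `SigmaConditionTokenizer` continues outside the hunk.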
@@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/05/12 +modified: 2021/11/16 tags: - attack.command_and_control - attack.execution @@ -17,12 +17,15 @@ logsource: category: process_creation detection: selection: - ProcessCommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' Image|endswith: - '\wuauclt.exe' - condition: selection + filter: + CommandLine|contains: + - ' /ClassId ' + condition: selection and not filter falsepositives: - Unknown level: high From 3be53dfb7212bc924e636cbdc79003ff35ea8e55 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 12:17:43 +0100 Subject: [PATCH 104/113] refactor: tightened rule --- rules/windows/process_creation/win_susp_wuauclt.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 16ef150c5..356e53dcb 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -20,6 +20,7 @@ detection: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' + - '.dll' Image|endswith: - '\wuauclt.exe' filter: From 2448691ad03d399e5ca446f024d1447b55ccd9e0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 13:04:52 +0100 Subject: [PATCH 105/113] fix: FPs --- .../sysmon_suspicious_dbghelp_dbgcore_load.yml | 14 ++++++++------ .../windows/image_load/sysmon_wmi_module_load.yml | 5 ++++- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 68b9041f4..6932eb2cb 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml 
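Review bot: The new `filter` exempts every command line containing ` /ClassId ` without recording which benign invocation it was observed in, so a later reader cannot judge whether the exemption is still justified; add a comment on the selection, e.g. `filter: # benign wuauclt invocation carrying /ClassId observed in <FP report> — document source here`. Renaming `ProcessCommandLine` to `CommandLine` is the substantive fix, since `CommandLine` is the field name the process_creation logsource uses, and the `.dll` requirement added in the follow-up hunk narrows the selection to the documented LOLBIN form.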
@@ -1,9 +1,7 @@ title: Load of dbghelp/dbgcore DLL from Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 status: experimental -description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump - API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and - transfer it over the network back to the attacker's machine. +description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. date: 2019/10/27 modified: 2020/08/23 author: Perez Diego (@darkquassar), oscd.community, Ecco @@ -50,10 +48,14 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: "FALSE" - filter: + Signed: 'FALSE' + filter1: Image|contains: 'Visual Studio' - condition: (signedprocess and not filter) or (unsignedprocess and not filter) + filter2: + Signed: + - null + - '' + condition: (signedprocess and not filter) or (unsignedprocess and not filter1 and not filter2) fields: - ComputerName - User diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 57d3ade28..319074766 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml 
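Review bot: The condition still references `filter` in its first branch — `(signedprocess and not filter) or (unsignedprocess and not filter1 and not filter2)` — but this hunk renames that selection to `filter1`, so the rule refers to an undefined identifier and will fail at conversion time. It should read `condition: (signedprocess and not filter1) or (unsignedprocess and not filter1 and not filter2)`. The `''` entry under `filter2: Signed:` is presumably meant for the field-missing case, which the `null` entry already covers; confirm whether any backend actually emits an empty string here before keeping both. The `modified: 2020/08/23` context line in the first hunk is not bumped by this change.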
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 -modified: 2021/08/18 +modified: 2021/11/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html @@ -38,6 +38,9 @@ detection: - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 + - 'C:\Windows\Sysmon64.exe' + - 'C:\Windows\Sysmon.exe' + - 'C:\Windows\System32\wbem\unsecapp.exe' condition: selection and not filter fields: - ComputerName From 98073049ba73ed2df7f63866e7248343bf2b9765 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 13:11:11 +0100 Subject: [PATCH 106/113] fix: FPs with Load of dbghelp/dbgcore DLL from Suspicious Process --- .../image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 6932eb2cb..630a2bfda 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -50,12 +50,13 @@ detection: - '\dbgcore.dll' Signed: 'FALSE' filter1: - Image|contains: 'Visual Studio' + - Image|contains: 'Visual Studio' + - CommandLine|contains: '-k LocalSystemNetworkRestricted' filter2: Signed: - null - '' - condition: (signedprocess and not filter) or (unsignedprocess and not filter1 and not filter2) + condition: (signedprocess and not filter1) or (unsignedprocess and not filter1 and not filter2) fields: - ComputerName - User From 2383b2b76bb28d5490275447227821dbe283777e Mon Sep 17 00:00:00 2001 
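Review bot: The second `filter1` entry, `CommandLine|contains: '-k LocalSystemNetworkRestricted'`, can never match because Sysmon image-load events (event 7, the `image_load` category) carry no `CommandLine` field; the svchost false positive it presumably targets has to be handled through a field present in that event, such as `Image`, or by removing the image from the selection. The change from `filter` to `filter1` in the condition is correct and restores a rule that was not loadable after the earlier rename. Turning `filter1` into a list gives OR semantics across its entries, which is what the exclusion needs.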
From: Florian Roth Date: Tue, 16 Nov 2021 13:33:00 +0100 Subject: [PATCH 107/113] fix: problem with empty string --- .../image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 630a2bfda..cd6c7c34f 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -55,7 +55,6 @@ detection: filter2: Signed: - null - - '' condition: (signedprocess and not filter1) or (unsignedprocess and not filter1 and not filter2) fields: - ComputerName From 5e14b73b9ce8516e07d41dc4a9b98d59bc2ce67d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 13:39:32 +0100 Subject: [PATCH 108/113] fix: FP with logman.exe --- rules/windows/image_load/sysmon_wmi_module_load.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 319074766..7bed856f7 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -41,6 +41,7 @@ detection: - 'C:\Windows\Sysmon64.exe' - 'C:\Windows\Sysmon.exe' - 'C:\Windows\System32\wbem\unsecapp.exe' + - '\logman.exe' condition: selection and not filter fields: - ComputerName From daff947d4ba3dbc935d36a54cc4e200118cf89e4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 13:46:15 +0100 Subject: [PATCH 109/113] refactor: fixes without CommandLine field in ImageLoad events --- .../image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index cd6c7c34f..2a8fd3331 100755 
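Review bot: `'\logman.exe'` is a bare file-name suffix, so it exempts a binary of that name in any directory, whereas the neighbouring entries added just above it (`C:\Windows\Sysmon64.exe`, `C:\Windows\System32\wbem\unsecapp.exe`) are anchored to their install paths; prefer `- 'C:\Windows\System32\logman.exe'` (plus the SysWOW64 copy if it is actually observed loading WMI modules). The same applies to the `'\nvcontainer.exe'` entry added to this list in the later "fix: more false positive fixes" commit. Each exemption would also benefit from a trailing comment naming the legitimate activity that motivated it, as the existing `MoUsoCoreWorker.exe` and `WMIADAP.exe` lines do.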
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -24,7 +24,7 @@ detection: Image|endswith: - '\msbuild.exe' - '\cmd.exe' - - '\svchost.exe' + # - '\svchost.exe' - '\rundll32.exe' - '\powershell.exe' - '\word.exe' @@ -33,7 +33,7 @@ detection: - '\outlook.exe' - '\monitoringhost.exe' - '\wmic.exe' - # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert + # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - '\bash.exe' - '\wscript.exe' - '\cscript.exe' @@ -50,8 +50,7 @@ detection: - '\dbgcore.dll' Signed: 'FALSE' filter1: - - Image|contains: 'Visual Studio' - - CommandLine|contains: '-k LocalSystemNetworkRestricted' + Image|contains: 'Visual Studio' filter2: Signed: - null From d29c3537189fb168684f426d166038fec886819a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 13:47:41 +0100 Subject: [PATCH 110/113] refactor: unnecessary filter --- .../image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 2a8fd3331..022931277 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -51,10 +51,7 @@ detection: Signed: 'FALSE' filter1: Image|contains: 'Visual Studio' - filter2: - Signed: - - null - condition: (signedprocess and not filter1) or (unsignedprocess and not filter1 and not filter2) + condition: (signedprocess and not filter1) or (unsignedprocess and not filter1) fields: - ComputerName - User From 8d6d8c2c9278196bc0844a18d23bc74e8781f6fc Mon Sep 17 00:00:00 2001 
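Review bot: The `# - '\svchost.exe'` line is commented out without a reason, while the `msiexec.exe` entry a few lines below explains why it is disabled; add the rationale inline, e.g. `# - '\svchost.exe' # disabled 2021/11/16: service hosts legitimately load dbghelp/dbgcore and image_load events carry no CommandLine to scope the exclusion`. Dropping the `CommandLine|contains` entry from `filter1` is right, since Sysmon event 7 has no such field. The `modified: 2020/08/23` line seen in an earlier hunk of this file still appears not to be bumped.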
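Review bot: The new condition `(signedprocess and not filter1) or (unsignedprocess and not filter1)` applies the same exclusion to both branches, so it reads more clearly as `condition: (signedprocess or unsignedprocess) and not filter1`. Removing `filter2` appears safe from what the hunk shows: `unsignedprocess` requires `Signed: 'FALSE'`, so an event with a missing `Signed` value could not have matched that branch anyway. A one-line comment on `filter1` noting that it is shared by both branches would help the next reader.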
From: Florian Roth Date: Tue, 16 Nov 2021 17:30:23 +0100 Subject: [PATCH 111/113] fix: several FPs --- .../image_load/sysmon_susp_system_drawing_load.yml | 5 ++++- .../sysmon_cred_dump_lsass_access.yml | 14 ++++++++++---- .../sysmon_in_memory_assembly_execution.yml | 12 +++++------- .../process_creation/win_susp_execution_path.yml | 1 - 4 files changed, 19 insertions(+), 13 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml index 771952fe7..b32e11ac3 100644 --- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml +++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml @@ -3,6 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture. status: experimental date: 2020/05/02 +modified: 2021/11/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -17,7 +18,9 @@ detection: selection: ImageLoaded|endswith: '\System.Drawing.ni.dll' filter: - Image|endswith: '\WmiPrvSE.exe' + Image|endswith: + - '\WmiPrvSE.exe' + - '\mmc.exe' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index e4c5cea6a..ab48806a2 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/10/20 +modified: 2021/11/16 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -23,7 +23,7 @@ logsource: detection: selection: TargetImage|endswith: '\lsass.exe' - GrantedAccess|contains: + GrantedAccess|startswith: - '0x40' - '0x1000' - '0x1400' @@ -37,7 +37,7 @@ detection: - '0x1f1fff' - '0x1f2fff' - '0x1f3fff' - filter: + filter1: SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts - '\wmiprvse.exe' - '\taskmgr.exe' @@ -48,7 +48,13 @@ detection: - '\csrss.exe' - '\wininit.exe' - '\vmtoolsd.exe' - condition: selection and not filter + filter2: + GrantedAccess: '0x1000' + SourceImage|endswith: + - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - 'C:\Windows\System32\svchost.exe' + condition: selection and not filter1 and not filter2 fields: - ComputerName - User diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 8455bfee9..888b15eb6 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
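Review bot: `filter2` exempts `'\MicrosoftEdgeUpdate.exe'` and `'\GamingServices.exe'` by bare file-name suffix while its third entry is anchored to `C:\Windows\System32\svchost.exe`; the first two should be anchored the same way (to their install paths — placeholder, confirm locally) so the exemption covers only the known binaries. The access mask would be easier to audit with its meaning inline, e.g. `GrantedAccess: '0x1000' # PROCESS_QUERY_LIMITED_INFORMATION`. Switching the selection from `contains` to `startswith` is a sound tightening, since short values like `'0x40'` previously matched wherever those digits appeared in a mask; `startswith` still accepts longer masks sharing the same leading digits, which is worth a comment.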
@@ -1,10 +1,6 @@ title: Suspicious In-Memory Module Execution id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 -description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity - C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" - as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such - few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain - routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. +description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 modified: 2021/10/21 @@ -46,6 +42,8 @@ detection: filter: SourceImage|endswith: - '\Windows\System32\sdiagnhost.exe' + - '\procexp64.exe' + - '\procexp.exe' condition: selection1 or selection2 or selection3 and not filter fields: - ComputerName 
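Review bot: The context line `condition: selection1 or selection2 or selection3 and not filter` binds `and` tighter than `or`, so the `filter` — including the two Process Explorer entries this hunk adds — only excludes matches of `selection3`; procexp events matching `selection1` or `selection2` still alert. It should be `condition: (selection1 or selection2 or selection3) and not filter`. The added `SourceImage|endswith` entries are bare file names, which is hard to avoid for a portable tool like procexp, so a short comment stating that trade-off would be useful. The description change in the first hunk is whitespace-only.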
@@ -53,6 +51,6 @@ fields: - SourceImage - TargetImage - CallTrace -level: critical +level: high falsepositives: - - Low + - SysInternals Process Explorer diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index ed571e472..876bb1ce9 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -35,7 +35,6 @@ detection: - '\Windows\Media\' - '\Windows\repair\' - '\Windows\security\' - - '\Windows\system32\config\systemprofile\' - '\Windows\System32\Tasks\' - '\Windows\Tasks\' - Image|startswith: 'C:\Perflogs\' From 97bc8aa6f26727722b903ec4daeb4775899d1c0b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 16 Nov 2021 17:30:47 +0100 Subject: [PATCH 112/113] rule: suspicious write to system tasks --- .../file_event/file_event_susp_task_write.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/file_event/file_event_susp_task_write.yml diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml new file mode 100644 index 000000000..40e5b8f90 --- /dev/null +++ b/rules/windows/file_event/file_event_susp_task_write.yml @@ -0,0 +1,24 @@ +title: Suspicious Scheduled Task Writ to System32 Tasks +id: 80e1f67a-4596-4351-98f5-a9c3efabac95 +status: experimental +description: +references: + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ +author: Florian Roth +date: 2021/11/16 +tags: + - attack.persistence +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: '\Windows\System32\Tasks' + Image|contains: + - '\AppData\' + - 'C:\PerfLogs' + - '\Windows\System32\config\systemprofile' + condition: selection +falsepositives: + - Unknown +level: high From 7d4e3fd2ed98138aae40ed1ad3b53cf334234c1d Mon Sep 17 00:00:00 2001 
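Review bot: The new rule's `description:` is empty and the title has a typo (`Writ` → `Write`); an empty description is likely to be rejected by the repository's rule checks, so fill it in, e.g. `description: Detects a scheduled task definition written to \Windows\System32\Tasks by a process running from a user-writable or unusual location`. `TargetFilename|contains: '\Windows\System32\Tasks'` also matches sibling paths such as `\Windows\System32\Tasks_Migrated`; use `'\Windows\System32\Tasks\'` with the trailing backslash to scope it to the directory. The `tags` list could carry `attack.t1053.005` (Scheduled Task) alongside `attack.persistence`, and the single reference (a desktop.ini diary) does not obviously support this rule, so a note on its relevance would help.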
From: Florian Roth Date: Tue, 16 Nov 2021 23:27:00 +0100 Subject: [PATCH 113/113] fix: more false positive fixes --- rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 5 ++++- rules/windows/image_load/sysmon_wmi_module_load.yml | 1 + .../process_access/sysmon_cred_dump_lsass_access.yml | 4 +++- .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 6 ++++-- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index ae9420ad8..d5513ece8 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,6 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 +modified: 2021/11/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -23,7 +24,9 @@ detection: - OriginalFileName: - 'credui.dll' - 'wincredui.dll' - condition: selection + filter: + Image: 'C:\Windows\System32\Taskmgr.exe' + condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment. level: medium diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 7bed856f7..d983e294b 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -42,6 +42,7 @@ detection: - 'C:\Windows\Sysmon.exe' - 'C:\Windows\System32\wbem\unsecapp.exe' - '\logman.exe' + - '\nvcontainer.exe' condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index ab48806a2..448880272 100755 
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -49,7 +49,9 @@ detection: - '\wininit.exe' - '\vmtoolsd.exe' filter2: - GrantedAccess: '0x1000' + GrantedAccess: + - '0x1000' + - '0x1410' SourceImage|endswith: - '\MicrosoftEdgeUpdate.exe' - '\GamingServices.exe' diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 57389c082..4fb1304fd 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/11/09 +modified: 2021/11/16 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -32,7 +32,9 @@ detection: - '\vds.exe' - '\lsass.exe' - '\svchost.exe' - condition: not filter_1 and not filter_2 + filter_3: + ProcessId: 4 + condition: not filter_1 and not filter_2 and not filter_3 fields: - ComputerName - Image
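Review bot: Adding `'0x1410'` to `filter2` exempts an access mask that includes PROCESS_VM_READ (0x0010), the right needed to read LSASS memory, for images matched only by the bare suffixes `'\MicrosoftEdgeUpdate.exe'` and `'\GamingServices.exe'`; the `0x1000` exemption was low-risk because that right cannot read memory, but this one warrants anchoring the two entries to their full install paths like the `svchost.exe` entry. A trailing comment decoding the mask, `- '0x1410' # QUERY_LIMITED_INFORMATION | QUERY_INFORMATION | VM_READ`, would make the trade-off visible. The diffstat for this file (3 insertions, 1 deletion) is accounted for by this hunk alone, so `modified:` was not bumped.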
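Review bot: `ProcessId: 4` deserves an inline comment, since the number is only meaningful to readers who know it is the Windows System process: `ProcessId: 4 # System process (kernel); legitimate raw volume access`. The condition stays purely negative (`not filter_1 and not filter_2 and not filter_3`) with no positive selection, which is acceptable for the `raw_access_thread` logsource but worth stating in a comment so nobody "fixes" it later; the `modified` date is bumped in the first hunk.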