From a2b309404b46f3dfe2e6147e697d44a654722e87 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 27 Feb 2019 17:52:20 +0300 Subject: [PATCH 01/26] Create win_rdp_session_hijacking.yml Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. --- .../builtin/win_rdp_session_hijacking.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml new file mode 100644 index 000000000..0ea0829cc --- /dev/null +++ b/rules/windows/builtin/win_rdp_session_hijacking.yml @@ -0,0 +1,23 @@ +title: RDP Session Hijacking detected +description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. +references: + - http://blog.gentilkiwi.com/securite/vol-de-session-rdp + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html +date: 2019/02/27 +modified: 2019/02/27 +tags: + - attack.lateral_movement +status: experimental +author: vburov +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + NewProcessName: "*\tscon.exe" + SecurityID: "System" + condition: selection +falsepositives: + - Unknown +level: high From 7efc704ccf4aa7663490b1ab26b1fe9c298d2054 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Wed, 27 Feb 2019 17:58:23 +0300 Subject: [PATCH 02/26] Update win_rdp_session_hijacking.yml --- rules/windows/builtin/win_rdp_session_hijacking.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml index 0ea0829cc..f50381960 100644 --- a/rules/windows/builtin/win_rdp_session_hijacking.yml +++ b/rules/windows/builtin/win_rdp_session_hijacking.yml @@ -12,6 +12,7 @@ author: vburov logsource: product: windows service: security +definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 From cc3674bd12f30653f86374e6c9332f2317efc5df Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Fri, 16 Oct 2020 21:03:11 +0300 Subject: [PATCH 03/26] Create win_susp_multiple_files_renamed.yml It is not the task of the OSCD sprint#2 but I decide to include this rule here :-) --- .../win_susp_multiple_files_renamed.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/file_event/win_susp_multiple_files_renamed.yml diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml new file mode 100644 index 000000000..e0e82577c --- /dev/null +++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml 
@@ -0,0 +1,27 @@ +title: Suspicious Multiple File Rename Occurred +id: 97919310-06a7-482c-9639-92b67ed63cf8 +author: Vasiliy Burov, oscd.community +date: 2020/10/16 +description: Detects multiple file rename events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. +status: experimental +references: + - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html +tags: + - attack.impact + - attack.t1486 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' +detection: + selection: + EventID: 4663 + ObjectType: 'File' + SubjectLogonId: '*' + AccessList: '%%1537' + Keywords: '0x8020000000000000' + timeframe: 30s + condition: selection | count() by SubjectLogonId > 20 +falsepositives: + - Unlikely +level: high From 3bddff4d521ee7f608a824fc8f43ade129261650 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 18 Oct 2020 11:52:34 +0300 Subject: [PATCH 04/26] Update win_susp_multiple_files_renamed.yml --- rules/windows/file_event/win_susp_multiple_files_renamed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml index e0e82577c..40e145f9b 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml @@ -17,7 +17,7 @@ detection: selection: EventID: 4663 ObjectType: 'File' - SubjectLogonId: '*' + SubjectLogonId: not null AccessList: '%%1537' Keywords: '0x8020000000000000' timeframe: 30s From 3a2c1d213a3ff314eb22b5377ad345e09e7193e1 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Tue, 20 Oct 2020 19:25:31 +0300 Subject: [PATCH 05/26] Update win_susp_multiple_files_renamed.yml --- rules/windows/file_event/win_susp_multiple_files_renamed.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml index 40e145f9b..8c2d4b900 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml @@ -17,11 +17,10 @@ detection: selection: EventID: 4663 ObjectType: 'File' - SubjectLogonId: not null AccessList: '%%1537' Keywords: '0x8020000000000000' timeframe: 30s - condition: selection | count() by SubjectLogonId > 20 + condition: selection | count() by SubjectLogonId > 10 falsepositives: - Unlikely level: high From 093941778bf92accc11ee12a4098b0a796f588a1 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 22 Oct 2020 15:57:29 +0300 Subject: [PATCH 06/26] Update and rename win_susp_multiple_files_renamed.yml to win_susp_multiple_files_renamed_or_deleted.yml --- ...med.yml => win_susp_multiple_files_renamed_or_deleted.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/file_event/{win_susp_multiple_files_renamed.yml => win_susp_multiple_files_renamed_or_deleted.yml} (77%) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml similarity index 77% rename from rules/windows/file_event/win_susp_multiple_files_renamed.yml rename to rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 8c2d4b900..ea083f54a 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
@@ -1,8 +1,8 @@ -title: Suspicious Multiple File Rename Occurred +title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 author: Vasiliy Burov, oscd.community date: 2020/10/16 -description: Detects multiple file rename events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. +description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental references: - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html From 6da58584c5f60822bc0422ce5e2ffa421b3f740e Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 26 Oct 2020 12:14:59 +0300 Subject: [PATCH 07/26] Update win_susp_multiple_files_renamed_or_deleted.yml Added an issue into 'falsepositives' section. --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index ea083f54a..bd78cf417 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Unlikely + - Software uninstallation level: high From 779596334c152b55eac202cb0e308bacc4cca45d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 26 Oct 2020 12:35:16 +0300 Subject: [PATCH 08/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index bd78cf417..3ff4c519d 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation + - Software uninstallation. level: high From b84fc7850cfbd9040f23e0eaed84229548b5ee41 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 26 Oct 2020 13:48:19 +0300 Subject: [PATCH 09/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 3ff4c519d..fb61a718a 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation. + - software uninstallation level: high From 66965cec33b87c6763957dc405728b9b408df5ab Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 17:31:46 +0300 Subject: [PATCH 10/26] Added some false positives issues --- .../win_susp_multiple_files_renamed_or_deleted.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index fb61a718a..faf8703aa 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,6 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - software uninstallation +falsepositives: + - Software Uninstallation + - Files Restore Activities level: high From 515c4dd9cdcef8e7704ccc63958cc497e143927e Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 20:35:22 +0300 Subject: [PATCH 11/26] Added some false positives issues --- .../win_susp_multiple_files_renamed_or_deleted.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index faf8703aa..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,6 +1,6 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov, oscd.community +author: Vasiliy Burov; oscd.community date: 2020/10/16 description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental @@ -21,7 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - Software Uninstallation - - Files Restore Activities +falsepositives: + - software uninstallation + - files restore activities level: high From edede617cf6cb0463b603d79cb1171ac0177aed6 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Tue, 27 Oct 2020 22:36:12 +0300 Subject: [PATCH 12/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..9444c7b19 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' + definition: Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access detection: selection: EventID: 4663 From 172c619719b78724ebc09236796818e1e1e1bbd9 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 22:50:09 +0300 Subject: [PATCH 13/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 9444c7b19..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
@@ -12,7 +12,7 @@ tags: logsource: product: windows service: security - definition: Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access + definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' detection: selection: EventID: 4663 From eb166222bdccb80a8124d1c8295cac792758aee1 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 23:15:28 +0300 Subject: [PATCH 14/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..8ad51ec14 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,7 +21,5 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - software uninstallation - - files restore activities +falsepositives: software uninstallation, files restore activities level: high From 64e48ed94d9ef5041a1dc66979a1e375185d394b Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 23:33:56 +0300 Subject: [PATCH 15/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 8ad51ec14..a3af11d09 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,5 +21,4 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: software uninstallation, files restore activities level: high From 00f1326ae6edc0c27a35d1bf661293a7157eccab Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 10:50:53 +0300 Subject: [PATCH 16/26] Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit 64e48ed94d9ef5041a1dc66979a1e375185d394b. --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index a3af11d09..8ad51ec14 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,4 +21,5 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 +falsepositives: software uninstallation, files restore activities level: high From fdbd8de219865d2a425229912f7944d8fed4f7b0 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 10:51:18 +0300 Subject: [PATCH 17/26] Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit eb166222bdccb80a8124d1c8295cac792758aee1. --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 8ad51ec14..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,5 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: software uninstallation, files restore activities +falsepositives: + - software uninstallation + - files restore activities level: high From 2d2464ba22635b6b493593fcb458c433aadb541d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:20:26 +0300 Subject: [PATCH 18/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../win_susp_multiple_files_renamed_or_deleted.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..ea083f54a 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,6 +1,6 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov; oscd.community +author: Vasiliy Burov, oscd.community date: 2020/10/16 description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental @@ -22,6 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - software uninstallation - - files restore activities + - Unlikely level: high From 744c637125c238a3fa0d294ebf89eb5016e5f900 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:38:39 +0300 Subject: [PATCH 19/26] Delete win_rdp_session_hijacking.yml --- .../builtin/win_rdp_session_hijacking.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml deleted file mode 100644 index f50381960..000000000 --- a/rules/windows/builtin/win_rdp_session_hijacking.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: RDP Session Hijacking detected -description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. -references: - - http://blog.gentilkiwi.com/securite/vol-de-session-rdp - - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html -date: 2019/02/27 -modified: 2019/02/27 -tags: - - attack.lateral_movement -status: experimental -author: vburov -logsource: - product: windows - service: security -definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: "*\tscon.exe" - SecurityID: "System" - condition: selection -falsepositives: - - Unknown -level: high From d90ec67ccec4d57d352212162b4341fbec68dbea Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:44:21 +0300 Subject: [PATCH 20/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index ea083f54a..223c394b5 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Unlikely + - Software uninstallation + - Files restore activities level: high From d743cbbe4bc77fef05805c464769eddd8651fc96 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 29 Oct 2020 11:14:43 +0300 Subject: [PATCH 21/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 223c394b5..ab6f5afca 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,6 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation - - Files restore activities + - software uninstallation + - files restore activities level: high From 683824ee464fee417ece8798c20b4f9674621606 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 29 Oct 2020 11:44:45 +0300 Subject: [PATCH 22/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../win_susp_multiple_files_renamed_or_deleted.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index ab6f5afca..5670c4c31 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
@@ -1,14 +1,14 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov, oscd.community -date: 2020/10/16 -description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental -references: - - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html +description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity). tags: - attack.impact - attack.t1486 +author: Vasiliy Burov, oscd.community +date: 2020/10/16 +references: + - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html logsource: product: windows service: security From ab60fdcef471fc0360b7c561d7df4ce27d3f2dc6 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 29 Oct 2020 23:38:22 +0300 Subject: [PATCH 23/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 5670c4c31..488512208 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,6 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - software uninstallation - - files restore activities + - Software uninstallation + - Files restore activities level: high From 903ce08277929bbd9da300e5bfdaa66d6894d433 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Sun, 1 Nov 2020 14:21:27 +0300 Subject: [PATCH 24/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 488512208..fddb210e8 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,6 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation - - Files restore activities + - Unlikely level: high From 6e690ad31359d04ef6ebc40a107e50f7fe12ac4b Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 25/26] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From cf8d195c5c788414db0c4641bf1245f98890bb6b Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Mon, 30 Nov 2020 11:49:42 +0300 Subject: [PATCH 26/26] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index fddb210e8..488512208 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Unlikely + - Software uninstallation + - Files restore activities level: high
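Review bot: in the PATCH 01 hunk creating rules/windows/builtin/win_rdp_session_hijacking.yml, `NewProcessName: "*\tscon.exe"` is double-quoted, so YAML decodes `\t` as a tab character and the selection matches `*<TAB>scon.exe`, never the real image path; single quotes (`NewProcessName: '*\tscon.exe'`) keep the backslash literal, as the `definition` value added in PATCH 02 already does. Two further points in the same hunk: `SecurityID` is not an EventData field of event 4688 (the subject is carried in `SubjectUserSid` / `SubjectUserName`, and for the local system account `SubjectUserSid` is `S-1-5-18` while `SubjectUserName` is the computer account, not the string `System`), so `SecurityID: "System"` will never match and should become `SubjectUserSid: 'S-1-5-18'`; and the rule has no `id:` line, unlike the rule added in PATCH 03, so it will fail the repository's rule tests. A technique tag next to `attack.lateral_movement` (RDP hijacking is attack.t1563.002) would also help consumers map the alert.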
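Review bot: the `+definition:` line in the PATCH 02 hunk for win_rdp_session_hijacking.yml is inserted at column 0, i.e. as a top-level rule key, but in Sigma `definition` is an attribute of `logsource:` and belongs beside `product` and `service` (the PATCH 03 rule nests it correctly under `logsource:` with two spaces of indentation). Indent it to `  definition: 'Requirements: ...'` so it is not silently ignored as an unknown top-level key.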
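Review bot: the PATCH 03 hunk creating rules/windows/file_event/win_susp_multiple_files_renamed.yml compares `AccessList: '%%1537'` for equality, but `AccessList` in event 4663 lists every access right exercised on the handle, so an event that records DELETE together with other rights is missed; `AccessList|contains: '%%1537'` is the intended test. `SubjectLogonId: '*'` matches any value and can be dropped. The `definition` should also state that event 4663 is only emitted for objects whose SACL requests auditing, so enabling "Audit object access" on its own yields no events on a default file system; without that caveat the rule deploys as a no-op. The description reads awkwardly ("Detects multiple file rename events occurrence ... by a same user"); something like "Detects more than 20 file rename events within 30 seconds from the same logon session, which may indicate ransomware activity" says what the condition actually checks.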
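Review bot: `+ SubjectLogonId: not null` in the PATCH 04 hunk is not Sigma syntax; YAML reads it as the literal string "not null", so the selection then matches nothing. Sigma expresses "field must be present" with a filter (`filter: SubjectLogonId: null` and `condition: selection and not filter | count() by SubjectLogonId > 20`); since PATCH 05 removes the line again anyway, the two commits cancel out and should be squashed.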
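Review bot: the PATCH 05 hunk lowers the threshold from `> 20` to `> 10` without saying why in the commit message; a note on what data the tuning was based on would let later maintainers judge the change. Also worth stating in the description that `count()` counts 4663 events, not files: if the intent is "more than 10 distinct files", `count(ObjectName) by SubjectLogonId > 10` expresses that directly.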
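Review bot: the PATCH 06 rename to win_susp_multiple_files_renamed_or_deleted.yml changes only the title and description while the selection is untouched; that is correct, because `%%1537` is the DELETE access right and is recorded for both renames and deletions, so the old title under-described what the rule already matched. The commit message could say so, since a reader of the hunk alone might expect a change to `AccessList`.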
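Review bot: in the PATCH 10 hunk the removed `-falsepositives:` and added `+falsepositives:` lines are textually identical, which means a line-ending or trailing-whitespace change crept in alongside the list edit; PATCH 11 shows the same pair. Normalise the file to LF with no trailing whitespace once, in its own commit, so the rule hunks show only the intended changes.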
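Review bot: the PATCH 12 hunk removes the quotes from `definition:`, leaving a plain scalar that contains `: ` twice (`Requirements: Audit Policy : ...`), which a YAML parser rejects as a mapping value in an invalid context; the rule would not load at that commit. PATCH 13 restores the quotes, so both commits should be dropped from the series.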
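Review bot: `+falsepositives: software uninstallation, files restore activities` in the PATCH 14 hunk turns a list into a single string; the Sigma rule schema and the repository's rule tests expect `falsepositives` to be a list, so this fails validation. PATCH 15 then deletes the key entirely (also a test failure) and PATCHES 16 and 17 revert both, leaving the file where it was after PATCH 11; squash the four commits away.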
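Review bot: the PATCH 19 hunk deletes win_rdp_session_hijacking.yml but the commit message gives no reason; a reviewer cannot tell whether the rule was withdrawn because its selection was faulty (the `\t` escape and the non-existent `SecurityID` field in PATCH 01) or simply because it is outside the scope of this sprint. State the reason so the idea can be picked up again correctly in a later PR.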
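Review bot: the description added in the PATCH 22 hunk, "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity)", still does not name the period or the count that the condition enforces; "Detects more than 10 file rename or delete events within 30 seconds from the same logon session, which may indicate ransomware activity" matches the detection block. Reordering the keys to match the repository's usual layout is fine.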
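Review bot: the PATCH 25 hunk in .github/workflows/sigma-test.yml removes the Elasticsearch installation steps together with the "Test Generated Elasticsearch Query Strings" step, but the commit message does not say why the check was dropped or whether `make test-backend-es-qs` remains in the Makefile; if the target stays, the CI no longer exercises it and that should be noted somewhere, otherwise the target should go in the same commit. The hunk is otherwise consistent: the remaining `- name: Test Sigma Tools and Rules` and `- name: Test SQL(ite) Backend` steps keep the list well formed.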
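Review bot: the PATCH 26 hunk restores the two `falsepositives` entries for the last time; across the series that field flips between `Unlikely` and the two items in PATCHES 07, 10, 11, 14, 18, 20, 24 and 26, and the `author` separator flips between `,` and `;` in PATCHES 11 and 18. The end state is fine, but the series should be squashed to one commit per rule before merge so `git blame` on the file points at a meaningful message.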