From e6588c08f43adb14ece0bc414d7d670476f22995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Thu, 8 Oct 2020 00:15:46 +0300
Subject: [PATCH 01/12] Create lnx_system_info_discovery.yml
---
 rules/linux/lnx_system_info_discovery.yml | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/lnx_system_info_discovery.yml
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
new file mode 100644
index 000000000..69be33b13
--- /dev/null
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -0,0 +1,26 @@
+title: System Information Discovery
+id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
+status: stable
+description: Detects system information discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+ - https://attack.mitre.org/techniques/T1082/
+logsource:
+ product: linux
+detection:
+ selection:
+ CommandLine|contains:
+ - 'uname'
+ - '/proc/version'
+ - '/etc/*-release'
+ - 'hostname'
+ - '/etc/issue'
+ - 'uptime'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1082
From 68e843f0d37b14f8607f910ca6ca77620ff7f3ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Fri, 16 Oct 2020 10:48:36 +0300
Subject: [PATCH 02/12] Update lnx_system_info_discovery.yml
---
 rules/linux/lnx_system_info_discovery.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
index 69be33b13..2768bb6c4 100644
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
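Review bot: `status: stable` on a rule that this commit creates does not match the Sigma convention that new rules enter as experimental and are promoted only after they have been validated against real data; the line should read `status: experimental`. The `logsource` block also carries only `product: linux` with no category or service, so a converter has no event source to bind `CommandLine` to and the rule cannot be translated unambiguously as written; later patches in this series add the category, but the first revision should already carry it.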
@@ -17,7 +17,19 @@ detection: - 'hostname' - '/etc/issue' - 'uptime' - condition: selection + - 'lspci' + - 'dmidecode' + - 'lscpu' + - 'lsmod' + selection2: + type: 'PATH' + name: + - '/sys/class/dmi/id/bios_version' + - '/sys/class/dmi/id/product_name' + - '/sys/class/dmi/id/chassis_vendor' + - '/proc/scsi/scsi' + - '/proc/ide/hd0/model' + condition: selection or selection2 falsepositives: - Legitimate administration activities level: low From f7fbfda7940dab6942a3455eeb529fa0079b294b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 20:53:00 +0300 Subject: [PATCH 03/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 2768bb6c4..f1afc953c 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -1,3 +1,4 @@ +action: global title: System Information Discovery id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable @@ -5,9 +6,11 @@ description: Detects system information discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 references: - - https://attack.mitre.org/techniques/T1082/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +--- logsource: product: linux + categories: process_creation detection: selection: CommandLine|contains: @@ -21,7 +24,13 @@ detection: - 'dmidecode' - 'lscpu' - 'lsmod' - selection2: + condition: selection +--- +logsource: + product: linux + categories: file_event +detection: + selection: type: 'PATH' name: - '/sys/class/dmi/id/bios_version' @@ -29,7 +38,7 @@ detection: - '/sys/class/dmi/id/chassis_vendor' - '/proc/scsi/scsi' - '/proc/ide/hd0/model' - condition: selection or selection2 + condition: selection falsepositives: - Legitimate administration activities level: low 
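Review bot: The new `logsource` key `categories: process_creation` is not a Sigma logsource field — the specification defines `category`, `product` and `service` — so a converter will neither select the process-creation source nor translate the generic field names for this section; the line should read `category: process_creation`. The same misspelt key appears as `categories: file_event` in the third hunk of this patch and as `categories: auditd` in patch 10. Separately, this hunk replaces the MITRE T1082 reference with the atomic-red-team page; keeping both entries under `references:` is the usual practice, since the technique page is what the `attack.t1082` tag points at.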
From 723df2f15b6b5a965350f69c6f9cbbb22cad58f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 21:08:01 +0300 Subject: [PATCH 04/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f1afc953c..aafdfbdf0 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -7,6 +7,12 @@ author: Ömer Günal, oscd.community date: 2020/10/08 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1082 --- logsource: product: linux @@ -39,9 +45,3 @@ detection: - '/proc/scsi/scsi' - '/proc/ide/hd0/model' condition: selection -falsepositives: - - Legitimate administration activities -level: low -tags: - - attack.discovery - - attack.t1082 From 26bb43eaf6f364214055ad3777491ce0863afb3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 23:00:44 +0300 Subject: [PATCH 05/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index aafdfbdf0..df9a1cc80 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -21,10 +21,7 @@ detection: selection: CommandLine|contains: - 'uname' - - '/proc/version' - - '/etc/*-release' - 'hostname' - - '/etc/issue' - 'uptime' - 'lspci' - 'dmidecode' @@ -44,4 +41,7 @@ detection: - '/sys/class/dmi/id/chassis_vendor' - '/proc/scsi/scsi' - '/proc/ide/hd0/model' + - '/proc/version' + - '/etc/redhat-release' + - '/etc/issue' condition: selection 
From 9f7244f01922b903e5f2c8af6f92487d07c2cf77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 21 Oct 2020 21:45:23 +0300 Subject: [PATCH 06/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index df9a1cc80..5df4ff904 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -42,6 +42,7 @@ detection: - '/proc/scsi/scsi' - '/proc/ide/hd0/model' - '/proc/version' - - '/etc/redhat-release' + - '/etc/*version + - '/etc/*release' - '/etc/issue' condition: selection From afe97c000cb1642bb08ac181bfc7ccd523783ef6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 21 Oct 2020 21:48:43 +0300 Subject: [PATCH 07/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 5df4ff904..2ac156ddc 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -42,7 +42,7 @@ detection: - '/proc/scsi/scsi' - '/proc/ide/hd0/model' - '/proc/version' - - '/etc/*version + - '/etc/*version' - '/etc/*release' - '/etc/issue' condition: selection From 5dc3472af0afa0aba6dd011f803a025ea3e65e31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 7 Nov 2020 11:51:53 +0300 Subject: [PATCH 08/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 2ac156ddc..f13c05efa 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml 
@@ -19,7 +19,7 @@ logsource: categories: process_creation detection: selection: - CommandLine|contains: + ProcessName|contains: - 'uname' - 'hostname' - 'uptime' From 577165b7f7067ab70e1e899ce562ca90e37caaa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sun, 8 Nov 2020 11:09:27 +0300 Subject: [PATCH 09/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f13c05efa..f5709a91e 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -19,14 +19,14 @@ logsource: categories: process_creation detection: selection: - ProcessName|contains: - - 'uname' - - 'hostname' - - 'uptime' - - 'lspci' - - 'dmidecode' - - 'lscpu' - - 'lsmod' + ProcessName|endswith: + - '/uname' + - '/hostname' + - '/uptime' + - '/lspci' + - '/dmidecode' + - '/lscpu' + - '/lsmod' condition: selection --- logsource: From 19cad11a4adaa720caa635c281cb47311eae3a3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 10 Nov 2020 20:11:49 +0300 Subject: [PATCH 10/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f5709a91e..aa196084a 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -31,10 +31,9 @@ detection: --- logsource: product: linux - categories: file_event + categories: auditd detection: selection: - type: 'PATH' name: - '/sys/class/dmi/id/bios_version' - '/sys/class/dmi/id/product_name' From edc416a1d8f7ace9386dacb4c8ec8b74826d832f Mon Sep 17 00:00:00 2001 
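Review bot: `ProcessName` is not the field the other Sigma `process_creation` rules use for the executable path — they key on `Image`, which the backend configurations map to each platform's native field — so unless `ProcessName` is mapped in the project's configs this selection will be emitted verbatim and never match; if it is not mapped, the line should read `Image|endswith:` with the same list. Switching to `endswith` on a slash-prefixed basename is the right shape for this match.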
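Review bot: `categories: auditd` treats auditd as a log category, whereas the other auditd rules in this repository declare the source as `product: linux` with `service: auditd`, and `auditd` is not a category in the Sigma taxonomy; the line should read `service: auditd`. Dropping `type: 'PATH'` in the same hunk also widens the `name` match to every auditd record type that carries a `name` field rather than only PATH records; patch 11 restores that key, so the two changes would be better squashed.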
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 14 Nov 2020 19:24:23 +0300 Subject: [PATCH 11/12] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index aa196084a..eabff7636 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -34,6 +34,7 @@ logsource: categories: auditd detection: selection: + type: 'PATH' name: - '/sys/class/dmi/id/bios_version' - '/sys/class/dmi/id/product_name' From 38154c014e7490843f0788255e4af32f76a09b8a Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 12/12] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql