From 3b02967ffb37048b1ba68a616fe571d07d51b801 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 16 Feb 2022 19:53:46 +0100
Subject: [PATCH 01/26] add win_pc_lolbin_wlrmdr
---
 .../process_creation/win_pc_lolbin_wlrmdr.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
new file mode 100644
index 000000000..a290118bb
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
@@ -0,0 +1,27 @@
+title: Wlrmdr Lolbin Use as Laucher
+id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb
+status: experimental
+description: Detects use of Wlrmdr.exe the -u parameter is passed to ShellExecute()
+references:
+ - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
+author: frack113
+date: 2022/02/16
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: wlrmdr.exe
+ CommandLine|contains|all:
+ - '-s '
+ - '-f '
+ - '-t '
+ - '-m '
+ - '-a '
+ - '-u '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
\ No newline at end of file
From 5deb9af69817eaef0d03221fd04af91e5c906719 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 17 Feb 2022 08:15:25 +0100
Subject: [PATCH 02/26] Update sysmon_reg_office_security.yml
---
 rules/windows/registry_event/sysmon_reg_office_security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
index 1ef9cf359..9f0c5fcbe 100644
--- a/rules/windows/registry_event/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
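Review bot: `Image|endswith: wlrmdr.exe` carries no path separator, so any image whose name merely ends in that string also matches; every other image match in this series is written with the leading backslash, so `Image|endswith: '\wlrmdr.exe'` is the consistent and tighter form. The title misspells "Launcher" as `Laucher`, and that typo survives the later edits to this file in PATCH 03 and PATCH 26 of this series. The description's broken grammar is reworded in PATCH 03, so nothing further is needed for it here.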
@@ -1,12 +1,12 @@ title: Office Security Settings Changed id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd status: experimental -description: Detects registry changes to Office macro settings +description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) author: Trent Liffick (@tliffick) date: 2020/05/22 modified: 2022/01/10 references: - - Internal Research + - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ tags: From e0d8f59f428fc235f6cce5133c8cd9f505a23761 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 17 Feb 2022 16:24:52 +0100 Subject: [PATCH 03/26] Update win_pc_lolbin_wlrmdr.yml --- rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml index a290118bb..bd0590851 100644 --- a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml +++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml @@ -1,7 +1,7 @@ title: Wlrmdr Lolbin Use as Laucher id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb status: experimental -description: Detects use of Wlrmdr.exe the -u parameter is passed to ShellExecute() +description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ author: frack113 @@ -24,4 +24,4 @@ falsepositives: - Unknown level: medium tags: - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion From f2be1ed1b814166dbd602d85d18de525dc03f426 Mon Sep 17 00:00:00 2001 
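Review bot: The `modified: 2022/01/10` context line is left unchanged although this commit rewrites the description and swaps a reference, so the rule's own metadata no longer reflects its last edit; it should be bumped to the commit date, `modified: 2022/02/17`. The new description also ends with `documents. (see references)`; moving the parenthetical inside the sentence, `documents (see references).`, reads cleaner.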
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 09:31:26 +0100 Subject: [PATCH 04/26] fix: FPs --- .../win_susp_proc_access_lsass.yml | 27 ++++++++++++------- ...win_susp_proc_access_lsass_susp_source.yml | 7 ++--- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index 615e14fb7..0e25b6efa 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2022/02/12 +modified: 2022/02/18 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -71,16 +71,16 @@ detection: filter3: SourceImage|startswith: 'C:\Program Files\WindowsApps\' SourceImage|endswith: '\GamingServices.exe' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' - '0x1040' # Process Explorer filter4: - SourceImage|endswith: + SourceImage|endswith: - '\PROCEXP64.EXE' - '\PROCEXP.EXE' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' # VMware Tools @@ -89,14 +89,14 @@ detection: SourceImage|endswith: '\vmtoolsd.exe' # Antivirus and EDR agents filter6: - SourceImage|startswith: + SourceImage|startswith: - 'C:\Progra Files\' - 'C:\Progra Files (x86)\' - SourceImage|contains: + SourceImage|contains: - 'Antivirus' filter7: SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' filter8: 
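Review bot: The `filter6` values `'C:\Progra Files\'` and `'C:\Progra Files (x86)\'`, the context lines directly under the `SourceImage|startswith:` line this hunk rewrites, are missing the `m` of `Program`, so the startswith test will not match the standard install directories and the antivirus/EDR exclusion it is meant to provide is effectively a no-op. Since the commit is titled "fix: FPs" and touches exactly this stanza, correcting them to `'C:\Program Files\'` and `'C:\Program Files (x86)\'` belongs here. This is pre-existing text rather than something the commit introduces, so it is raised as a missed fix, not a regression.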
@@ -107,13 +107,22 @@ detection: GrantedAccess: '0x1418' # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.) filter_generic: - SourceImage|startswith: + SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - 'C:\WINDOWS\system32\' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' + filter_localappdata: + SourceImage|contains|all: + - 'C:\Users\' + - '\AppData\Local\' + SourceImage|endswith: + - '\Microsoft VS Code\Code.exe' + - '\software_reporter_tool.exe' + - '\DropboxUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml index 02541dfcd..8c06e0518 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2021/12/05 +modified: 2022/02/18 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -48,19 +48,20 @@ detection: - 'FA' - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c - 'FF' - SourceImage|contains: + SourceImage|contains: - '\Temp\' - '\Users\Public\' - '\PerfLogs\' - '\AppData\' - '\Temporary' filter1: - SourceImage|contains|all: + SourceImage|contains|all: - 'C:\Users\' - '\AppData\Local\' SourceImage|endswith: - '\Microsoft VS Code\Code.exe' - '\software_reporter_tool.exe' + - '\DropboxUpdate.exe' GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: 
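Review bot: The new `filter_localappdata` stanza excludes `0x410` LSASS access from any binary under `C:\Users\…\AppData\Local\` whose path ends in `\Microsoft VS Code\Code.exe`, `\software_reporter_tool.exe` or `\DropboxUpdate.exe`; because that location is user-writable and only the trailing file name is checked, the exclusion is broader than the three products it is meant to cover, and the trade-off is not recorded anywhere in the rule. A one-line comment above the stanza, `# user-writable location, matched on file name only; accepted for access mask 0x410`, makes the scope explicit for the next maintainer. The same stanza, including the added `\DropboxUpdate.exe` entry, is also present in the second file of this commit, win_susp_proc_access_lsass_susp_source.yml, so the comment applies there as well.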
From 631a30023628b4fd60059eeadd915d2f81937946 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 19 Feb 2022 10:25:26 +0100 Subject: [PATCH 05/26] Fix some FP --- rules/windows/process_creation/win_pc_susp_run_folder.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_pc_susp_run_folder.yml b/rules/windows/process_creation/win_pc_susp_run_folder.yml index b316906ea..a9103c537 100644 --- a/rules/windows/process_creation/win_pc_susp_run_folder.yml +++ b/rules/windows/process_creation/win_pc_susp_run_folder.yml @@ -6,6 +6,7 @@ references: - Malware sandbox results author: frack113 date: 2022/02/11 +modified: 2022/02/18 logsource: category: process_creation product: windows @@ -15,7 +16,11 @@ detection: - '\Desktop\' - '\Temp\' - '\Temporary Internet' - condition: image + filter_parent: + ParentImage: + - 'C:\Windows\System32\cleanmgr.exe' + - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' + condition: image and not filter_parent falsepositives: - unknown level: low From ec7af1fcaa5e0adeffa039d10861b28288866b32 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 19 Feb 2022 18:30:14 +0100 Subject: [PATCH 06/26] add win_etw_rename_to_dll --- .../etw/file_rename/win_etw_rename_to_dll.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/etw/file_rename/win_etw_rename_to_dll.yml diff --git a/rules/windows/etw/file_rename/win_etw_rename_to_dll.yml b/rules/windows/etw/file_rename/win_etw_rename_to_dll.yml new file mode 100644 index 000000000..26d71cbc3 --- /dev/null +++ b/rules/windows/etw/file_rename/win_etw_rename_to_dll.yml 
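Review bot: `falsepositives:` still reads `- unknown` although the commit now names two concrete legitimate parents in `filter_parent` (`cleanmgr.exe` and the Visual Studio installer's `BackgroundDownload.exe`); the section should name them so a reader knows what the filter is for, e.g. `- Legitimate child processes of cleanmgr.exe or the Visual Studio installer (see filter_parent)`. A short comment above the filter describing the observed activity would also help, since the long absolute path is otherwise opaque. The `image` selection the condition refers to starts outside this hunk.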
@@ -0,0 +1,21 @@
+title: Rename a Commun File to DLL File
+id: bbfd974c-248e-4435-8de6-1e938c79c5c1
+status: experimental
+description: To bypass detection download a dll hide with commun extension and rename it to dll
+references:
+ - https://twitter.com/ffforward/status/1481672378639912960
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
+author: frack113
+date: 2022/02/19
+logsource:
+ product: windows
+ category: file_rename
+detection:
+ to_dll:
+ TargetFilename|endswith: '.dll'
+ from_dll:
+ OriginalFilename|endswith: '.dll'
+ condition: to_dll and not from_dll
+falsepositives:
+ - Application installation
+level: medium
From 82660bbaf213f83369a707635808c78583c312ba Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 20 Feb 2022 11:26:13 +0100
Subject: [PATCH 07/26] Simple TOR rules
---
 rules/windows/dns_query/win_dq_tor_onion.yml | 21 +++++++++++++++++
 .../process_creation/win_pc_tor_browser.yml | 23 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 rules/windows/dns_query/win_dq_tor_onion.yml
 create mode 100644 rules/windows/process_creation/win_pc_tor_browser.yml
diff --git a/rules/windows/dns_query/win_dq_tor_onion.yml b/rules/windows/dns_query/win_dq_tor_onion.yml
new file mode 100644
index 000000000..355db3639
--- /dev/null
+++ b/rules/windows/dns_query/win_dq_tor_onion.yml
@@ -0,0 +1,21 @@
+title: Query to TOR Onion
+id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
+status: experimental
+description: DNS query to onion routing networks
+references:
+ - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: frack113
+date: 2022/02/20
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|contains: 'onion.'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_tor_browser.yml b/rules/windows/process_creation/win_pc_tor_browser.yml
new file mode 100644
index 000000000..212e36507
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_tor_browser.yml
@@ -0,0 +1,23 @@
+title: Use Tor Client or Tor Browser
+id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
+status: experimental
+description: use tor or tor-browser to connect to onion routing networks
+references:
+ - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: frack113
+date: 2022/02/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\tor.exe'
+ - '\Tor Browser\Browser\firefox.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
\ No newline at end of file
From 470ca979b475a4e7f75b3c2d38a0297c24abc585 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 20 Feb 2022 11:31:08 +0100
Subject: [PATCH 08/26] Fix FP binary
---
 rules/windows/registry_event/win_re_ie_persistence.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/registry_event/win_re_ie_persistence.yml b/rules/windows/registry_event/win_re_ie_persistence.yml
index a0ca82133..645f47c50 100644
--- a/rules/windows/registry_event/win_re_ie_persistence.yml
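Review bot: The title `Rename a Commun File to DLL File` and the description both misspell "common", and the description is phrased as an instruction rather than as what the rule detects; suggested wording is `title: Rename a Common File to a DLL File` and `description: Detects a file with a non-DLL extension being renamed to .dll, a technique used to hide a downloaded library`. The rule cites the ATT&CK T1036 atomic test in its references but has no `tags:` section; adding `tags:` with `- attack.defense_evasion` and `- attack.t1036` keeps it consistent with the other rules in this series. Nothing in the hunk establishes that `OriginalFilename` and `TargetFilename` are the source/destination pair for this `file_rename` category, so that field naming is presumably taken from the backend mapping and is worth confirming.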
+++ b/rules/windows/registry_event/win_re_ie_persistence.yml @@ -3,7 +3,7 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 description: Use IE registry to hide a scripts author: frack113 date: 2022/01/22 -modified: 2022/02/13 +modified: 2022/02/20 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry @@ -21,6 +21,8 @@ detection: - 'Cookie:' - 'Visited:' - '(Empty)' + filter_binary: + Details: 'Binary Data' condition: selection_domains and not 1 of filter_* falsepositives: - Unknown From d3c0d90ba77340538f7077b28b126aa78d708de3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 20 Feb 2022 12:14:05 +0100 Subject: [PATCH 09/26] increased level --- rules/windows/dns_query/win_dq_tor_onion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/dns_query/win_dq_tor_onion.yml b/rules/windows/dns_query/win_dq_tor_onion.yml index 355db3639..215f2ad30 100644 --- a/rules/windows/dns_query/win_dq_tor_onion.yml +++ b/rules/windows/dns_query/win_dq_tor_onion.yml @@ -15,7 +15,7 @@ detection: condition: selection falsepositives: - Unknown -level: medium +level: high tags: - attack.command_and_control - - attack.t1090.003 \ No newline at end of file + - attack.t1090.003 From 505734730d31d41bbc40099e2275b7d7328b6ec7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 20 Feb 2022 12:14:14 +0100 Subject: [PATCH 10/26] increased level --- rules/windows/process_creation/win_pc_tor_browser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_pc_tor_browser.yml b/rules/windows/process_creation/win_pc_tor_browser.yml index 212e36507..7cc56fe7e 100644 --- a/rules/windows/process_creation/win_pc_tor_browser.yml +++ b/rules/windows/process_creation/win_pc_tor_browser.yml 
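Review bot: The new `filter_binary: Details: 'Binary Data'` stanza suppresses every hit whose registry value is reported as binary, and nothing in the rule records why that is a false positive rather than a detection gap; a comment above the stanza, `# Sysmon reports REG_BINARY values as 'Binary Data'; excluded as a known false-positive source`, would document the assumption. That rationale is inferred from the commit title "Fix FP binary" rather than from the hunk, so confirm it before adding the comment. The `selection_domains` stanza the condition depends on starts outside this hunk.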
@@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Unknown -level: medium +level: high tags: - attack.command_and_control - - attack.t1090.003 \ No newline at end of file + - attack.t1090.003 From e7bf14c6dcb1d53c791d569e10d9eb5650347136 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 20 Feb 2022 12:14:57 +0100 Subject: [PATCH 11/26] description and title --- rules/windows/process_creation/win_pc_tor_browser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_pc_tor_browser.yml b/rules/windows/process_creation/win_pc_tor_browser.yml index 7cc56fe7e..9c858b127 100644 --- a/rules/windows/process_creation/win_pc_tor_browser.yml +++ b/rules/windows/process_creation/win_pc_tor_browser.yml @@ -1,7 +1,7 @@ -title: Use Tor Client or Tor Browser +title: Tor Client or Tor Browser Use id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c status: experimental -description: use tor or tor-browser to connect to onion routing networks +description: Detects the use of Tor or Tor-Browser to connect to onion routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ author: frack113 From dff806c5bc2e4d56a22311be655775a7e81ab61e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 20 Feb 2022 12:17:12 +0100 Subject: [PATCH 12/26] changed description, fix: onion TLD position of '.' --- rules/windows/dns_query/win_dq_tor_onion.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/dns_query/win_dq_tor_onion.yml b/rules/windows/dns_query/win_dq_tor_onion.yml index 215f2ad30..07f86ecb8 100644 --- a/rules/windows/dns_query/win_dq_tor_onion.yml +++ b/rules/windows/dns_query/win_dq_tor_onion.yml 
@@ -1,7 +1,7 @@ -title: Query to TOR Onion +title: Query Tor Onion Address id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 status: experimental -description: DNS query to onion routing networks +description: Detects DNS resolution of an .onion address related to Tor routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ author: frack113 @@ -11,7 +11,7 @@ logsource: category: dns_query detection: selection: - QueryName|contains: 'onion.' + QueryName|contains: '.onion' condition: selection falsepositives: - Unknown From dcf936bb6cb82b3800c267f1797937491bce8cdb Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 20 Feb 2022 17:59:53 +0100 Subject: [PATCH 13/26] Rename win_pc_tor_browser.yml to proc_creation_win_tor_browser.yml --- .../{win_pc_tor_browser.yml => proc_creation_win_tor_browser.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_pc_tor_browser.yml => proc_creation_win_tor_browser.yml} (100%) diff --git a/rules/windows/process_creation/win_pc_tor_browser.yml b/rules/windows/process_creation/proc_creation_win_tor_browser.yml similarity index 100% rename from rules/windows/process_creation/win_pc_tor_browser.yml rename to rules/windows/process_creation/proc_creation_win_tor_browser.yml From 15e659fed8c804148adf335082a2cbc1728ebdc9 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 20 Feb 2022 18:59:08 +0100 Subject: [PATCH 14/26] Rename win_etw_rename_to_dll.yml to file_rename_win_not_dll_to_dll.yml --- ...n_etw_rename_to_dll.yml => file_rename_win_not_dll_to_dll.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/etw/file_rename/{win_etw_rename_to_dll.yml => file_rename_win_not_dll_to_dll.yml} (100%) 
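Review bot: `QueryName|contains: '.onion'` still matches any hostname that merely contains that substring, for example `foo.onion.example.com`, whereas `.onion` is a top-level label; `QueryName|endswith: '.onion'` is the precise test and removes that class of false positive. If trailing-dot FQDN forms (`host.onion.`) occur in this log source, an `endswith` list holding both `'.onion'` and `'.onion.'` covers them, but that depends on the backend, which the hunk does not show.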
diff --git a/rules/windows/etw/file_rename/win_etw_rename_to_dll.yml b/rules/windows/etw/file_rename/file_rename_win_not_dll_to_dll.yml similarity index 100% rename from rules/windows/etw/file_rename/win_etw_rename_to_dll.yml rename to rules/windows/etw/file_rename/file_rename_win_not_dll_to_dll.yml From e6fe8fdeddf95165915ec9a6dcecdc7a9d12e008 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 13:33:29 +0100 Subject: [PATCH 15/26] workflow: execute evtx-sigma-checker --- .github/workflows/sigma-test.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 88c6d0502..8c0171a21 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -39,3 +39,20 @@ jobs: - uses: actions/checkout@v2 - name: yaml-lint uses: ibiqlik/action-yamllint@v3 + check-baseline-win10: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download evtx-sigma-checker + run: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/evtx-sigma-checker + - name: Download and extract Windows 10 baseline + run: | + wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz + tar xzf win10-client-v0.1.tgz + - name: Remove deprecated rules + run: grep -ER "^status: deprecated" rules | xargs -r rm + - name: Run evtx-sigma-checker + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings-client.json + cat findings-client.json From d3397929b400acbe249c9b3aa8febf7d02debceb Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 13:35:19 +0100 Subject: [PATCH 16/26] workflow: fix: quote command with pipe --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
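Review bot: The new `check-baseline-win10` job downloads `evtx-sigma-checker` from a third-party GitHub release with `wget` and executes it with no integrity check, so every CI run depends on whatever that URL serves at the moment; the same holds for `win10-client-v0.1.tgz`, and PATCH 19 in this series moves both URLs to `releases/latest/download/`, which leaves the inputs unpinned as well. Pin the release tag and verify a recorded digest before the `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  evtx-sigma-checker" | sha256sum -c -` with the hash committed next to the workflow (placeholder shown; take the value from the release). `actions/checkout@v2` is likewise referenced by mutable tag rather than commit SHA, though that matches the existing steps in the file. The unquoted `run: grep -ER "^status: deprecated" rules | xargs -r rm` contains `: ` and will not parse as intended, but PATCH 16 already quotes it.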
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8c0171a21..ecea4b2cc 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -50,7 +50,7 @@ jobs: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz tar xzf win10-client-v0.1.tgz - name: Remove deprecated rules - run: grep -ER "^status: deprecated" rules | xargs -r rm + run: 'grep -ER "^status: deprecated" rules | xargs -r rm' - name: Run evtx-sigma-checker run: | chmod +x evtx-sigma-checker From 00f1f561dd9727d949d0a3453bbae0068aa4e8c0 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 13:37:13 +0100 Subject: [PATCH 17/26] workflow: fix: missing -l grep flag --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ecea4b2cc..efd38bf10 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -50,7 +50,7 @@ jobs: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz tar xzf win10-client-v0.1.tgz - name: Remove deprecated rules - run: 'grep -ER "^status: deprecated" rules | xargs -r rm' + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm' - name: Run evtx-sigma-checker run: | chmod +x evtx-sigma-checker From 48eefe29f705f8a652b1a0f9f8f28c32dfa21d0c Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 13:43:58 +0100 Subject: [PATCH 18/26] workflow: verbose remove of deprecated rules --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index efd38bf10..8092ba0fe 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -50,7 +50,7 @@ jobs: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz tar xzf win10-client-v0.1.tgz - name: Remove deprecated rules - run: 'grep -ERl "^status: deprecated" rules | xargs -r rm' + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - name: Run evtx-sigma-checker run: | chmod +x evtx-sigma-checker From 20761d03325692d9a0690ae888d70304473ee508 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 18 Feb 2022 16:01:37 +0100 Subject: [PATCH 19/26] workflow: link to latest release --- .github/workflows/sigma-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8092ba0fe..e73de6ed1 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -44,11 +44,11 @@ jobs: steps: - uses: actions/checkout@v2 - name: Download evtx-sigma-checker - run: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/evtx-sigma-checker + run: wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker - name: Download and extract Windows 10 baseline run: | - wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz - tar xzf win10-client-v0.1.tgz + wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz + tar xzf win10-client.tgz - name: Remove deprecated rules run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - name: Run evtx-sigma-checker From 0c473a3e775dd37954fd6aab1913504ba8c015e0 Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:24:03 +0100
Subject: [PATCH 20/26] workflow: evaluate findings, exclude known FPs
---
 .github/workflows/known-FPs.csv | 12 ++++++++++++
 .github/workflows/matchgrep.sh | 33 ++++++++++++++++++++++++++++++++
 .github/workflows/sigma-test.yml | 5 +++--
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/known-FPs.csv
 create mode 100755 .github/workflows/matchgrep.sh
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
new file mode 100644
index 000000000..092277629
--- /dev/null
+++ b/.github/workflows/known-FPs.csv
@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
new file mode 100755
index 000000000..e61bbe4c2
--- /dev/null
+++ b/.github/workflows/matchgrep.sh
@@ -0,0 +1,33 @@
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+ >&2 echo "usage: $0 [json-file] [FPs.csv]"
+ exit 1
+fi
+
+if [[ ! -f ${infile} || ! -r ${infile} ]]; then
+ >&2 echo "${infile} is not a valid, readable file"
+ exit 2
+fi
+if [[ ! -f ${fps} || ! -r ${fps} ]]; then
+ >&2 echo "${fps} is not a valid, readable file"
+ exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+ read # Skip CSV header
+ while IFS=\; read -r id name fpstring; do
+ findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+ done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+ echo "No matches found."
+else
+ >&2 echo "Found matches:"
+ >&2 echo "${findings}"
+fi
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index e73de6ed1..630cb7b33 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -54,5 +54,6 @@ jobs:
 - name: Run evtx-sigma-checker
 run: |
 chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings-client.json
- cat findings-client.json
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
+ - name: Check for Sigma matches in baseline
+ run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
From 2cecd0e6ef7ddecbf81ce5f01b2205ccfdcbb414 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:27:27 +0100
Subject: [PATCH 21/26] workflow: rename steps
---
 .github/workflows/sigma-test.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 630cb7b33..00dd1fa1b 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
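Review bot: `${infile}` and `${fps}` are expanded unquoted in `findings=$(grep -v '"RuleLevel":"low"' ${infile})` and in `} < ${fps}`, so a path containing whitespace splits into several arguments; quote them as `"${infile}"` and `"${fps}"`. The `while IFS=\; read -r id name fpstring; do` loop also drops the last CSV row if the file ever loses its trailing newline, which would silently re-enable that suppression; `while IFS=\; read -r id name fpstring || [[ -n ${id} ]]; do` handles both cases. `fpstring` is interpolated into the `grep -Ev` pattern as an extended regular expression, which the CSV header `MatchString` does not make obvious, so a comment above the loop, `# MatchString is an extended regex applied to the whole finding line`, would spare the next editor a surprise. The missing shebang is added in PATCH 22.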
@@ -51,9 +51,9 @@ jobs: tar xzf win10-client.tgz - name: Remove deprecated rules run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - - name: Run evtx-sigma-checker + - name: Check for Sigma matches in baseline (run evtx-sigma-checker) run: | chmod +x evtx-sigma-checker ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json - - name: Check for Sigma matches in baseline + - name: Show findings (exclude known FPs) run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv From a1c0c1c03dcb1c2004a8e604d08d1c1c7c5735a8 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 21 Feb 2022 10:29:39 +0100 Subject: [PATCH 22/26] workflow: add shebang to matchgrep.sh --- .github/workflows/matchgrep.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh index e61bbe4c2..c5c0f715f 100755 --- a/.github/workflows/matchgrep.sh +++ b/.github/workflows/matchgrep.sh @@ -1,3 +1,5 @@ +#!/bin/bash + infile=$1 fps=$2 From fc8cf7d4a0dcb0415ccdeba08e573a74a00b9ed0 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 21 Feb 2022 10:31:09 +0100 Subject: [PATCH 23/26] workflow: fix: missing . in path --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 00dd1fa1b..00876fca6 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -56,4 +56,4 @@ jobs: chmod +x evtx-sigma-checker ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json - name: Show findings (exclude known FPs) - run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv From 3961774991833b8ba207b7f3d5f6e22edbd4bf18 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 21 Feb 2022 10:42:52 +0100 Subject: [PATCH 24/26] workflow: show error on sigma matches --- .github/workflows/matchgrep.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh index c5c0f715f..651a7407c 100755 --- a/.github/workflows/matchgrep.sh +++ b/.github/workflows/matchgrep.sh @@ -32,4 +32,6 @@ if [[ -z ${findings} ]]; then else >&2 echo "Found matches:" >&2 echo "${findings}" + >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv" + exit 3 fi From 62949b043735698947264840667010fcf051854b Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 21 Feb 2022 10:50:26 +0100 Subject: [PATCH 25/26] workflow: output cosmetics --- .github/workflows/matchgrep.sh | 1 + .github/workflows/sigma-test.yml | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh index 651a7407c..49baf8473 100755 --- a/.github/workflows/matchgrep.sh +++ b/.github/workflows/matchgrep.sh @@ -32,6 +32,7 @@ if [[ -z ${findings} ]]; then else >&2 echo "Found matches:" >&2 echo "${findings}" + >&2 echo >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv" exit 3 fi 
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 00876fca6..64a6ed7f2 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -44,16 +44,16 @@ jobs: steps: - uses: actions/checkout@v2 - name: Download evtx-sigma-checker - run: wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker - name: Download and extract Windows 10 baseline run: | - wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz tar xzf win10-client.tgz - name: Remove deprecated rules run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - - name: Check for Sigma matches in baseline (run evtx-sigma-checker) + - name: Check for Sigma matches in baseline run: | chmod +x evtx-sigma-checker ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json - - name: Show findings (exclude known FPs) + - name: Show findings excluding known FPs run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv From df21201783638bfd4b04be8b32f94c07c3861c00 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 21 Feb 2022 11:09:20 +0100 Subject: [PATCH 26/26] fix: FP --- rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml index bd0590851..7582d89b3 100644 --- a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml +++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml 
@@ -6,6 +6,7 @@ references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ author: frack113 date: 2022/02/16 +modified: 2022/02/21 logsource: category: process_creation product: windows @@ -19,7 +20,9 @@ detection: - '-m ' - '-a ' - '-u ' - condition: selection + filter: + ParentImage: 'C:\Windows\System32\winlogon.exe' + condition: selection and not filter falsepositives: - Unknown level: medium
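Review bot: `falsepositives:` keeps `- Unknown` although the commit adds a concrete exclusion for `ParentImage: 'C:\Windows\System32\winlogon.exe'`, presumably the source of the false positive named in the commit title; record it, e.g. `- Legitimate wlrmdr.exe launches with winlogon.exe as parent (see filter)`. The stanza name `filter` is also the least descriptive option available; `filter_winlogon` together with `condition: selection and not filter_winlogon` follows the naming used elsewhere in this series (`filter_parent`, `filter_binary`). The `Laucher` typo in the title of this file lies outside this hunk.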