diff --git a/CHANGELOG.md b/CHANGELOG.md index ece949b93..23cb01864 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ from version 0.14.0. * Elastic EQL backend * Additional conversion selection filters * Filter negation -* Specifiy table in SQL backend +* Specify table in SQL backend * Generic registry event log source * Chronicle backend diff --git a/README.md b/README.md index 424533b59..4815056d4 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma) +[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) @@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei # Projects or Products that use Sigma * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017) +* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018) * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/) * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index ea7330a3b..e383c9495 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml 
@@ -4,7 +4,7 @@ status: stable description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. author: Sittikorn S date: 2021/06/29 -modified: 2021/08/09 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: @@ -17,7 +17,6 @@ detection: selection: eventSource: ec2.amazonaws.com eventName: DisableEbsEncryptionByDefault - status: success condition: selection falsepositives: - System Administrator Activities diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index 073bdf6b6..be6b74389 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -4,9 +4,9 @@ status: experimental description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index dff7a078e..05baed245 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml 
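Review bot: With `status: success` removed (presumably because CloudTrail records carry no `status` field), the selection has nothing left that separates a completed `DisableEbsEncryptionByDefault` call from one CloudTrail logged with an `errorCode` (e.g. denied by policy), so the rule now fires on attempts as well as actual changes, while the description still reads as if only the change itself is identified. Firing on attempts is useful signal for a defender, so the cheaper fix is wording: `description: Identifies disabling, or attempted disabling, of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.`. If only applied changes are wanted instead, add `filter: errorCode: '*'` and use `condition: selection and not filter`.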
@@ -4,6 +4,7 @@ status: experimental description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: @@ -17,7 +18,6 @@ detection: filter2: errorCode: '*' filter3: - eventName: 'ConsoleLogin' responseElements|contains: 'Failure' condition: selection and (filter1 or filter2 or filter3) level: low diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml index 2af725c89..7991b3ae5 100644 --- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml @@ -4,9 +4,9 @@ status: experimental description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml index 4204cbaff..cfdfb70a2 100644 --- a/rules/cloud/aws/aws_rds_change_master_password.yml +++ b/rules/cloud/aws/aws_rds_change_master_password.yml 
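Review bot: After dropping `eventName: 'ConsoleLogin'`, `filter3` is a lone positive match on `responseElements|contains: 'Failure'`, and all three `filterN` groups are OR'd into `condition: selection and (filter1 or filter2 or filter3)` rather than excluded with `not`, which is what a `filter` prefix conventionally signals in Sigma rules. Naming them for what they match, e.g. `failure_response: responseElements|contains: 'Failure'` with `condition: selection and (failure_code or failure_response or ...)`, makes the inclusion readable at a glance. The detection block starts above the hunk, so `selection` and `filter1` are not visible here.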
@@ -4,9 +4,9 @@ status: experimental description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml index 41497778e..fdc8c19d8 100644 --- a/rules/cloud/aws/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws/aws_rds_public_db_restore.yml @@ -4,9 +4,9 @@ status: experimental description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml similarity index 51% rename from rules/cloud/aws/aws_sts_assumedrole_misuse.yml rename to rules/cloud/aws/aws_sts_assumerole_misuse.yml index 2e9d22f48..f74646120 100644 --- a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml 
@@ -1,9 +1,10 @@ -title: AWS STS AssumedRole Misuse +title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 -description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. +description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. author: Austin Songer @austinsonger status: experimental date: 2021/07/24 +modified: 2021/08/20 references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html @@ -12,8 +13,8 @@ logsource: detection: selection: eventSource: sts.amazonaws.com - eventName: AssumedRole - userIdentity.sessionContext: Role + eventName: AssumeRole + userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low tags: @@ -23,5 +24,6 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml new file mode 100644 index 000000000..74041d51f --- /dev/null +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml 
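Review bot: `userIdentity.sessionContext.sessionIssuer.type: Role` matches, as far as the CloudTrail `userIdentity` schema goes, every `AssumeRole` call made from credentials that were themselves issued by a role (role chaining), which is routine for automation and service roles; nothing in the selection narrows it to the suspicious subset the title implies, and the hunk's own `falsepositives` entry for Terraform hints at that. State the scope so tuning is expected: `description: Identifies AssumeRole calls made from an existing role session (role chaining). Attackers could move laterally and escalate privileges; baseline against known automation before raising the level.` The `level: low` is appropriate for a rule this broad.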
@@ -0,0 +1,20 @@ +title: Number Of Resource Creation Or Deployment Activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml new file mode 100644 index 000000000..2cfb1fe8b --- /dev/null +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -0,0 +1,19 @@ +title: Granting Of Permissions To An Account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml new file mode 100644 index 000000000..49ae1bb74 --- /dev/null +++ b/rules/cloud/azure/azure_rare_operations.yml 
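Review bot: The title `Number Of Resource Creation Or Deployment Activities` and the referenced Sentinel analytic describe an anomalous-count detection, but `condition: keywords` fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write` event, so the rule as written is a plain per-event match at `level: medium`. Either add an aggregation the target backend supports (Sigma's `condition: keywords | count() by <caller field> > <threshold>` form) or retitle and redescribe it as a per-event rule so consumers do not expect thresholding. The same description-versus-logic gap is in `azure_granting_permission_detection.yml` on this line: its description promises alerting on a previously unseen source IP, while the detection is a bare keyword match on `Microsoft.Authorization/roleAssignments/write` with no IP baselining.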
@@ -0,0 +1,25 @@ +title: Rare Subscription-level Operations In Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1003 diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml new file mode 100644 index 000000000..0b09904be --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -0,0 +1,23 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +description: Detects when an API access service account is granted domain authority. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Unknown + 
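Review bot: The `description` of `azure_rare_operations.yml` is the text of the role-assignment rule (`Identifies IPs from which users grant access to other users ...`) and does not describe what the keywords match: `listKeys` actions that return storage, Cosmos DB, Maps, Media and Cognitive Services account keys, plus snapshot and network security group writes. Replace it with what the detection does, e.g. `description: Detects rare subscription-level operations in AzureActivity, such as listing account keys for storage and data services, creating disk snapshots or writing network security groups.` The `attack.t1003` tag (OS credential dumping) is a stretch for listing cloud account keys; a credential-access technique for unsecured cloud credentials may fit better and is worth a check against the ATT&CK cloud matrix.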
diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 000000000..e0bab12fd --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +description: Detects when an a role is modified or deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 000000000..7a803146b --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -0,0 +1,22 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +description: Detects when an a role privilege is deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + 
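Review bot: The description in `gworkspace_role_modified_or_deleted.yml` reads `Detects when an a role is modified or deleted`; the same doubled article is in `gworkspace_role_privilege_deleted.yml` on this line, and `an Google Workspace user` in `gworkspace_user_granted_admin_privileges.yml` on the next. Suggested lines: `description: Detects when a role is modified or deleted in Google Workspace.`, `description: Detects when a role privilege is deleted in Google Workspace.`, `description: Detects when a Google Workspace user is granted admin privileges.`. Both role rules tag only the tactic `attack.impact`, whereas the sibling Google Workspace rules in this commit carry a technique; if an account-access-removal technique fits the intent, adding it keeps the mapping consistent across the set.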
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 000000000..ffc061d08 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -0,0 +1,24 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an Google Workspace user is granted admin privileges. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 000000000..c24d42b67 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -0,0 +1,23 @@ +title: Activity Performed by Terminated User +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee +status: experimental +description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity performed by terminated user" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml new file mode 100644 index 000000000..7b3a72716 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml 
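Review bot: The `description` is not a sentence: `Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities ...`. The sibling m365 rules added in this commit (anonymous IP, infrequent country, unsanctioned apps, suspicious IP, risky IP logon, inbox forwarding, OAuth app downloads) open with the same `Detects when a Microsoft Cloud App Security reported ...` phrasing and need the same repair. For this one: `description: Detects a Microsoft Cloud App Security alert for a user whose account was terminated in Azure AD but who is still active on another platform such as AWS or Salesforce. This is especially relevant for users who manage resources with a second account, since that account is often not terminated when they leave.` The `eventName` values are the human-readable alert titles, which works until Microsoft rewords a policy; a one-line comment noting the strings are copied from the policy template reference would tell the next maintainer where to re-check them.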
@@ -0,0 +1,24 @@ +title: Activity from Anonymous IP Addresses +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from anonymous IP addresses" + status: success + condition: selection +falsepositives: + - User using a VPN or Proxy +level: medium +tags: + - attack.command_and_control + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 000000000..9aa5ab394 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,24 @@ +title: Activity from Infrequent Country +id: 0f2468a2-5055-4212-a368-7321198ee706 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from infrequent country" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1573 
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml new file mode 100644 index 000000000..831a15ed6 --- /dev/null +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -0,0 +1,24 @@ +title: Data Exfiltration to Unsanctioned Apps +id: 2b669496-d215-47d8-bd9a-f4a45bf07cda +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Data exfiltration to unsanctioned apps" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml new file mode 100644 index 000000000..9be142d81 --- /dev/null +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml 
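Review bot: `falsepositives:` in `microsoft365_data_exfiltration_to_unsanctioned_app.yml` has a bare `-` item, which YAML loads as a null entry rather than a string, so any schema check that expects string entries will reject the rule. Use the placeholder the sibling rules use, `  - Unknown`, or name a real case such as sanctioned file sharing that the app catalog has not yet classified.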
@@ -0,0 +1,24 @@ +title: Activity from Suspicious IP Addresses +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 +status: experimental +description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatDetection + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from suspicious IP addresses" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 000000000..b71a4344b --- /dev/null +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
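Review bot: `category: ThreatDetection` in the logsource differs from `category: ThreatManagement` used by every other m365 rule in this commit, so this rule will resolve against a different, probably undefined, logsource mapping in backend configs. Unless the difference is deliberate, change it to `category: ThreatManagement`. The file name `microsoft365_from_suspicious_ip_addresses.yml` also drops the `activity_` prefix that the title and its sibling `microsoft365_activity_from_anonymous_ip_addresses.yml` use.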
@@ -0,0 +1,24 @@ +title: Logon from a Risky IP Address +id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Log on from a risky IP address" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1078 diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml new file mode 100644 index 000000000..513e4f1b0 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -0,0 +1,24 @@ +title: Suspicious Inbox Forwarding +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 +status: experimental +description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious inbox forwarding" + status: success + condition: selection +falsepositives: + - Unknown +level: low +tags: + - attack.exfiltration + - attack.t1020 
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml new file mode 100644 index 000000000..6dbc4be42 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -0,0 +1,23 @@ +title: Suspicious OAuth App File Download Activities +id: ee111937-1fe7-40f0-962a-0eb44d57d174 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious OAuth app file download activities" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.exfiltration diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index eb1acd9c9..40905d705 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml 
@@ -13,49 +13,49 @@ references: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.5 - - CSC14 - - CSC14.4 - - CSC16 - - CSC16.5 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.DS-1 - - NIST CSF 1.1 PR.DS-2 - - ISO 27002-2013 A.9.2.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - ISO 27002-2013 A.8.3.1 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.10.1.1 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 - - PCI DSS 3.2 8.8 - - PCI DSS 3.2 1.3 - - PCI DSS 3.2 1.4 - - PCI DSS 3.2 4.3 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - 
PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 --- logsource: product: netflow diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index 297e16aac..fa9c67ce3 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml @@ -81,29 +81,29 @@ detection: falsepositives: - unknown level: medium -tags: - - CSC4 - - CSC4.2 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.2 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml index 083cc2b60..0da15dea2 100644 --- a/rules/compliance/group_modification_logging.yml +++ b/rules/compliance/group_modification_logging.yml 
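Review bot: `rules/compliance/cleartext_protocols.yml` keeps the whole CSC/NIST/ISO/PCI list as commented-out YAML instead of either removing it or carrying it in a field the tooling accepts; the same pattern is applied to `default_credentials_usage.yml` on this line and to `group_modification_logging.yml`, `host_without_firewall.yml` and `workstation_was_locked.yml` below. Commented-out content is dead weight the tests no longer see, and nothing records why it was disabled (presumably these strings do not fit the `namespace.value` tag syntax). Either delete it, since git history keeps the mappings, or replace the block with one line that records the reason and where the mappings went, e.g. `# Compliance framework mappings (CSC, NIST CSF, ISO 27002, PCI DSS) removed from tags: not valid Sigma tag syntax; see <tracking issue>.`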
@@ -33,29 +33,29 @@ detection: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.8 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.8 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index cab122e0b..ae9a76a72 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules/compliance/host_without_firewall.yml 
@@ -17,15 +17,15 @@ detection: host.scan.vuln_name: Firewall Product Not Detected* condition: selection level: low -tags: - - CSC9 - - CSC9.4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 DE.AE-1 - - ISO 27002-2013 A.9.1.2 - - ISO 27002-2013 A.13.2.1 - - ISO 27002-2013 A.13.2.2 - - ISO 27002-2013 A.14.1.2 - - PCI DSS 3.2 1.4 +# tags: + # - CSC9 + # - CSC9.4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 DE.AE-1 + # - ISO 27002-2013 A.9.1.2 + # - ISO 27002-2013 A.13.2.1 + # - ISO 27002-2013 A.13.2.2 + # - ISO 27002-2013 A.14.1.2 + # - PCI DSS 3.2 1.4 diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 37fd37c90..0cb5033c4 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml 
@@ -21,27 +21,27 @@ detection: falsepositives: - unknown level: low -tags: - - CSC16 - - CSC16.11 - - ISO27002-2013 A.9.1.1 - - ISO27002-2013 A.9.2.1 - - ISO27002-2013 A.9.2.2 - - ISO27002-2013 A.9.2.3 - - ISO27002-2013 A.9.2.4 - - ISO27002-2013 A.9.2.5 - - ISO27002-2013 A.9.2.6 - - ISO27002-2013 A.9.3.1 - - ISO27002-2013 A.9.4.1 - - ISO27002-2013 A.9.4.3 - - ISO27002-2013 A.11.2.8 - - PCI DSS 3.1 7.1 - - PCI DSS 3.1 7.2 - - PCI DSS 3.1 7.3 - - PCI DSS 3.1 8.7 - - PCI DSS 3.1 8.8 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.PT-3 +# tags: + # - CSC16 + # - CSC16.11 + # - ISO27002-2013 A.9.1.1 + # - ISO27002-2013 A.9.2.1 + # - ISO27002-2013 A.9.2.2 + # - ISO27002-2013 A.9.2.3 + # - ISO27002-2013 A.9.2.4 + # - ISO27002-2013 A.9.2.5 + # - ISO27002-2013 A.9.2.6 + # - ISO27002-2013 A.9.3.1 + # - ISO27002-2013 A.9.4.1 + # - ISO27002-2013 A.9.4.3 + # - ISO27002-2013 A.11.2.8 + # - PCI DSS 3.1 7.1 + # - PCI DSS 3.1 7.2 + # - PCI DSS 3.1 7.3 + # - PCI DSS 3.1 8.7 + # - PCI DSS 3.1 8.8 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.PT-3 diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index e307a025e..da9e53df9 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -10,13 +10,13 @@ date: 2021/02/01 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit + - https://nvd.nist.gov/vuln/detail/cve-2021-3156 falsepositives: - Unknown level: critical tags: - attack.privilege_escalation - attack.t1068 - - cve.2021-3156 logsource: product: linux service: auditd 
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8d1f16177..2fee4c8e0 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -13,7 +13,7 @@ level: medium tags: - attack.defense_evasion - attack.t1562.004 - - attack.t1089 + - attack.t1089 # an old one --- logsource: category: process_creation diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index bbd9d785d..84ab95b7f 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -18,7 +18,8 @@ level: critical tags: - attack.privilege_escalation - attack.t1068 - - attack.t1169 + - attack.t1169 # an old one + - attack.t1548.003 --- detection: selection_keywords: diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml new file mode 100644 index 000000000..52cae5548 --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -0,0 +1,37 @@ +title: Potential PetitPotam Attack Via EFS RPC Calls +id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a +description: | + Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. + The usage of this RPC function should be rare if ever used at all. + Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. + View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp + - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 + - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf + - https://threatpost.com/microsoft-petitpotam-poc/168163/ +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + operation|startswith: + - 'Efs' + - 'efs' + condition: efs_operation +falsepositives: + - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml new file mode 100644 index 000000000..adf326609 --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
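Review bot: The new rule has no `status:` field, whereas the other new rules in this change (`sql_injection_keywords.yml`, `xss_keywords.yml`, `win_event_log_cleared.yml`) declare `status: experimental`; add `status: experimental` for a rule dated 2021/08/17. The description also carries a stray closing `'` after `etc..`, "refereed to" should be "referred to", and "Logs from from the Source IP" doubles a word. Since Sigma string matching is case-insensitive by spec, the `'Efs'`/`'efs'` pair under `operation|startswith` collapses to one value; keeping just `'Efs'` avoids implying that case matters here.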
@@ -0,0 +1,44 @@ +title: Possible PrintNightmare Print Driver Install +id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8 +description: | + Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). + The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. +author: '@neu5ron (Nate Guagenti)' +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 + - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + - https://github.com/corelight/CVE-2021-1675 + - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml + - https://old.zeek.org/zeekweek2019/slides/bzar.pdf + - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1678 +tags: + - attack.execution +logsource: + product: zeek + service: dce_rpc +detection: + printer_operation: + operation: + - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + condition: printer_operation +falsepositives: + - Legitimate remote alteration of a printer driver. +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid +status: stable 
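Review bot: `status: stable` on a rule dated 2021/08/23 is inconsistent with the sibling rules added in this change, which all start as `experimental`; a detection that has not yet been exercised against production traffic should begin at `status: experimental` and be promoted later. The `status` line is also placed after `fields` at the very end of the file, while every other rule on this page puts it directly after `id`; moving it keeps the header layout uniform across the ruleset.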
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index dfa15acba..c4ee427d6 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -1,7 +1,7 @@ -title: First Time Seen Remote Named Pipe - Zeek +title: SMB Spoolss Name Piped Usage id: bae2865c-5565-470d-b505-9496c87d0c30 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. -author: OTR (Open Threat Research) +author: OTR (Open Threat Research), @neu5ron references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ @@ -10,14 +10,15 @@ tags: - attack.lateral_movement - attack.t1021.002 date: 2018/11/28 +modified: 2021/08/23 logsource: product: zeek service: smb_files detection: selection: - path: \\*\IPC$ + path|endswith: IPC$ name: spoolss condition: selection falsepositives: - - 'Domain Controllers acting as printer servers too? :)' -level: medium \ No newline at end of file + - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too +level: medium diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index a4e69cc5a..ed328eebf 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml 
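Review bot: The new title `SMB Spoolss Name Piped Usage` transposes the words; the rule detects use of the spoolss named pipe, so `title: SMB Spoolss Named Pipe Usage` matches the description. The rewritten false-positive entry reads awkwardly ("sometimes, commonly although should not be"); `Domain Controllers that also act as print servers (common, though not recommended)` states the same thing plainly.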
@@ -3,6 +3,7 @@ id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj date: 2021/06/23 +modified: 2021/08/24 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: @@ -13,7 +14,7 @@ logsource: service: x509 detection: selection: - certificate.serial: 8bb00ee + certificate.serial: 8BB00EE condition: selection fields: - san.dns diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml new file mode 100644 index 000000000..c6d112047 --- /dev/null +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
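Review bot: The serial changes from `8bb00ee` to `8BB00EE` with no comment, and because Sigma string matching is case-insensitive by spec the change only has an effect on a backend that compares case-sensitively. A short comment on the value, `# presumably the upper-case form is what Zeek writes to x509.log — confirm`, records why the upper-case spelling was chosen so the next edit does not revert it.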
@@ -0,0 +1,105 @@ +title: DNS Events Related To Mining Pools +id: bf74135c-18e8-4a72-a926-0e4f47888c19 +description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml +date: 2021/08/19 +modified: 2021/08/23 +author: Saw Winn Naung, Azure-Sentinel, @neu5ron +level: low +logsource: + service: dns + product: zeek +tags: + - attack.t1035 # an old one + - attack.t1569.002 + - attack.t1496 +detection: + selection: + query|endswith: + - "monerohash.com" + - "do-dear.com" + - "xmrminerpro.com" + - "secumine.net" + - "xmrpool.com" + - "minexmr.org" + - "hashanywhere.com" + - "xmrget.com" + - "mininglottery.eu" + - "minergate.com" + - "moriaxmr.com" + - "multipooler.com" + - "moneropools.com" + - "xmrpool.eu" + - "coolmining.club" + - "supportxmr.com" + - "minexmr.com" + - "hashvault.pro" + - "xmrpool.net" + - "crypto-pool.fr" + - "xmr.pt" + - "miner.rocks" + - "walpool.com" + - "herominers.com" + - "gntl.co.uk" + - "semipool.com" + - "coinfoundry.org" + - "cryptoknight.cc" + - "fairhash.org" + - "baikalmine.com" + - "tubepool.xyz" + - "fairpool.xyz" + - "asiapool.io" + - "coinpoolit.webhop.me" + - "nanopool.org" + - "moneropool.com" + - "miner.center" + - "prohash.net" + - "poolto.be" + - "cryptoescrow.eu" + - "monerominers.net" + - "cryptonotepool.org" + - "extrmepool.org" + - "webcoin.me" + - "kippo.eu" + - "hashinvest.ws" + - "monero.farm" + - "linux-repository-updates.com" + - "1gh.com" + - "dwarfpool.com" + - "hash-to-coins.com" + - "pool-proxy.com" + - "hashfor.cash" + - "fairpool.cloud" + - "litecoinpool.org" + - "mineshaft.ml" + - "abcxyz.stream" + - "moneropool.ru" + - "cryptonotepool.org.uk" + - "extremepool.org" + - "extremehash.com" + - "hashinvest.net" + - "unipool.pro" + - "crypto-pools.org" + - "monero.net" + - "backup-pool.com" + - "mooo.com" # Dynamic DNS, may want to exclude + - "freeyy.me" + - 
"cryptonight.net" + - "shscrypto.net" + exclude_answers: + answers: + - "127.0.0.1" + - "0.0.0.0" + exclude_rejected: + rejected: "true" + condition: selection and not (exclude_answers OR exclude_rejected) +falsepositives: + - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". +fields: + - id.orig_h + - id.resp_h + - query + - answers + - qtype_name + - rcode_name diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 85306e0ae..1690856f8 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml @@ -10,7 +10,8 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' tags: - - attack.t1094 + - attack.t1094 # an old one + - attack.t1095 - attack.t1043 - attack.command_and_control logsource: diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml new file mode 100644 index 000000000..e073a15ec --- /dev/null +++ b/rules/network/zeek/zeek_dns_torproxy.yml 
@@ -0,0 +1,51 @@ +title: DNS TOR Proxies +id: a8322756-015c-42e7-afb1-436e85ed3ff5 +description: Identifies IPs performing DNS lookups associated with common Tor proxies. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml +date: 2021/08/15 +author: Saw Winn Naung , Azure-Sentinel +level: medium +logsource: + service: dns + product: zeek +tags: + - attack.t1048 +detection: + selection: + query: + - "tor2web.org" + - "tor2web.com" + - "torlink.co" + - "onion.to" + - "onion.ink" + - "onion.cab" + - "onion.nu" + - "onion.link" + - "onion.it" + - "onion.city" + - "onion.direct" + - "onion.top" + - "onion.casa" + - "onion.plus" + - "onion.rip" + - "onion.dog" + - "tor2web.fi" + - "tor2web.blutmagie.de" + - "onion.sh" + - "onion.lu" + - "onion.pet" + - "t2w.pw" + - "tor2web.ae.org" + - "tor2web.io" + - "tor2web.xyz" + - "onion.lt" + - "s1.tor-gateways.de" + - "s2.tor-gateways.de" + - "s3.tor-gateways.de" + - "s4.tor-gateways.de" + - "s5.tor-gateways.de" + - "hiddenservice.net" + condition: selection +fields: + - clientip diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index f5e9be21b..c0b70992b 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -38,8 +38,8 @@ detection: #- x.x.x.x condition: not selection #and not approved_rdp fields: - - src_ip - - dst_ip + - id.orig_h + - id.resp_h falsepositives: - - none + - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. level: high diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml new file mode 100644 index 000000000..f3d8985ff --- /dev/null 
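Review bot: `query:` is an exact match, but tor2web gateways are reached through subdomains of these names (the proxied service name is prefixed to the gateway domain), so a lookup such as `<name>.onion.to` never equals `onion.to` and the rule misses the traffic it describes; use `query|endswith:` as the sibling zeek_dns_mining_pools.yml rule does, and consider a leading `.` on each value so an unrelated name that merely ends in `tor2web.org` does not match. `fields: - clientip` is not a Zeek dns.log column; the other Zeek rules on this page (and the rdp_public_listener hunk in this same change) use `id.orig_h` and `id.resp_h`, so `fields: [id.orig_h, id.resp_h, query, answers]` keeps the output consistent.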
+++ b/rules/web/sql_injection_keywords.yml @@ -0,0 +1,23 @@ +title: Detect Sql Injection By Keywords +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: experimental +description: Detects sql injection that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=select' + - '=union' + - '=concat' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website +level: high diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml new file mode 100644 index 000000000..06718546e --- /dev/null +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
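Review bot: The description limits the rule to GET requests, but the detection is a bare `keywords` list with no method constraint, so `=select`, `=union` and `=concat` are tested against every logged line; a selection such as `selection: cs-method: GET` with `condition: keywords and selection` makes the rule match what the description states. Those keywords also match ordinary parameter values (`?mode=select`), so `level: high` is hard to justify for an `experimental` keyword rule whose own false-positive list names user searches; `level: medium` until it has been tuned would be more honest, and the same applies to the xss_keywords.yml hunk further down (`=script`, `=onload`). `date: 2020/02/22` on a file first added here also looks carried over from elsewhere; verify it.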
@@ -0,0 +1,40 @@ +title: Arcadyan Router Exploitations +id: f0500377-bc70-425d-ac8c-e956cd906871 +status: experimental +description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. +references: + - https://nvd.nist.gov/vuln/detail/cve-2021-20090 + - https://nvd.nist.gov/vuln/detail/cve-2021-20091 + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + - https://www.tenable.com/security/research/tra-2021-13 + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +author: Bhabesh Raj +date: 2021/08/24 +modified: 2021/08/25 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + path_traversal: + c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal) + - '..%2f' + config_file_inj: + c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) + - '..%2f' + - 'apply_abstract.cgi' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: (path_traversal or config_file_inj) and noauth_list \ No newline at end of file diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index cb39d1fbe..b2fcd3e7e 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -9,6 +9,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 - https://github.com/LandGrey/CVE-2018-2894 + - https://nvd.nist.gov/vuln/detail/cve-2018-2894 logsource: category: webserver detection: 
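Review bot: `config_file_inj` requires both `..%2f` and `apply_abstract.cgi`, so every event it matches is already matched by `path_traversal` (`..%2f` alone); `(path_traversal or config_file_inj) and noauth_list` therefore reduces to `path_traversal and noauth_list`, and the chained CVE-2021-20091 case the comment describes is never distinguished. Either drop `config_file_inj` or give the chained case its own weight (a second rule, or a separate condition that raises the level). The file also ends without a trailing newline, which this same change fixes elsewhere (`\ No newline at end of file` removed in `zeek_dce_rpc_smb_spoolss_named_pipe.yml`).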
@@ -26,5 +27,4 @@ tags: - attack.t1190 - attack.initial_access - attack.persistence - - cve.2018-2894 - attack.t1505.003 diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index 14afc0d12..cb3545ad0 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -10,6 +10,7 @@ references: - https://isc.sans.edu/diary/26734 - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 + - https://nvd.nist.gov/vuln/detail/cve-2020-14882 logsource: category: webserver detection: @@ -28,4 +29,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-14882 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index 8fb1ae929..f7ac95ebb 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml @@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452 - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter + - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 logsource: category: webserver detection: @@ -34,4 +35,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-3452 diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml index 476408c22..df17a5de0 100644 --- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -7,6 +7,7 @@ date: 2021/01/20 references: - https://twitter.com/pyn3rd/status/1351696768065409026 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw + - https://nvd.nist.gov/vuln/detail/cve-2021-2109 logsource: category: webserver detection: 
@@ -26,4 +27,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2021-2109 diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 8a240ab40..9da58de5d 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 - https://twitter.com/wugeej/status/1369476795255320580 - https://paper.seebug.org/1495/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-21978 logsource: category: webserver detection: @@ -27,4 +28,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml index 672226f45..03012d37f 100644 --- a/rules/web/web_cve_2021_26814_wzuh_rce.yml +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml @@ -7,6 +7,7 @@ date: 2021/05/22 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py + - https://nvd.nist.gov/vuln/detail/cve-2021-21978 logsource: category: webserver detection: @@ -22,4 +23,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml index 931e23897..73316e52b 100644 --- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml +++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml 
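Review bot: The reference added to web_cve_2021_26814_wzuh_rce.yml points at the wrong CVE: `https://nvd.nist.gov/vuln/detail/cve-2021-21978` is the VMware View Planner entry used by the rule above it, while this rule (per its filename and the existing `cvename.cgi?name=2021-26814` reference) covers CVE-2021-26814. The removed tag `cve.2021-21978` carried the same copy-paste error, so the new line should read `- https://nvd.nist.gov/vuln/detail/cve-2021-26814` rather than propagate it.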
@@ -8,6 +8,7 @@ references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-28188 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ + - https://nvd.nist.gov/vuln/detail/cve-2020-28188 logsource: category: webserver detection: @@ -34,4 +35,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2020-28188 diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index 3c35f8162..b51f2b830 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/08/09 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 - attack.collection - attack.t1114 logsource: diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index b4ccdb5c3..2a2b89e4a 100644 --- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -33,5 +33,5 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml new file mode 100644 index 000000000..c5d1470f7 --- /dev/null +++ b/rules/web/xss_keywords.yml @@ -0,0 +1,24 @@ +title: Detect XSS Attempts By Keywords +id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 +status: experimental +description: Detects XSS that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2021/08/15 +logsource: + category: webserver +detection: + keywords: + - '=cookie' + - '=script' + - '=onload' + - '=onmouseover' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts,CSS Files and PNG files + - User searches in search boxes of the respective website +level: high 
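Review bot: The added `- https://nvd.nist.gov/vuln/detail/cve-2020-28188` duplicates the existing `- https://nvd.nist.gov/vuln/detail/CVE-2020-28188` two lines above, differing only in the case of `CVE`; drop the added line (or replace the old one) so the reference list carries a single NVD entry.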
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index 659c0e75f..fffa3a9ef 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -8,7 +8,8 @@ references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 tags: - attack.t1204 - - attack.t1193 + - attack.t1193 # an old one + - attack.t1566.001 - attack.execution - attack.initial_access logsource: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml new file mode 100644 index 000000000..92c9a2eac --- /dev/null +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -0,0 +1,26 @@ +title: Security Event Log Cleared +id: a122ac13-daf8-4175-83a2-72c387be339d +status: experimental +description: Checks for event id 1102 which indicates the security event log was cleared. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml +date: 2021/08/15 +author: Saw Winn Naung +level: medium +logsource: + service: security + product: windows +tags: + - attack.t1107 # an old one + - attack.t1070.001 +detection: + selection: + EventID: 1102 + condition: selection +fields: + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName +falsepositives: + - Legitimate administrative activity diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 62e123578..26866f88b 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml 
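Review bot: win_event_log_cleared.yml detects only `EventID: 1102` under `service: security`, and as far as I can tell the repository already carries an event-log-cleared rule for the builtin log source; check for overlap before adding a second rule with its own `id`, since two alerts for one event make tuning harder. If it stays, the description should say it covers the Security log specifically (the System log's 104 "log file was cleared" event is not included), for example `description: Detects event ID 1102, written when the Security event log is cleared.`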
@@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml index ce921b989..d36b0ea47 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 9b2fa1744..4fbbee51d 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-operational 
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml similarity index 100% rename from rules/windows/powershell/powershell_code_injection.yml rename to rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index 21868b8af..ea92afb40 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -5,11 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ + - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - - cve.2021-21551 + - attack.privilege_escalation detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 1b97f004c..397a66b13 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml 
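Review bot: Replacing `cve.2021-21551` with `attack.privilege_escalation` leaves a tactic tag with no technique, while the other rules on this page pair the tactic with an ID (`attack.privilege_escalation` with `attack.t1068` in the sudo CVE rule); add `- attack.t1068` (Exploitation for Privilege Escalation), which is what loading a vulnerable driver to elevate maps to. The same tactic-only tag is added in the win_cve_2021_1675_printspooler.yml file_event hunk further down.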
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 logsource: category: file_delete product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\' + Image|endswith: 'spoolsv.exe' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 0b4ba06e9..84390c481 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -9,11 +9,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26858 logsource: category: file_event product: windows diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_profile_create.yml rename to rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 60ee7dca1..9f426abdb 100644 
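Review bot: The collapsed `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` hard-codes the system drive, whereas the sibling image_load rule rewritten in this same change (`sysmon_spoolsv_dll_load.yml`) uses `'\Windows\System32\spool\drivers\x64\3\'` without a drive letter; dropping `C:` here keeps the two rules consistent and still matches hosts where Windows is not installed on C:. Because it is a `contains` match, nothing else about the selection changes.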
--- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,11 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - - cve.2021-1675 + - attack.privilege_escalation logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 47292ac6a..ea5cc8883 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,11 +9,11 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 + - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - - cve.2021-36934 - attack.credential_access - attack.t1552.001 detection: diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml index e2b9f0c1e..a7b44dbb1 100644 --- a/rules/windows/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml @@ -7,7 +7,7 @@ references: author: '@ScoubiMtl' tags: - attack.persistence - - command_and_control + - attack.command_and_control - attack.t1137 - attack.t1008 - attack.t1546 diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index e51c20cdd..38e94f804 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml 
@@ -4,27 +4,24 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 -modified: 2021/07/08 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 - - cve.2021-34527 logsource: category: image_load product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - ImageLoaded|contains: - - '\Windows\System32\spool\drivers\x64\3\' - ImageLoaded|endswith: - - '.dll' + Image|endswith: 'spoolsv.exe' + ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\' + ImageLoaded|endswith: '.dll' condition: selection falsepositives: - Loading of legitimate driver diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3d9cc3105..39960e1d2 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -16,7 +16,7 @@ references: - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 logsource: product: antivirus diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml new file mode 100644 index 000000000..003bdd72b --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml 
@@ -0,0 +1,29 @@ +title: Certificate Request Export to Exchange Webserver +id: b7bc7038-638b-4ffd-880c-292c692209ef +status: experimental +description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell +references: + - https://twitter.com/GossiTheDog/status/1429175908905127938 +author: Max Altgelt +date: 2021/08/23 +logsource: + service: msexchange-management + product: windows +detection: + export_command: + - 'New-ExchangeCertificate' + - ' -GenerateRequest' + - ' -BinaryEncoded' + - ' -RequestFile' + export_params: + - '\\\\localhost\\C$' + - '\\\\127.0.0.1\\C$' + - 'C:\\inetpub' + - '.aspx' + condition: all of export_command and export_params +falsepositives: + - unlikely +level: critical +tags: + - attack.persistence + - attack.t1505.003 diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml new file mode 100644 index 000000000..9d444f88b --- /dev/null +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml @@ -0,0 +1,26 @@ +title: EfsPotato Named Pipe +id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 +status: experimental +description: Detects the pattern of a pipe name as used by the tool EfsPotato +references: + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato +date: 2021/08/23 +author: Florian Roth +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' +detection: + selection: + PipeName|contains: + - '\pipe\' + - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) + condition: selection +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +falsepositives: + - Unknown +level: critical 
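Review bot: `condition: all of export_command and export_params` is easy to misread: `all of` binds only to `export_command`, so the expression is `(all of export_command) and export_params`, meaning all four command fragments must co-occur while any one of the paths suffices. If that is the intent, state it in a comment, e.g. `# all four command tokens must appear in one log entry, plus at least one suspicious path/suffix`; if the intent was that any fragment of the command line counts, the `all of` should be dropped. The doubled backslashes in `'\\\\localhost\\C$'` and `'C:\\inetpub'` follow the Sigma escaping convention, but a one-line comment noting that they decode to single-backslash paths would save the next reader the lookup.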
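Review bot: In the EfsPotato rule the first list value `'\pipe\'` under `PipeName|contains` subsumes the second, and because list values are ORed the rule as committed fires on practically every named-pipe creation Sysmon logs, at level critical. The inline comment already acknowledges that only the specific value should be used, so ship the rule with only `- '\pipe\srvsvc'` and keep the broad value, if at all, as a commented-out alternative with the rationale. A `level: critical` rule that matches on a generic substring will be disabled by most consumers on the first day, which defeats the purpose of publishing it.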
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3976c19fb..054cd341e 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index 5cd1d3add..246803a01 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index a9e742a2d..3430cdd73 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index 8a0fa3a33..cc7de5f47 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index aa74974e9..f7ed287ec 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_adrecon_execution.yml index f041ac685..af2ba36ae 100644 --- a/rules/windows/powershell/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_adrecon_execution.yml @@ -14,7 +14,7 @@ date: 2021/07/16 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index d482a22b3..d19a88eac 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 0479fcd14..64bc41c2b 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -12,11 +12,11 @@ modified: 2020/10/09 tags: - attack.execution - attack.t1059.001 - - attack.t1086 + - attack.t1086 # an old one logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 detection: selection_4104: EventID: 4104 diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index e937037d6..430e93052 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index 6fd05f5cb..29961866c 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -17,7 +17,7 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index ada73d64b..72ba0304a 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml 
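Review bot: The new `definition` text carries grammar and spacing slips, `Script block logging must be enabled for 4104 , Module Logging must be enable for 4103`; write `definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103`. The same `enable`/`enabled` or comma-spacing slip recurs in the hunks for powershell_invoke_nightmare, powershell_invoke_obfuscation_var+ (missing space after the comma), powershell_invoke_obfuscation_via_stdin, powershell_malicious_commandlets, powershell_powercat, powershell_powerview_malicious_commandlets, powershell_remote_powershell_session ("fields have to be extract from event"), powershell_shellintel_malicious_commandlets and powershell_suspicious_getprocess_lsass. The powershell_clear_powershell_history hunk on this same line reorders the sentence as `4104 Script block logging must be enabled , 4103 Module Logging …`, so settling on one canonical wording for the whole set would make the definitions greppable.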
@@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index bdef59f86..19028f6a8 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/powershell_detect_vm_env.yml similarity index 100% rename from rules/windows/powershell/poweshell_detect_vm_env.yml rename to rules/windows/powershell/powershell_detect_vm_env.yml diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index 63a590f30..bfe388a4c 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 26282f89e..542c432c5 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml 
@@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index c6e83568c..a9d9036af 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 9d7443edb..64e93f5a8 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 8438323a1..45c57fa3b 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index dd5771b8b..9b030a97d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index f1969a380..a8b5d3432 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 61e5ee7ec..f84762624 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 8fde7bb9d..165d13d29 100644 
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index e26c5a29f..e47cf4f44 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 5b638d941..330912c96 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5adbdedcc..30749fc4e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 07f71af31..ceaab3492 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index cc5e50e6c..445355bc7 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index f1d98861d..60a0fe2bb 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index ad4609d8d..34c4ccb08 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -10,13 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2020/10/11 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_Malicious: EventID: 4104 ScriptBlockText|contains: - "Invoke-DllInjection" @@ -115,10 +115,8 @@ detection: - "Invoke-Mimikittenz" - "Invoke-AllChecks" false_positives: - EventID: 4104 - ScriptBlockText|contains: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - condition: keywords and not false_positives + ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + condition: select_Malicious and not false_positives falsepositives: - Penetration testing level: high diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 03858d395..071f37257 100644 
--- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -10,33 +10,36 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: - keywords: - - "AdjustTokenPrivileges" - - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" - - "Microsoft.Win32.UnsafeNativeMethods" - - "ReadProcessMemory.Invoke" - - "SE_PRIVILEGE_ENABLED" - - "LSA_UNICODE_STRING" - - "MiniDumpWriteDump" - - "PAGE_EXECUTE_READ" - - "SECURITY_DELEGATION" - - "TOKEN_ADJUST_PRIVILEGES" - - "TOKEN_ALL_ACCESS" - - "TOKEN_ASSIGN_PRIMARY" - - "TOKEN_DUPLICATE" - - "TOKEN_ELEVATION" - - "TOKEN_IMPERSONATE" - - "TOKEN_INFORMATION_CLASS" - - "TOKEN_PRIVILEGES" - - "TOKEN_QUERY" - - "Metasploit" - - "Mimikatz" - condition: keywords + Malicious: + EventID: 4104 + ScriptBlockText|contains: + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" + condition: Malicious falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index e8a9ef6c1..90b3e7a76 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml 
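Review bot: The detection is rewritten to `EventID: 4104` plus `ScriptBlockText|contains`, but the unchanged context line above it still reads `definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 …'`, a recommendation, while the rule now matches only script-block events; change it to `definition: Script block logging must be enabled` as the other hunks in this commit do. Restricting to 4104 also means these API names no longer match other PowerShell events the old free keyword form would have covered (e.g. 4103 module logging); if that narrowing is deliberate, a short comment next to the selection saying so would help reviewers. The selection name `Malicious` is capitalised, unlike `selection`/`keywords` used elsewhere in this tree; `malicious` or `selection` would be consistent.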
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/07/21 +modified: 2021/08/21 references: - https://github.com/samratashok/nishang tags: @@ -14,10 +14,11 @@ author: Alec Costello logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 + definition: Script block logging must be enabled detection: - keywords: - Payload|contains: + Nishang: + EventID: 4104 + ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions - DNS_TXT_Pwnage @@ -89,7 +90,7 @@ detection: - NotAllNameSpaces - exfill - FakeDC - condition: keywords + condition: Nishang falsepositives: - Penetration testing level: high diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 9ee13a9fa..0d38b0d77 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -13,18 +13,22 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2020/08/24 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: - keyword1: - - "set-content" - - "add-content" - keyword2: - - "-stream" - condition: keyword1 and keyword2 + event: + EventID: 4104 + content: + ScriptBlockText|contains: + - "set-content" + - "add-content" + stream: + ScriptBlockText|contains: + - "-stream" + condition: all of them falsepositives: - unknown level: high 
diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index 553a8059a..c4c5cb0cf 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -31,6 +31,7 @@ detection: logsource: product: windows service: powershell + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml index b98fbb4cb..1b2b74546 100644 --- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml @@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa status: experimental description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. date: 2021/05/18 -modified: 2021/07/02 +modified: 2021/08/21 references: - https://powersploit.readthedocs.io/en/stable/Recon/README - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon @@ -16,11 +16,11 @@ author: Bhabesh Raj logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Export-PowerViewCSV - Get-IPAddress - Resolve-IPAddress diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 8ef73b448..b3d5e7133 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml 
@@ -16,13 +16,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 - keyword: ScriptBlockText|contains: 'PromptForCredential' - condition: all of them -falsepositives: + condition: selection +falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 0b3d41679..8e178cb4e 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -10,16 +10,16 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: selection: - EventID: 4103 - keyword: - - 'PS ATTACK!!!' - condition: all of them + EventID: 4104 + ScriptBlockText|contains: 'PS ATTACK!!!' + condition: selection falsepositives: - Pentesters level: high diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 3e345947a..e8e29b1a3 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -11,10 +11,10 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one falsepositives: - Legitimate use remote PowerShell sessions level: high 
@@ -22,6 +22,7 @@ level: high logsource: product: windows service: powershell + definition: Module Logging must be enable and fields have to be extract from event detection: selection: EventID: 4103 @@ -38,4 +39,4 @@ detection: EventID: 400 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' - condition: selection \ No newline at end of file + condition: selection diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index 5b6304efd..d0d732e13 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -9,7 +9,8 @@ date: 2020/06/29 modified: 2021/08/18 tags: - attack.execution - - attack.t1086 + - attack.t1086 # an old one + - attack.t1059.001 logsource: product: windows service: powershell-classic @@ -25,4 +26,4 @@ detection: condition: selection and not filter falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca2..45ea29091 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -17,7 +17,7 @@ modified: 2020/12/01 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml index e65c3c23b..62dfb25f8 100644 --- a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml 
@@ -3,6 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. date: 2021/08/09 +modified: 2021/08/21 references: - https://github.com/Shellntel/scripts/ tags: @@ -12,11 +13,11 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks - Out-Minidump diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6a621346a..b39cf109e 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -14,12 +14,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + PfxCertificate: EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" - condition: keywords + condition: PfxCertificate falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index c08f0ca50..eccd3337d 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
@@ -13,12 +13,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_LSASS: EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' - condition: keywords + condition: select_LSASS falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 39da524b4..7ae574e14 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -11,6 +11,7 @@ date: 2017/03/05 logsource: product: windows service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 991dfc3cd..356730482 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: keywords: - "System.Reflection.Assembly.Load($" diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 13210d4ad..18b6b4600 100644 
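Review bot: The `falsepositives` entry of the Get-Process lsass rule still reads `Legitimate certificate exports invoked by administrators or users`, which appears to have been copied from the Export-PfxCertificate rule and does not describe this detection. Since the hunk already renames the selection to `select_LSASS`, this is a good moment to replace it with something that fits the rule, e.g. `- Legitimate administrative or monitoring scripts that enumerate the lsass process`. The `definition` rewrite in this hunk also carries the `must be enable` wording noted on the earlier hunk.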
--- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: EnableScriptBlockLogging must be set to enable + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index c040e3a50..941ef606c 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml index 78368cdf0..a46b1d1b6 100644 --- a/rules/windows/powershell/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml new file mode 100644 index 000000000..3cf7777d5 --- /dev/null +++ b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml 
@@ -0,0 +1,23 @@ +title: Powershell Suspicious Win32_PnPEntity +id: b26647de-4feb-4283-af6b-6117661283c5 +status: experimental +author: frack113 +date: 2021/08/23 +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md +tags: + - attack.discovery + - attack.t1120 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection: + EventID: 4104 + ScriptBlockText|contains: Win32_PnPEntity + condition: selection +falsepositives: + - admin script +level: low \ No newline at end of file diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 026d82402..d15724be1 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml new file mode 100644 index 000000000..514bf4537 --- /dev/null +++ b/rules/windows/powershell/powershell_wmi_persistence.yml 
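Review bot: The new Win32_PnPEntity rule sets `definition: EnableScriptBlockLogging must be set to enable`, which is exactly the wording this same commit replaces with `Script block logging must be enabled` in powershell_suspicious_mail_acces.yml. Use the normalised text here too, `definition: Script block logging must be enabled`; the new WMI persistence rule in the next hunk has the same pre-normalisation wording. The file also lacks a trailing newline, which the other touched rules are being fixed for in this commit.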
@@ -0,0 +1,34 @@ +title: Powershell WMI Persistence +id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 +status: experimental +author: frack113 +date: 2021/08/19 +description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md + - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 +tags: + - attack.privilege_escalation + - attack.t1546.003 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_ioc: + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName __EventFilter ' + - '-Property ' #is a variable name + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName CommandLineEventConsumer ' + - '-Property ' #is a variable name + condition: all of them +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index 8ff61cde2..ec0915ffa 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -14,7 +14,7 @@ date: 2020/03/26 logsource: product: windows service: powershell - definition: "Script block logging must be enabled" + definition: Script block logging must be enabled detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml index c433c22d6..cf5b00e42 100755 --- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml 
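Review bot: The new WMI persistence rule tags only `attack.privilege_escalation`, while its own description says adversaries "may establish persistence and elevate privileges" and the referenced technique T1546.003 is an Event Triggered Execution sub-technique, which ATT&CK lists under both tactics. Add `- attack.persistence` alongside the existing tag so the rule is found under the tactic its title names. The `definition` line uses the `EnableScriptBlockLogging must be set to enable` wording that this commit is otherwise replacing with `Script block logging must be enabled`.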
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml @@ -19,12 +19,12 @@ tags: - attack.credential_access - attack.execution - attack.t1003.001 - - attack.t1003 #an old one + - attack.t1003 # an old one - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one - attack.s0002 falsepositives: - low diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index 420288963..b0102bf58 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml @@ -8,11 +8,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml index b1c081801..be14932ea 100644 --- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml @@ -7,8 +7,8 @@ references: tags: - attack.execution - attack.t1059.001 - - sunburst - - unc2452 + # - sunburst + # - unc2452 author: Florian Roth date: 2021/01/22 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml index 89de914d9..5575f09f4 100644 --- a/rules/windows/process_creation/win_apt_unc2452_ps.yml +++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml 
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1059.001 - attack.t1047 - - sunburst + # - sunburst author: Florian Roth date: 2021/01/20 modified: 2021/01/22 diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 4b9294d8c..bce196ae3 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -9,7 +9,7 @@ references: - https://www.cobaltstrike.com/help-opsec tags: - attack.defense_evasion - - attack.t1085 # legacy + - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml index 2fda0365b..c67033c10 100644 --- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -10,7 +10,8 @@ references: - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter tags: - attack.credential_access - - attack.t1174 + - attack.t1174 # an old one + - attack.t1556.002 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index c603644ea..447057246 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml @@ -10,7 +10,8 @@ modified: 2021/06/11 tags: - attack.defense_evasion - attack.execution - - attack.t1085 + - attack.t1085 # an old one + - attack.t1218.011 logsource: product: windows category: process_creation 
@@ -26,4 +27,4 @@ falsepositives: - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 05ee03d58..7b146ad29 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -6,8 +6,10 @@ references: status: experimental tags: - attack.persistence - - attack.t1031 - - attack.t1058 + - attack.t1031 # an old one + - attack.t1543.003 + - attack.t1058 # an old one + - attack.t1574.011 author: Sreeman date: 2020/09/29 modified: 2021/08/10 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index cf43685fc..fbb81445b 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1204 # an old one - attack.t1204.002 - - FIN7 + - attack.g0046 - car.2013-05-002 author: Jason Lynch date: 2019/04/02 diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 39ac4e712..6ebbdd452 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml 
@@ -5,6 +5,7 @@ status: experimental references: - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md author: juju4 date: 2019/01/16 modified: 2020/09/01 diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_reversed_strings.yml rename to rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_special_characters.yml rename to rules/windows/process_creation/win_powershell_cmdline_special_characters.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml rename to rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index ebfb84ed8..4d5072552 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml 
@@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # legacy + - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index b044d26ee..06cee06aa 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml @@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index b062debd0..50de18b03 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -9,7 +9,7 @@ tags: - attack.defense_evasion - attack.t1036 # an old one - attack.t1036.003 - - FIN7 + - attack.g0046 - car.2013-05-009 date: 2019/04/17 modified: 2020/09/06 diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 328318d1c..715dfc753 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,8 @@ date: 2020/18/02 modified: 2021/06/11 author: Sreeman tags: - - attack.t1015 + - attack.t1015 # an old one + - attack.t1546.008 - attack.privilege_escalation logsource: product: windows 
@@ -24,4 +25,4 @@ fields: - ParentProcess falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml index 20eaa79ea..3ee753935 100644 --- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml @@ -3,12 +3,12 @@ id: 56321594-9087-49d9-bf10-524fe8479452 description: Detects persitence via netsh helper status: test references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md + - https://attack.mitre.org/software/S0108/ tags: - - attack.persistence + - attack.privilege_escalation - attack.t1546.007 - attack.s0108 - - attack.t1128 # an old one date: 2019/10/25 modified: 2020/08/30 author: Victor Sergeev, oscd.community diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index b58535be5..70b6b93f1 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -56,4 +56,4 @@ detection: condition: all of them falsepositives: - Other scripts -level: medium +level: high diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml new file mode 100644 index 000000000..6f1b91d87 --- /dev/null +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml 
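Review bot: In the netsh helper hunk `attack.persistence` is replaced by `attack.privilege_escalation`, which drops the tactic the rule's own title and description ("Detects persitence via netsh helper") are about; T1546.007 is listed under both tactics, so the privilege-escalation tag should be added rather than substituted, keeping `- attack.persistence` as well. The context line `description: Detects persitence via netsh helper` also has a typo ("persistence"). In the following hunk the PowerShell parent-process rule's level is raised from medium to high without a `modified:` date update, which the other rules in this commit do maintain.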
@@ -0,0 +1,25 @@ +title: Suspicious RazerInstaller Explorer Subprocess +id: a4eaf250-7dc1-4842-862a-5e71cd59a167 +status: experimental +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM +references: + - https://twitter.com/j0nh4t/status/1429049506021138437 + - https://streamable.com/q2dsji +author: Florian Roth, Maxime Thiebaut +date: 2021/08/23 +modified: 2021/08/24 +tags: + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\RazerInstaller.exe' + IntegrityLevel: 'System' + filter: + Image|startswith: 'C:\Windows\Installer\Razer\Installer\' + condition: selection and not filter +falsepositives: + - User selecting a different installation folder (check for other sub processes of this explorer.exe process) +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_screensaver_reg.yml b/rules/windows/process_creation/win_susp_screensaver_reg.yml new file mode 100644 index 000000000..5d49d1c87 --- /dev/null +++ b/rules/windows/process_creation/win_susp_screensaver_reg.yml 
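Review bot: The title and description of the new RazerInstaller rule speak of an `explorer.exe` sub process, but `selection` only constrains `ParentImage` and `IntegrityLevel`, so any child of RazerInstaller.exe running as System that is not under the Razer installer path will match. If explorer.exe is the intended scope, add `Image|endswith: '\explorer.exe'` to `selection`; if the broader "any unexpected child" scope is intended (which is arguably the stronger detection), reword the title and description to say so, since the falsepositives entry currently reasons only about the explorer.exe case.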
@@ -0,0 +1,52 @@ +title: Suspicious ScreenSave Change by Reg.exe +id: 0fc35fc3-efe6-4898-8a37-0b233339524f +status: experimental +author: frack113 +date: 2021/08/19 +description: | + Adversaries may establish persistence by executing malicious content triggered by user inactivity. + Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md + - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +tags: + - attack.privilege_escalation + - attack.t1546.002 +logsource: + category: process_creation + product: windows +detection: + selection_reg: + Image|endswith: reg.exe + CommandLine|contains: + - 'HKEY_CURRENT_USER\Control Panel\Desktop' + - 'HKCU\Control Panel\Desktop' + selection_option_1: # /force Active ScreenSaveActive + CommandLine|contains|all: + - '/v ScreenSaveActive' + - '/t REG_SZ' + - '/d 1' + - '/f' + selection_option_2: # /force set ScreenSaveTimeout + CommandLine|contains|all: + - '/v ScreenSaveTimeout' + - '/t REG_SZ' + - '/d ' + - '/f' + selection_option_3: # /force set ScreenSaverIsSecure + CommandLine|contains|all: + - '/v ScreenSaverIsSecure' + - '/t REG_SZ' + - '/d 0' + - '/f' + selection_option_4: # /force set a .scr + CommandLine|contains|all: + - '/v SCRNSAVE.EXE' + - '/t REG_SZ' + - '/d ' + - '.scr' + - '/f' + condition: selection_reg and 1 of selection_option_* +falsepositives: + - GPO +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 78f543acc..4056fcdb7 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml 
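Review bot: `Image|endswith: reg.exe` in `selection_reg` has no leading path separator, so any image whose name merely ends in "reg.exe" satisfies it; the other new rules in this commit use the `'\name.exe'` form (`'\RazerInstaller.exe'`, `'\splwow64.exe'`), and this one should read `Image|endswith: '\reg.exe'`. The title `Suspicious ScreenSave Change by Reg.exe` looks like it should be "ScreenSaver". The file also lacks a trailing newline.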
@@ -6,14 +6,14 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 - - cve.2021-35211 - - threat_group.DEV-0322 + # - threat_group.DEV-0322 detection: selection1: CommandLine|contains: 'whoami' diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 097a6ae6e..90b50893a 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml @@ -6,11 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - - cve.2021-35211 + - attack.credential_access detection: selection: ParentImage|endswith: '\Serv-U.exe' diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml index 198851a13..11c66ddbc 100644 --- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -6,7 +6,8 @@ author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2021/06/27 tags: - - attack.t1100 + - attack.t1100 # an old one + - attack.t1505.003 - attack.t1190 - attack.initial_access - attack.persistence diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml new file mode 100644 index 000000000..38c4a4da3 --- /dev/null 
+++ b/rules/windows/process_creation/win_susp_splwow64.yml @@ -0,0 +1,20 @@ +title: Suspicious Splwow64 Without Params +id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2 +status: experimental +description: Detects suspicious Splwow64.exe process without any command line parameters +references: + - https://twitter.com/sbousseaden/status/1429401053229891590?s=12 +author: Florian Roth +date: 2021/08/23 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\splwow64.exe' + filter: + CommandLine|endswith: 'splwow64.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2ede1d708..34447d116 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml @@ -9,7 +9,8 @@ date: 2019/10/23 modified: 2019/11/07 tags: - attack.persistence - - attack.t1122 + - attack.t1122 # an old one + - attack.t1546.015 logsource: category: registry_event product: windows diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 542bd527b..ad3f790db 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -4,10 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - - cve.2021-1675 + - attack.privilege_escalation logsource: category: registry_event product: windows 
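Review bot: The `filter` in the new splwow64 rule only excludes a command line that ends in `splwow64.exe`, so an invocation whose image path is quoted (ending in `splwow64.exe"`) would fall through the filter and be raised as "without params" even though it carries no arguments either. If quoted command lines occur in the telemetry you expect this rule to run on, widen the filter to a list, `CommandLine|endswith:` followed by `- 'splwow64.exe'` and `- 'splwow64.exe"'`. The rule also has no `modified:` field, which is fine for a new file, but note the description says "a explorer.exe"-style grammar nowhere here; it reads cleanly.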
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 2c6ae5ca2..b1ce684ac 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -28,7 +28,7 @@ tags: - attack.persistence - attack.t1060 # an old one - attack.t1547.001 - - capec.270 + # - capec.270 fields: - Image - ParentImage diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 44c2e9435..db8f4a1fd 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 date: 2021/07/04 modified: 2021/07/28 logsource: @@ -37,4 +37,4 @@ detection: condition: selection or selection_alt or (selection_print and selection_kiwi) falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index f2ec067cb..eea60e94b 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -9,13 +9,13 @@ modified: 2021/08/06 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ + - https://nvd.nist.gov/vuln/detail/cve-2021-33771 + - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 - - cve.2021-33771 - - cve.2021-31979 - - threat_group.Sourgum + # - threat_group.Sourgum falsepositives: - Unlikely level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index d34bd8497..4c01de39c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -72,6 +72,27 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + + def test_optional_tags(self): + files_with_incorrect_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag.startswith("attack."): + continue + elif tag.startswith("car."): + continue + elif tag.startswith("cve."): + print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) + files_with_incorrect_tags.append(file) + else: + print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + files_with_incorrect_tags.append(file) + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index 51e08af6e..de769059c 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml 
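Review bot: The diagnostic in the `cve.` branch of `test_optional_tags`, `"Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)"`, does not tell the rule author what to do; something like `"Rule {} uses the tag <{}>; put CVE identifiers in the references list as an NVD link (https://nvd.nist.gov/) instead of in tags"` matches what the rest of this commit does to the rules. The two `continue` branches can be collapsed into one test using a tuple, `if tag.startswith(("attack.", "car.")): continue`, which keeps the `cve.` and unknown-tag cases as the only reported ones. Note that everything under `attack.` passes here, so validation of the technique ids themselves presumably stays in `test_confirm_correct_mitre_tags`, whose body is outside the hunk.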
@@ -5,3 +5,28 @@ ThreatManagement: category: ThreatManagement conditions: eventSource: SecurityComplianceCenter +AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter +CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter +DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter +ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter +SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 08d29b4ba..469c06480 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -277,9 +277,10 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateSubexpressionNode(self, node): generated = self.generateNode(node.items) - if len(node.items) == 1: - # A sub expression with length 1 is not a proper sub expression, no self.subExpression required - return generated + if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated if generated: return self.subExpression % generated else: diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index cd0b86474..b31fba2b8 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
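Review bot: In the `generateSubexpressionNode` hunk of base.py, `if 'len'in dir(node.items):` does not test what the comment says: `dir()` of a list (or any sized object) contains `__len__`, never `len`, so the condition is false for every list and the single-item shortcut that the original code applied is now silently never taken. The guard that expresses the intent and still avoids the `TypeError` on a `NodeSubexpression` is `if hasattr(node.items, '__len__') and len(node.items) == 1:` (or `isinstance(node.items, (list, tuple))`), and the spacing `'len'in` should be `'len' in` regardless. The remaining `else:` branch of the method lies outside the hunk.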
@@ -21,7 +21,6 @@ import sigma from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT from sigma.parser.exceptions import SigmaParseError - class SQLBackend(SingleTextQueryBackend): """Converts Sigma rule into SQL query""" identifier = "sql" @@ -45,23 +44,30 @@ class SQLBackend(SingleTextQueryBackend): mapLength = "(%s %s)" options = SingleTextQueryBackend.options + ( - ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ("table", "eventlog", "Use this option to specify table name.", None), + ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), + ("selection", False, "Use this option to enable fields selection from Sigma rules.", None), ) + selection_enabled = False def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) + if "table" in options: self.table = options["table"] else: self.table = "eventlog" - if "select" in options: + if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: self.select_fields = list() + if "selection" in options: + self.selection_enabled = True + def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] 
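Review bot: In the `SQLBackend.__init__` hunk, `if "selection" in options:` is a presence check while the line just above it deliberately tests the value (`if "select" in options and options["select"]`); if the options dict is populated with the declared default of `False` for `selection`, this would set `self.selection_enabled = True` unconditionally, so it should be `if options.get("selection"):` to be consistent. The `else: self.table = "eventlog"` fallback is now redundant with the `"eventlog"` default declared in the option tuple, though harmless. The first hunk removes one of the two blank lines before `class SQLBackend`, which goes against PEP 8's two blank lines around top-level definitions; the same removal happens in sqlite.py later in this diff.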
@@ -141,6 +147,53 @@ class SQLBackend(SingleTextQueryBackend): """ return fieldname + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + fields = list() + + # First add fields specified in the rule + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + if type(mapped) == str: + fields.append(mapped) + elif type(mapped) == list: + fields.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + except KeyError: # no 'fields' attribute + pass + + # Then add fields specified in the backend configuration + fields.extend(self.select_fields) + + # In case select is specified in backend option, we want to enable selection + if len(self.select_fields) > 0: + self.selection_enabled = True + + # Finally, in case fields is empty, add the default value + if not fields: + fields = list("*") + + for parsed in sigmaparser.condparsed: + if self.selection_enabled: + query = self._generateQueryWithFields(parsed, fields) + else: + query = self.generateQuery(parsed) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + def cleanValue(self, val): if not isinstance(val, str): return str(val) 
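Review bot: The `try`/`except KeyError: pass` around the whole field loop in `generate` does more than tolerate a missing `fields` key: a KeyError raised inside `get_fieldmapping` or `resolve_fieldname` for an unknown field is swallowed too, and the rule silently falls back to the default selection. Iterating `for field in sigmaparser.parsedyaml.get("fields", []):` without the try block keeps the no-`fields` case and lets real mapping errors surface. The `type(mapped) == str` / `type(mapped) == list` tests should be `isinstance` checks so subclasses map correctly, and `list("*")` reads more clearly as `["*"]`. Note also that `self.selection_enabled = True` persists on the instance, so once any rule or the `select` option enables it, later rules converted by the same backend object use field selection as well — presumably intended, but worth a comment on that line.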
@@ -190,15 +243,24 @@ class SQLBackend(SingleTextQueryBackend): return temp_table, agg_condition raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans)) - + def generateQuery(self, parsed): + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") - result = self.generateNode(parsed.parsedSearch) - select = "*" - if self.select_fields: - select = ", ".join(self.select_fields) + def _generateQueryWithFields(self, parsed, fields): + """ + Return a SQL query with fields specified. + """ + + result = self.generateNode(parsed.parsedSearch) + + self.checkFTS(parsed, result) + + select = ", ".join(fields) if parsed.parsedAgg: #Handle aggregation diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py index 8eec13ea7..1f7e4e7ec 100644 --- a/tools/sigma/backends/sqlite.py +++ b/tools/sigma/backends/sqlite.py @@ -18,7 +18,6 @@ from sigma.backends.sql import SQLBackend from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT import re - class SQLiteBackend(SQLBackend): """Converts Sigma rule into SQL query for SQLite""" identifier = "sqlite" @@ -26,6 +25,8 @@ class SQLiteBackend(SQLBackend): mapFullTextSearch = "%s MATCH ('\"%s\"')" + countFTS = 0 + def __init__(self, sigmaconfig, table): super().__init__(sigmaconfig, table) self.mappingItem = False 
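Review bot: `_generateQueryWithFields` joins `fields` straight into the SELECT list with `select = ", ".join(fields)`; per `generate`, those names come from the rule's `fields:` list and the `select` backend option, so a field name that is not a plain identifier (spaces, quotes, a trailing comment marker) ends up verbatim in the emitted SQL. Because rule files are frequently shared and converted in bulk, each entry should be validated before joining, e.g. `bad = [f for f in fields if f != "*" and not re.fullmatch(r"[A-Za-z_][\w.]*", f)]` followed by `raise SigmaParseError("unsupported field name(s): %s" % ", ".join(bad))` when `bad` is non-empty (`SigmaParseError` is already imported in sql.py; `re` may need importing). The new `checkFTS` in SQLBackend accepts `result` without using it and has no docstring; a one-liner stating that subclasses may use `result` for diagnostics and that the hook must run after `generateNode` (SQLite counts matches during node generation) would make its contract clear. The rest of `_generateQueryWithFields`, including the aggregation branch, continues outside the hunk.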
@@ -108,16 +109,10 @@ class SQLiteBackend(SQLBackend): return self.generateFTS(self.cleanValue(str(node))) def generateQuery(self, parsed): - self.countFTS = 0 - result = self.generateNode(parsed.parsedSearch) + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self.countFTS > 1: raise NotImplementedError( "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result)) self.countFTS = 0 - - if parsed.parsedAgg: - # Handle aggregation - fro, whe = self.generateAggregation(parsed.parsedAgg, result) - return "SELECT * FROM {} WHERE {}".format(fro, whe) - - return "SELECT * FROM {} WHERE {}".format(self.table, result) diff --git a/tools/sigma/sigma2attack.py b/tools/sigma/sigma2attack.py index 165d077fc..2f6ceafca 100755 --- a/tools/sigma/sigma2attack.py +++ b/tools/sigma/sigma2attack.py @@ -8,6 +8,7 @@ import sys import yaml + def main(): parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from") 
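Review bot: The new `checkFTS` in SQLiteBackend resets `self.countFTS` only after the `> 1` test, so when it raises NotImplementedError the counter stays above one and, if the caller carries on with the next rule (as sigmac appears to do for backend errors — to be confirmed), every following rule converted by the same instance fails the same check. The old `generateQuery` zeroed the counter at entry, which this hunk removes; the class-level `countFTS = 0` added in the previous hunk does not restore that per-call reset. Capturing and clearing first keeps the check correct: `count, self.countFTS = self.countFTS, 0` then `if count > 1: raise NotImplementedError(...)` with `count` in the message. Counting happens in `generateNode`, which `_generateQueryWithFields` calls before `checkFTS`, outside this hunk.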
@@ -20,24 +21,25 @@ def main(): curr_max_technique_count = 0 num_rules_used = 0 for rule_file in rule_files: - try: - rule = yaml.safe_load(open(rule_file, encoding="utf-8").read()) - except yaml.YAMLError: - sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n") - continue - if "tags" not in rule: - sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") - continue - tags = rule["tags"] - for tag in tags: - if tag.lower().startswith("attack.t"): - technique_id = tag[len("attack."):].upper() - num_rules_used += 1 - if technique_id not in techniques_to_rules: - techniques_to_rules[technique_id] = [] - techniques_to_rules[technique_id].append(os.path.basename(rule_file)) - curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) - + with open(rule_file,encoding='utf-8') as f: + docs = yaml.load_all(f, Loader=yaml.FullLoader) + double = False + for rule in docs: + if "tags" not in rule : + if double == False : # Only 1 warning + sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") + double = True # action globle no tag + continue + tags = rule["tags"] + double = True + for tag in tags: + if tag.lower().startswith("attack.t"): + technique_id = tag[len("attack."):].upper() + num_rules_used += 1 + if technique_id not in techniques_to_rules: + techniques_to_rules[technique_id] = [] + techniques_to_rules[technique_id].append(os.path.basename(rule_file)) + curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) scores = [] for technique in techniques_to_rules:
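Review bot: Replacing `yaml.safe_load` with `yaml.load_all(f, Loader=yaml.FullLoader)` widens the loader: FullLoader can instantiate Python objects and older PyYAML releases had arbitrary-code-execution issues with it, while the rule files here are input from a shared repository; `docs = yaml.safe_load_all(f)` gives the same multi-document iteration with the safe loader. The `except yaml.YAMLError` path was also dropped, so one malformed file now aborts the whole scan instead of being skipped with the "parsing failed" message — wrap the `for rule in docs:` loop (iteration is where parse errors surface) to restore it. An empty document yields `rule is None`, which makes `"tags" not in rule` raise TypeError; an `if not rule: continue` guard at the top of the loop covers it. Minor style: `if double == False` reads as `if not double`, and the comment `# action globle no tag` should say what it means, e.g. `# warn once per file, not per document`.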