From 0078ee795b27305e3dfe41be6bf036930fb6b792 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:47:35 +0800 Subject: [PATCH 001/108] chore: update sigma ci badge Replace travis-ci tatus badge with github actions tatus badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 424533b59..c5ead69fd 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma) +![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) ![sigma_logo](./images/Sigma_0.3.png) From 932fe14cf69be50e65d567caaa87c33e12d2acdd Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:51:19 +0800 Subject: [PATCH 002/108] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c5ead69fd..3fb50937f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) +[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From 4c3a7007e682ea00673972e85755b7c68bab5993 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Sat, 7 Aug 2021 21:13:19 +0800 Subject: [PATCH 003/108] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3fb50937f..864235a65 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) +[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From a75859a976409df0a3c3705f01efba97859eda23 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sun, 15 Aug 2021 16:00:14 +0200 Subject: [PATCH 004/108] First commit --- ...reating_number_of_resources_detection.yaml | 20 + .../azure_granting_permission_detection.yml | 20 + rules/cloud/azure/azure_rare_operations.yml | 25 ++ rules/network/zeek/zeek_dns_mining_pools.yml | 43 +++ rules/network/zeek/zeek_dns_torproxy.yml | 21 + rules/web/sql_injection_keywords.yml | 23 ++ rules/web/xss_keywords.yml | 24 ++ .../builtin/win_anomaly_process_execution.yml | 22 ++ .../windows/builtin/win_event_log_cleared.yml | 22 ++ .../builtin/win_powershelll_empire.yml | 363 ++++++++++++++++++ .../builtin/win_user_acc_added_removed.yml | 25 ++ .../builtin/win_user_acc_created_deleted.yml | 18 + .../builtin/win_user_acc_enabled_disabled.yml | 20 + ...in_user_created_added_to_bultin_admins.yml | 21 + 14 files changed, 667 insertions(+) create mode 100644 rules/cloud/azure/azure_creating_number_of_resources_detection.yaml create mode 100644 rules/cloud/azure/azure_granting_permission_detection.yml create mode 100644 rules/cloud/azure/azure_rare_operations.yml create mode 100644 rules/network/zeek/zeek_dns_mining_pools.yml create mode 100644 rules/network/zeek/zeek_dns_torproxy.yml create mode 100644 rules/web/sql_injection_keywords.yml create mode 100644 rules/web/xss_keywords.yml create mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml create mode 100644 rules/windows/builtin/win_event_log_cleared.yml create mode 100644 rules/windows/builtin/win_powershelll_empire.yml create mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml create mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml create mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml create mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml new file mode 100644 index 000000000..d1a608299 --- /dev/null +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml @@ -0,0 +1,20 @@ +title: number of resource creation or deployment activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml new file mode 100644 index 000000000..cf644a6ba --- /dev/null +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -0,0 +1,20 @@ +title: Granting of permissions to an account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 
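Review bot: The title and description of azure_creating_number_of_resources_detection.yaml promise a count-based anomaly ("number of VM creations or deployment activities"), but `condition: keywords` fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write` event, so the rule alerts on routine provisioning. Either express the threshold with Sigma's aggregation, e.g. `condition: keywords | count() > <threshold>` together with a `timeframe:` value, or reword the description to say it matches each such operation. azure_granting_permission_detection.yml on the same line has the same mismatch: its description says it alerts when a previously unseen source IP is used, while the detection is only the keyword `Microsoft.Authorization/roleAssignments/write`, and an IP baseline cannot be expressed in Sigma, so that sentence should be dropped from the description.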
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml new file mode 100644 index 000000000..caa65c030 --- /dev/null +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -0,0 +1,25 @@ +title: Rare subscription-level operations in Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml +logsource: + service: AzureActivity +detection: + keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action + -Microsoft.Maps/accounts/listKeys/action + -Microsoft.Media/mediaservices/listKeys/action + -Microsoft.CognitiveServices/accounts/listKeys/action + -Microsoft.Storage/storageAccounts/listKeys/action + -Microsoft.Compute/snapshots/write + -Microsoft.Network/networkSecurityGroups/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1003 diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml new file mode 100644 index 000000000..f45df3408 --- /dev/null +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
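Review bot: The `keywords:` block in azure_rare_operations.yml is not a YAML list: `keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action` puts the first value on the key line with no space after the dash, and the following indented `-Microsoft.…` lines continue that plain scalar, so the whole set parses as one long string and the rule can never match a single operation. Write it as `keywords:` followed by one `  - Microsoft.DocumentDB/databaseAccounts/listKeys/action` item per line, with a space after each dash. The description is also copied from the permission-granting rule ("Identifies IPs from which users grant access …") and does not describe the listKeys/snapshot/NSG operations this rule actually looks for. Neither point is touched by patches 005 or 006, whose diffstats do not include this file.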
@@ -0,0 +1,43 @@ +id: bf74135c-18e8-4a72-a926-0e4f47888c19 +title: DNS events related to mining pools +description: | + 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1035 + - attack.t1496 +detection: + selection: + query: + - 'monerohash.com' + - 'do-dear.com' + - 'xmrminerpro.com' + - 'secumine.net' + - 'xmrpool.com' + - 'minexmr.org' + - 'hashanywhere.com' + - 'xmrget.com' + - 'mininglottery.eu' + - 'minergate.com' + - 'moriaxmr.com' + - 'multipooler.com' + - 'moneropools.com' + - 'xmrpool.eu' + - 'coolmining.club' + - 'supportxmr.com' + - 'minexmr.com' + - 'coinfoundry.org' + - 'cryptoknight.cc' + - 'fairhash.org' + - 'baikalmine.com' + - 'tubepool.xyz' + - 'fairpool.xyz' + - 'asiapool.io' + condition: selection +fields: + - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml new file mode 100644 index 000000000..1249c6ade --- /dev/null +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -0,0 +1,21 @@ +id: a8322756-015c-42e7-afb1-436e85ed3ff5 +title: DNS tor proxies +description: | + 'Identifies IPs performing DNS lookups associated with common Tor proxies.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1048 +detection: + selection: + query: + - 'tor2web.*' + - 'onion.*' + - '*tor-gateways*' + condition: selection +fields: + - clientip diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml new file mode 100644 index 000000000..f1dd79722 --- /dev/null +++ b/rules/web/sql_injection_keywords.yml 
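Review bot: The `query:` values in zeek_dns_mining_pools.yml are plain strings, which Sigma matches against the whole field, so `'minexmr.com'` matches only a lookup of the apex name and misses lookups of pool hostnames under it. Use an `|endswith` modifier with a leading dot on each entry, e.g. `query|endswith: '.minexmr.com'`, or list both the apex and the suffix form, so that subdomain lookups are covered. Patches 005 and 006 change only this file's metadata, so the matching stays as written. `attack.t1035` is also a retired technique id (merged into `attack.t1569.002`).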
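Review bot: The wildcard patterns in zeek_dns_torproxy.yml are anchored at the start of the field, because a Sigma value without a leading `*` must match from the first character: `'tor2web.*'` and `'onion.*'` only match queries that begin with `tor2web.` or `onion.`, whereas a gateway lookup has the form `<hidden-service>.onion.<gateway-suffix>`, so these two entries match essentially nothing and only `'*tor-gateways*'` is unanchored. Change them to `'*.tor2web.*'` and `'*.onion.*'`, or use `query|contains:` with `'.tor2web.'` and `'.onion.'`. If the trailing `.*` is a leftover regex suffix from the Sentinel KQL source, note that Sigma treats the value as a glob, not a regex. Patch 006 changes only this file's metadata, so the patterns stay as written.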
@@ -0,0 +1,23 @@ +title: Detect sql injection by keywords +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: experimental +description: Detects sql injection that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=select' + - '=union' + - '=concat' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website +level: high diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml new file mode 100644 index 000000000..2c17f38b5 --- /dev/null +++ b/rules/web/xss_keywords.yml @@ -0,0 +1,24 @@ +title: Detect XSS Attempts by keywords +id: 553a450b8-604d-41a9-8587-a28334aaddfb +status: experimental +description: Detects XSS that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=cookie' + - '=script' + - '=onload' + - '=onmouseover' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts,CSS Files and PNG files + - User searches in search boxes of the respective website +level: high diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml new file mode 100644 index 000000000..1a38f02aa --- /dev/null +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
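Review bot: `level: high` in sql_injection_keywords.yml is not supported by the detection: `keywords` is a free-text search, so `=select` also hits benign parameter values such as `?mode=select` on most backends, and the falsepositives list itself concedes that search-box input matches. Either lower the level or replace the single words with multi-token SQL fragments that do not occur in normal parameter values. The same applies to xss_keywords.yml further along this line, where `'=cookie'` and `'=script'` match common benign parameters at `level: high`.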
@@ -0,0 +1,22 @@ +title: Process execution anomaly +id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 +description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.t1064 +detection: + selection: + EventID: 4688 + NewProcessName|contains: + - 'powershell.exe' + - 'cmd.exe' + - 'wmic.exe' + - 'psexec.exe' + - 'cacls.exe' + - 'rundll.exe' + condition: selection diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml new file mode 100644 index 000000000..2540d98e5 --- /dev/null +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -0,0 +1,22 @@ +id: a122ac13-daf8-4175-83a2-72c387be339d +title: Security Event log cleared +status: experimental +description: | + 'Checks for event id 1102 which indicates the security event log was cleared.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: security + product: windows +tags: + + - attack.t1107 +detection: + selection: + EventID: 1102 + condition: selection +fields: + - fields in the log source that are important to investigate further +falsepositives: + - Legitimate administrative activity diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml new file mode 100644 index 000000000..f3883029c --- /dev/null +++ b/rules/windows/builtin/win_powershelll_empire.yml 
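Review bot: `- 'rundll.exe'` in the `NewProcessName|contains` list of win_anomaly_process_execution.yml matches nothing useful: the Windows binary is `rundll32.exe`, of which `rundll.exe` is not a substring, so the entry should read `- 'rundll32.exe'`. Separately, the rule fires on every 4688 for `cmd.exe` and `powershell.exe` with none of the baselining its title ("anomaly") and description imply, which at this level is an alert on practically every interactive session; either describe it as a hunting query or add a filter on parent process or user. `attack.t1064` is a retired technique id (folded into `attack.t1059`). Patches 005 and 006 change this file's logsource and metadata, and the context lines they show stop at `cmd.exe`, so confirm the `rundll.exe` entry is corrected there too.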
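Review bot: `fields:` in win_event_log_cleared.yml still holds the rule-template placeholder `- fields in the log source that are important to investigate further` instead of field names; either remove the `fields` block or list the attributes useful for triaging a 1102, e.g. `- SubjectUserName`, `- SubjectDomainName`, `- Computer`. Patch 006's hunk for this file (5 removed and 5 added lines, matching its diffstat) does not touch this block, so the placeholder survives the series. The blank line between `tags:` and `- attack.t1107` is harmless but stray.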
@@ -0,0 +1,363 @@ +title: Powershell Empire cmdlets seen in command line +id: ef88eb96-861c-43a0-ab16-f3835a97c928 +description: | + 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.persistence + - attack.t1208 +detection: + selection1: + EventID: 4688 + CommandLine|contains: ' -encodedCommand' + selection2: + CommandLine: + - 'SetDelay' + - 'GetDelay' + - 'Set-LostLimit' + - 'Get-LostLimit' + - 'Set-Killdate' + - 'Get-Killdate' + - 'Set-WorkingHours' + - 'Get-WorkingHours' + - 'Get-Sysinfo' + - 'Add-Servers' + - 'Invoke-ShellCommand' + - 'Start-AgentJob' + - 'Update-Profile' + - 'Get-FilePart' + - 'Encrypt-Bytes' + - 'Decrypt-Bytes' + - 'Encode-Packet' + - 'Decode-Packet' + - 'Send-Message' + - 'Process-Packet' + - 'Process-Tasking' + - 'Get-Task' + - 'Start-Negotiate' + - 'Invoke-DllInjection' + - 'Invoke-ReflectivePEInjection' + - 'Invoke-Shellcode' + - 'Invoke-ShellcodeMSIL' + - 'Get-ChromeDump' + - 'Get-ClipboardContents' + - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Invoke-Inveigh' + - 'Invoke-NetRipper' + - 'local:Invoke-PatchDll' + - 'Invoke-NinjaCopy' + - 'Get-Win32Types' + - 'Get-Win32Constants' + - 'Get-Win32Functions' + - 'Sub-SignedIntAsUnsigned' + - 'Add-SignedIntAsUnsigned' + - 'Compare-Val1GreaterThanVal2AsUInt' + - 'Convert-UIntToInt' + - 'Test-MemoryRangeValid' + - 'Write-BytesToMemory' + - 'Get-DelegateType' + - 'Get-ProcAddress' + - 'Enable-SeDebugPrivilege' + - 'Invoke-CreateRemoteThread' + - 'Get-ImageNtHeaders' + - 'Get-PEBasicInfo' + - 'Get-PEDetailedInfo' + - 'Import-DllInRemoteProcess' + - 'Get-RemoteProcAddress' + - 'Copy-Sections' + - 'Update-MemoryAddresses' + - 'Import-DllImports' + - 'Get-VirtualProtectValue' + - 'Update-MemoryProtectionFlags' + - 'Update-ExeFunctions' + - 'Copy-ArrayOfMemAddresses' + - 'Get-MemoryProcAddress' + - 'Invoke-MemoryLoadLibrary' + 
- 'Invoke-MemoryFreeLibrary' + - 'Out-Minidump' + - 'Get-VaultCredential' + - 'Invoke-DCSync' + - 'Translate-Name' + - 'Get-NetDomain' + - 'Get-NetForest' + - 'Get-NetForestDomain' + - 'Get-DomainSearcher' + - 'Get-NetComputer' + - 'Get-NetGroupMember' + - 'Get-NetUser' + - 'Invoke-Mimikatz' + - 'Invoke-PowerDump' + - 'Invoke-TokenManipulation' + - 'Exploit-JMXConsole' + - 'Exploit-JBoss' + - 'Invoke-Thunderstruck' + - 'Invoke-VoiceTroll' + - 'Set-WallPaper' + - 'Invoke-PsExec' + - 'Invoke-SSHCommand' + - 'Invoke-PSInject' + - 'Invoke-RunAs' + - 'Invoke-SendMail' + - 'Invoke-Rule' + - 'Get-OSVersion' + - 'Select-EmailItem' + - 'View-Email' + - 'Get-OutlookFolder' + - 'Get-EmailItems' + - 'Invoke-MailSearch' + - 'Get-SubFolders' + - 'Get-GlobalAddressList' + - 'Invoke-SearchGAL' + - 'Get-SMTPAddress' + - 'Disable-SecuritySettings' + - 'Reset-SecuritySettings' + - 'Get-OutlookInstance' + - 'New-HoneyHash' + - 'Set-MacAttribute' + - 'Invoke-PatchDll' + - 'Get-SecurityPackages' + - 'Install-SSP' + - 'Invoke-BackdoorLNK' + - 'New-ElevatedPersistenceOption' + - 'New-UserPersistenceOption' + - 'Add-Persistence' + - 'Invoke-CallbackIEX' + - 'Add-PSFirewallRules' + - 'Invoke-EventLoop' + - 'Invoke-PortBind' + - 'Invoke-DNSLoop' + - 'Invoke-PacketKnock' + - 'Invoke-CallbackLoop' + - 'Invoke-BypassUAC' + - 'Get-DecryptedCpassword' + - 'Get-GPPInnerFields' + - 'Invoke-WScriptBypassUAC' + - 'Get-ModifiableFile' + - 'Get-ServiceUnquoted' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Invoke-ServiceUserAdd' + - 'Invoke-ServiceCMD' + - 'Write-UserAddServiceBinary' + - 'Write-CMDServiceBinary' + - 'Write-ServiceEXE' + - 'Write-ServiceEXECMD' + - 'Restore-ServiceEXE' + - 'Invoke-ServiceStart' + - 'Invoke-ServiceStop' + - 'Invoke-ServiceEnable' + - 'Invoke-ServiceDisable' + - 'Get-ServiceDetail' + - 'Find-DLLHijack' + - 'Find-PathHijack' + - 'Write-HijackDll' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 
'Get-UnattendedInstallFile' + - 'Get-Webconfig' + - 'Get-ApplicationHost' + - 'Write-UserAddMSI' + - 'Invoke-AllChecks' + - 'Invoke-ThreadedFunction' + - 'Test-Login' + - 'Get-UserAgent' + - 'Test-Password' + - 'Get-ComputerDetails' + - 'Find-4648Logons' + - 'Find-4624Logons' + - 'Find-AppLockerLogs' + - 'Find-PSScriptsInPSAppLog' + - 'Find-RDPClientConnections' + - 'Get-SystemDNSServer' + - 'Invoke-Paranoia' + - 'Invoke-WinEnum{' + - 'Get-SPN' + - 'Invoke-ARPScan' + - 'Invoke-Portscan' + - 'Invoke-ReverseDNSLookup' + - 'Invoke-SMBScanner' + - 'New-InMemoryModule' + - 'Add-Win32Type' + - 'Export-PowerViewCSV' + - 'Get-MacAttribute' + - 'Copy-ClonedFile' + - 'Get-IPAddress' + - 'Convert-NameToSid' + - 'Convert-SidToName' + - 'Convert-NT4toCanonical' + - 'Get-Proxy' + - 'Get-PathAcl' + - 'Get-NameField' + - 'Convert-LDAPProperty' + - 'Get-NetDomainController' + - 'Add-NetUser' + - 'Add-NetGroupUser' + - 'Get-UserProperty' + - 'Find-UserField' + - 'Get-UserEvent' + - 'Get-ObjectAcl' + - 'Add-ObjectAcl' + - 'Invoke-ACLScanner' + - 'Get-GUIDMap' + - 'Get-ADObject' + - 'Set-ADObject' + - 'Get-ComputerProperty' + - 'Find-ComputerField' + - 'Get-NetOU' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-DomainSID' + - 'Get-NetGroup' + - 'Get-NetFileServer' + - 'SplitPath' + - 'Get-DFSshare' + - 'Get-DFSshareV1' + - 'Get-DFSshareV2' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + - 'Get-NetGPO' + - 'Get-NetGPOGroup' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 
'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 
'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Invoke-ImpersonateUser' + - 'Create-ProcessWithToken' + - 'Free-AllTokens' + - 'Enum-AllTokens' + - 'Invoke-RevertToSelf' + - 'Set-Speaker(\$Volume){\$wshShell' + - 'Local:Get-RandomString' + - 'Local:Invoke-PsExecCmd' + - 'Get-GPPPassword' + - 'Local:Inject-BypassStuff' + - 'Local:Invoke-CopyFile\(\$sSource,' + - 'ind-Fruit' + - 'New-IPv4Range' + - 'New-IPv4RangeFromCIDR' + - 'Parse-Hosts' + - 'Parse-ILHosts' + - 'Exclude-Hosts' + - 'Get-TopPort' + - 'Parse-Ports' + - 'Parse-IpPorts' + - 'Remove-Ports' + - 'Write-PortscanOut' + - 'Convert-SwitchtoBool' + - 'Get-ForeignUser' + - 'Get-ForeignGroup' + condition: selection1 or selection2 \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml new file mode 100644 index 000000000..d827a04c6 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_added_removed.yml @@ -0,0 +1,25 @@ +title: Account added and removed from privileged groups +id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 +description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection1: + EventID: + - 4728 + - 4732 + - 4756 + selection2: + EventID: + - 4729 + - 4733 + - 4757 + condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml new file mode 100644 index 000000000..48bd4be5e --- /dev/null +++ b/rules/windows/builtin/win_user_acc_created_deleted.yml 
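Review bot: `selection2: CommandLine:` in win_powershelll_empire.yml carries no modifier, so every cmdlet name is compared as an exact whole-field match against the process command line; a real invocation always contains more than the bare name, so selection2 never fires and the rule reduces to selection1's `' -encodedCommand'` check, which alone is far too broad for the Empire-specific title. Change the key to `CommandLine|contains:`. Several entries are also unusable as literals: `'Set-Speaker(\$Volume){\$wshShell'` and `'Local:Invoke-CopyFile\(\$sSource,'` keep escaping from the KQL source that Sigma treats as literal backslashes, `'ind-Fruit'` is truncated, and the run from `'Find-GPOLocation'` to `'Enable-Privilege'` appears twice. The rule also lacks `author`, `date` and `status`, and `attack.t1208` (Kerberoasting) has no relation to the behaviour matched. Patch 005's hunk keeps the bare `CommandLine:` key; patch 006 rewrites 635 lines of this file outside this page, so check whether it adds the modifier.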
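Review bot: win_user_acc_added_removed.yml does not restrict the group: `selection1`/`selection2` match every 4728/4732/4756 and 4729/4733/4757, so the "privileged groups" in the title is not enforced, and `condition: selection1 or selection2` alerts on every add or remove rather than the add-then-quick-remove sequence the description promises. Either filter on the group (the 4728/4732/4756 events carry the group's `TargetSid` and `TargetUserName`) or redescribe the rule as a plain group-membership-change audit, since the sequence cannot be expressed in Sigma's condition language. The same description/condition mismatch is in win_user_acc_enabled_disabled.yml and win_user_created_added_to_bultin_admins.yml below, where `EventID: - 4720 - 4732` with `condition: selection` matches any account creation or any local-group addition on its own. Patches 005 and 006 only adjust level case and metadata in these files.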
@@ -0,0 +1,18 @@ +title: User account created and deleted within 10 mins +id: 4b93c5af-d20b-4236-b696-a28b8c51407f +description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: 4720 + condition: selection \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml new file mode 100644 index 000000000..915592020 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -0,0 +1,20 @@ +title: User account enabled and disabled +id: 3d023f64-8225-41a2-9570-2bd7c2c4535e +description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4722 + - 4725 + condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml new file mode 100644 index 000000000..831dfea24 --- /dev/null +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
@@ -0,0 +1,21 @@ +title: New user created and added to the built-in administrators group +id: aa1eff90-29d4-49dc-a3ea-b65199f516db +description: 'Identifies when a user account was created and then added to the builtin Administrators group. + This should be monitored closely and all additions reviewed.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation +relevantTechniques: + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4720 + - 4732 + condition: selection \ No newline at end of file From 12396f615c9f0528c8dc028a8317892fd1a389cc Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 16:52:24 +0200 Subject: [PATCH 005/108] remove duplicate rule and fix errors --- ...creating_number_of_resources_detection.yml} | 0 rules/network/zeek/zeek_dns_mining_pools.yml | 5 ++--- rules/network/zeek/zeek_dns_torproxy.yml | 2 +- .../builtin/win_anomaly_process_execution.yml | 5 ++--- .../windows/builtin/win_event_log_cleared.yml | 2 +- .../windows/builtin/win_powershelll_empire.yml | 10 ++++------ .../builtin/win_user_acc_added_removed.yml | 2 +- .../builtin/win_user_acc_created_deleted.yml | 18 ------------------ .../builtin/win_user_acc_enabled_disabled.yml | 2 +- ...win_user_created_added_to_bultin_admins.yml | 2 +- 10 files changed, 13 insertions(+), 35 deletions(-) rename rules/cloud/azure/{azure_creating_number_of_resources_detection.yaml => azure_creating_number_of_resources_detection.yml} (100%) delete mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml similarity index 100% rename from rules/cloud/azure/azure_creating_number_of_resources_detection.yaml rename to rules/cloud/azure/azure_creating_number_of_resources_detection.yml 
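Review bot: `relevantTechniques:` in win_user_created_added_to_bultin_admins.yml is a Sentinel key, not a Sigma one, so the `attack.t1098` and `attack.t1078` entries under it are ignored by Sigma tooling and `tags:` carries only the two tactic tags; move the two technique ids under `tags:` and delete the `relevantTechniques` key. Patch 006 changes 7 lines of this file, but its hunk is outside this page, so confirm it covers this. The filename also misspells "builtin" as "bultin".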
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index f45df3408..281e37796 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,10 +1,9 @@ id: bf74135c-18e8-4a72-a926-0e4f47888c19 title: DNS events related to mining pools -description: | - 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.' +description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: dns product: zeek diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 1249c6ade..6a3e8a77f 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -4,7 +4,7 @@ description: | 'Identifies IPs performing DNS lookups associated with common Tor proxies.' reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: dns product: zeek diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 1a38f02aa..2746bf8f0 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -2,16 +2,15 @@ title: Process execution anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' references: Azure Sentinel -level: Medium +level: medium logsource: - service: Security product: windows + category: process_creation tags: - attack.execution - attack.t1064 detection: selection: - EventID: 4688 NewProcessName|contains: - 'powershell.exe' - 'cmd.exe' 
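Review bot: Switching the logsource of win_anomaly_process_execution.yml to `category: process_creation` while keeping `NewProcessName|contains` leaves the rule on the raw Security 4688 field name; the generic process_creation logsource expects the Sigma field `Image`, which backend configs typically map to `NewProcessName` for the Security log and to the Sysmon field otherwise, so after this change the rule matches on a field most mapped outputs no longer expose. Change the line to `Image|contains:`. The parallel change in win_powershelll_empire.yml on the next line is fine because `CommandLine` is already the Sigma field name.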
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 2540d98e5..ac7e1691e 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -5,7 +5,7 @@ description: | 'Checks for event id 1102 which indicates the security event log was cleared.' reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: security product: windows diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index f3883029c..e4883f3e9 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,19 +1,17 @@ title: Powershell Empire cmdlets seen in command line id: ef88eb96-861c-43a0-ab16-f3835a97c928 -description: | - 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' +description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. references: Azure Sentinel -level: Medium +level: medium logsource: - service: Security - product: windows + product: windows + category: process_creation tags: - attack.execution - attack.persistence - attack.t1208 detection: selection1: - EventID: 4688 CommandLine|contains: ' -encodedCommand' selection2: CommandLine: diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index d827a04c6..e3fe87b96 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
@@ -2,7 +2,7 @@ title: Account added and removed from privileged groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' references: Azure Sentinel -level: Low +level: low logsource: service: Security product: windows diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml deleted file mode 100644 index 48bd4be5e..000000000 --- a/rules/windows/builtin/win_user_acc_created_deleted.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: User account created and deleted within 10 mins -id: 4b93c5af-d20b-4236-b696-a28b8c51407f -description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and - an adversary attempting to hide in the noise.' -references: Azure Sentinel -level: Medium -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: 4720 - condition: selection \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 915592020..a6cd343c6 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -3,7 +3,7 @@ id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.' references: Azure Sentinel -level: Medium +level: medium logsource: service: Security product: windows diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 831dfea24..639debc51 100644 
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -3,7 +3,7 @@ id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: 'Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.' references: Azure Sentinel -level: Low +level: low logsource: service: Security product: windows From 245cb6d5101ee8f024eb75747f4ad6f682da85a1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 18:55:44 +0200 Subject: [PATCH 006/108] fix more errors --- rules/network/zeek/zeek_dns_mining_pools.yml | 6 +- rules/network/zeek/zeek_dns_torproxy.yml | 9 +- rules/web/xss_keywords.yml | 4 +- .../builtin/win_anomaly_process_execution.yml | 6 +- .../windows/builtin/win_event_log_cleared.yml | 10 +- .../builtin/win_powershelll_empire.yml | 635 ++++++++---------- .../builtin/win_user_acc_added_removed.yml | 6 +- .../builtin/win_user_acc_enabled_disabled.yml | 7 +- ...in_user_created_added_to_bultin_admins.yml | 7 +- 9 files changed, 323 insertions(+), 367 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 281e37796..0de24200e 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,9 +1,11 @@ id: bf74135c-18e8-4a72-a926-0e4f47888c19 title: DNS events related to mining pools description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. -reference: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: dns product: zeek diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 6a3e8a77f..466ab203e 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml 
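Review bot: `references: - Azure Sentinel` in zeek_dns_mining_pools.yml names a product rather than a reference a reader can follow; the Azure rules added in patch 004 show the intended form, a link to the source detection under `https://github.com/Azure/Azure-Sentinel/blob/master/Detections/…`. Point the entry at the specific Sentinel YAML this rule was ported from, and do the same for the `- Azure Sentinel` entries introduced for zeek_dns_torproxy.yml, win_anomaly_process_execution.yml, win_event_log_cleared.yml and win_powershelll_empire.yml on the following lines. The two zeek rules also still lack a `status:` line, which the other rules in this series carry as `experimental`.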
@@ -1,10 +1,11 @@ id: a8322756-015c-42e7-afb1-436e85ed3ff5 title: DNS tor proxies -description: | - 'Identifies IPs performing DNS lookups associated with common Tor proxies.' -reference: Azure Sentinel +description: Identifies IPs performing DNS lookups associated with common Tor proxies. +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: dns product: zeek diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml index 2c17f38b5..775ec8717 100644 --- a/rules/web/xss_keywords.yml +++ b/rules/web/xss_keywords.yml @@ -1,9 +1,9 @@ title: Detect XSS Attempts by keywords -id: 553a450b8-604d-41a9-8587-a28334aaddfb +id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 status: experimental description: Detects XSS that use GET requests by keyword searches in URL strings author: Saw Win Naung -date: 2020/02/22 +date: 2021/08/15 logsource: category: webserver detection: diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 2746bf8f0..176d64bd6 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -1,7 +1,9 @@ -title: Process execution anomaly +title: Process Execution Anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' -references: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: product: windows diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index ac7e1691e..0fdbdd54c 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml 
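Review bot: In the xss_keywords.yml hunk the `date` field is rewritten from 2020/02/22 to 2021/08/15, which discards the rule's creation date; Sigma keeps `date` as the creation date and records revisions separately, so this should be `date: 2020/02/22` with a new line `modified: 2021/08/15`. Replacing the id is justified (the old value `553a450b8-…` has nine hex digits in its first group and is not a valid UUID), but consumers that keyed alerts or suppressions on the old id silently lose the mapping, which deserves a sentence in the commit message rather than the generic "fix more errors".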
@@ -1,16 +1,16 @@ id: a122ac13-daf8-4175-83a2-72c387be339d title: Security Event log cleared status: experimental -description: | - 'Checks for event id 1102 which indicates the security event log was cleared.' -reference: Azure Sentinel +description: Checks for event id 1102 which indicates the security event log was cleared. +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: security product: windows tags: - - attack.t1107 detection: selection: diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index e4883f3e9..8aa638eff 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,7 +1,9 @@ title: Powershell Empire cmdlets seen in command line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -references: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: product: windows 
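Review bot: Deleting the only entry under `tags:` in win_event_log_cleared.yml leaves the key with no value, which YAML loads as `tags: null` rather than an empty list, so any consumer that iterates `rule["tags"]` will fail on this rule. Either remove the `tags:` line together with its entry, or replace the retired technique with the current ATT&CK mapping for clearing Windows event logs, `tags:` / `  - attack.defense_evasion` / `  - attack.t1070.001`. The `detection` block continues past the end of the hunk.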
@@ -15,347 +17,292 @@ detection: CommandLine|contains: ' -encodedCommand' selection2: CommandLine: - - 'SetDelay' - - 'GetDelay' - - 'Set-LostLimit' - - 'Get-LostLimit' - - 'Set-Killdate' - - 'Get-Killdate' - - 'Set-WorkingHours' - - 'Get-WorkingHours' - - 'Get-Sysinfo' - - 'Add-Servers' - - 'Invoke-ShellCommand' - - 'Start-AgentJob' - - 'Update-Profile' - - 'Get-FilePart' - - 'Encrypt-Bytes' - - 'Decrypt-Bytes' - - 'Encode-Packet' - - 'Decode-Packet' - - 'Send-Message' - - 'Process-Packet' - - 'Process-Tasking' - - 'Get-Task' - - 'Start-Negotiate' - - 'Invoke-DllInjection' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-Shellcode' - - 'Invoke-ShellcodeMSIL' - - 'Get-ChromeDump' - - 'Get-ClipboardContents' - - 'Get-IndexedItem' - - 'Get-Keystrokes' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'local:Invoke-PatchDll' - - 'Invoke-NinjaCopy' - - 'Get-Win32Types' - - 'Get-Win32Constants' - - 'Get-Win32Functions' - - 'Sub-SignedIntAsUnsigned' - - 'Add-SignedIntAsUnsigned' - - 'Compare-Val1GreaterThanVal2AsUInt' - - 'Convert-UIntToInt' - - 'Test-MemoryRangeValid' - - 'Write-BytesToMemory' - - 'Get-DelegateType' - - 'Get-ProcAddress' - - 'Enable-SeDebugPrivilege' - - 'Invoke-CreateRemoteThread' - - 'Get-ImageNtHeaders' - - 'Get-PEBasicInfo' - - 'Get-PEDetailedInfo' - - 'Import-DllInRemoteProcess' - - 'Get-RemoteProcAddress' - - 'Copy-Sections' - - 'Update-MemoryAddresses' - - 'Import-DllImports' - - 'Get-VirtualProtectValue' - - 'Update-MemoryProtectionFlags' - - 'Update-ExeFunctions' - - 'Copy-ArrayOfMemAddresses' - - 'Get-MemoryProcAddress' - - 'Invoke-MemoryLoadLibrary' - - 'Invoke-MemoryFreeLibrary' - - 'Out-Minidump' - - 'Get-VaultCredential' - - 'Invoke-DCSync' - - 'Translate-Name' - - 'Get-NetDomain' - - 'Get-NetForest' - - 'Get-NetForestDomain' - - 'Get-DomainSearcher' - - 'Get-NetComputer' - - 'Get-NetGroupMember' - - 'Get-NetUser' - - 'Invoke-Mimikatz' - - 'Invoke-PowerDump' - - 'Invoke-TokenManipulation' - - 'Exploit-JMXConsole' - - 'Exploit-JBoss' - - 
'Invoke-Thunderstruck' - - 'Invoke-VoiceTroll' - - 'Set-WallPaper' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'Invoke-SendMail' - - 'Invoke-Rule' - - 'Get-OSVersion' - - 'Select-EmailItem' - - 'View-Email' - - 'Get-OutlookFolder' - - 'Get-EmailItems' - - 'Invoke-MailSearch' - - 'Get-SubFolders' - - 'Get-GlobalAddressList' - - 'Invoke-SearchGAL' - - 'Get-SMTPAddress' - - 'Disable-SecuritySettings' - - 'Reset-SecuritySettings' - - 'Get-OutlookInstance' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-PatchDll' - - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'New-ElevatedPersistenceOption' - - 'New-UserPersistenceOption' - - 'Add-Persistence' - - 'Invoke-CallbackIEX' - - 'Add-PSFirewallRules' - - 'Invoke-EventLoop' - - 'Invoke-PortBind' - - 'Invoke-DNSLoop' - - 'Invoke-PacketKnock' - - 'Invoke-CallbackLoop' - - 'Invoke-BypassUAC' - - 'Get-DecryptedCpassword' - - 'Get-GPPInnerFields' - - 'Invoke-WScriptBypassUAC' - - 'Get-ModifiableFile' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceUserAdd' - - 'Invoke-ServiceCMD' - - 'Write-UserAddServiceBinary' - - 'Write-CMDServiceBinary' - - 'Write-ServiceEXE' - - 'Write-ServiceEXECMD' - - 'Restore-ServiceEXE' - - 'Invoke-ServiceStart' - - 'Invoke-ServiceStop' - - 'Invoke-ServiceEnable' - - 'Invoke-ServiceDisable' - - 'Get-ServiceDetail' - - 'Find-DLLHijack' - - 'Find-PathHijack' - - 'Write-HijackDll' - - 'Get-RegAlwaysInstallElevated' - - 'Get-RegAutoLogon' - - 'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-Webconfig' - - 'Get-ApplicationHost' - - 'Write-UserAddMSI' - - 'Invoke-AllChecks' - - 'Invoke-ThreadedFunction' - - 'Test-Login' - - 'Get-UserAgent' - - 'Test-Password' - - 'Get-ComputerDetails' - - 'Find-4648Logons' - - 'Find-4624Logons' - - 'Find-AppLockerLogs' - - 'Find-PSScriptsInPSAppLog' - - 'Find-RDPClientConnections' - - 'Get-SystemDNSServer' - - 
'Invoke-Paranoia' - - 'Invoke-WinEnum{' - - 'Get-SPN' - - 'Invoke-ARPScan' - - 'Invoke-Portscan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'New-InMemoryModule' - - 'Add-Win32Type' - - 'Export-PowerViewCSV' - - 'Get-MacAttribute' - - 'Copy-ClonedFile' - - 'Get-IPAddress' - - 'Convert-NameToSid' - - 'Convert-SidToName' - - 'Convert-NT4toCanonical' - - 'Get-Proxy' - - 'Get-PathAcl' - - 'Get-NameField' - - 'Convert-LDAPProperty' - - 'Get-NetDomainController' - - 'Add-NetUser' - - 'Add-NetGroupUser' - - 'Get-UserProperty' - - 'Find-UserField' - - 'Get-UserEvent' - - 'Get-ObjectAcl' - - 'Add-ObjectAcl' - - 'Invoke-ACLScanner' - - 'Get-GUIDMap' - - 'Get-ADObject' - - 'Set-ADObject' - - 'Get-ComputerProperty' - - 'Find-ComputerField' - - 'Get-NetOU' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-DomainSID' - - 'Get-NetGroup' - - 'Get-NetFileServer' - - 'SplitPath' - - 'Get-DFSshare' - - 'Get-DFSshareV1' - - 'Get-DFSshareV2' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - - 'Get-NetGPO' - - 'Get-NetGPOGroup' - - 'Find-GPOLocation' - - 'Find-GPOComputerAdmin' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 
'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Find-GPOLocation' - - 'Find-GPOComputerAdmin' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Invoke-ImpersonateUser' - - 'Create-ProcessWithToken' - - 'Free-AllTokens' - - 'Enum-AllTokens' - - 'Invoke-RevertToSelf' - - 'Set-Speaker(\$Volume){\$wshShell' - - 'Local:Get-RandomString' - - 'Local:Invoke-PsExecCmd' - - 'Get-GPPPassword' - - 'Local:Inject-BypassStuff' - 
- 'Local:Invoke-CopyFile\(\$sSource,' - - 'ind-Fruit' - - 'New-IPv4Range' - - 'New-IPv4RangeFromCIDR' - - 'Parse-Hosts' - - 'Parse-ILHosts' - - 'Exclude-Hosts' - - 'Get-TopPort' - - 'Parse-Ports' - - 'Parse-IpPorts' - - 'Remove-Ports' - - 'Write-PortscanOut' - - 'Convert-SwitchtoBool' - - 'Get-ForeignUser' - - 'Get-ForeignGroup' + - 'SetDelay' + - 'GetDelay' + - 'Set-LostLimit' + - 'Get-LostLimit' + - 'Set-Killdate' + - 'Get-Killdate' + - 'Set-WorkingHours' + - 'Get-WorkingHours' + - 'Get-Sysinfo' + - 'Add-Servers' + - 'Invoke-ShellCommand' + - 'Start-AgentJob' + - 'Update-Profile' + - 'Get-FilePart' + - 'Encrypt-Bytes' + - 'Decrypt-Bytes' + - 'Encode-Packet' + - 'Decode-Packet' + - 'Send-Message' + - 'Process-Packet' + - 'Process-Tasking' + - 'Get-Task' + - 'Start-Negotiate' + - 'Invoke-DllInjection' + - 'Invoke-ReflectivePEInjection' + - 'Invoke-Shellcode' + - 'Invoke-ShellcodeMSIL' + - 'Get-ChromeDump' + - 'Get-ClipboardContents' + - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Invoke-Inveigh' + - 'Invoke-NetRipper' + - 'local:Invoke-PatchDll' + - 'Invoke-NinjaCopy' + - 'Get-Win32Types' + - 'Get-Win32Constants' + - 'Get-Win32Functions' + - 'Sub-SignedIntAsUnsigned' + - 'Add-SignedIntAsUnsigned' + - 'Compare-Val1GreaterThanVal2AsUInt' + - 'Convert-UIntToInt' + - 'Test-MemoryRangeValid' + - 'Write-BytesToMemory' + - 'Get-DelegateType' + - 'Get-ProcAddress' + - 'Enable-SeDebugPrivilege' + - 'Invoke-CreateRemoteThread' + - 'Get-ImageNtHeaders' + - 'Get-PEBasicInfo' + - 'Get-PEDetailedInfo' + - 'Import-DllInRemoteProcess' + - 'Get-RemoteProcAddress' + - 'Copy-Sections' + - 'Update-MemoryAddresses' + - 'Import-DllImports' + - 'Get-VirtualProtectValue' + - 'Update-MemoryProtectionFlags' + - 'Update-ExeFunctions' + - 'Copy-ArrayOfMemAddresses' + - 'Get-MemoryProcAddress' + - 'Invoke-MemoryLoadLibrary' + - 'Invoke-MemoryFreeLibrary' + - 'Out-Minidump' + - 'Get-VaultCredential' + - 'Invoke-DCSync' + - 'Translate-Name' + - 'Get-NetDomain' + - 'Get-NetForest' + - 
'Get-NetForestDomain' + - 'Get-DomainSearcher' + - 'Get-NetComputer' + - 'Get-NetGroupMember' + - 'Get-NetUser' + - 'Invoke-Mimikatz' + - 'Invoke-PowerDump' + - 'Invoke-TokenManipulation' + - 'Exploit-JMXConsole' + - 'Exploit-JBoss' + - 'Invoke-Thunderstruck' + - 'Invoke-VoiceTroll' + - 'Set-WallPaper' + - 'Invoke-PsExec' + - 'Invoke-SSHCommand' + - 'Invoke-PSInject' + - 'Invoke-RunAs' + - 'Invoke-SendMail' + - 'Invoke-Rule' + - 'Get-OSVersion' + - 'Select-EmailItem' + - 'View-Email' + - 'Get-OutlookFolder' + - 'Get-EmailItems' + - 'Invoke-MailSearch' + - 'Get-SubFolders' + - 'Get-GlobalAddressList' + - 'Invoke-SearchGAL' + - 'Get-SMTPAddress' + - 'Disable-SecuritySettings' + - 'Reset-SecuritySettings' + - 'Get-OutlookInstance' + - 'New-HoneyHash' + - 'Set-MacAttribute' + - 'Invoke-PatchDll' + - 'Get-SecurityPackages' + - 'Install-SSP' + - 'Invoke-BackdoorLNK' + - 'New-ElevatedPersistenceOption' + - 'New-UserPersistenceOption' + - 'Add-Persistence' + - 'Invoke-CallbackIEX' + - 'Add-PSFirewallRules' + - 'Invoke-EventLoop' + - 'Invoke-PortBind' + - 'Invoke-DNSLoop' + - 'Invoke-PacketKnock' + - 'Invoke-CallbackLoop' + - 'Invoke-BypassUAC' + - 'Get-DecryptedCpassword' + - 'Get-GPPInnerFields' + - 'Invoke-WScriptBypassUAC' + - 'Get-ModifiableFile' + - 'Get-ServiceUnquoted' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Invoke-ServiceUserAdd' + - 'Invoke-ServiceCMD' + - 'Write-UserAddServiceBinary' + - 'Write-CMDServiceBinary' + - 'Write-ServiceEXE' + - 'Write-ServiceEXECMD' + - 'Restore-ServiceEXE' + - 'Invoke-ServiceStart' + - 'Invoke-ServiceStop' + - 'Invoke-ServiceEnable' + - 'Invoke-ServiceDisable' + - 'Get-ServiceDetail' + - 'Find-DLLHijack' + - 'Find-PathHijack' + - 'Write-HijackDll' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 'Get-UnattendedInstallFile' + - 'Get-Webconfig' + - 'Get-ApplicationHost' + - 'Write-UserAddMSI' + - 'Invoke-AllChecks' + - 'Invoke-ThreadedFunction' + - 
'Test-Login' + - 'Get-UserAgent' + - 'Test-Password' + - 'Get-ComputerDetails' + - 'Find-4648Logons' + - 'Find-4624Logons' + - 'Find-AppLockerLogs' + - 'Find-PSScriptsInPSAppLog' + - 'Find-RDPClientConnections' + - 'Get-SystemDNSServer' + - 'Invoke-Paranoia' + - 'Invoke-WinEnum{' + - 'Get-SPN' + - 'Invoke-ARPScan' + - 'Invoke-Portscan' + - 'Invoke-ReverseDNSLookup' + - 'Invoke-SMBScanner' + - 'New-InMemoryModule' + - 'Add-Win32Type' + - 'Export-PowerViewCSV' + - 'Get-MacAttribute' + - 'Copy-ClonedFile' + - 'Get-IPAddress' + - 'Convert-NameToSid' + - 'Convert-SidToName' + - 'Convert-NT4toCanonical' + - 'Get-Proxy' + - 'Get-PathAcl' + - 'Get-NameField' + - 'Convert-LDAPProperty' + - 'Get-NetDomainController' + - 'Add-NetUser' + - 'Add-NetGroupUser' + - 'Get-UserProperty' + - 'Find-UserField' + - 'Get-UserEvent' + - 'Get-ObjectAcl' + - 'Add-ObjectAcl' + - 'Invoke-ACLScanner' + - 'Get-GUIDMap' + - 'Get-ADObject' + - 'Set-ADObject' + - 'Get-ComputerProperty' + - 'Find-ComputerField' + - 'Get-NetOU' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-DomainSID' + - 'Get-NetGroup' + - 'Get-NetFileServer' + - 'SplitPath' + - 'Get-DFSshare' + - 'Get-DFSshareV1' + - 'Get-DFSshareV2' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + - 'Get-NetGPO' + - 'Get-NetGPOGroup' + - 'Find-GPOLocation' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 
'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Find-GPOComputerAdmin' + - 'Invoke-ImpersonateUser' + - 'Create-ProcessWithToken' + - 'Free-AllTokens' + - 'Enum-AllTokens' + - 'Invoke-RevertToSelf' + - 'Set-Speaker(\$Volume){\$wshShell' + - 'Local:Get-RandomString' + - 'Local:Invoke-PsExecCmd' + - 'Get-GPPPassword' + - 'Local:Inject-BypassStuff' + - 'Local:Invoke-CopyFile\(\$sSource,' + - 'ind-Fruit' + - 'New-IPv4Range' + - 'New-IPv4RangeFromCIDR' + - 'Parse-Hosts' + - 'Parse-ILHosts' + - 'Exclude-Hosts' + - 'Get-TopPort' + - 'Parse-Ports' + - 'Parse-IpPorts' + - 'Remove-Ports' + - 'Write-PortscanOut' + - 'Convert-SwitchtoBool' + - 'Get-ForeignUser' + - 'Get-ForeignGroup' condition: selection1 or selection2 \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index e3fe87b96..daf670034 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
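Review bot: `selection2` still keys on `CommandLine:` as an exact value, so the re-indented list only fires when the entire command line equals a single cmdlet name such as `Invoke-Mimikatz`; the description says the rule looks for Empire cmdlets *in* command line data, which needs `CommandLine|contains:`. As it stands, with `condition: selection1 or selection2`, essentially every hit comes from `selection1` (` -encodedCommand`), which on its own is far too broad for a medium-level rule. Several entries are also regex fragments carried over from the source query rather than literal strings — `'Set-Speaker(\$Volume){\$wshShell'`, `'Local:Invoke-CopyFile\(\$sSource,'`, `'Invoke-WinEnum{'` — and `'ind-Fruit'` is a truncated `Find-Fruit`; Sigma treats all of these as literal text, so they should be reduced to the bare cmdlet names. The hunk starts partway through the `detection` block.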
@@ -1,7 +1,9 @@ title: Account added and removed from privileged groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 -description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' -references: Azure Sentinel +description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. +references: + - Azure Sentinel +date: 2021/08/15 level: low logsource: service: Security diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index a6cd343c6..7751dd330 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -1,8 +1,9 @@ title: User account enabled and disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e -description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and - an adversary attempting to hide in the noise.' -references: Azure Sentinel +description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: service: Security diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 639debc51..264ac030f 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
@@ -1,8 +1,9 @@ title: New user created and added to the built-in administrators group id: aa1eff90-29d4-49dc-a3ea-b65199f516db -description: 'Identifies when a user account was created and then added to the builtin Administrators group. - This should be monitored closely and all additions reviewed.' -references: Azure Sentinel +description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. +references: + - Azure Sentinel +date: 2021/08/15 level: low logsource: service: Security From c3457c9911691314ca348dfc264fe7682418abd0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:05:00 +0200 Subject: [PATCH 007/108] fix titles --- .../azure/azure_creating_number_of_resources_detection.yml | 2 +- rules/cloud/azure/azure_granting_permission_detection.yml | 2 +- rules/network/zeek/zeek_dns_mining_pools.yml | 2 +- rules/network/zeek/zeek_dns_torproxy.yml | 2 +- rules/web/sql_injection_keywords.yml | 2 +- rules/web/xss_keywords.yml | 2 +- rules/windows/builtin/win_event_log_cleared.yml | 2 +- rules/windows/builtin/win_powershelll_empire.yml | 2 +- rules/windows/builtin/win_user_acc_added_removed.yml | 2 +- rules/windows/builtin/win_user_acc_enabled_disabled.yml | 2 +- .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml index d1a608299..74041d51f 100644 --- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml @@ -1,4 +1,4 @@ -title: number of resource creation or deployment activities +title: Number Of Resource Creation Or Deployment Activities id: d2d901db-7a75-45a1-bc39-0cbf00812192 status: experimental author: sawwinnnaung 
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml index cf644a6ba..1a93acee0 100644 --- a/rules/cloud/azure/azure_granting_permission_detection.yml +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -1,4 +1,4 @@ -title: Granting of permissions to an account +title: Granting Of Permissions To An Account id: a622fcd2-4b5a-436a-b8a2-a4171161833c status: experimental author: sawwinnnaung diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 0de24200e..c6b4cde5c 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,5 +1,5 @@ +title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 -title: DNS events related to mining pools description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. references: - Azure Sentinel diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 466ab203e..b3f89c187 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -1,5 +1,5 @@ +title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 -title: DNS tor proxies description: Identifies IPs performing DNS lookups associated with common Tor proxies. references: - Azure Sentinel diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml index f1dd79722..f3d8985ff 100644 --- a/rules/web/sql_injection_keywords.yml +++ b/rules/web/sql_injection_keywords.yml @@ -1,4 +1,4 @@ -title: Detect sql injection by keywords +title: Detect Sql Injection By Keywords id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 status: experimental description: Detects sql injection that use GET requests by keyword searches in URL strings 
diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml index 775ec8717..c5d1470f7 100644 --- a/rules/web/xss_keywords.yml +++ b/rules/web/xss_keywords.yml @@ -1,4 +1,4 @@ -title: Detect XSS Attempts by keywords +title: Detect XSS Attempts By Keywords id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 status: experimental description: Detects XSS that use GET requests by keyword searches in URL strings diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 0fdbdd54c..f8c56070e 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -1,5 +1,5 @@ +title: Security Event Log Cleared id: a122ac13-daf8-4175-83a2-72c387be339d -title: Security Event log cleared status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. references: diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index 8aa638eff..6dc937fef 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,4 +1,4 @@ -title: Powershell Empire cmdlets seen in command line +title: Powershell Empire Cmdlets Seen In Command Line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. references: diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index daf670034..f8ee4d37a 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
@@ -1,4 +1,4 @@ -title: Account added and removed from privileged groups +title: Account Added And Removed From Privileged Groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. references: diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 7751dd330..72857cbc9 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -1,4 +1,4 @@ -title: User account enabled and disabled +title: User Account Enabled And Disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. references: diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 264ac030f..3eb3c977b 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -1,4 +1,4 @@ -title: New user created and added to the built-in administrators group +title: New Uer Created And Added To The Built-in Administrators Group id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. references: From 0de1949c59750c626cf1f3e6950c13479ac99b2e Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:11:43 +0200 Subject: [PATCH 008/108] fix azure_rare_operations.yml --- rules/cloud/azure/azure_rare_operations.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
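Review bot: The retitled win_user_created_added_to_bultin_admins.yml introduces a typo, `New Uer Created`, which will appear verbatim as the alert name in every SIEM this rule is converted for; the line should read `title: New User Created And Added To The Built-in Administrators Group`. The `bultin` misspelling in the file name predates this commit and could be corrected in the same title-fixing pass.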
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml index caa65c030..1796dd12d 100644 --- a/rules/cloud/azure/azure_rare_operations.yml +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -1,4 +1,4 @@ -title: Rare subscription-level operations in Azure +title: Rare Subscription-level Operations In Azure id: c1182e02-49a3-481c-b3de-0fadc4091488 status: experimental author: sawwinnnaung @@ -9,14 +9,14 @@ references: logsource: service: AzureActivity detection: - keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action + keywords: + -Microsoft.DocumentDB/databaseAccounts/listKeys/action -Microsoft.Maps/accounts/listKeys/action -Microsoft.Media/mediaservices/listKeys/action -Microsoft.CognitiveServices/accounts/listKeys/action -Microsoft.Storage/storageAccounts/listKeys/action -Microsoft.Compute/snapshots/write -Microsoft.Network/networkSecurityGroups/write - condition: keywords level: medium falsepositives: From 050fb2b77df50a1bd8294890b253fe0897d5148a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:17:56 +0200 Subject: [PATCH 009/108] fix more errors --- .../azure/azure_granting_permission_detection.yml | 1 - rules/cloud/azure/azure_rare_operations.yml | 14 +++++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml index 1a93acee0..2cfb1fe8b 100644 --- a/rules/cloud/azure/azure_granting_permission_detection.yml +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -11,7 +11,6 @@ logsource: detection: keywords: - Microsoft.Authorization/roleAssignments/write - condition: keywords level: medium falsepositives: diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml index 1796dd12d..49ae1bb74 100644 --- a/rules/cloud/azure/azure_rare_operations.yml +++ b/rules/cloud/azure/azure_rare_operations.yml 
@@ -10,13 +10,13 @@ logsource: service: AzureActivity detection: keywords: - -Microsoft.DocumentDB/databaseAccounts/listKeys/action - -Microsoft.Maps/accounts/listKeys/action - -Microsoft.Media/mediaservices/listKeys/action - -Microsoft.CognitiveServices/accounts/listKeys/action - -Microsoft.Storage/storageAccounts/listKeys/action - -Microsoft.Compute/snapshots/write - -Microsoft.Network/networkSecurityGroups/write + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write condition: keywords level: medium falsepositives: From 40018eef7f102e85ce4788a3540b07806d70c2c1 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:44:01 +0200 Subject: [PATCH 010/108] edit help + case where 'select=' --- tools/sigma/backends/sql.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index cd0b86474..18f8ab309 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
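Review bot: The keyword list now parses, but a bare `keywords` match fires on every `listKeys/action` or `write` operation in AzureActivity, so the "Rare" in the title is not implemented by the detection and the rule as written is a plain key-enumeration alert. Either state that under `falsepositives` (routine listKeys calls from deployment pipelines and portal sessions) or express rarity with a Sigma aggregation over the caller, e.g. `condition: keywords | count() by Caller < 3` — hedged, since the baseline logic of the Sentinel original is not visible here. Keyword matching also searches every field; binding these values to the operation-name field would avoid hits on unrelated text that happens to contain a resource-provider path.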
@@ -45,19 +45,21 @@ class SQLBackend(SingleTextQueryBackend): mapLength = "(%s %s)" options = SingleTextQueryBackend.options + ( - ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ("table", "eventlog", "Use this option to specify table name.", None), + ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) + if "table" in options: self.table = options["table"] else: self.table = "eventlog" - if "select" in options: + if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: self.select_fields = list() From 16269c0d6388b15f72cf5ca416496a66199a22e5 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:47:05 +0200 Subject: [PATCH 011/108] cleaner default value handling --- tools/sigma/backends/sql.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 18f8ab309..31afbb58d 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -48,7 +48,6 @@ class SQLBackend(SingleTextQueryBackend): ("table", "eventlog", "Use this option to specify table name.", None), ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) - def __init__(self, sigmaconfig, options): @@ -62,7 +61,7 @@ class SQLBackend(SingleTextQueryBackend): if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: - self.select_fields = list() + self.select_fields = list("*") def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] 
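Review bot: `options["select"].split(',')` keeps surrounding whitespace, so `--backend-option "select=a, b"` selects a column literally named ` b`; trim and drop empty items with `self.select_fields = [f.strip() for f in options["select"].split(',') if f.strip()]`. The defaults now declared in the `options` tuple (`"eventlog"`, `"*"`) are duplicated by the `if "table" in options ... else "eventlog"` fallback in `__init__`; if the base class fills declared defaults into `options` (not visible here), the `else` branches are dead and the two copies can drift. Both values are later joined straight into the query text as identifiers (`", ".join(self.select_fields)` further down), which is acceptable for an operator-supplied CLI option but worth a one-line comment stating that they are trusted input and not quoted.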
@@ -197,10 +196,7 @@ class SQLBackend(SingleTextQueryBackend): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") result = self.generateNode(parsed.parsedSearch) - select = "*" - - if self.select_fields: - select = ", ".join(self.select_fields) + select = ", ".join(self.select_fields) if parsed.parsedAgg: #Handle aggregation From c1876b9ff68af739f55889f09e1cadcedf982c1b Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 13:33:43 +0200 Subject: [PATCH 012/108] add fields from rules to query + sqlite --- tools/sigma/backends/sql.py | 60 +++++++++++++++++++++++++++++++--- tools/sigma/backends/sqlite.py | 15 +++------ 2 files changed, 61 insertions(+), 14 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 31afbb58d..f18cac2fd 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -21,7 +21,6 @@ import sigma from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT from sigma.parser.exceptions import SigmaParseError - class SQLBackend(SingleTextQueryBackend): """Converts Sigma rule into SQL query""" identifier = "sql" @@ -61,7 +60,7 @@ class SQLBackend(SingleTextQueryBackend): if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: - self.select_fields = list("*") + self.select_fields = list() def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] 
@@ -142,6 +141,47 @@ class SQLBackend(SingleTextQueryBackend): """ return fieldname + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + fields = list() + + # First add fields specified in the rule + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + if type(mapped) == str: + fields.append(mapped) + elif type(mapped) == list: + fields.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + except KeyError: # no 'fields' attribute + pass + + # Then add fields specified in the backend configuration + fields.extend(self.select_fields) + + # Finally, in case fields is empty, add the default value + if not fields: + fields = list("*") + + for parsed in sigmaparser.condparsed: + #query = self.generateQuery(parsed) + query = self._generateQueryWithFields(parsed, fields) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + def cleanValue(self, val): if not isinstance(val, str): return str(val) 
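Review bot: The `try`/`except KeyError: pass` in the new `generate()` wraps the whole mapping loop, not just the `parsedyaml["fields"]` lookup, so a `KeyError` raised inside `get_fieldmapping(...).resolve_fieldname(...)` is silently treated as "rule has no fields" and the query falls back to `SELECT *` with no diagnostic. Narrow the optional part to the key lookup (`.get("fields", [])`, assuming `parsedyaml` is a plain dict as the subscript suggests) and let mapping errors surface. While there, `type(mapped) == str` / `== list` should be `isinstance`, and the commented-out `#query = self.generateQuery(parsed)` is dead code. `fields = list("*")` works only because `"*"` is one character; `["*"]` says what is meant.
```python
        # First add fields specified in the rule; only a missing 'fields' key
        # is optional, a KeyError raised by the mapping itself must surface.
        for field in sigmaparser.parsedyaml.get("fields", []):
            mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser)
            if isinstance(mapped, str):
                fields.append(mapped)
            elif isinstance(mapped, list):
                fields.extend(mapped)
            else:
                raise TypeError("Field mapping must return string or list")
        # … unchanged: backend select fields, "*" default, per-condition query assembly …
```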
@@ -191,12 +231,24 @@ class SQLBackend(SingleTextQueryBackend): return temp_table, agg_condition raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans)) - + def generateQuery(self, parsed): + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") + + def _generateQueryWithFields(self, parsed, fields): + """ + Return a SQL query with fields specified. + """ + result = self.generateNode(parsed.parsedSearch) - select = ", ".join(self.select_fields) + + self.checkFTS(parsed, result) + + select = ", ".join(fields) if parsed.parsedAgg: #Handle aggregation diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py index 8eec13ea7..1f7e4e7ec 100644 --- a/tools/sigma/backends/sqlite.py +++ b/tools/sigma/backends/sqlite.py @@ -18,7 +18,6 @@ from sigma.backends.sql import SQLBackend from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT import re - class SQLiteBackend(SQLBackend): """Converts Sigma rule into SQL query for SQLite""" identifier = "sqlite" @@ -26,6 +25,8 @@ class SQLiteBackend(SQLBackend): mapFullTextSearch = "%s MATCH ('\"%s\"')" + countFTS = 0 + def __init__(self, sigmaconfig, table): super().__init__(sigmaconfig, table) self.mappingItem = False 
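Review bot: `_generateQueryWithFields` builds `select = ", ".join(fields)` with no guard, so an empty list produces `SELECT  FROM ...`; `generate()` happens to substitute `["*"]` first, but this helper is also the documented entry for `generateQuery`, so guard it locally with `select = ", ".join(fields) if fields else "*"`. `checkFTS` now runs after `generateNode` rather than before it as the old code did; that ordering is required by the SQLite override (its counter is filled during node generation), so a one-line comment saying so, `# must follow generateNode: SQLite counts MATCH operators while generating`, would stop someone "fixing" it back. The body of `_generateQueryWithFields` continues past the end of the hunk.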
@@ -108,16 +109,10 @@ class SQLiteBackend(SQLBackend): return self.generateFTS(self.cleanValue(str(node))) def generateQuery(self, parsed): - self.countFTS = 0 - result = self.generateNode(parsed.parsedSearch) + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self.countFTS > 1: raise NotImplementedError( "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result)) self.countFTS = 0 - - if parsed.parsedAgg: - # Handle aggregation - fro, whe = self.generateAggregation(parsed.parsedAgg, result) - return "SELECT * FROM {} WHERE {}".format(fro, whe) - - return "SELECT * FROM {} WHERE {}".format(self.table, result) From 06840be3e7fa65d9fd12031786dbc13c70b1f41d Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 18:46:25 +0200 Subject: [PATCH 013/108] fix author --- rules/windows/builtin/win_anomaly_process_execution.yml | 1 + rules/windows/builtin/win_powershelll_empire.yml | 1 + rules/windows/builtin/win_user_acc_added_removed.yml | 1 + rules/windows/builtin/win_user_acc_enabled_disabled.yml | 1 + .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 1 + 5 files changed, 5 insertions(+) diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 176d64bd6..c49f18c25 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -1,6 +1,7 @@ title: Process Execution Anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index 6dc937fef..a765f45d7 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml 
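Review bot: Removing `self.countFTS = 0` from `generateQuery` means the counter is now reset only on the success path at the end of `checkFTS`; when the check raises `NotImplementedError` for a rule with two MATCH operators the stale count survives on the instance, and every later rule converted by the same backend object (sigmac converts many rules per run) fails the `> 1` check as well. The counter is presumably incremented in `generateFTS`, outside this hunk, so the reset has to happen regardless of outcome; a `try`/`finally` in `checkFTS` covers both the `generateQuery` path and the direct `_generateQueryWithFields` call from `generate()`.
```python
    def checkFTS(self, parsed, result):
        try:
            if self.countFTS > 1:
                raise NotImplementedError(
                    "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result))
        finally:
            # Reset even when raising so one bad rule does not poison the next.
            self.countFTS = 0
```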
+++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,6 +1,7 @@ title: Powershell Empire Cmdlets Seen In Command Line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index f8ee4d37a..8e083b644 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml @@ -1,6 +1,7 @@ title: Account Added And Removed From Privileged Groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 72857cbc9..920efc48e 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -1,6 +1,7 @@ title: User Account Enabled And Disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 3eb3c977b..57bb606cf 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
@@ -1,6 +1,7 @@ title: New Uer Created And Added To The Built-in Administrators Group id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 From 2a3acd7d119f561bc9f17bac2de6bd4fc2f3ca16 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 19:32:54 +0200 Subject: [PATCH 014/108] add selection flag for backward compatibility --- tools/sigma/backends/sql.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index f18cac2fd..b31fba2b8 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -46,7 +46,10 @@ class SQLBackend(SingleTextQueryBackend): options = SingleTextQueryBackend.options + ( ("table", "eventlog", "Use this option to specify table name.", None), ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), + ("selection", False, "Use this option to enable fields selection from Sigma rules.", None), ) + + selection_enabled = False def __init__(self, sigmaconfig, options): @@ -62,6 +65,9 @@ class SQLBackend(SingleTextQueryBackend): else: self.select_fields = list() + if "selection" in options: + self.selection_enabled = True + def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] 
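Review bot: `if "selection" in options: self.selection_enabled = True` in `__init__` tests only for the key's presence, so `--backend-option selection=false` or `selection=0` still enables rule-driven field selection and there is no way to switch it off once given; parse the value instead, e.g. `self.selection_enabled = str(options.get("selection", "")).lower() in ("1", "true", "yes")`. How a bare `--backend-option selection` arrives in `options` is not visible here, so confirm the accepted spellings against the option parser and document them in the option's help text. The class-level `selection_enabled = False` plus the instance assignment is fine, but a comment that the class attribute is the default and the instance attribute the override would make the pairing intentional.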
@@ -162,13 +168,19 @@ class SQLBackend(SingleTextQueryBackend): # Then add fields specified in the backend configuration fields.extend(self.select_fields) + # In case select is specified in backend option, we want to enable selection + if len(self.select_fields) > 0: + self.selection_enabled = True + # Finally, in case fields is empty, add the default value if not fields: fields = list("*") for parsed in sigmaparser.condparsed: - #query = self.generateQuery(parsed) - query = self._generateQueryWithFields(parsed, fields) + if self.selection_enabled: + query = self._generateQueryWithFields(parsed, fields) + else: + query = self.generateQuery(parsed) before = self.generateBefore(parsed) after = self.generateAfter(parsed) From b4a029ac3c40d2297abbf4d197ae2d4c368b3625 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 13:55:09 +0200 Subject: [PATCH 015/108] Add win_susp_screensaver_reg.yml --- .../win_susp_netsh_dll_persistence.yml | 6 +-- .../win_susp_screensaver_reg.yml | 52 +++++++++++++++++++ 2 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 rules/windows/process_creation/win_susp_screensaver_reg.yml diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml index 20eaa79ea..3ee753935 100644 --- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml 
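Review bot: `fields.extend(self.select_fields)` right above the new block can produce duplicates when the rule's `fields:` and the `select=` option overlap, giving `SELECT a, a FROM ...`; dedupe while preserving order with `fields = list(dict.fromkeys(fields))` before the empty check. `if len(self.select_fields) > 0:` is the non-idiomatic spelling of `if self.select_fields:`. Flipping `self.selection_enabled` inside `generate()` mutates instance state from a per-rule method; it is harmless here because `select_fields` is fixed at construction, but a comment saying so would save the next reader the question.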
@@ -3,12 +3,12 @@ id: 56321594-9087-49d9-bf10-524fe8479452 description: Detects persitence via netsh helper status: test references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md + - https://attack.mitre.org/software/S0108/ tags: - - attack.persistence + - attack.privilege_escalation - attack.t1546.007 - attack.s0108 - - attack.t1128 # an old one date: 2019/10/25 modified: 2020/08/30 author: Victor Sergeev, oscd.community diff --git a/rules/windows/process_creation/win_susp_screensaver_reg.yml b/rules/windows/process_creation/win_susp_screensaver_reg.yml new file mode 100644 index 000000000..5d49d1c87 --- /dev/null +++ b/rules/windows/process_creation/win_susp_screensaver_reg.yml 
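Review bot: Replacing `attack.persistence` with `attack.privilege_escalation` drops the tactic the rule is actually about; T1546.007 (Netsh Helper DLL) is mapped to both Persistence and Privilege Escalation in ATT&CK, and the description on the context line says "Detects persitence via netsh helper", so keep both tags: `- attack.persistence` and `- attack.privilege_escalation`. The references and tags changed but `modified: 2020/08/30` was not bumped, which the repository's date checks will flag. The typo "persitence" in the untouched description line could be fixed in the same commit.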
@@ -0,0 +1,52 @@ +title: Suspicious ScreenSave Change by Reg.exe +id: 0fc35fc3-efe6-4898-8a37-0b233339524f +status: experimental +author: frack113 +date: 2021/08/19 +description: | + Adversaries may establish persistence by executing malicious content triggered by user inactivity. + Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md + - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +tags: + - attack.privilege_escalation + - attack.t1546.002 +logsource: + category: process_creation + product: windows +detection: + selection_reg: + Image|endswith: reg.exe + CommandLine|contains: + - 'HKEY_CURRENT_USER\Control Panel\Desktop' + - 'HKCU\Control Panel\Desktop' + selection_option_1: # /force Active ScreenSaveActive + CommandLine|contains|all: + - '/v ScreenSaveActive' + - '/t REG_SZ' + - '/d 1' + - '/f' + selection_option_2: # /force set ScreenSaveTimeout + CommandLine|contains|all: + - '/v ScreenSaveTimeout' + - '/t REG_SZ' + - '/d ' + - '/f' + selection_option_3: # /force set ScreenSaverIsSecure + CommandLine|contains|all: + - '/v ScreenSaverIsSecure' + - '/t REG_SZ' + - '/d 0' + - '/f' + selection_option_4: # /force set a .scr + CommandLine|contains|all: + - '/v SCRNSAVE.EXE' + - '/t REG_SZ' + - '/d ' + - '.scr' + - '/f' + condition: selection_reg and 1 of selection_option_* +falsepositives: + - GPO +level: medium \ No newline at end of file From 1266a66a8d5cb6ea745e672de6a5f8965b8571ce Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 15:37:28 +0200 Subject: [PATCH 016/108] add powershell_wmi_persistence.yml --- .../powershell/powershell_wmi_persistence.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/powershell/powershell_wmi_persistence.yml 
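Review bot: `Image|endswith: reg.exe` has no path separator, so any binary whose name ends in `reg.exe` (e.g. `ccreg.exe`) matches; use `Image|endswith: '\reg.exe'` as the other process_creation rules do. T1546.002 (Screensaver) sits under both Persistence and Privilege Escalation and the description opens with "establish persistence", so add `- attack.persistence` next to the existing tag. The `'/d 1'` and `'/d 0'` values are substring matches and will also hit `/d 10`; if that matters, `'/d 1 '` or a regex on the full command line is tighter. `falsepositives: - GPO` is worth a second look: group-policy-applied screensaver settings are normally written by the registry client-side extension rather than by `reg.exe`, so the real false positives are more likely admin scripts.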
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml new file mode 100644 index 000000000..c5a43e787 --- /dev/null +++ b/rules/windows/powershell/powershell_wmi_persistence.yml @@ -0,0 +1,34 @@ +title: Powershell WMI persistence +id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 +status: experimental +author: frack113 +date: 2021/08/19 +description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md + - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 +tags: + - attack.privilege_escalation + - attack.t1546.003 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_ioc: + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName __EventFilter + - '-Property ' #is a variable name + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName CommandLineEventConsumer ' + - '-Property ' #is a variable name + condition: all all them +falsepositives: + - Unknown +level: medium \ No newline at end of file From 89b6e1108ba3abe67396b5d1b6d2de13ee8578e2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 15:42:19 +0200 Subject: [PATCH 017/108] powershell_wmi_persistence fix errors --- rules/windows/powershell/powershell_wmi_persistence.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml index c5a43e787..905595418 100644 --- a/rules/windows/powershell/powershell_wmi_persistence.yml 
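Review bot: Both `selection_ioc` entries require the literal `'-Namespace root/subscription '`, so the equally common backslash spelling `root\subscription` is missed; add that variant to each list or match on `'subscription '` with the class name carrying the specificity. The referenced Empire `Persistence.psm1` builds its filter and consumer with `Set-WmiInstance` rather than `New-CimInstance`, as far as I recall, which would mean the rule does not catch its own reference, so verify against the cited line and consider a second selection for `Set-WmiInstance`. Neither entry covers the `__FilterToConsumerBinding` instance that actually arms the subscription, which is the most reliable of the three to key on. T1546.003 is also a Persistence technique, so `- attack.persistence` belongs beside the existing tag. The unbalanced quote on `'-ClassName __EventFilter` and `all all them` are fixed in the following commit.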
+++ b/rules/windows/powershell/powershell_wmi_persistence.yml @@ -21,14 +21,14 @@ detection: - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - - '-ClassName __EventFilter + - '-ClassName __EventFilter ' - '-Property ' #is a variable name - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - '-ClassName CommandLineEventConsumer ' - '-Property ' #is a variable name - condition: all all them + condition: all of them falsepositives: - Unknown level: medium \ No newline at end of file From 90c9c08743271bc8bd71b0a7872d4c71c1dc17c6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 16:09:31 +0200 Subject: [PATCH 018/108] fix title --- rules/windows/powershell/powershell_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml index 905595418..514bf4537 100644 --- a/rules/windows/powershell/powershell_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_wmi_persistence.yml @@ -1,4 +1,4 @@ -title: Powershell WMI persistence +title: Powershell WMI Persistence id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 status: experimental author: frack113 From f1a84536c3bbf95ae420cad12cbe2ae98fe6a554 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 17:55:41 +0200 Subject: [PATCH 019/108] update fix --- rules/network/zeek/zeek_dns_mining_pools.yml | 103 +++++++++++++----- rules/network/zeek/zeek_dns_torproxy.yml | 39 ++++++- .../builtin/win_anomaly_process_execution.yml | 8 +- .../windows/builtin/win_event_log_cleared.yml | 2 +- 4 files changed, 115 insertions(+), 37 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c6b4cde5c..8adfe85df 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
@@ -2,9 +2,9 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. references: - - Azure Sentinel -date: 2021/08/15 -author: Saw Winn Naung + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml +date: 2021/08/19 +author: Saw Winn Naung , Azure-Sentinel level: medium logsource: service: dns 
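Review bot: Changing `date: 2021/08/15` to `2021/08/19` rewrites the rule's creation date; Sigma keeps `date` fixed and records updates in `modified:`, so this should be `date: 2021/08/15` plus `modified: 2021/08/19`. The new `author: Saw Winn Naung , Azure-Sentinel` carries a stray space before the comma (`Saw Winn Naung, Azure-Sentinel`). The same `date` rewrite should be checked in the sibling zeek rules touched by this commit.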
@@ -15,30 +15,79 @@ tags: detection: selection: query: - - 'monerohash.com' - - 'do-dear.com' - - 'xmrminerpro.com' - - 'secumine.net' - - 'xmrpool.com' - - 'minexmr.org' - - 'hashanywhere.com' - - 'xmrget.com' - - 'mininglottery.eu' - - 'minergate.com' - - 'moriaxmr.com' - - 'multipooler.com' - - 'moneropools.com' - - 'xmrpool.eu' - - 'coolmining.club' - - 'supportxmr.com' - - 'minexmr.com' - - 'coinfoundry.org' - - 'cryptoknight.cc' - - 'fairhash.org' - - 'baikalmine.com' - - 'tubepool.xyz' - - 'fairpool.xyz' - - 'asiapool.io' + - "monerohash.com" + - "do-dear.com" + - "xmrminerpro.com" + - "secumine.net" + - "xmrpool.com" + - "minexmr.org" + - "hashanywhere.com" + - "xmrget.com" + - "mininglottery.eu" + - "minergate.com" + - "moriaxmr.com" + - "multipooler.com" + - "moneropools.com" + - "xmrpool.eu" + - "coolmining.club" + - "supportxmr.com" + - "minexmr.com" + - "hashvault.pro" + - "xmrpool.net" + - "crypto-pool.fr" + - "xmr.pt" + - "miner.rocks" + - "walpool.com" + - "herominers.com" + - "gntl.co.uk" + - "semipool.com" + - "coinfoundry.org" + - "cryptoknight.cc" + - "fairhash.org" + - "baikalmine.com" + - "tubepool.xyz" + - "fairpool.xyz" + - "asiapool.io" + - "coinpoolit.webhop.me" + - "nanopool.org" + - "moneropool.com" + - "miner.center" + - "prohash.net" + - "poolto.be" + - "cryptoescrow.eu" + - "monerominers.net" + - "cryptonotepool.org" + - "extrmepool.org" + - "webcoin.me" + - "kippo.eu" + - "hashinvest.ws" + - "monero.farm" + - "supportxmr.com" + - "xmrpool.eu" + - "linux-repository-updates.com" + - "1gh.com" + - "dwarfpool.com" + - "hash-to-coins.com" + - "hashvault.pro" + - "pool-proxy.com" + - "hashfor.cash" + - "fairpool.cloud" + - "litecoinpool.org" + - "mineshaft.ml" + - "abcxyz.stream" + - "moneropool.ru" + - "cryptonotepool.org.uk" + - "extremepool.org" + - "extremehash.com" + - "hashinvest.net" + - "unipool.pro" + - "crypto-pools.org" + - "monero.net" + - "backup-pool.com" + - "mooo.com" + - "freeyy.me" + - "cryptonight.net" + - 
"shscrypto.net" condition: selection fields: - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index b3f89c187..e073a15ec 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -2,9 +2,9 @@ title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 description: Identifies IPs performing DNS lookups associated with common Tor proxies. references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml date: 2021/08/15 -author: Saw Winn Naung +author: Saw Winn Naung , Azure-Sentinel level: medium logsource: service: dns @@ -14,9 +14,38 @@ tags: detection: selection: query: - - 'tor2web.*' - - 'onion.*' - - '*tor-gateways*' + - "tor2web.org" + - "tor2web.com" + - "torlink.co" + - "onion.to" + - "onion.ink" + - "onion.cab" + - "onion.nu" + - "onion.link" + - "onion.it" + - "onion.city" + - "onion.direct" + - "onion.top" + - "onion.casa" + - "onion.plus" + - "onion.rip" + - "onion.dog" + - "tor2web.fi" + - "tor2web.blutmagie.de" + - "onion.sh" + - "onion.lu" + - "onion.pet" + - "t2w.pw" + - "tor2web.ae.org" + - "tor2web.io" + - "tor2web.xyz" + - "onion.lt" + - "s1.tor-gateways.de" + - "s2.tor-gateways.de" + - "s3.tor-gateways.de" + - "s4.tor-gateways.de" + - "s5.tor-gateways.de" + - "hiddenservice.net" condition: selection fields: - clientip diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index c49f18c25..163af4790 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
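Review bot: The `query:` list is an exact-value match, and miners normally resolve pool hostnames such as `pool.<domain>` or `<region>.<domain>` rather than the bare apex, so most of the new entries will only fire on an apex lookup; pair each with a `query|endswith: '.<domain>'` selection (or use `endswith` throughout) to catch subdomains. `mooo.com` is, as far as I know, a general-purpose free dynamic-DNS zone rather than a mining pool, so as a bare match it will fire on unrelated traffic and should either be dropped or narrowed to the specific host the Sentinel source intends. The duplicated `supportxmr.com`, `xmrpool.eu` and `hashvault.pro` entries are removed in the next commit.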
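Review bot: Replacing the `tor2web.*` / `onion.*` / `*tor-gateways*` wildcards with exact domains breaks the detection: Tor2web gateways are used as `<onionhash>.onion.to`, `<onionhash>.tor2web.org` and so on, so the `query` field carries a subdomain and an equality match on `onion.to` will essentially never fire. Keep the exact list for apex lookups but add a `query|endswith` selection with the same values prefixed by a dot, e.g. `- '.onion.to'`, and OR the two selections in the condition. The `s1.tor-gateways.de` ... `s5.tor-gateways.de` entries would likewise be covered by a single `'.tor-gateways.de'` suffix.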
@@ -3,15 +3,15 @@ id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' author: sawwinnnaung references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml date: 2021/08/15 level: medium -logsource: - product: windows - category: process_creation tags: - attack.execution - attack.t1064 +logsource: + product: windows + category: process_creation detection: selection: NewProcessName|contains: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index f8c56070e..e3a88f08d 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -3,7 +3,7 @@ id: a122ac13-daf8-4175-83a2-72c387be339d status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 author: Saw Winn Naung level: medium From 3283664154cc1cccd63cd9e40cdf2cac9d0616a2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 18:28:44 +0200 Subject: [PATCH 020/108] Update remove useless rules --- rules/network/zeek/zeek_dns_mining_pools.yml | 3 - .../builtin/win_anomaly_process_execution.yml | 24 -- .../builtin/win_powershelll_empire.yml | 309 ------------------ 3 files changed, 336 deletions(-) delete mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml delete mode 100644 rules/windows/builtin/win_powershelll_empire.yml diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 8adfe85df..71003888c 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
@@ -62,13 +62,10 @@ detection: - "kippo.eu" - "hashinvest.ws" - "monero.farm" - - "supportxmr.com" - - "xmrpool.eu" - "linux-repository-updates.com" - "1gh.com" - "dwarfpool.com" - "hash-to-coins.com" - - "hashvault.pro" - "pool-proxy.com" - "hashfor.cash" - "fairpool.cloud" diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml deleted file mode 100644 index 163af4790..000000000 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Process Execution Anomaly -id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 -description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' -author: sawwinnnaung -references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml -date: 2021/08/15 -level: medium -tags: - - attack.execution - - attack.t1064 -logsource: - product: windows - category: process_creation -detection: - selection: - NewProcessName|contains: - - 'powershell.exe' - - 'cmd.exe' - - 'wmic.exe' - - 'psexec.exe' - - 'cacls.exe' - - 'rundll.exe' - condition: selection diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml deleted file mode 100644 index a765f45d7..000000000 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ /dev/null 
@@ -1,309 +0,0 @@ -title: Powershell Empire Cmdlets Seen In Command Line -id: ef88eb96-861c-43a0-ab16-f3835a97c928 -description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - product: windows - category: process_creation -tags: - - attack.execution - - attack.persistence - - attack.t1208 -detection: - selection1: - CommandLine|contains: ' -encodedCommand' - selection2: - CommandLine: - - 'SetDelay' - - 'GetDelay' - - 'Set-LostLimit' - - 'Get-LostLimit' - - 'Set-Killdate' - - 'Get-Killdate' - - 'Set-WorkingHours' - - 'Get-WorkingHours' - - 'Get-Sysinfo' - - 'Add-Servers' - - 'Invoke-ShellCommand' - - 'Start-AgentJob' - - 'Update-Profile' - - 'Get-FilePart' - - 'Encrypt-Bytes' - - 'Decrypt-Bytes' - - 'Encode-Packet' - - 'Decode-Packet' - - 'Send-Message' - - 'Process-Packet' - - 'Process-Tasking' - - 'Get-Task' - - 'Start-Negotiate' - - 'Invoke-DllInjection' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-Shellcode' - - 'Invoke-ShellcodeMSIL' - - 'Get-ChromeDump' - - 'Get-ClipboardContents' - - 'Get-IndexedItem' - - 'Get-Keystrokes' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'local:Invoke-PatchDll' - - 'Invoke-NinjaCopy' - - 'Get-Win32Types' - - 'Get-Win32Constants' - - 'Get-Win32Functions' - - 'Sub-SignedIntAsUnsigned' - - 'Add-SignedIntAsUnsigned' - - 'Compare-Val1GreaterThanVal2AsUInt' - - 'Convert-UIntToInt' - - 'Test-MemoryRangeValid' - - 'Write-BytesToMemory' - - 'Get-DelegateType' - - 'Get-ProcAddress' - - 'Enable-SeDebugPrivilege' - - 'Invoke-CreateRemoteThread' - - 'Get-ImageNtHeaders' - - 'Get-PEBasicInfo' - - 'Get-PEDetailedInfo' - - 'Import-DllInRemoteProcess' - - 'Get-RemoteProcAddress' - - 'Copy-Sections' - - 'Update-MemoryAddresses' - - 'Import-DllImports' - - 'Get-VirtualProtectValue' - - 'Update-MemoryProtectionFlags' - - 'Update-ExeFunctions' - - 'Copy-ArrayOfMemAddresses' - - 'Get-MemoryProcAddress' - 
- 'Invoke-MemoryLoadLibrary' - - 'Invoke-MemoryFreeLibrary' - - 'Out-Minidump' - - 'Get-VaultCredential' - - 'Invoke-DCSync' - - 'Translate-Name' - - 'Get-NetDomain' - - 'Get-NetForest' - - 'Get-NetForestDomain' - - 'Get-DomainSearcher' - - 'Get-NetComputer' - - 'Get-NetGroupMember' - - 'Get-NetUser' - - 'Invoke-Mimikatz' - - 'Invoke-PowerDump' - - 'Invoke-TokenManipulation' - - 'Exploit-JMXConsole' - - 'Exploit-JBoss' - - 'Invoke-Thunderstruck' - - 'Invoke-VoiceTroll' - - 'Set-WallPaper' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'Invoke-SendMail' - - 'Invoke-Rule' - - 'Get-OSVersion' - - 'Select-EmailItem' - - 'View-Email' - - 'Get-OutlookFolder' - - 'Get-EmailItems' - - 'Invoke-MailSearch' - - 'Get-SubFolders' - - 'Get-GlobalAddressList' - - 'Invoke-SearchGAL' - - 'Get-SMTPAddress' - - 'Disable-SecuritySettings' - - 'Reset-SecuritySettings' - - 'Get-OutlookInstance' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-PatchDll' - - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'New-ElevatedPersistenceOption' - - 'New-UserPersistenceOption' - - 'Add-Persistence' - - 'Invoke-CallbackIEX' - - 'Add-PSFirewallRules' - - 'Invoke-EventLoop' - - 'Invoke-PortBind' - - 'Invoke-DNSLoop' - - 'Invoke-PacketKnock' - - 'Invoke-CallbackLoop' - - 'Invoke-BypassUAC' - - 'Get-DecryptedCpassword' - - 'Get-GPPInnerFields' - - 'Invoke-WScriptBypassUAC' - - 'Get-ModifiableFile' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceUserAdd' - - 'Invoke-ServiceCMD' - - 'Write-UserAddServiceBinary' - - 'Write-CMDServiceBinary' - - 'Write-ServiceEXE' - - 'Write-ServiceEXECMD' - - 'Restore-ServiceEXE' - - 'Invoke-ServiceStart' - - 'Invoke-ServiceStop' - - 'Invoke-ServiceEnable' - - 'Invoke-ServiceDisable' - - 'Get-ServiceDetail' - - 'Find-DLLHijack' - - 'Find-PathHijack' - - 'Write-HijackDll' - - 'Get-RegAlwaysInstallElevated' - - 'Get-RegAutoLogon' - - 
'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-Webconfig' - - 'Get-ApplicationHost' - - 'Write-UserAddMSI' - - 'Invoke-AllChecks' - - 'Invoke-ThreadedFunction' - - 'Test-Login' - - 'Get-UserAgent' - - 'Test-Password' - - 'Get-ComputerDetails' - - 'Find-4648Logons' - - 'Find-4624Logons' - - 'Find-AppLockerLogs' - - 'Find-PSScriptsInPSAppLog' - - 'Find-RDPClientConnections' - - 'Get-SystemDNSServer' - - 'Invoke-Paranoia' - - 'Invoke-WinEnum{' - - 'Get-SPN' - - 'Invoke-ARPScan' - - 'Invoke-Portscan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'New-InMemoryModule' - - 'Add-Win32Type' - - 'Export-PowerViewCSV' - - 'Get-MacAttribute' - - 'Copy-ClonedFile' - - 'Get-IPAddress' - - 'Convert-NameToSid' - - 'Convert-SidToName' - - 'Convert-NT4toCanonical' - - 'Get-Proxy' - - 'Get-PathAcl' - - 'Get-NameField' - - 'Convert-LDAPProperty' - - 'Get-NetDomainController' - - 'Add-NetUser' - - 'Add-NetGroupUser' - - 'Get-UserProperty' - - 'Find-UserField' - - 'Get-UserEvent' - - 'Get-ObjectAcl' - - 'Add-ObjectAcl' - - 'Invoke-ACLScanner' - - 'Get-GUIDMap' - - 'Get-ADObject' - - 'Set-ADObject' - - 'Get-ComputerProperty' - - 'Find-ComputerField' - - 'Get-NetOU' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-DomainSID' - - 'Get-NetGroup' - - 'Get-NetFileServer' - - 'SplitPath' - - 'Get-DFSshare' - - 'Get-DFSshareV1' - - 'Get-DFSshareV2' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - - 'Get-NetGPO' - - 'Get-NetGPOGroup' - - 'Find-GPOLocation' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 
'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Find-GPOComputerAdmin' - - 'Invoke-ImpersonateUser' - - 'Create-ProcessWithToken' - - 'Free-AllTokens' - - 'Enum-AllTokens' - - 'Invoke-RevertToSelf' - - 'Set-Speaker(\$Volume){\$wshShell' - - 'Local:Get-RandomString' - - 'Local:Invoke-PsExecCmd' - - 'Get-GPPPassword' - - 'Local:Inject-BypassStuff' - - 'Local:Invoke-CopyFile\(\$sSource,' - - 'ind-Fruit' - - 'New-IPv4Range' - - 'New-IPv4RangeFromCIDR' - - 'Parse-Hosts' - - 'Parse-ILHosts' - - 'Exclude-Hosts' - - 'Get-TopPort' - - 'Parse-Ports' - - 'Parse-IpPorts' - - 'Remove-Ports' - - 'Write-PortscanOut' - - 'Convert-SwitchtoBool' - - 'Get-ForeignUser' - - 'Get-ForeignGroup' - condition: selection1 or selection2 \ No newline at end of file From 23ad8cd14e9d0b71c1a1e45c0fb2f7c0538df534 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 19 Aug 2021 18:30:32 +0200 Subject: [PATCH 021/108] remove bad rules --- .../builtin/win_user_acc_added_removed.yml | 28 ------------------- .../builtin/win_user_acc_enabled_disabled.yml | 22 --------------- ...in_user_created_added_to_bultin_admins.yml | 23 --------------- 3 files changed, 73 deletions(-) delete mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml delete mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml delete mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml deleted file mode 100644 index 8e083b644..000000000 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Account Added And Removed From Privileged Groups -id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 -description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection1: - EventID: - - 4728 - - 4732 - - 4756 - selection2: - EventID: - - 4729 - - 4733 - - 4757 - condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml deleted file mode 100644 index 920efc48e..000000000 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -title: User Account Enabled And Disabled -id: 3d023f64-8225-41a2-9570-2bd7c2c4535e -description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4722 - - 4725 - condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml deleted file mode 100644 index 57bb606cf..000000000 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: New Uer Created And Added To The Built-in Administrators Group -id: aa1eff90-29d4-49dc-a3ea-b65199f516db -description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation -relevantTechniques: - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4720 - - 4732 - condition: selection \ No newline at end of file From 4e895da471f221aff0ed5f94db6c622bb00634e3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 20 Aug 2021 09:20:56 +0200 Subject: [PATCH 022/108] fix error "has no len()" --- tools/sigma/backends/base.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 08d29b4ba..469c06480 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
@@ -277,9 +277,10 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateSubexpressionNode(self, node): generated = self.generateNode(node.items) - if len(node.items) == 1: - # A sub expression with length 1 is not a proper sub expression, no self.subExpression required - return generated + if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated if generated: return self.subExpression % generated else: From f09b3ea4b18842866b9f2e007e9340649b275730 Mon Sep 17 00:00:00 2001 
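Review bot: The new guard `if 'len'in dir(node.items):` never matches, because `dir()` reports attribute names such as `__len__`, not the builtin `len`; the length-1 shortcut under it is now dead code, so every single-item subexpression gets wrapped in `self.subExpression` and the generated queries change rather than just avoiding the TypeError. Test the protocol instead, e.g. `if hasattr(node.items, '__len__') and len(node.items) == 1:`, keeping the original explanatory comment (the reported error came from a `NodeSubexpression` in `node.items`, which that check also handles). Also add the missing space in `'len'in`. The `else:` branch of generateSubexpressionNode continues past the hunk.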
From: Rachel Rice Date: Fri, 20 Aug 2021 13:43:00 +0100 Subject: [PATCH 023/108] Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role` --- rules/cloud/aws/aws_ec2_disable_encryption.yml | 3 +-- rules/cloud/aws/aws_ec2_download_userdata.yml | 4 ++-- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 6 ++---- rules/cloud/aws/aws_iam_backdoor_users_keys.yml | 4 ++-- rules/cloud/aws/aws_rds_change_master_password.yml | 4 ++-- rules/cloud/aws/aws_rds_public_db_restore.yml | 4 ++-- ...drole_misuse.yml => aws_sts_assumerole_misuse.yml} | 11 ++++++----- 7 files changed, 17 insertions(+), 19 deletions(-) rename rules/cloud/aws/{aws_sts_assumedrole_misuse.yml => aws_sts_assumerole_misuse.yml} (51%) diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index ea7330a3b..e383c9495 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml 
@@ -4,7 +4,7 @@ status: stable description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. author: Sittikorn S date: 2021/06/29 -modified: 2021/08/09 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: @@ -17,7 +17,6 @@ detection: selection: eventSource: ec2.amazonaws.com eventName: DisableEbsEncryptionByDefault - status: success condition: selection falsepositives: - System Administrator Activities diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index 073bdf6b6..be6b74389 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -4,9 +4,9 @@ status: experimental description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index dff7a078e..2fed0c668 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml 
@@ -4,6 +4,7 @@ status: experimental description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: @@ -16,10 +17,7 @@ detection: errorMessage: '*' filter2: errorCode: '*' - filter3: - eventName: 'ConsoleLogin' - responseElements|contains: 'Failure' - condition: selection and (filter1 or filter2 or filter3) + condition: selection and (filter1 or filter2) level: low tags: - attack.collection diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml index 2af725c89..7991b3ae5 100644 --- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml @@ -4,9 +4,9 @@ status: experimental description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml index 4204cbaff..cfdfb70a2 100644 --- a/rules/cloud/aws/aws_rds_change_master_password.yml +++ b/rules/cloud/aws/aws_rds_change_master_password.yml 
@@ -4,9 +4,9 @@ status: experimental description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml index 41497778e..fdc8c19d8 100644 --- a/rules/cloud/aws/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws/aws_rds_public_db_restore.yml @@ -4,9 +4,9 @@ status: experimental description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml similarity index 51% rename from rules/cloud/aws/aws_sts_assumedrole_misuse.yml rename to rules/cloud/aws/aws_sts_assumerole_misuse.yml index 2e9d22f48..3bc5af7f6 100644 --- a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml 
@@ -1,9 +1,10 @@ -title: AWS STS AssumedRole Misuse +title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 -description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. +description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. author: Austin Songer @austinsonger status: experimental date: 2021/07/24 +modified: 2021/08/20 references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html @@ -12,8 +13,8 @@ logsource: detection: selection: eventSource: sts.amazonaws.com - eventName: AssumedRole - userIdentity.sessionContext: Role + eventName: AssumeRole + userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low tags: @@ -23,5 +24,5 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From f037f5b0a928bacc97ebf991e9cbbc0e47103be3 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Fri, 20 Aug 2021 15:42:49 +0100 Subject: [PATCH 024/108] Add filter3 back for vm export failure, without consolelogin Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
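Review bot: In the `@@ -12,8 +13,8 @@` hunk the selection `eventName: AssumeRole` with `userIdentity.sessionContext.sessionIssuer.type: Role` matches every AssumeRole call made from an existing role session, i.e. ordinary role chaining, which in accounts using instance profiles, Lambda execution roles or cross-account automation is routine and will fire constantly even at `level: low`. The description still promises the "suspicious" use of AssumeRole, but nothing in the selection narrows it; consider a filter on the target role (`requestParameters.roleArn`) or on the issuing role (`userIdentity.sessionContext.sessionIssuer.arn`) to exclude known service roles, or state in `falsepositives` that the rule is a broad role-chaining baseline meant for hunting rather than alerting.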
diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index 2fed0c668..05baed245 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml @@ -17,7 +17,9 @@ detection: errorMessage: '*' filter2: errorCode: '*' - condition: selection and (filter1 or filter2) + filter3: + responseElements|contains: 'Failure' + condition: selection and (filter1 or filter2 or filter3) level: low tags: - attack.collection From b9a355e3f428906023a78ca6678491890477d0be Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 20 Aug 2021 17:18:32 +0200 Subject: [PATCH 025/108] cleanup falsepositives --- rules/cloud/aws/aws_sts_assumerole_misuse.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index 3bc5af7f6..f74646120 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml @@ -24,5 +24,6 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From cb95582077c675b9fc47a389bb93f3cefcbd8ce8 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 21 Aug 2021 09:08:38 +0200 Subject: [PATCH 026/108] Update PowerShell rule --- .../powershell_malicious_keywords.yml | 47 ++++++++++--------- ...wershell_nishang_malicious_commandlets.yml | 11 +++-- 2 files changed, 31 insertions(+), 27 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 03858d395..071f37257 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml 
@@ -10,33 +10,36 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: - keywords: - - "AdjustTokenPrivileges" - - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" - - "Microsoft.Win32.UnsafeNativeMethods" - - "ReadProcessMemory.Invoke" - - "SE_PRIVILEGE_ENABLED" - - "LSA_UNICODE_STRING" - - "MiniDumpWriteDump" - - "PAGE_EXECUTE_READ" - - "SECURITY_DELEGATION" - - "TOKEN_ADJUST_PRIVILEGES" - - "TOKEN_ALL_ACCESS" - - "TOKEN_ASSIGN_PRIMARY" - - "TOKEN_DUPLICATE" - - "TOKEN_ELEVATION" - - "TOKEN_IMPERSONATE" - - "TOKEN_INFORMATION_CLASS" - - "TOKEN_PRIVILEGES" - - "TOKEN_QUERY" - - "Metasploit" - - "Mimikatz" - condition: keywords + Malicious: + EventID: 4104 + ScriptBlockText|contains: + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" + condition: Malicious falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index e8a9ef6c1..90b3e7a76 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml 
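Review bot: The detection now keys on `EventID: 4104` and `ScriptBlockText|contains`, so script block logging is a hard requirement, yet the `definition` line in the context above the hunk still only says it is "recommended"; change it to `definition: Script block logging must be enabled`, as the rules in the following patches do. The selection name `Malicious` (and `Nishang` in the second file of this patch) is capitalised while the other rules in this series use lowercase identifiers such as `selection`; a lowercase name keeps the set consistent. Moving away from free-text `keywords` also drops coverage of 4103 module-logging events that previously matched, which is reasonable but worth a sentence in the description.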
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/07/21 +modified: 2021/08/21 references: - https://github.com/samratashok/nishang tags: @@ -14,10 +14,11 @@ author: Alec Costello logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 + definition: Script block logging must be enabled detection: - keywords: - Payload|contains: + Nishang: + EventID: 4104 + ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions - DNS_TXT_Pwnage @@ -89,7 +90,7 @@ detection: - NotAllNameSpaces - exfill - FakeDC - condition: keywords + condition: Nishang falsepositives: - Penetration testing level: high From 6c529f7ab27c9574da2d5a50dc661714e4d03a00 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:33:52 +0200 Subject: [PATCH 027/108] Update PS rules --- .../powershell_clear_powershell_history.yml | 2 +- .../powershell/powershell_ntfs_ads_access.yml | 20 +++++++++++-------- .../powershell/powershell_powercat.yml | 1 + ...rshell_powerview_malicious_commandlets.yml | 6 +++--- .../powershell_prompt_credentials.yml | 7 +++---- .../powershell/powershell_psattack.yml | 8 ++++---- .../powershell_remote_powershell_session.yml | 1 + .../powershell/powershell_shellcode_b64.yml | 2 +- ...shell_shellintel_malicious_commandlets.yml | 5 +++-- 9 files changed, 29 insertions(+), 23 deletions(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index e937037d6..ff01b1534 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 9ee13a9fa..0d38b0d77 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -13,18 +13,22 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2020/08/24 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: - keyword1: - - "set-content" - - "add-content" - keyword2: - - "-stream" - condition: keyword1 and keyword2 + event: + EventID: 4104 + content: + ScriptBlockText|contains: + - "set-content" + - "add-content" + stream: + ScriptBlockText|contains: + - "-stream" + condition: all of them falsepositives: - unknown level: high diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index 553a8059a..c4c5cb0cf 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -31,6 +31,7 @@ detection: logsource: product: windows service: powershell + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml index b98fbb4cb..1b2b74546 100644 --- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml 
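Review bot: The new `definition` in the powershell_powercat.yml hunk reads `Module Logging must be enable`; it should be `definition: Module Logging must be enabled`. The same wording appears in the powershell_powerview_malicious_commandlets.yml, powershell_remote_powershell_session.yml and powershell_shellintel_malicious_commandlets.yml hunks of this patch and in powershell_bad_opsec_artifacts.yml in PATCH 028, and the powershell_clear_powershell_history.yml definition in this same patch has a stray space before its comma. Since `definition` is what an analyst reads to know which audit policy the rule depends on, consistent wording across the set is worth a pass.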
@@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa status: experimental description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. date: 2021/05/18 -modified: 2021/07/02 +modified: 2021/08/21 references: - https://powersploit.readthedocs.io/en/stable/Recon/README - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon @@ -16,11 +16,11 @@ author: Bhabesh Raj logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Export-PowerViewCSV - Get-IPAddress - Resolve-IPAddress diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 8ef73b448..b3d5e7133 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -16,13 +16,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 - keyword: ScriptBlockText|contains: 'PromptForCredential' - condition: all of them -falsepositives: + condition: selection +falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 0b3d41679..78690987e 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml 
@@ -10,15 +10,15 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: selection: - EventID: 4103 - keyword: - - 'PS ATTACK!!!' + EventID: 4104 + ScriptBlockText|contains: 'PS ATTACK!!!' condition: all of them falsepositives: - Pentesters diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 3e345947a..237c546b5 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -22,6 +22,7 @@ level: high logsource: product: windows service: powershell + definition: Module Logging must be enable and fields have to be extract from event detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca2..45ea29091 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -17,7 +17,7 @@ modified: 2020/12/01 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml index e65c3c23b..62dfb25f8 100644 --- a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml 
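Review bot: After this change powershell_psattack.yml has a single `selection` but keeps `condition: all of them`; `condition: selection` expresses the same thing and matches the edit made to powershell_prompt_credentials.yml in this patch. Switching from `EventID: 4103` to `4104` also moves the rule from module logging to script block logging; the updated `definition` reflects that, but the change of data source deserves a mention in the commit message since it alters which audit policy must be enabled for the rule to fire.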
@@ -3,6 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. date: 2021/08/09 +modified: 2021/08/21 references: - https://github.com/Shellntel/scripts/ tags: @@ -12,11 +13,11 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks - Out-Minidump From da839775fe800c41fed9eea420b290a142368675 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 21 Aug 2021 09:50:59 +0200 Subject: [PATCH 028/108] Update PS rules --- .../sysmon_suspicious_powershell_profile_create.yml} | 0 .../powershell/powershell_CL_Invocation_LOLScript.yml | 2 +- .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 2 +- .../powershell/powershell_CL_Mutexverifiers_LOLScript.yml | 2 +- rules/windows/powershell/powershell_accessing_win_api.yml | 2 +- rules/windows/powershell/powershell_adrecon_execution.yml | 2 +- .../windows/powershell/powershell_automated_collection.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- rules/windows/powershell/powershell_decompress_commands.yml | 2 +- rules/windows/powershell/powershell_get_clipboard.yml | 2 +- .../powershell/powershell_invoke_obfuscation_clip+.yml | 2 +- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell/powershell_invoke_obfuscation_stdin+.yml | 2 +- .../powershell/powershell_invoke_obfuscation_var+.yml | 2 +- .../powershell_invoke_obfuscation_via_compress.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_rundll.yml | 2 +- .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_var++.yml | 2 +- .../powershell_suspicious_export_pfxcertificate.yml | 6 +++--- .../powershell/powershell_suspicious_getprocess_lsass.yml | 6 +++--- .../powershell_suspicious_invocation_specific.yml | 1 + rules/windows/powershell/powershell_suspicious_keywords.yml | 2 +- .../windows/powershell/powershell_suspicious_mail_acces.yml | 2 +- .../powershell_suspicious_mounted_share_deletion.yml | 2 +- rules/windows/powershell/powershell_suspicious_recon.yml | 2 +- rules/windows/powershell/powershell_winlogon_helper_dll.yml | 2 +- rules/windows/powershell/powershell_wmimplant.yml | 2 +- 29 files changed, 32 insertions(+), 31 deletions(-) rename 
rules/windows/{powershell/powershell_suspicious_profile_create.yml => file_event/sysmon_suspicious_powershell_profile_create.yml} (100%) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_profile_create.yml rename to rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3976c19fb..054cd341e 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index 5cd1d3add..246803a01 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index a9e742a2d..3430cdd73 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index aa74974e9..f7ed287ec 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_adrecon_execution.yml index f041ac685..af2ba36ae 100644 --- a/rules/windows/powershell/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_adrecon_execution.yml @@ -14,7 +14,7 @@ date: 2021/07/16 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index d482a22b3..d19a88eac 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 0479fcd14..98ec30525 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 detection: selection_4104: EventID: 4104 diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index bdef59f86..19028f6a8 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 26282f89e..542c432c5 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 8438323a1..45c57fa3b 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index dd5771b8b..9b030a97d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index f1969a380..a8b5d3432 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 61e5ee7ec..f84762624 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 8fde7bb9d..165d13d29 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index e26c5a29f..e47cf4f44 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5adbdedcc..30749fc4e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 07f71af31..ceaab3492 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index cc5e50e6c..445355bc7 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index f1d98861d..60a0fe2bb 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6a621346a..b39cf109e 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -14,12 +14,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + PfxCertificate: EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" - condition: keywords + condition: PfxCertificate falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index c08f0ca50..eccd3337d 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
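Review bot: The `modified: 2021/08/04` shown in the powershell_suspicious_export_pfxcertificate hunk header is not bumped although the hunk renames the selection to `PfxCertificate` and rewrites `definition:`; the powershell_malicious_commandlets hunk in this commit does bump it to `modified: 2021/08/21`, and powershell_suspicious_getprocess_lsass has the same omission. Bump it here for consistency. Selection names in the surrounding rules are lowercase (`selection`, `selection_1`, `keywords`), so `pfx_certificate` would fit the existing style better than `PfxCertificate`.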
@@ -13,12 +13,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_LSASS: EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' - condition: keywords + condition: select_LSASS falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 39da524b4..7ae574e14 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -11,6 +11,7 @@ date: 2017/03/05 logsource: product: windows service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 991dfc3cd..356730482 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: keywords: - "System.Reflection.Assembly.Load($" diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 13210d4ad..18b6b4600 100644 
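Review bot: The `falsepositives` entry kept on the new side of the powershell_suspicious_getprocess_lsass hunk, `Legitimate certificate exports invoked by administrators or users ...`, appears to have been copied from powershell_suspicious_export_pfxcertificate and does not describe this rule, which matches `Get-Process lsass`. Replace it with text that fits the detection, e.g. `- Administrative or troubleshooting scripts that query the lsass process (filter by script path or user if needed)`. The rule header is outside the hunk.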
--- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: EnableScriptBlockLogging must be set to enable + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index c040e3a50..941ef606c 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml index 78368cdf0..a46b1d1b6 100644 --- a/rules/windows/powershell/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 026d82402..d15724be1 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index 8ff61cde2..ec0915ffa 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -14,7 +14,7 @@ date: 2020/03/26 logsource: product: windows service: powershell - definition: "Script block logging must be enabled" + definition: Script block logging must be enabled detection: selection: ScriptBlockText|contains: From 0fb6c35b1fe80decd09cccdeae23abf24497e222 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:58:58 +0200 Subject: [PATCH 029/108] Cleanup PS rules --- .../sysmon_powershell_code_injection.yml} | 0 .../powershell_CL_Mutexverifiers_LOLScript_v2.yml | 2 +- .../powershell/powershell_create_local_user.yml | 2 +- .../powershell/powershell_data_compressed.yml | 2 +- .../powershell/powershell_dnscat_execution.yml | 2 +- .../powershell/powershell_icmp_exfiltration.yml | 2 +- .../powershell/powershell_invoke_nightmare.yml | 2 +- .../powershell_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell/powershell_malicious_commandlets.yml | 12 +++++------- .../win_powershell_cmdline_reversed_strings.yml} | 0 .../win_powershell_cmdline_special_characters.yml} | 0 ...win_powershell_cmdline_specific_comb_methods.yml} | 0 12 files changed, 12 insertions(+), 14 deletions(-) rename rules/windows/{powershell/powershell_code_injection.yml => create_remote_thread/sysmon_powershell_code_injection.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_reversed_strings.yml => process_creation/win_powershell_cmdline_reversed_strings.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_special_characters.yml => process_creation/win_powershell_cmdline_special_characters.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_specific_comb_methods.yml => process_creation/win_powershell_cmdline_specific_comb_methods.yml} (100%) 
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml similarity index 100% rename from rules/windows/powershell/powershell_code_injection.yml rename to rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index 8a0fa3a33..cc7de5f47 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index 6fd05f5cb..29961866c 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -17,7 +17,7 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index ada73d64b..72ba0304a 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index 63a590f30..bfe388a4c 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index c6e83568c..a9d9036af 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 9d7443edb..64e93f5a8 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 5b638d941..330912c96 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index ad4609d8d..34c4ccb08 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -10,13 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2020/10/11 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_Malicious: EventID: 4104 ScriptBlockText|contains: - "Invoke-DllInjection" @@ -115,10 +115,8 @@ detection: - "Invoke-Mimikittenz" - "Invoke-AllChecks" false_positives: - EventID: 4104 - ScriptBlockText|contains: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - condition: keywords and not false_positives + ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + condition: select_Malicious and not false_positives falsepositives: - Penetration testing level: high 
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_reversed_strings.yml rename to rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_special_characters.yml rename to rules/windows/process_creation/win_powershell_cmdline_special_characters.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml rename to rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml From 2f683b9ab79604228b4dfd5113467ab90b370457 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:00:48 +0200 Subject: [PATCH 030/108] fix powershell_clear_powershell_history error --- .../windows/powershell/powershell_clear_powershell_history.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index ff01b1534..430e93052 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 
From 42c90b9d20e4dad422b5b46e50a4944480641cac Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:05:47 +0200 Subject: [PATCH 031/108] fix powershell_psattack error --- rules/windows/powershell/powershell_psattack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 78690987e..8e178cb4e 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -19,7 +19,7 @@ detection: selection: EventID: 4104 ScriptBlockText|contains: 'PS ATTACK!!!' - condition: all of them + condition: selection falsepositives: - Pentesters level: high From 645492cef56899253752216a909b6218bb6f8c25 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 21 Aug 2021 14:57:38 -0500 Subject: [PATCH 032/108] Update m365.yml just working on expanding this. --- tools/config/generic/m365.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index 51e08af6e..fb816bd10 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -5,3 +5,8 @@ ThreatManagement: category: ThreatManagement conditions: eventSource: SecurityComplianceCenter +AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter From 579a80411de1ec3c01b222d42c5b3fa857edc50a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 21 Aug 2021 15:03:31 -0500 Subject: [PATCH 033/108] Update m365.yml --- tools/config/generic/m365.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index fb816bd10..de769059c 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml 
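Review bot: The new `AccessGovernance` entry in tools/config/generic/m365.yml carries exactly the same single condition as the existing `ThreatManagement` entry, `eventSource: SecurityComplianceCenter`, so the backend cannot tell the two categories apart and a rule for either logsource compiles to the same filter; the same holds for the five entries the next hunk adds. If the audit log exposes a field that distinguishes these categories, it belongs under `conditions:`; otherwise consider collapsing them into one entry so the mapping does not suggest a precision it lacks. The commit message says this is work in progress, so this may be an intentional placeholder.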
@@ -10,3 +10,23 @@ AccessGovernance: category: AccessGovernance conditions: eventSource: SecurityComplianceCenter +CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter +DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter +ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter +SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter From 7cd71b224036583a214f440f1d7308f24be4283a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 22 Aug 2021 08:57:07 +0200 Subject: [PATCH 034/108] fix yaml error --- tools/sigma/sigma2attack.py | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/tools/sigma/sigma2attack.py b/tools/sigma/sigma2attack.py index 165d077fc..2f6ceafca 100755 --- a/tools/sigma/sigma2attack.py +++ b/tools/sigma/sigma2attack.py @@ -8,6 +8,7 @@ import sys import yaml + def main(): parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from") 
@@ -20,24 +21,25 @@ def main():
 curr_max_technique_count = 0
 num_rules_used = 0
 for rule_file in rule_files:
- try:
- rule = yaml.safe_load(open(rule_file, encoding="utf-8").read())
- except yaml.YAMLError:
- sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
- continue
- if "tags" not in rule:
- sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n")
- continue
- tags = rule["tags"]
- for tag in tags:
- if tag.lower().startswith("attack.t"):
- technique_id = tag[len("attack."):].upper()
- num_rules_used += 1
- if technique_id not in techniques_to_rules:
- techniques_to_rules[technique_id] = []
- techniques_to_rules[technique_id].append(os.path.basename(rule_file))
- curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id]))
-
+ with open(rule_file,encoding='utf-8') as f:
+ docs = yaml.load_all(f, Loader=yaml.FullLoader)
+ double = False
+ for rule in docs:
+ if "tags" not in rule :
+ if double == False : # Only 1 warning
+ sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n")
+ double = True # action globle no tag
+ continue
+ tags = rule["tags"]
+ double = True
+ for tag in tags:
+ if tag.lower().startswith("attack.t"):
+ technique_id = tag[len("attack."):].upper()
+ num_rules_used += 1
+ if technique_id not in techniques_to_rules:
+ techniques_to_rules[technique_id] = []
+ techniques_to_rules[technique_id].append(os.path.basename(rule_file))
+ curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id]))
 scores = []
 for technique in techniques_to_rules:
From 295054dcbe0a362d7eed143b8f37c2b5b47a2eb5 Mon Sep 17 00:00:00 2001
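Review bot: The second added line swaps `yaml.safe_load` for `yaml.load_all(f, Loader=yaml.FullLoader)`, which enables constructors beyond the safe subset for files this tool only needs as plain data; `yaml.safe_load_all(f)` gives the same multi-document iteration with the safe loader. The `except yaml.YAMLError` branch is gone too, so a single malformed rule now aborts the whole run instead of being skipped with the old "(parsing failed)" warning, and because `safe_load_all` is lazy the documents must be materialised inside the `try` for that handling to work. An empty document (a stray `---`) yields `None`, and `"tags" not in None` raises TypeError, so the membership test should be `if not isinstance(rule, dict) or "tags" not in rule:`. Style: `if double == False :` reads better as `if not double:`, and `# action globle no tag` should say what it means, e.g. `# warn once per file`. main() continues outside the hunk.
```python
    for rule_file in rule_files:
        with open(rule_file, encoding="utf-8") as f:
            try:
                # safe loader; list() forces parsing here so YAMLError is caught
                docs = list(yaml.safe_load_all(f))
            except yaml.YAMLError:
                sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
                continue
        # … unchanged: per-document tag handling over docs …
```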
From: SomeOne Date: Sun, 22 Aug 2021 13:57:56 +0200 Subject: [PATCH 035/108] Replace old mitre techniques by new one --- rules/linux/lnx_security_tools_disabling.yml | 2 +- rules/linux/lnx_sudo_cve_2019_14287.yml | 3 ++- rules/network/zeek/zeek_dns_mining_pools.yml | 3 ++- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 3 ++- rules/web/win_powershell_snapins_hafnium.yml | 4 ++-- rules/web/win_webshell_regeorg.yml | 2 +- .../win_arbitrary_shell_execution_via_settingcontent.yml | 3 ++- rules/windows/builtin/win_event_log_cleared.yml | 3 ++- rules/windows/malware/av_webshell.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- .../powershell/powershell_remote_powershell_session.yml | 6 +++--- rules/windows/powershell/powershell_renamed_powershell.yml | 5 +++-- .../windows/process_access/sysmon_mimikatz_trough_winrm.yml | 6 +++--- .../win_bad_opsec_sacrificial_processes.yml | 2 +- .../win_credential_access_via_password_filter.yml | 3 ++- .../process_creation/win_lolbas_execution_of_wuauclt.yml | 5 +++-- .../win_modif_of_services_for_via_commandline.yml | 6 ++++-- .../process_creation/win_powershell_disable_windef_av.yml | 2 +- .../win_powershell_reverse_shell_connection.yml | 4 ++-- ...ticky_keys_unauthenticated_privileged_console_access.yml | 5 +++-- .../process_creation/win_susp_shell_spawn_from_mssql.yml | 3 ++- .../sysmon_registry_persistence_key_linking.yml | 3 ++- 22 files changed, 45 insertions(+), 32 deletions(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8d1f16177..2fee4c8e0 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -13,7 +13,7 @@ level: medium tags: - attack.defense_evasion - attack.t1562.004 - - attack.t1089 + - attack.t1089 # an old one --- logsource: category: process_creation 
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index bbd9d785d..84ab95b7f 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -18,7 +18,8 @@ level: critical tags: - attack.privilege_escalation - attack.t1068 - - attack.t1169 + - attack.t1169 # an old one + - attack.t1548.003 --- detection: selection_keywords: diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 71003888c..c43795db8 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -10,7 +10,8 @@ logsource: service: dns product: zeek tags: - - attack.t1035 + - attack.t1035 # an old one + - attack.t1569.002 - attack.t1496 detection: selection: diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 85306e0ae..1690856f8 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml @@ -10,7 +10,8 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' tags: - - attack.t1094 + - attack.t1094 # an old one + - attack.t1095 - attack.t1043 - attack.command_and_control logsource: diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index 3c35f8162..b51f2b830 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/08/09 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 - attack.collection - attack.t1114 logsource: diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index b4ccdb5c3..2a2b89e4a 100644 
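Review bot: In the zeek_dns_suspicious_zbit_flag hunk, `attack.t1043` on the line after the added `attack.t1095` appears to be a retired technique ID as well, yet it is neither marked `# an old one` nor paired with its current replacement, while `attack.t1094` in the same block gets both. If the intent of this commit is to mark every retired ID, this line needs the same treatment; please confirm its status against the current ATT&CK matrix. The tag list continues outside the hunk.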
--- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -33,5 +33,5 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index 659c0e75f..fffa3a9ef 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -8,7 +8,8 @@ references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 tags: - attack.t1204 - - attack.t1193 + - attack.t1193 # an old one + - attack.t1566.001 - attack.execution - attack.initial_access logsource: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index e3a88f08d..649d0d95b 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -11,7 +11,8 @@ logsource: service: security product: windows tags: - - attack.t1107 + - attack.t1107 # an old one + - attack.t1070.001 detection: selection: EventID: 1102 diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3d9cc3105..39960e1d2 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -16,7 +16,7 @@ references: - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 logsource: product: antivirus diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 98ec30525..64bc41c2b 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -12,7 +12,7 @@ modified: 2020/10/09 tags: - attack.execution - attack.t1059.001 - - attack.t1086 + - attack.t1086 # an old one logsource: product: windows service: powershell diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 237c546b5..e8e29b1a3 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -11,10 +11,10 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one falsepositives: - Legitimate use remote PowerShell sessions level: high @@ -39,4 +39,4 @@ detection: EventID: 400 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' - condition: selection \ No newline at end of file + condition: selection diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index 5b6304efd..d0d732e13 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -9,7 +9,8 @@ date: 2020/06/29 modified: 2021/08/18 tags: - attack.execution - - attack.t1086 + - attack.t1086 # an old one + - attack.t1059.001 logsource: product: windows service: powershell-classic @@ -25,4 +26,4 @@ detection: condition: selection and not filter falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml index c433c22d6..cf5b00e42 100755 --- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml 
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml @@ -19,12 +19,12 @@ tags: - attack.credential_access - attack.execution - attack.t1003.001 - - attack.t1003 #an old one + - attack.t1003 # an old one - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one - attack.s0002 falsepositives: - low diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 4b9294d8c..bce196ae3 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -9,7 +9,7 @@ references: - https://www.cobaltstrike.com/help-opsec tags: - attack.defense_evasion - - attack.t1085 # legacy + - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml index 2fda0365b..c67033c10 100644 --- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -10,7 +10,8 @@ references: - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter tags: - attack.credential_access - - attack.t1174 + - attack.t1174 # an old one + - attack.t1556.002 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index c603644ea..447057246 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml 
@@ -10,7 +10,8 @@ modified: 2021/06/11 tags: - attack.defense_evasion - attack.execution - - attack.t1085 + - attack.t1085 # an old one + - attack.t1218.011 logsource: product: windows category: process_creation @@ -26,4 +27,4 @@ falsepositives: - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 05ee03d58..7b146ad29 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -6,8 +6,10 @@ references: status: experimental tags: - attack.persistence - - attack.t1031 - - attack.t1058 + - attack.t1031 # an old one + - attack.t1543.003 + - attack.t1058 # an old one + - attack.t1574.011 author: Sreeman date: 2020/09/29 modified: 2021/08/10 diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index ebfb84ed8..4d5072552 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # legacy + - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index b044d26ee..06cee06aa 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml 
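Review bot: The two new technique tags in the win_modif_of_services hunk, `attack.t1543.003` and `attack.t1574.011`, both sit under Privilege Escalation in ATT&CK (and T1574 under Defense Evasion as well), yet the tactic list still only says `attack.persistence`. Tactic-driven views and coverage maps key on those tags, so add `- attack.privilege_escalation` and `- attack.defense_evasion` next to it. `modified: 2021/08/10` just below is left as is even though the rule's mapping changed; bumping it would let downstream consumers notice the re-tag.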
@@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 328318d1c..715dfc753 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,8 @@ date: 2020/18/02 modified: 2021/06/11 author: Sreeman tags: - - attack.t1015 + - attack.t1015 # an old one + - attack.t1546.008 - attack.privilege_escalation logsource: product: windows @@ -24,4 +25,4 @@ fields: - ParentProcess falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml index 198851a13..11c66ddbc 100644 --- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -6,7 +6,8 @@ author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2021/06/27 tags: - - attack.t1100 + - attack.t1100 # an old one + - attack.t1505.003 - attack.t1190 - attack.initial_access - attack.persistence diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2ede1d708..34447d116 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml 
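Review bot: Swapping `attack.t1059.005` for `attack.t1059.001` changes what the rule claims to cover (VBScript to PowerShell, which the title supports), but `modified: 2021/06/27` two lines above stays put, so consumers that track rule revisions by that field never see the re-tag. Set `modified: 2021/08/23` in the same commit. The same omission shows up in the other re-tagged rules of this series; the hunks that merely append a `# an old one` comment don't need it, since comments don't change the parsed tags, but every hunk that adds or replaces a technique does.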
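Review bot: The context line `date: 2020/18/02` in the sticky-keys hunk is not a valid YYYY/MM/DD value (there is no month 18); it passes a shape-only regex, but anything that actually parses the field will reject it, and the intended date is presumably 2020/02/18. This hunk already rewrites the neighbouring lines, so fix it here: `date: 2020/02/18`. The added `attack.t1546.008` is also a Persistence technique, so `- attack.persistence` belongs next to the existing `attack.privilege_escalation`.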
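Review bot: `attack.t1505.003` in the mssql hunk is the current ID for the retired T1100 kept above it, so the mapping is mechanically consistent, but T1505.003 is Web Shell and does not describe a shell spawned from MSSQL. If the detection (outside this hunk) keys on sqlservr.exe as the parent, as the filename and the `attack.t1190` tag suggest, then `attack.t1505.001` (SQL Stored Procedures, i.e. xp_cmdshell) and `attack.t1059.003` are the techniques that actually fit, and the Web Shell tag should be dropped rather than carried forward under a new number.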
@@ -9,7 +9,8 @@ date: 2019/10/23 modified: 2019/11/07 tags: - attack.persistence - - attack.t1122 + - attack.t1122 # an old one + - attack.t1546.015 logsource: category: registry_event product: windows From 9b30b487c3be60105202bd695ca90314e30f6495 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Mon, 23 Aug 2021 04:25:29 +0200 Subject: [PATCH 036/108] add ATC to the Projects or Products that use Sigma section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 864235a65..4815056d4 100644 --- a/README.md +++ b/README.md @@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei # Projects or Products that use Sigma * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017) +* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018) * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/) * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints From dc3ed771b52a54ed2a82d3e524ece52becd824b1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 08:32:50 +0200 Subject: [PATCH 037/108] rule: EfsPotato Named Pipe --- .../sysmon_efspotato_namedpipe.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml new file mode 100644 index 000000000..b80687c1e --- /dev/null +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
@@ -0,0 +1,24 @@
+title: EfsPotato Named Pipe
+id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
+status: experimental
+description: Detects the pattern of a pipe name as used by the tool EfsPotato
+references:
+ - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
+ - https://github.com/zcgonvh/EfsPotato
+date: 2021/08/23
+author: Florian Roth
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
+detection:
+ selection:
+ PipeName|contains: '\pipe\'
+ condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+falsepositives:
+ - Unknown
+level: critical
From a0f72e5f6f5c2d6bd6a45e03d57e52d6358c4ce2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 23 Aug 2021 10:41:42 +0200
Subject: [PATCH 038/108] rule: suspicious splwow64 process starts
---
.../process_creation/win_susp_splwow64.yml | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_splwow64.yml
diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml
new file mode 100644
index 000000000..3695fcec2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_splwow64.yml
@@ -0,0 +1,20 @@
+title: Suspicious Splwow64 Without Params
+id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
+status: experimental
+description: Detects suspicious Splwow64.exe process without any command line parameters
+references:
+ - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
+author: Florian Roth
+date: 2021/08/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\splwow64.exe'
+ filter:
+ CommandLine|contains: 'splwow64.exe '
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
From 82dde594d1d206289dfb479c9e788f8875e539dd Mon Sep 17 00:00:00 2001
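Review bot: `PipeName|contains: '\pipe\'` in the EfsPotato selection matches any pipe name that carries a `\pipe\` segment and fires at level critical, so the rule rests on an unstated property of the log source: Sysmon's PipeName is, as far as I know, logged as a bare name such as `\srvsvc`, which is what makes EfsPotato's nested `\...\pipe\srvsvc` stand out. On a source that normalises names to `\\.\pipe\...` every pipe event would alert. Put that assumption where operators read it, e.g. `definition: 'Requires Sysmon PipeEvent logging; expects PipeName without the \pipe\ prefix as Sysmon logs it, otherwise this matches every pipe'`, and spell out the EfsPotato pipe pattern in the description instead of only naming the tool. `attack.t1055` also looks off: EfsPotato escalates by impersonating the SYSTEM client that connects to its pipe, which is T1134.001, not process injection.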
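Review bot: The splwow64 filter `CommandLine|contains: 'splwow64.exe '` only suppresses launches whose command line has an unquoted path followed by a space; a quoted invocation such as `"C:\Windows\splwow64.exe" 12288` contains `splwow64.exe" ` instead, bypasses the filter and alerts at level high. Whether the spooler ever quotes that path I can't tell from here, but widening the filter is cheap: `CommandLine|contains: - 'splwow64.exe ' - 'splwow64.exe" '`. A log source that omits CommandLine has the same effect (nothing matches the filter), which the description should acknowledge. The rule also ships without any `tags:` block, unlike the other rules in this series.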
From: Max Altgelt Date: Mon, 23 Aug 2021 11:17:10 +0200 Subject: [PATCH 039/108] feat: Add rule for malicious CSR export on Exchange --- ...ange_proxyshell_certificate_generation.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_certificate_generation.yml diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml new file mode 100644 index 000000000..003bdd72b --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml @@ -0,0 +1,29 @@ +title: Certificate Request Export to Exchange Webserver +id: b7bc7038-638b-4ffd-880c-292c692209ef +status: experimental +description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell +references: + - https://twitter.com/GossiTheDog/status/1429175908905127938 +author: Max Altgelt +date: 2021/08/23 +logsource: + service: msexchange-management + product: windows +detection: + export_command: + - 'New-ExchangeCertificate' + - ' -GenerateRequest' + - ' -BinaryEncoded' + - ' -RequestFile' + export_params: + - '\\\\localhost\\C$' + - '\\\\127.0.0.1\\C$' + - 'C:\\inetpub' + - '.aspx' + condition: all of export_command and export_params +falsepositives: + - unlikely +level: critical +tags: + - attack.persistence + - attack.t1505.003 From 33c6ff6b5f4af8a416cf183074fe0f528c477328 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 23 Aug 2021 13:17:35 +0200 Subject: [PATCH 040/108] add powershell_suspicious_win32_pnpentity --- ...m_env.yml => powershell_detect_vm_env.yml} | 0 .../powershell_suspicious_win32_pnpentity.yml | 23 +++++++++++++++++++ 2 files changed, 23 insertions(+) rename rules/windows/powershell/{poweshell_detect_vm_env.yml => powershell_detect_vm_env.yml} (100%) create mode 100644 rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml 
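Review bot: `condition: all of export_command and export_params` does not AND the four command tokens together: a plain list of values in Sigma is OR-linked, and `all of` aggregates over selection identifiers, so with a single identifier it reduces to `export_command`. If I read the spec right, the rule then fires at level critical on any msexchange-management entry that contains one of `New-ExchangeCertificate` / ` -GenerateRequest` / ` -BinaryEncoded` / ` -RequestFile` together with one of the path tokens, which is far broader than the CSR-written-to-webroot pattern the description targets. To require every token, give each its own selection and aggregate over the pattern, as below.
```yaml
detection:
    export_cmd_1:
        - 'New-ExchangeCertificate'
    export_cmd_2:
        - ' -GenerateRequest'
    export_cmd_3:
        - ' -BinaryEncoded'
    export_cmd_4:
        - ' -RequestFile'
    # … unchanged: export_params list …
    condition: all of export_cmd_* and export_params
```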
diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/poweshell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
new file mode 100644
index 000000000..3cf7777d5
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
@@ -0,0 +1,23 @@
+title: Powershell Suspicious Win32_PnPEntity
+id: b26647de-4feb-4283-af6b-6117661283c5
+status: experimental
+author: frack113
+date: 2021/08/23
+description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
+tags:
+ - attack.discovery
+ - attack.t1120
+logsource:
+ product: windows
+ service: powershell
+ definition: EnableScriptBlockLogging must be set to enable
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains: Win32_PnPEntity
+ condition: selection
+falsepositives:
+ - admin script
+level: low
\ No newline at end of file
From 25072e37b393bf2d6726034744b66e973f451d76 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 23 Aug 2021 13:30:46 +0200
Subject: [PATCH 041/108] update references
---
rules/windows/process_creation/win_possible_applocker_bypass.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 39ac4e712..6ebbdd452 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
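Review bot: `ScriptBlockText|contains: Win32_PnPEntity` catches the WMI class but not the cmdlet route to the same inventory, `Get-PnpDevice`, so a script using that slips by; widen the value to a list, `ScriptBlockText|contains: - 'Win32_PnPEntity' - 'Get-PnpDevice'`. The description is the generic ATT&CK T1120 blurb rather than a statement of what the rule looks for; something like `description: Detects PowerShell script blocks that enumerate attached devices via the Win32_PnPEntity WMI class (peripheral device discovery)` tells an analyst what fired. The file also ends without a trailing newline, which the rest of this series is fixing elsewhere.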
@@ -5,6 +5,7 @@ status: experimental references: - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md author: juju4 date: 2019/01/16 modified: 2020/09/01 From 45f30cb2b43a9d3a419eab6b6df85116838a7003 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:00:07 +0200 Subject: [PATCH 042/108] Add fields to event log cleared --- rules/windows/builtin/win_event_log_cleared.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 649d0d95b..969f06309 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,6 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - fields in the log source that are important to investigate further + - logon_id + - src_user + - src_user_id + - src_nt_domain falsepositives: - Legitimate administrative activity From 91b42f9077d11e202387beda5f3632251ba77d93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 15:03:59 +0200 Subject: [PATCH 043/108] fix: indentation --- .../pipe_created/sysmon_efspotato_namedpipe.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml index b80687c1e..9d444f88b 100644 --- a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
@@ -3,8 +3,8 @@ id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 status: experimental description: Detects the pattern of a pipe name as used by the tool EfsPotato references: - - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - - https://github.com/zcgonvh/EfsPotato + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato date: 2021/08/23 author: Florian Roth logsource: @@ -13,12 +13,14 @@ logsource: definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - PipeName|contains: '\pipe\' + PipeName|contains: + - '\pipe\' + - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) condition: selection tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 falsepositives: - Unknown level: critical From 037f33b5e200710140d11c9a9c644ddea01addab Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:24:48 +0200 Subject: [PATCH 044/108] Replace by default windows fieldnames --- rules/windows/builtin/win_event_log_cleared.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 969f06309..92c9a2eac 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,9 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - logon_id - - src_user - - src_user_id - - src_nt_domain + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName falsepositives: - Legitimate administrative activity From 96e77eb8db5327a7f45a8fbd6127da1b792c8963 Mon Sep 17 00:00:00 2001 
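Review bot: Adding `'\pipe\srvsvc'` as a second value under `PipeName|contains` does not narrow anything: values in a Sigma list are OR-linked, so the selection still matches every name containing `\pipe\`, and the inline comment asks the operator to hand-edit the rule to get the precise variant. If the specific form is the one meant for production, make it the only value, `PipeName|contains: '\pipe\srvsvc'`, and keep the broad `'\pipe\'` variant in the comment as an opt-in. As shipped, a level-critical rule whose own comment admits the broad value `causes too many false positives` is the worst of both.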
From: Nate Guagenti Date: Mon, 23 Aug 2021 11:06:44 -0400 Subject: [PATCH 045/108] Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml new file mode 100644 index 000000000..e6f2ddad3 --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -0,0 +1,46 @@
+title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls.
+id: bae2865c-5565-470d-b505-9496c87d0c30
+Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
+author: '@neu5ron, @Antonlovesdnb, Mike Remen'
+date: 2021/08/17
+references:
+ - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp'
+ - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003'
+ - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf'
+ - 'https://threatpost.com/microsoft-petitpotam-poc/168163/'
+tags:
+ - attack.t1557.001
+ - attack.t1187
+logsource:
+ product: zeek
+ service: dce_rpc
+detection:
+ efs_operation:
+ endpoint|startswith:
+ - 'Efs'
+ - 'efs'
+ # EfsDecryptFileSrv'
+ # EfsRpcAddUsersToFile'
+ # EfsRpcAddUsersToFileEx'
+ # EfsRpcCloseRaw'
+ # EfsRpcDuplicateEncryptionInfoFile'
+ # EfsRpcEncryptFileExServ'
+ # EfsRpcEncryptFileSrv'
+ # EfsRpcFileKeyInfo'
+ # EfsRpcFileKeyInfoEx'
+ # EfsRpcFlushEfsCache'
+ # EfsRpcGetEncryptedFileMetadata'
+ # EfsRpcNotSupported'
+ # EfsRpcOpenFileRaw'
+ # EfsRpcQueryProtectors'
+ # EfsRpcQueryRecoveryAgents'
+ # EfsRpcQueryUsersOnFile'
+ # EfsRpcReadFileRaw'
+ # EfsRpcRemoveUsersFromFile'
+ # EfsRpcSetEncryptedFileMetadata'
+ # EfsRpcWriteFileRaw'
+ condition: efs_operation
+falsepositives:
+ - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls.
Verify if this is common activity (see description).' +level: medium +status: stable From 78c667fda1980d26915434d4142c3839076efbf6 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:15:30 -0400 Subject: [PATCH 046/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml shorten title --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index e6f2ddad3..189f1843e 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
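Review bot: `status: stable` on the last line of the hunk is at odds with a rule added in this very commit and never field-tested; the repo convention for new rules is `status: experimental`, and `Description:` near the top needs the lowercase key the schema expects. In the selection, `'Efs'` and `'efs'` are redundant because Sigma string matching is case-insensitive by default, so `endpoint|startswith: 'efs'` alone is enough. The commented-out names beneath it are method names; in Zeek's dce_rpc.log those live in `operation`, while `endpoint` carries the interface name (`efsrpc` here, I believe), so if the intent is to narrow to the PetitPotam-relevant calls the field to match is `operation|startswith: 'EfsRpc'`, not `endpoint`. The hunk starts on the previous line.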
@@ -1,4 +1,48 @@ -title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls. +title: Potential PetitPotam Attack via EFS RPC Call +id: bae2865c-5565-470d-b505-9496c87d0c30 +Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' + - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' + - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' + - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + endpoint|startswith: + - 'Efs' + - 'efs' + # EfsDecryptFileSrv' + # EfsRpcAddUsersToFile' + # EfsRpcAddUsersToFileEx' + # EfsRpcCloseRaw' + # EfsRpcDuplicateEncryptionInfoFile' + # EfsRpcEncryptFileExServ' + # EfsRpcEncryptFileSrv' + # EfsRpcFileKeyInfo' + # EfsRpcFileKeyInfoEx' + # EfsRpcFlushEfsCache' + # EfsRpcGetEncryptedFileMetadata' + # EfsRpcNotSupported' + # EfsRpcOpenFileRaw' + # EfsRpcQueryProtectors' + # EfsRpcQueryRecoveryAgents' + # EfsRpcQueryUsersOnFile' + # EfsRpcReadFileRaw' + # EfsRpcRemoveUsersFromFile' + # EfsRpcSetEncryptedFileMetadata' + # EfsRpcWriteFileRaw' + condition: efs_operation +falsepositives: + - 'Uncommon but legitimate windows administrator or software tasks that 
make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' +level: medium id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' From 6aea58b4d2a4a53bee1426f2d624412be4d210e7 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:18:51 -0400 Subject: [PATCH 047/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 71 +------------------ 1 file changed, 3 insertions(+), 68 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 189f1843e..f03a89227 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -1,4 +1,4 @@ -title: Potential PetitPotam Attack via EFS RPC Call +title: Potential PetitPotam Attack via EFS RPC Calls id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' 
@@ -17,74 +17,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' level: medium -id: bae2865c-5565-470d-b505-9496c87d0c30 -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
-author: '@neu5ron, @Antonlovesdnb, Mike Remen' -date: 2021/08/17 -references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' -tags: - - attack.t1557.001 - - attack.t1187 -logsource: - product: zeek - service: dce_rpc -detection: - efs_operation: - endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' - condition: efs_operation -falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' -level: medium -status: stable From 4f8bd4a5a254489ba43a1a8b8e9287ec7686fa13 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:24:22 -0400 Subject: [PATCH 048/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml try new uuid to pass check... --- .../zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index f03a89227..b2186f1fe 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
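Review bot: The de-duplication removes `-status: stable` at the end of the hunk, but the kept half, which now ends at `level: medium`, has no `status:` line at all, so the rule is left without a status. Re-add one; for a rule this new `status: experimental` is the right value rather than the `stable` that was dropped. The kept half also still carries the capitalised `Description:` key, which the schema spells lowercase. The hunk starts on the previous line.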
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -1,5 +1,5 @@ title: Potential PetitPotam Attack via EFS RPC Calls -id: bae2865c-5565-470d-b505-9496c87d0c30 +id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 From 6b86dacc9e1da940324de3c1cab5fbf9b98b15b7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 18:44:15 +0200 Subject: [PATCH 049/108] rule: razor installer --- .../win_susp_razorinstaller_explorer.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_razorinstaller_explorer.yml diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml new file mode 100644 index 000000000..967932cc0 --- /dev/null +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml 
@@ -0,0 +1,22 @@
+title: Suspicious RazorInstaller Explorer Subprocess
+id: a4eaf250-7dc1-4842-862a-5e71cd59a167
+status: experimental
+description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+references:
+ - https://twitter.com/j0nh4t/status/1429049506021138437
+ - https://streamable.com/q2dsji
+author: Florian Roth
+date: 2021/08/23
+tags:
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\explorer.exe'
+ ParentImage|endswith: '\RazorInstaller.exe'
+ condition: selection
+falsepositives:
+ - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+level: high
\ No newline at end of file
From 998ebbe1f3bcb09ac2ebbf4818a863a5c91c2521 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 23 Aug 2021 18:46:05 +0200
Subject: [PATCH 050/108] fix: typo in name
---
.../process_creation/win_susp_razorinstaller_explorer.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
index 967932cc0..cffed8586 100644
--- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
+++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
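Review bot: The only tag is `attack.privilege_escalation` with no technique under it; the description frames the behaviour as a route to LOCAL SYSTEM, for which `attack.t1068` (Exploitation for Privilege Escalation) is the matching entry, so add `- attack.t1068` beneath it. A `streamable.com` link is a fragile reference that is unlikely to outlive the rule; cite the tweet alone or an archived copy. The falsepositives entry already says how to triage (look at the explorer.exe children), which is good, but that guidance belongs in the description too so it reaches analysts who only see the alert text.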
@@ -1,7 +1,7 @@ -title: Suspicious RazorInstaller Explorer Subprocess +title: Suspicious RazerInstaller Explorer Subprocess id: a4eaf250-7dc1-4842-862a-5e71cd59a167 status: experimental -description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji @@ -15,7 +15,7 @@ logsource: detection: selection: Image|endswith: '\explorer.exe' - ParentImage|endswith: '\RazorInstaller.exe' + ParentImage|endswith: '\RazerInstaller.exe' condition: selection falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 9d3a13b13e9b372256cd0545e1b27c21a15648a4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 23 Aug 2021 19:04:01 +0200 Subject: [PATCH 051/108] cleanup --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index b2186f1fe..c50ceb512 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -1,13 +1,17 @@ -title: Potential PetitPotam Attack via EFS RPC Calls +title: Potential PetitPotam Attack Via EFS RPC Calls id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +description: | + Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. + The usage of this RPC function should be rare if ever used at all. + Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. + View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' + - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp + - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 + - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf + - https://threatpost.com/microsoft-petitpotam-poc/168163/ tags: - attack.t1557.001 - attack.t1187 @@ -17,9 +21,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' + - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium From ae845594880b7ff3599a21785666bd71fb8dc5fa Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:18:16 +0000 Subject: [PATCH 052/108] M365 - Risky IP Addresses --- ...crosoft365_logon_from_risky_ip_address.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 000000000..0530dbcff --- /dev/null +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
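Review bot: The new `description: |` block scalar ends with `kerberos, etc..'` — the closing single quote is a leftover from the removed single-quoted scalar and is now literal text inside the description; the last line should end `kerberos, etc..`. The first hunk and the `efs_operation` hunk are collapsed onto the same physical line; the latter only re-indents the `'Efs'`/`'efs'` values and needs nothing further here.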
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Log on from a risky IP address
+id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Log on from a risky IP address"
+ status: success
+ condition: selection
+falsepositives:
+ - Unkown
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078
\ No newline at end of file
From 3a4c61f44d63e584aea5c7abfc3122c39ae4a778 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 17:21:27 +0000
Subject: [PATCH 053/108] M365 - Inbox Manipulation Rules
---
...65_suspicious_inbox_manipulation_rules.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
new file mode 100644
index 000000000..5bcdf4800
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
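Review bot: `falsepositives:` lists `Unkown`, a typo for `Unknown`, and the later title-only commit for this file (patch 057) leaves it in place; change it to `- Unknown`. The description `Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps ...` is hard to read; something like `description: Detects when Microsoft Cloud App Security reports a sign-in to sanctioned apps from a risky IP address.` says the same thing. The file also lacks a trailing newline, which patch 057 later corrects.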
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Suspicious inbox manipulation rules
+id: d2001772-f43f-4def-86d3-a9d5c47588c0
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Suspicious inbox manipulation rules"
+ status: success
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1020.001
\ No newline at end of file
From 7d211f2487977101b40188a5252bea4d45f5a945 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 17:33:00 +0000
Subject: [PATCH 054/108] Data exfiltration to unsanctioned apps
---
..._data_exfiltration_to_unsanctioned_app.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
new file mode 100644
index 000000000..1c645f003
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
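Review bot: The tags map an inbox-forwarding-rule detection to `attack.t1020.001` (Automated Exfiltration: Traffic Duplication), which describes network traffic mirroring rather than mailbox rules; the technique that covers this behaviour is `attack.t1114.003` (Email Collection: Email Forwarding Rule) under `attack.collection`, so the list should at least add `- attack.collection` and `- attack.t1114.003`, keeping `attack.exfiltration` if the outcome is what the rule is meant to catch. The same mapping question applies to the `microsoft365_suspicious_inbox_forwarding.yml` hunk later in this series, which tags `attack.t1020`. The file is also written without a trailing newline.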
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Data exfiltration to unsanctioned apps
+id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category:
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Data exfiltration to unsanctioned apps"
+ status: success
+ condition: selection
+falsepositives:
+ -
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1537
\ No newline at end of file
From 1834324a160efd896ae3727ed243add9e53d1535 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 17:33:57 +0000
Subject: [PATCH 055/108] Update
---
.../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index 1c645f003..0d55777db 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
From 23e96712f8f0b75d9cf110c8faae4a0821969c8f Mon Sep 17 00:00:00 2001
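Review bot: `falsepositives:` holds a bare `-`, a null list item rather than a string, and the follow-up commit on this file (patch 055, the second hunk on this line) fills in only the empty `category:`; the entry should be text such as `- Unknown`, matching the sibling rules in this series. A null item is the kind of value that rule-validation tooling tends to reject, so this is worth fixing before the later title-only commit (patch 056) rather than after. The file is also committed without a trailing newline, which patch 056 later corrects.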
From: Austin Songer Date: Mon, 23 Aug 2021 12:59:44 -0500 Subject: [PATCH 056/108] Update microsoft365_data_exfiltration_to_unsanctioned_app.yml --- .../microsoft365_data_exfiltration_to_unsanctioned_app.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 0d55777db..a758f328c 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Data exfiltration to unsanctioned apps +title: Microsoft 365 Data exfiltration to unsanctioned apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1537 \ No newline at end of file + - attack.t1537 From 3d151ef9f11255ac582c14e4797cebfb0dacedb8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 12:59:53 -0500 Subject: [PATCH 057/108] Update microsoft365_logon_from_risky_ip_address.yml --- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 0530dbcff..f841b3dd9 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 - Log on from a risky IP address +title: Microsoft 365 Log on from a risky IP address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1078 \ No newline at end of file + - attack.t1078 From b00e1772b3acd7c45ab24eed490381a4d2009dde Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:03:38 -0400 Subject: [PATCH 058/108] added logic and usage rule logic should be endswith. match zeek fields for `fields` section add false positive information --- rules/network/zeek/zeek_dns_mining_pools.yml | 27 +++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c43795db8..8be5222b3 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,11 +1,11 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 -description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. +description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml date: 2021/08/19 -author: Saw Winn Naung , Azure-Sentinel -level: medium +author: Saw Winn Naung, Azure-Sentinel, @neu5ron +level: low logsource: service: dns product: zeek @@ -15,7 +15,7 @@ tags: - attack.t1496 detection: selection: - query: + query|endswith: - "monerohash.com" - "do-dear.com" - "xmrminerpro.com" 
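Review bot: Switching to `query|endswith` with bare domain values such as `"monero.net"` makes the rule match any queried name that merely ends in those characters, not only the domain and its subdomains; a constructed example is a query for `legitmonero.net`. Keeping the exact domain and adding a dot-prefixed form (`".monero.net"`) for each entry restricts the suffix match to the intended zone. The domain list continues past the end of this hunk, so the same applies to every entry below it.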
@@ -82,10 +82,23 @@ detection: - "crypto-pools.org" - "monero.net" - "backup-pool.com" - - "mooo.com" + - "mooo.com" # Dynamic DNS, may want to exclude - "freeyy.me" - "cryptonight.net" - "shscrypto.net" - condition: selection + exclude_answers: + answers: + - "127.0.0.1" + - "0.0.0.0" + exclude_rejected: + rejected: "true" + condition: selection and not (exclude_answers OR exclude_rejected) +falsepositives: | + A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: - - clientip + - id.orig_h + - id.resp_h + - query + - answers + - qtype_name + - rcode_name From feb7d0e187d2a6276d2b1ecbd0c2f8713d683bb8 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:11:04 -0400 Subject: [PATCH 059/108] Update zeek_dns_mining_pools.yml --- rules/network/zeek/zeek_dns_mining_pools.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 8be5222b3..91d878243 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
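Review bot: The new condition `selection and not (exclude_answers OR exclude_rejected)` writes `OR` in uppercase while `and`/`not` in the same expression are lowercase; not every Sigma condition parser treats keywords case-insensitively, so use `condition: selection and not (exclude_answers or exclude_rejected)`. `exclude_rejected` compares the zeek `rejected` field against the string `"true"`; if the backend stores that field as a boolean the string never matches and rejected lookups are not excluded, which is worth verifying on the target backend (or matching an unquoted `true`). The `# Dynamic DNS, may want to exclude` note on `"mooo.com"` is useful and could be repeated in `falsepositives:` so it survives conversion, since comments are dropped by the converters.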
@@ -93,8 +93,8 @@ detection: exclude_rejected: rejected: "true" condition: selection and not (exclude_answers OR exclude_rejected) -falsepositives: | - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". +falsepositives: + - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: - id.orig_h - id.resp_h From 1819e4b02b6654101f9767880a102c2fbbd492be Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:12:50 -0400 Subject: [PATCH 060/108] improve rule - improve rule logic - match zeek fields for fields section - add false positive information - change rule name to match the logic of the original rule.. Rule said "first" seen, however, no logic that matches that (ie: rare, stacking, etc..) --- .../zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index dfa15acba..a8853b8e1 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml 
@@ -1,7 +1,7 @@ -title: First Time Seen Remote Named Pipe - Zeek +title: SMB Spoolss Name Piped Usage id: bae2865c-5565-470d-b505-9496c87d0c30 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. -author: OTR (Open Threat Research) +author: OTR (Open Threat Research), @neu5ron references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ @@ -9,15 +9,15 @@ references: tags: - attack.lateral_movement - attack.t1021.002 -date: 2018/11/28 +date: 2021/08/23 logsource: product: zeek service: smb_files detection: selection: - path: \\*\IPC$ + path|endswith: IPC$ name: spoolss condition: selection falsepositives: - - 'Domain Controllers acting as printer servers too? :)' -level: medium \ No newline at end of file + - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too +level: medium From cfc32e595063433349fd9f4a5d56f1f4e34b0d10 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:16:55 -0400 Subject: [PATCH 061/108] correct fields for zeek_rdp_public_listener.yml correct zeek fields for `fields` section. improve false positives information --- rules/network/zeek/zeek_rdp_public_listener.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index f5e9be21b..c0b70992b 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml 
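Review bot: The new title `SMB Spoolss Name Piped Usage` has a typo — `Name Piped` for `Named Pipe`: `title: SMB Spoolss Named Pipe Usage`. The rest of this hunk (author credit, references context) needs no change.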
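Review bot: `date:` is overwritten from `2018/11/28` to `2021/08/23` to record this edit, but in Sigma metadata `date` is the creation date and revisions belong in a separate field; restore the original and add `modified: 2021/08/23`. The Cobalt Strike certificate hunk in patch 062 does the same, moving `date:` to `2021/08/26`, which is even later than that commit's own date. The loosened `path|endswith: IPC$` with `name: spoolss` looks right for zeek `smb_files`, and the reworded false-positive entry is an improvement.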
@@ -38,8 +38,8 @@ detection: #- x.x.x.x condition: not selection #and not approved_rdp fields: - - src_ip - - dst_ip + - id.orig_h + - id.resp_h falsepositives: - - none + - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. level: high From 064d7b7b9f7a8bfd7cd990ab5bd6370944390b45 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:23:41 -0400 Subject: [PATCH 062/108] improve rule logic zeek_default_cobalt_strike_certificate.yml zeek logging for `certificate.serial` is all letters are capitalized --- rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index a4e69cc5a..974604957 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -2,7 +2,7 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj -date: 2021/06/23 +date: 2021/08/26 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: @@ -13,7 +13,7 @@ logsource: service: x509 detection: selection: - certificate.serial: 8bb00ee + certificate.serial: 8BB00EE condition: selection fields: - san.dns From 41786a1b63bf6a8f7b042c354ee552bd050fb84a Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 18:55:29 +0000 Subject: [PATCH 063/108] In-Progress --- ...crosoft365_activity_by_terminated_user.yml | 24 +++++++++++++++++++ ...ft365_activity_from_infrequent_country.yml | 24 +++++++++++++++++++ ...icrosoft365_activity_from_ip_addresses.yml | 24 +++++++++++++++++++ ...rosoft365_from_suspicious_ip_addresses.yml | 24 +++++++++++++++++++ ...crosoft365_suspicious_inbox_forwarding.yml | 24 +++++++++++++++++++ ...ous_oauth_app_file_download_activities.yml | 24 +++++++++++++++++++ 6 files changed, 144 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 000000000..d79cd3733 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity performed by terminated user +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity performed by terminated user" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 000000000..6aa39b329 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from infrequent country +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from infrequent country" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml new file mode 100644 index 000000000..9b7702042 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml 
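Review bot: The `microsoft365_activity_from_infrequent_country.yml` hunk commits placeholder content — `category:` is empty, the description stops at `reported`, `falsepositives:` and the last `tags:` item are bare `-` (null items), and no technique tag is given — and the later commits in this series fill in only its `id`; the same holds for the two hunks that follow (`microsoft365_activity_from_ip_addresses.yml`, `microsoft365_from_suspicious_ip_addresses.yml`). Null list items and an empty `category` are likely to be rejected by the repository's rule checks, so either complete the fields (`category: ThreatManagement`, a full description, `- Unknown`, and a technique such as `attack.t1078` that the risky-IP rule earlier in this series already uses) or keep the unfinished files out of the series. The first hunk on this line (`microsoft365_activity_by_terminated_user.yml`) is completed by patches 066 and 068 and needs nothing further here.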
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from anonymous IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from anonymous IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml new file mode 100644 index 000000000..208a9de31 --- /dev/null +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from suspicious IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from suspicious IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml new file mode 100644 index 000000000..7ae798f74 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious inbox forwarding" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml new file mode 100644 index 000000000..3c748083a --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious OAuth app file download activities" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file From 8e4b8f45dd75a6911aec3ca5487982ae560da388 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 18:57:17 +0000 Subject: [PATCH 064/108] Update --- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7ae798f74..7f328a98b 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious inbox forwarding id: status: experimental description: Detects when a Microsoft Cloud App Security reported diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 3c748083a..d743264ef 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious OAuth app file download activities id: status: experimental description: Detects when a Microsoft Cloud App Security reported From b255586117bba130ef69e84f465d269c030d5d71 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:59:06 -0400 Subject: [PATCH 065/108] condition fix and add fields should be `operation` not `endpoint` for the detection logic. added various fields useful for investigation --- ...zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index c50ceb512..52cae5548 100644 
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -20,10 +20,18 @@ logsource: service: dce_rpc detection: efs_operation: - endpoint|startswith: + operation|startswith: - 'Efs' - 'efs' condition: efs_operation falsepositives: - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid From 4ab9519546102984137cdc8252a5275f5e6c22b4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 18:59:07 +0000 Subject: [PATCH 066/108] Update --- rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +- .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +- rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index d79cd3733..4b60b111e 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity performed by terminated user -id: +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 6aa39b329..6e161f7d5 100644 
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from infrequent country -id: +id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml index 9b7702042..ac34cd56a 100644 --- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from anonymous IP addresses -id: +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 208a9de31..36f5e305a 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from suspicious IP addresses -id: +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7f328a98b..5f349d2dc 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious inbox forwarding -id: +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index d743264ef..d795148d8 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious OAuth app file download activities -id: +id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger From 1fa32fcd1a764127bab1c5e4fb8410c19b9d663f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:02:47 +0000 Subject: [PATCH 067/108] Update --- .../microsoft365_suspicious_inbox_forwarding.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 5f349d2dc..e583f123c 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious inbox forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
 author: Austin Songer @austinsonger
 date: 2021/08/22
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
-level: medium
+ - Unknown
+level: low
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
+ - attack.t1020
\ No newline at end of file
From 595bd3b80f34a2d997f013be2a4bf890818c7956 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:07:09 +0000
Subject: [PATCH 068/108] Updated
---
 .../m365/microsoft365_activity_by_terminated_user.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 4b60b111e..037dcd00c 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
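Review bot: The new tags `+ - attack.exfiltration` / `+ - attack.t1020` map a suspicious inbox-forwarding alert to Automated Exfiltration, while ATT&CK has a technique specifically for mailbox forwarding rules, T1114.003 (Email Collection: Email Forwarding Rule); `attack.collection` plus `attack.t1114.003` would be the more precise mapping, with exfiltration kept as a secondary tactic if wanted. Lowering the level from `medium` to `low` in the same hunk is hard to justify for an alert that, per the new description, fires on an inbox rule copying all mail to an external address, a well-known business-email-compromise indicator. The added description also reads awkwardly; `description: Detects when Microsoft Cloud App Security reports a suspicious email forwarding rule, for example a user creating an inbox rule that forwards a copy of all emails to an external address.` says the same thing more clearly.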
@@ -1,7 +1,7 @@
 title: Microsoft 365 - Activity performed by terminated user
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
@@ -17,8 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.exfiltration
- - attack.t1537
\ No newline at end of file
+ - attack.impact
\ No newline at end of file
From da69b2f531332e072be94a75e8ca525db9bc82b4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:09:27 +0000
Subject: [PATCH 069/108] Update
---
 ..._suspicious_oauth_app_file_download_activities.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index d795148d8..91cbe32c1 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
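Review bot: The replacement tag `+ - attack.impact` leaves the rule with a tactic only, and Impact does not describe what the alert reports: an identity deprovisioned in Azure AD that is still active on other platforms, which is closer to Valid Accounts (T1078, or the T1078.004 Cloud Accounts sub-technique) under persistence or initial access. The `+ - Unknown` false-positive entry is also weaker than the description, which already names the main benign case; something like `  - Accounts on third-party platforms that were intentionally left active after the user left the company` gives an analyst something to check. In the new description, `reported for users whose account were terminated` should read `reports activity by users whose accounts were terminated`.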
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious OAuth app file download activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
 author: Austin Songer @austinsonger
-date: 2021/08/22
+date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
\ No newline at end of file
From 754158bfd24c2c0dd965a8ebadcb132df33e9e9d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:18:12 +0000
Subject: [PATCH 070/108] Update
---
 ...5_activity_from_anonymous_ip_addresses.yml | 24 +++++++++++++++++++
 ...ft365_activity_from_infrequent_country.yml | 10 ++++----
 ...rosoft365_from_suspicious_ip_addresses.yml | 10 ++++----
 ...ous_oauth_app_file_download_activities.yml | 3 ++-
 4 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
new file mode 100644
index 000000000..697d6f8dc
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
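Review bot: After the second hunk the rule carries only `+ - attack.exfiltration`, a tactic with no technique, so the mapping is less specific than what it replaced and gives a SOC nothing to pivot on. The behaviour the new description names, an OAuth app pulling many files out of SharePoint or OneDrive, fits T1530 (Data from Cloud Storage) under collection at least as well; consider `  - attack.collection` and `  - attack.t1530` alongside the exfiltration tactic. The description still says `reported when an app downloads`; `reports that an app downloaded multiple files ...` reads better.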
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity from anonymous IP addresses
+id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Activity from anonymous IP addresses"
+ status: success
+ condition: selection
+falsepositives:
+ - User using a VPN or Proxy
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 6e161f7d5..8e155919a 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Activity from infrequent country
 id: 0f2468a2-5055-4212-a368-7321198ee706
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
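Review bot: The new file reuses `+id: d8b0a4fe-07a8-41be-bd39-b14afa025d95`, the id already assigned to rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml earlier in this series, and that file is not deleted until the following commit, so at this commit the tree holds two rules with the same id; Sigma ids must be unique, and the repository's rule tests are likely to reject this unless the old file is removed in the same commit. The mapping `+ - attack.t1573` (Encrypted Channel) does not describe activity from an anonymous proxy either; T1090.003 (Proxy: Multi-hop Proxy) is the closer ATT&CK technique. The same t1573 tag is applied to the infrequent-country and suspicious-IP rules below, where it fits even less, since those alerts are about geography or IP reputation rather than a C2 channel.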
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 36f5e305a..4ade854ae 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Activity from suspicious IP addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatDetection
 service: m365
 detection:
 selection:
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index 91cbe32c1..906cd1006 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
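Review bot: `+ category: ThreatDetection` in the suspicious-IP-addresses file differs from the `ThreatManagement` value every sibling m365 rule touched by this commit uses (anonymous IP, infrequent country, OAuth app download, inbox forwarding); a backend that maps fields or indices per logsource category will treat this one rule differently, and the mismatch looks accidental rather than intended. Unless the source genuinely exposes a separate ThreatDetection category, change the line to `    category: ThreatManagement`. The `+ - Unknown` false-positive entry here and in the infrequent-country hunk above could name the obvious benign case, users on shared, mobile or VPN egress ranges with a poor reputation, the way the anonymous-IP rule already does.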
@@ -20,4 +20,5 @@ falsepositives:
 - Unknown
 level: medium
 tags:
- - attack.exfiltration
\ No newline at end of file
+ - attack.exfiltration
+
\ No newline at end of file
From 53482b7e9cb9d2fc05f5de477d0463cebd93074b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:19:41 +0000
Subject: [PATCH 071/108] Update
---
 ...crosoft365_activity_by_terminated_user.yml | 2 +-
 ...5_activity_from_anonymous_ip_addresses.yml | 2 +-
 ...ft365_activity_from_infrequent_country.yml | 2 +-
 ...icrosoft365_activity_from_ip_addresses.yml | 24 -------------------
 ...rosoft365_from_suspicious_ip_addresses.yml | 2 +-
 ...crosoft365_suspicious_inbox_forwarding.yml | 2 +-
 ...ous_oauth_app_file_download_activities.yml | 1 -
 7 files changed, 5 insertions(+), 30 deletions(-)
 delete mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 037dcd00c..5b2e2df98 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -20,4 +20,4 @@ falsepositives:
 - Unknown
 level: medium
 tags:
- - attack.impact
\ No newline at end of file
+ - attack.impact
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index 697d6f8dc..a46219e10 100644
--- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
 - attack.command_and_control
- - attack.t1573
\ No newline at end of file
+ - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 8e155919a..3d7862fad 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
 - attack.command_and_control
- - attack.t1573
\ No newline at end of file
+ - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml
deleted file mode 100644
index ac34cd56a..000000000
--- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Microsoft 365 - Activity from anonymous IP addresses
-id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported
-author: Austin Songer @austinsonger
-date: 2021/08/23
-references:
- - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
-logsource:
- category:
- service: m365
-detection:
- selection:
- eventSource: SecurityComplianceCenter
- eventName: "Activity from anonymous IP addresses"
- status: success
- condition: selection
-falsepositives:
- -
-level: medium
-tags:
- - attack.initial_access
- -
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 4ade854ae..8c703557d 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
 - attack.command_and_control
- - attack.t1573
\ No newline at end of file
+ - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index e583f123c..7910c62c9 100644
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: low
 tags:
 - attack.exfiltration
- - attack.t1020
\ No newline at end of file
+ - attack.t1020
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index 906cd1006..3ba0e3267 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -21,4 +21,3 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
-
\ No newline at end of file
From 84944cf84965ecba07daf0e7e50ca7cc60830443 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:30:11 +0000
Subject: [PATCH 072/108] Update
---
 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +-
 .../m365/microsoft365_activity_from_anonymous_ip_addresses.yml | 2 +-
 .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +-
 .../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +-
 rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +-
 rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +-
 rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +-
 ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 5b2e2df98..738af6e9e 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Activity performed by terminated user
+title: Activity performed by terminated user
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index a46219e10..cf1cb8712 100644
--- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Activity from anonymous IP addresses
+title: Activity from anonymous IP addresses
 id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 3d7862fad..9c8a433f1 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Activity from infrequent country
+title: Activity from infrequent country
 id: 0f2468a2-5055-4212-a368-7321198ee706
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index a758f328c..09256f6a7 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 Data exfiltration to unsanctioned apps
+title: Data exfiltration to unsanctioned apps
 id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 8c703557d..1714b0cd6 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Activity from suspicious IP addresses
+title: Activity from suspicious IP addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
index f841b3dd9..99950ddcd 100644
--- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 Log on from a risky IP address
+title: Logon from a risky IP address
 id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index 7910c62c9..5975e8b36 100644
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Suspicious inbox forwarding
+title: Suspicious inbox forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index 3ba0e3267..29944ff46 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -1,4 +1,4 @@
-title: Microsoft 365 - Suspicious OAuth app file download activities
+title: Suspicious OAuth app file download activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
From ad892eb239f10cafd6634c4fa6c17c9439391506 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:46:37 +0000
Subject: [PATCH 073/108] Update
---
 .../m365/m365_activity_by_terminated_user.yml | 23 +++++++++++++++++++
 ..._activity_from_anonymous_ip_addresses.yml} | 0
 ...m365_activity_from_infrequent_country.yml} | 0
 ...data_exfiltration_to_unsanctioned_app.yml} | 0
 ... => m365_from_suspicious_ip_addresses.yml} | 0
 ...l => m365_logon_from_risky_ip_address.yml} | 0
 ...l => m365_suspicious_inbox_forwarding.yml} | 0
 ...us_oauth_app_file_download_activities.yml} | 0
 8 files changed, 23 insertions(+)
 create mode 100644 rules/cloud/m365/m365_activity_by_terminated_user.yml
 rename rules/cloud/m365/{microsoft365_activity_from_anonymous_ip_addresses.yml => m365_activity_from_anonymous_ip_addresses.yml} (100%)
 rename rules/cloud/m365/{microsoft365_activity_from_infrequent_country.yml => m365_activity_from_infrequent_country.yml} (100%)
 rename rules/cloud/m365/{microsoft365_data_exfiltration_to_unsanctioned_app.yml => m365_data_exfiltration_to_unsanctioned_app.yml} (100%)
 rename rules/cloud/m365/{microsoft365_from_suspicious_ip_addresses.yml => m365_from_suspicious_ip_addresses.yml} (100%)
 rename rules/cloud/m365/{microsoft365_logon_from_risky_ip_address.yml => m365_logon_from_risky_ip_address.yml} (100%)
 rename rules/cloud/m365/{microsoft365_suspicious_inbox_forwarding.yml => m365_suspicious_inbox_forwarding.yml} (100%)
 rename rules/cloud/m365/{microsoft365_suspicious_oauth_app_file_download_activities.yml => m365_suspicious_oauth_app_file_download_activities.yml} (100%)
diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/m365_activity_by_terminated_user.yml
new file mode 100644
index 000000000..738af6e9e
--- /dev/null
+++ b/rules/cloud/m365/m365_activity_by_terminated_user.yml
@@ -0,0 +1,23 @@
+title: Activity performed by terminated user
+id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Activity performed by terminated user"
+ status: success
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
rename to rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/m365_activity_from_infrequent_country.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
rename to rules/cloud/m365/m365_activity_from_infrequent_country.yml
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
rename to rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
rename to rules/cloud/m365/m365_from_suspicious_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/m365_logon_from_risky_ip_address.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
rename to rules/cloud/m365/m365_logon_from_risky_ip_address.yml
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
rename to rules/cloud/m365/m365_suspicious_inbox_forwarding.yml
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
rename to rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml
From 29e1ce7e8f32f85584432f023b9a44747e40a330 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:50:39 +0000
Subject: [PATCH 074/108] Update
---
 ...crosoft365_activity_by_terminated_user.yml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
deleted file mode 100644
index 738af6e9e..000000000
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Activity performed by terminated user
-id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
-author: Austin Songer @austinsonger
-date: 2021/08/23
-references:
- - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
-logsource:
- category: ThreatManagement
- service: m365
-detection:
- selection:
- eventSource: SecurityComplianceCenter
- eventName: "Activity performed by terminated user"
- status: success
- condition: selection
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.impact
From c0e58d3c276ba3a9de7bc2e01af4ed554d8e5a5b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 23:00:58 +0000
Subject: [PATCH 075/108] Update
---
 ...ed_user.yml => microsoft365_activity_by_terminated_user.yml} | 2 +-
 ...ml => microsoft365_activity_from_anonymous_ip_addresses.yml} | 2 +-
 ...ry.yml => microsoft365_activity_from_infrequent_country.yml} | 2 +-
 ...l => microsoft365_data_exfiltration_to_unsanctioned_app.yml} | 2 +-
 ...resses.yml => microsoft365_from_suspicious_ip_addresses.yml} | 2 +-
 ...address.yml => microsoft365_logon_from_risky_ip_address.yml} | 2 +-
 ...warding.yml => microsoft365_suspicious_inbox_forwarding.yml} | 2 +-
 ...rosoft365_suspicious_oauth_app_file_download_activities.yml} | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
 rename rules/cloud/m365/{m365_activity_by_terminated_user.yml => microsoft365_activity_by_terminated_user.yml} (95%)
 rename rules/cloud/m365/{m365_activity_from_anonymous_ip_addresses.yml => microsoft365_activity_from_anonymous_ip_addresses.yml} (94%)
 rename rules/cloud/m365/{m365_activity_from_infrequent_country.yml => microsoft365_activity_from_infrequent_country.yml} (95%)
 rename rules/cloud/m365/{m365_data_exfiltration_to_unsanctioned_app.yml => microsoft365_data_exfiltration_to_unsanctioned_app.yml} (94%)
 rename rules/cloud/m365/{m365_from_suspicious_ip_addresses.yml => microsoft365_from_suspicious_ip_addresses.yml} (95%)
 rename rules/cloud/m365/{m365_logon_from_risky_ip_address.yml => microsoft365_logon_from_risky_ip_address.yml} (95%)
 rename rules/cloud/m365/{m365_suspicious_inbox_forwarding.yml => microsoft365_suspicious_inbox_forwarding.yml} (95%)
 rename rules/cloud/m365/{m365_suspicious_oauth_app_file_download_activities.yml => microsoft365_suspicious_oauth_app_file_download_activities.yml} (93%)
diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
similarity index 95%
rename from rules/cloud/m365/m365_activity_by_terminated_user.yml
rename to rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 738af6e9e..c24d42b67 100644
--- a/rules/cloud/m365/m365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -1,4 +1,4 @@
-title: Activity performed by terminated user
+title: Activity Performed by Terminated User
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
diff --git a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
similarity index 94%
rename from rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
rename to rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index cf1cb8712..7b3a72716 100644
--- a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -1,4 +1,4 @@
-title: Activity from anonymous IP addresses
+title: Activity from Anonymous IP Addresses
 id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
diff --git a/rules/cloud/m365/m365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
similarity index 95%
rename from rules/cloud/m365/m365_activity_from_infrequent_country.yml
rename to rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 9c8a433f1..9aa5ab394 100644
--- a/rules/cloud/m365/m365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -1,4 +1,4 @@
-title: Activity from infrequent country
+title: Activity from Infrequent Country
 id: 0f2468a2-5055-4212-a368-7321198ee706
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
diff --git a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
similarity index 94%
rename from rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
rename to rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index 09256f6a7..831a15ed6 100644
--- a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -1,4 +1,4 @@
-title: Data exfiltration to unsanctioned apps
+title: Data Exfiltration to Unsanctioned Apps
 id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
diff --git a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
similarity index 95%
rename from rules/cloud/m365/m365_from_suspicious_ip_addresses.yml
rename to rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 1714b0cd6..9be142d81 100644
--- a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -1,4 +1,4 @@
-title: Activity from suspicious IP addresses
+title: Activity from Suspicious IP Addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
diff --git a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
similarity index 95%
rename from rules/cloud/m365/m365_logon_from_risky_ip_address.yml
rename to rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
index 99950ddcd..55d1b4050 100644
--- a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
@@ -1,4 +1,4 @@
-title: Logon from a risky IP address
+title: Logon from a Risky IP Address
 id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
diff --git a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
similarity index 95%
rename from rules/cloud/m365/m365_suspicious_inbox_forwarding.yml
rename to rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index 5975e8b36..513e4f1b0 100644
--- a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -1,4 +1,4 @@
-title: Suspicious inbox forwarding
+title: Suspicious Inbox Forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
diff --git a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
similarity index 93%
rename from rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml
rename to rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index 29944ff46..6dbc4be42 100644
--- a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -1,4 +1,4 @@
-title: Suspicious OAuth app file download activities
+title: Suspicious OAuth App File Download Activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
From 8382bbfe09a0ee3f6e154842e393305e5b383b54 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:37:46 -0500
Subject: [PATCH 076/108] Create gworkspace_user_assigned_admin_role.yml
---
 rules/gworkspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/gworkspace_user_assigned_admin_role.yml
diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml
new file mode 100644
index 000000000..09cfcc4f5
--- /dev/null
+++ b/rules/gworkspace_user_assigned_admin_role.yml
@@ -0,0 +1,21 @@
+title: Google Workspace User Assigned Admin Role
+id: 2d1b83e4-17c6-4896-a37b-29140b40a788
+description: Detects when an admin role is assigned to a Google Workspace user.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+logsource:
+ service: google_workspace.admin
+detection:
+ selection:
+ eventService: admin.googleapis.com
+ admin.alert.name: google.admin.AdminService.grantAdminPrivilege
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1098
+falsepositives:
+ - Google Workspace admin role assigned, may be modified by system administrators.
From c767da91d13062c892c76040dc414f8c55ba241c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:38:01 -0500
Subject: [PATCH 077/108] Delete gworkspace_user_assigned_admin_role.yml
---
 rules/gworkspace_user_assigned_admin_role.yml | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 rules/gworkspace_user_assigned_admin_role.yml
diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml
deleted file mode 100644
index 09cfcc4f5..000000000
--- a/rules/gworkspace_user_assigned_admin_role.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: Google Workspace User Assigned Admin Role
-id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an admin role is assigned to a Google Workspace user.
-author: Austin Songer
-status: experimental
-date: 2021/08/23
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
-logsource:
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- admin.alert.name: google.admin.AdminService.grantAdminPrivilege
- condition: selection
-level: medium
-tags:
- - attack.persistence
- - attack.t1098
-falsepositives:
- - Google Workspace admin role assigned, may be modified by system administrators.
From 6b1f0b83f424ba88aec537a42d322a4008b65f04 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:38:47 -0500
Subject: [PATCH 078/108] Create workspace_user_assigned_admin_role.yml
---
 .../workspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml
diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml
new file mode 100644
index 000000000..09cfcc4f5
--- /dev/null
+++ b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml
@@ -0,0 +1,21 @@
+title: Google Workspace User Assigned Admin Role
+id: 2d1b83e4-17c6-4896-a37b-29140b40a788
+description: Detects when an admin role is assigned to a Google Workspace user.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+logsource:
+ service: google_workspace.admin
+detection:
+ selection:
+ eventService: admin.googleapis.com
+ admin.alert.name: google.admin.AdminService.grantAdminPrivilege
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1098
+falsepositives:
+ - Google Workspace admin role assigned, may be modified by system administrators.
From 3dd201d36f694a4e477858bf99e7a118cd3ef5f2 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:38:58 -0500
Subject: [PATCH 079/108] Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml
---
 ...ned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/cloud/gworkspace/{workspace_user_assigned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} (100%)
diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
similarity index 100%
rename from rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml
rename to rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
From ede0332f222de278d3e14ed0d099fc34cf5db0a1 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:40:20 -0500
Subject: [PATCH 080/108] Delete microsoft365_suspicious_inbox_manipulation_rules.yml
---
 ...65_suspicious_inbox_manipulation_rules.yml | 24 -------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
deleted file mode 100644
index 5bcdf4800..000000000
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Microsoft 365 - Suspicious inbox manipulation rules
-id: d2001772-f43f-4def-86d3-a9d5c47588c0
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
-author: Austin Songer @austinsonger
-date: 2021/08/23
-references:
- - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
-logsource:
- category: ThreatManagement
- service: m365
-detection:
- selection:
- eventSource: SecurityComplianceCenter
- eventName: "Suspicious inbox manipulation rules"
- status: success
- condition: selection
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.exfiltration
- - attack.t1020.001
\ No newline at end of file
From 0fe2b3f5695a2ca9b1bb5d2dd0cd478555f810c0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:52:32 -0500
Subject: [PATCH 081/108] Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml
---
 ....yml => gworkspace_user_granted_admin_privileges.yml} | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 rename rules/cloud/gworkspace/{gworkspace_user_assigned_admin_role.yml => gworkspace_user_granted_admin_privileges.yml} (51%)
diff --git a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
similarity index 51%
rename from rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
rename to rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index 09cfcc4f5..39d05f14f 100644
--- a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -1,21 +1,22 @@
-title: Google Workspace User Assigned Admin Role
+title: Google Workspace User Granted Admin Privileges
 id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an admin role is assigned to a Google Workspace user.
+description: Detects when an Google Workspace user is granted admin privileges.
 author: Austin Songer
 status: experimental
 date: 2021/08/23
 references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+ - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 logsource:
 service: google_workspace.admin
 detection:
 selection:
 eventService: admin.googleapis.com
- admin.alert.name: google.admin.AdminService.grantAdminPrivilege
+ eventName: GRANT_ADMIN_PRIVILEGE
 condition: selection
 level: medium
 tags:
 - attack.persistence
 - attack.t1098
 falsepositives:
- - Google Workspace admin role assigned, may be modified by system administrators.
+ - Google Workspace admin role privileges, may be modified by system administrators.
From aa7a8a3e71446183c861fb0bab850fb3555aafc5 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:58:20 -0500
Subject: [PATCH 082/108] Update gworkspace_user_granted_admin_privileges.yml
---
 .../gworkspace/gworkspace_user_granted_admin_privileges.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
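Review bot: The rewritten description line has an article error that will be copied into every downstream alert title: `description: Detects when a Google Workspace user is granted admin privileges.` would read correctly. The new falsepositives entry `Google Workspace admin role privileges, may be modified by system administrators.` describes the event rather than a benign cause; something like `- Legitimate assignment of admin privileges by existing administrators` tells an analyst what to rule out. Granting admin rights is a direct privilege-escalation/persistence signal, so `level: medium` may be low for this event, though that is a tuning judgement for the maintainers.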
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index 39d05f14f..c0b1f470a 100644
--- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -12,7 +12,9 @@ logsource:
 detection:
 selection:
 eventService: admin.googleapis.com
- eventName: GRANT_ADMIN_PRIVILEGE
+ eventName:
+ - GRANT_DELEGATED_ADMIN_PRIVILEGES
+ - GRANT_ADMIN_PRIVILEGE
 condition: selection
 level: medium
 tags:
From 3cd43bfd9b04f18fb84620a853f74351e62700a3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 21:19:44 -0500
Subject: [PATCH 083/108] Create gworkspace_granted_domain_api_access.yml
---
 .../gworkspace_granted_domain_api_access.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
new file mode 100644
index 000000000..8857a8749
--- /dev/null
+++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -0,0 +1,23 @@
+title: Google Workspace Granted Domain API Access
+id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
+description: Detects when an API access service account is granted domain authority.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+ - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS
+logsource:
+ service: google_workspace.admin
+detection:
+ selection:
+ eventService: admin.googleapis.com
+ eventName: AUTHORIZE_API_CLIENT_ACCESS
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+ - atack.t1098
+falsepositives:
+ - Unknown
+
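Review bot: `falsepositives: - Unknown` in the new gworkspace_granted_domain_api_access.yml undersells the main source of noise: authorizing an API client for domain-wide access is exactly what an administrator does when onboarding a third-party integration, so `- Legitimate authorization of a new third-party integration by an administrator` gives the analyst the benign case to rule out. A client authorized this way can act on behalf of any user in the domain, so `level: medium` looks low for the event the description itself calls "domain authority"; that is a tuning call for the maintainers, but it deserves a sentence in the description. The hunk also ends with an empty added line after `- Unknown`, which YAML linters in the repository's CI usually flag as trailing whitespace.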
From facd58bd0ad5972bb8c723075b38b01f2a0e8b67 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 21:19:51 -0500
Subject: [PATCH 084/108] Delete gworkspace_user_granted_admin_privileges.yml
---
 ...orkspace_user_granted_admin_privileges.yml | 24 -------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
deleted file mode 100644
index c0b1f470a..000000000
--- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Google Workspace User Granted Admin Privileges
-id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an Google Workspace user is granted admin privileges.
-author: Austin Songer
-status: experimental
-date: 2021/08/23
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
-logsource:
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName:
- - GRANT_DELEGATED_ADMIN_PRIVILEGES
- - GRANT_ADMIN_PRIVILEGE
- condition: selection
-level: medium
-tags:
- - attack.persistence
- - attack.t1098
-falsepositives:
- - Google Workspace admin role privileges, may be modified by system administrators.
From 9e588fdcf68ba9fc485e03bcf4a7fd10e8d81b75 Mon Sep 17 00:00:00 2001
From: neu5ron
Date: Tue, 24 Aug 2021 00:58:36 -0400
Subject: [PATCH 085/108] Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups.
---
 ...pc_printnightmare_print_driver_install.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
new file mode 100644
index 000000000..390edb4da
--- /dev/null
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -0,0 +1,45 @@
+title: Possible PrintNightmare Print Driver Install
+id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
+description: |
+ Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
+ The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
+author: '@neu5ron (Nate Guagenti)'
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
+ - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+ - https://github.com/corelight/CVE-2021-1675
+ - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+ - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
+ - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
+ -
+tags:
+ - attack.execution
+ - cve.2021-1675
+ - cve.2021-1678
+logsource:
+ product: zeek
+ service: dce_rpc
+detection:
+ printer_operation:
+ operation:
+ - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
+ - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
+ - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
+ - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
+ - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
+ - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
+ condition: printer_operation
+falsepositives:
+ - Legitimate remote alteration of a printer driver.
+level: medium
+fields:
+ - id.orig_h
+ - id.resp_h
+ - id.resp_p
+ - operation
+ - endpoint
+ - named_pipe
+ - uid
+status: stable
\ No newline at end of file
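Review bot: `status: stable` on a rule created in this very commit does not match the Sigma convention visible in the sibling rules on this page, where new rules enter as `status: experimental` and are promoted once validated in several environments; `status: experimental` is the expected value here. The description names only CVE-2021-1675 while the references already link the MSRC advisory for CVE-2021-34527, the remote print-driver-installation issue that the title's "PrintNightmare" refers to, so the first description line should mention both, e.g. `Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675 / CVE-2021-34527).`. The tag `cve.2021-1678` is misleading: the commit message itself says the extra functions are only "discussed" and not tied to that advisory, and a reader of the tags will assume the rule detects CVE-2021-1678 exploitation; dropping it (or moving the CrowdStrike link to a comment) keeps the tags honest. Since remote driver installation over RPC is a lateral-movement vector rather than local execution, `- attack.lateral_movement` and `- attack.t1210` are probably more accurate companions to `attack.execution`, though the maintainers may prefer their own mapping.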
From d8befe3a13f29b100b78c5f9534b769124a5c3d2 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 07:34:33 +0200
Subject: [PATCH 086/108] Update References
---
 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
index 8857a8749..e1602e388 100644
--- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -6,7 +6,7 @@ status: experimental
 date: 2021/08/23
 references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS
+ - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
 logsource:
 service: google_workspace.admin
 detection:
From be43ecd70db63098b7209f2e596ef68c4978ca74 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 07:57:16 +0200
Subject: [PATCH 087/108] Remove empty element in list Otherwise get a `null` when convert to some backend (es-rule,...)
---
 .../zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index 390edb4da..e6e840850 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -13,7 +13,6 @@ references:
 - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
 - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
 - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
- -
 tags:
 - attack.execution
 - cve.2021-1675
@@ -42,4 +41,4 @@ fields:
 - endpoint
 - named_pipe
 - uid
-status: stable
\ No newline at end of file
+status: stable
From 8ab90d801293189a4486e2d8a397ffe1d9396db1 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 07:59:36 +0200
Subject: [PATCH 088/108] add modified
---
 rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index 974604957..ed328eebf 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -2,7 +2,8 @@ title: Default Cobalt Strike Certificate
 id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
 author: Bhabesh Raj
-date: 2021/08/26
+date: 2021/06/23
+modified: 2021/08/24
 references:
 - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 tags:
From 4ee4f12f308f2da69cad4ab135f7ad9a433c86a0 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 08:01:01 +0200
Subject: [PATCH 089/108] add modified
---
 rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index a8853b8e1..c4ee427d6 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -9,7 +9,8 @@ references:
 tags:
 - attack.lateral_movement
 - attack.t1021.002
-date: 2021/08/23
+date: 2018/11/28
+modified: 2021/08/23
 logsource:
 product: zeek
 service: smb_files
From 15aa0cb70ee920560b2476f049663053fc6be551 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 08:02:24 +0200
Subject: [PATCH 090/108] add modified
---
 rules/network/zeek/zeek_dns_mining_pools.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 91d878243..c6d112047 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -4,6 +4,7 @@ description: Identifies clients that may be performing DNS lookups associated wi
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
 date: 2021/08/19
+modified: 2021/08/23
 author: Saw Winn Naung, Azure-Sentinel, @neu5ron
 level: low
 logsource:
From 272625a0052f6c0ecfa07b687a4452177bfa51f8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 24 Aug 2021 08:34:08 +0200
Subject: [PATCH 091/108] Update win_susp_splwow64.yml
---
 rules/windows/process_creation/win_susp_splwow64.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml
index 3695fcec2..38c4a4da3 100644
--- a/rules/windows/process_creation/win_susp_splwow64.yml
+++ b/rules/windows/process_creation/win_susp_splwow64.yml
@@ -13,7 +13,7 @@ detection:
 selection:
 Image|endswith: '\splwow64.exe'
 filter:
- CommandLine|contains: 'splwow64.exe '
+ CommandLine|endswith: 'splwow64.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
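Review bot: The new filter `CommandLine|endswith: 'splwow64.exe'` only suppresses a command line that ends in the bare image name, so a launch whose command line quotes the path (ending in `splwow64.exe"`) is no longer matched by the filter and would alert despite carrying no arguments; if that quoting shows up in your process-creation telemetry, the filter should be a list, `- 'splwow64.exe'` and `- 'splwow64.exe"'`. The old `contains: 'splwow64.exe '` with a trailing space matched only invocations that had arguments, i.e. the inverse of the intent, so the direction of the fix is right. The rule's header with its `date:`/`modified:` fields lies outside the hunk; a `modified:` bump would normally accompany a logic change like this.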
From 8f85ac0fdefa0966399c9f71b0f7116851a644a1 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 24 Aug 2021 09:35:04 +0200
Subject: [PATCH 092/108] tags update
---
 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +-
 rules/web/web_cve_2018_2894_weblogic_exploit.yml | 2 +-
 rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 2 +-
 rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml | 2 +-
 rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
index e1602e388..0b09904be 100644
--- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -17,7 +17,7 @@ detection:
 level: medium
 tags:
 - attack.persistence
- - atack.t1098
+ - attack.t1098
 falsepositives:
 - Unknown
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index cb39d1fbe..b2fcd3e7e 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -9,6 +9,7 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
 - https://twitter.com/pyn3rd/status/1020620932967223296
 - https://github.com/LandGrey/CVE-2018-2894
+ - https://nvd.nist.gov/vuln/detail/cve-2018-2894
 logsource:
 category: webserver
 detection:
@@ -26,5 +27,4 @@ tags:
 - attack.t1190
 - attack.initial_access
 - attack.persistence
- - cve.2018-2894
 - attack.t1505.003
diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
index 8fb1ae929..f7ac95ebb 100644
--- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -8,6 +8,7 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
 - https://twitter.com/aboul3la/status/1286012324722155525
 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-3452
 logsource:
 category: webserver
 detection:
@@ -34,4 +35,3 @@ tags:
 - attack.t1100 # an old one
 - attack.t1190
 - attack.initial_access
- - cve.2020-3452
diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
index 476408c22..df17a5de0 100644
--- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
+++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -7,6 +7,7 @@ date: 2021/01/20
 references:
 - https://twitter.com/pyn3rd/status/1351696768065409026
 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
+ - https://nvd.nist.gov/vuln/detail/cve-2021-2109
 logsource:
 category: webserver
 detection:
@@ -26,4 +27,3 @@ level: critical
 tags:
 - attack.t1190
 - attack.initial_access
- - cve.2021-2109
diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
index 8a240ab40..9da58de5d 100644
--- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
+++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -8,6 +8,7 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
 - https://twitter.com/wugeej/status/1369476795255320580
 - https://paper.seebug.org/1495/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-21978
 logsource:
 category: webserver
 detection:
@@ -27,4 +28,3 @@ level: high
 tags:
 - attack.initial_access
 - attack.t1190
- - cve.2021-21978
\ No newline at end of file
From c2302a15dadc1063687846c8aaa1026633a4e778 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 24 Aug 2021 10:10:45 +0200
Subject: [PATCH 093/108] fix cve tags
---
 .../web_cve_2020_14882_weblogic_exploit.yml | 2 +-
 rules/web/web_cve_2021_26814_wzuh_rce.yml | 2 +-
 ...terramaster_cve_2020_28188_rce_exploit.yml | 2 +-
 ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++--
 tests/test_rules.py | 21 +++++++++++++++++++
 5 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
index 14afc0d12..cb3545ad0 100644
--- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -10,6 +10,7 @@ references:
 - https://isc.sans.edu/diary/26734
 - https://twitter.com/jas502n/status/1321416053050667009?s=20
 - https://twitter.com/sudo_sudoka/status/1323951871078223874
+ - https://nvd.nist.gov/vuln/detail/cve-2020-14882
 logsource:
 category: webserver
 detection:
@@ -28,4 +29,3 @@ tags:
 - attack.t1100 # an old one
 - attack.t1190
 - attack.initial_access
- - cve.2020-14882
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
index 672226f45..03012d37f 100644
--- a/rules/web/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -7,6 +7,7 @@ date: 2021/05/22
 references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+ - https://nvd.nist.gov/vuln/detail/cve-2021-21978
 logsource:
 category: webserver
 detection:
@@ -22,4 +23,3 @@ level: high
 tags:
 - attack.initial_access
 - attack.t1190
- - cve.2021-21978
\ No newline at end of file
diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml
index 931e23897..73316e52b 100644
--- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml
+++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml
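Review bot: The reference added to web_cve_2021_26814_wzuh_rce.yml points at the wrong vulnerability: `- https://nvd.nist.gov/vuln/detail/cve-2021-21978` is the VMware View Planner CVE, while this rule, its filename and the cve.mitre.org link two lines above are all about CVE-2021-26814 (Wazuh). The removed `cve.2021-21978` tag carried the same copy-paste error, and converting it to a reference preserves it in a place analysts will actually click; the line should read `- https://nvd.nist.gov/vuln/detail/cve-2021-26814`. The first existing reference, `cvename.cgi?name=2021-26814`, also lacks the `CVE-` prefix MITRE expects, which is worth fixing in the same pass since this commit is already curating references.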
@@ -8,6 +8,7 @@ references:
 - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
 - https://nvd.nist.gov/vuln/detail/CVE-2020-28188
 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
+ - https://nvd.nist.gov/vuln/detail/cve-2020-28188
 logsource:
 category: webserver
 detection:
@@ -34,4 +35,3 @@ level: critical
 tags:
 - attack.t1190
 - attack.initial_access
- - cve.2020-28188
diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
index f2ec067cb..d0117429a 100644
--- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -9,12 +9,12 @@ modified: 2021/08/06
 references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+ - https://nvd.nist.gov/vuln/detail/cve-2021-33771
+ - https://nvd.nist.gov/vuln/detail/cve-2021-31979
 tags:
 - attack.credential_access
 - attack.t1566
 - attack.t1203
- - cve.2021-33771
- - cve.2021-31979
 - threat_group.Sourgum
 falsepositives:
 - Unlikely
diff --git a/tests/test_rules.py b/tests/test_rules.py
index d34bd8497..eefaad4a7 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
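Review bot: The added `- https://nvd.nist.gov/vuln/detail/cve-2020-28188` in web_terramaster_cve_2020_28188_rce_exploit.yml duplicates the existing context line `- https://nvd.nist.gov/vuln/detail/CVE-2020-28188` two entries above it, differing only in the case of the CVE identifier; one of the two should be dropped, and keeping the upper-case form matches the identifier as NVD displays it. The mechanical "tag to reference" conversion evidently did not check whether an NVD link was already present, so the other files in this commit and in the neighbouring 092/094 commits are worth a quick scan for the same duplication.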
@@ -72,6 +72,27 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + + def test_optional_tags(self): + files_with_incorrect_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag.startswith("attack."): + continue + elif tag.startswith("car."): + continue + elif tag.startswith("cve."): + print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) + # files_with_incorrect_tags.append(file) + else: + print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + # files_with_incorrect_tags.append(file) + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] From ace46c17bee09d8d331dcd22d5551b2516d26773 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:27:27 +0200 Subject: [PATCH 094/108] Update cve tags --- .../win_exploit_cve_2021_1675_printspooler.yml | 2 +- ...xploit_cve_2021_1675_printspooler_Security.yml | 4 ++-- ...oit_cve_2021_1675_printspooler_operational.yml | 2 +- .../driver_load/sysmon_vuln_dell_driver_load.yml | 3 ++- .../win_cve_2021_1675_printspooler_del.yml | 11 +++++------ .../image_load/sysmon_spoolsv_dll_load.yml | 15 ++++++--------- .../win_susp_servu_process_pattern.yml | 3 ++- 7 files changed, 19 insertions(+), 21 deletions(-) 
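Review bot: test_optional_tags cannot fail as written: both `files_with_incorrect_tags.append(file)` calls are commented out, so the cve.* and unknown-tag branches only print and the final assertEqual always compares an empty list with `[]`; if warn-only is the intent for now, say so in a comment, otherwise uncomment at least the unknown-tag append. The cve branch message is garbled — `Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)` reads better as `Rule {} has the cve tag <{}>; list the CVE as a reference (https://nvd.nist.gov/) instead`. The assertion message still says "incorrect/unknown MITRE Tags" although the check covers car.* and cve.* as well, and threat_group.* tags kept elsewhere in this commit (`threat_group.Sourgum` in sysmon_cve_2021_31979_cve_2021_33771_exploits.yml) fall into the unknown branch and would be reported once the append is enabled, so that prefix needs its own `continue`. The enclosing class TestRules continues outside the hunk.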
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 62e123578..26866f88b 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml index ce921b989..d36b0ea47 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 9b2fa1744..4fbbee51d 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml 
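Review bot: The references and tags of win_exploit_cve_2021_1675_printspooler.yml change here but the context line `modified: 2021/07/08` is left untouched, while the file_delete and image_load rules later in the same commit receive `modified: 2021/08/24`; the same inconsistency applies to the other printspooler rules in this commit and to the rules edited in patch 095. Bumping `modified:` consistently matters for consumers that sync rules by modification date. If metadata-only edits are deliberately exempt from a bump, a note in the commit message would settle the question.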
@@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-operational diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index 21868b8af..ea92afb40 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -5,11 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ + - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - - cve.2021-21551 + - attack.privilege_escalation detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 1b97f004c..397a66b13 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml 
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 logsource: category: file_delete product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\' + Image|endswith: 'spoolsv.exe' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index e51c20cdd..38e94f804 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml @@ -4,27 +4,24 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 -modified: 2021/07/08 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 - - cve.2021-34527 logsource: category: image_load product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - ImageLoaded|contains: - - '\Windows\System32\spool\drivers\x64\3\' - ImageLoaded|endswith: - - '.dll' + Image|endswith: 'spoolsv.exe' + ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\' + ImageLoaded|endswith: '.dll' condition: selection falsepositives: - Loading of legitimate driver 
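Review bot: In win_cve_2021_1675_printspooler_del.yml the rewritten `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` hard-codes the drive letter, whereas the image_load rule in the same commit matches `'\Windows\System32\spool\drivers\x64\3\'` without it; a Windows installation on another drive, or a log that records the path in a different form, would be missed by the first rule but caught by the second. Align on the drive-less form, `TargetFilename|contains: '\Windows\System32\spool\drivers\x64\3\'`. Collapsing the single-item lists to scalars is fine and the two rules are otherwise consistent.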
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 097a6ae6e..90b50893a 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml @@ -6,11 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - - cve.2021-35211 + - attack.credential_access detection: selection: ParentImage|endswith: '\Serv-U.exe' From 5b869a3f427e5a7931d047f5ef4e2eedbf712305 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:50:01 +0200 Subject: [PATCH 095/108] Update cve tags --- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 2 +- .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 4 ++-- .../windows/file_event/sysmon_cve_2021_26858_msexchange.yml | 2 +- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 3 ++- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- .../process_creation/sysmon_cve_2021_26857_msexchange.yml | 2 +- .../win_susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../registry_event/sysmon_registry_susp_printer_driver.yml | 3 ++- .../win_registry_mimikatz_printernightmare.yml | 6 +++--- tests/test_rules.py | 2 +- 10 files changed, 15 insertions(+), 13 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index e307a025e..da9e53df9 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
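Review bot: The replacement tag `attack.credential_access` in win_susp_servu_process_pattern.yml is not obviously supported by what the rule detects — child processes of `\Serv-U.exe`, i.e. post-exploitation of CVE-2021-35211 — and the sibling rule win_susp_servu_exploitation_cve_2021_35211.yml edited in patch 095 uses `attack.persistence` / `attack.t1136.001` for the same CVE. A tactic matching the exploitation, such as `attack.initial_access` with `attack.t1190` as the web CVE rules in this series use, seems closer; worth confirming against the Microsoft write-up the rule already references. As written the rule carries a tactic with no technique (as does sysmon_vuln_dell_driver_load.yml in the same commit), which test_optional_tags will not flag because it accepts any attack.* prefix.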
@@ -10,13 +10,13 @@ date: 2021/02/01 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit + - https://nvd.nist.gov/vuln/detail/cve-2021-3156 falsepositives: - Unknown level: critical tags: - attack.privilege_escalation - attack.t1068 - - cve.2021-3156 logsource: product: linux service: auditd diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index e6e840850..adf326609 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -13,10 +13,10 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1678 tags: - attack.execution - - cve.2021-1675 - - cve.2021-1678 logsource: product: zeek service: dce_rpc diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 0b4ba06e9..84390c481 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -9,11 +9,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26858 logsource: category: file_event product: windows 
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 60ee7dca1..9f426abdb 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,11 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - - cve.2021-1675 + - attack.privilege_escalation logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 47292ac6a..ea5cc8883 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,11 +9,11 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 + - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - - cve.2021-36934 - attack.credential_access - attack.t1552.001 detection: diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index 420288963..b0102bf58 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml 
@@ -8,11 +8,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 78f543acc..f6208a36e 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,13 +6,13 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 - - cve.2021-35211 - threat_group.DEV-0322 detection: selection1: diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 542bd527b..ad3f790db 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -4,10 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - - cve.2021-1675 + - attack.privilege_escalation logsource: category: registry_event product: windows 
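Review bot: sysmon_registry_susp_printer_driver.yml keeps the context line `date: 2020/07/01` while this hunk adds a reference to CVE-2021-1675 and the existing reference is a tweet about that 2021 vulnerability; the year looks like a typo for `date: 2021/07/01`. Since the commit already edits this rule's metadata, correcting the date here is cheap, and a `modified: 2021/08/24` line would match the rules that were bumped in patch 094.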
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 44c2e9435..db8f4a1fd 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 date: 2021/07/04 modified: 2021/07/28 logsource: @@ -37,4 +37,4 @@ detection: condition: selection or selection_alt or (selection_print and selection_kiwi) falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index eefaad4a7..f712875f1 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -86,7 +86,7 @@ class TestRules(unittest.TestCase): continue elif tag.startswith("cve."): print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - # files_with_incorrect_tags.append(file) + files_with_incorrect_tags.append(file) else: print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) # files_with_incorrect_tags.append(file) From 3cdb88ad55a206881b67ea604b4fc3f2113990da Mon Sep 17 00:00:00 2001 
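Review bot: After this hunk only the cve.* branch populates files_with_incorrect_tags; the unknown-tag branch still has `# files_with_incorrect_tags.append(file)` commented out, so a typo such as `atack.t1098` (fixed by hand in patch 100) or the bare `FIN7` tag (patch 097) still passes the test. Uncommenting that append, or documenting why unknown tags are only warned about, would make the test enforce what its assertion message claims. A rule with several cve.* tags is also appended once per tag; guarding with `if file not in files_with_incorrect_tags:` or collecting into a set keeps the failure list readable. test_optional_tags starts outside the hunk.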
From: Florian Roth Date: Tue, 24 Aug 2021 12:30:40 +0200 Subject: [PATCH 096/108] refactor: level of suspicious parent for powershell rule --- .../process_creation/win_susp_powershell_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index b58535be5..70b6b93f1 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -56,4 +56,4 @@ detection: condition: all of them falsepositives: - Other scripts -level: medium +level: high From 7753f8c22e1137315d26fdf22c247e3ef6c71f9e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 12:36:31 +0200 Subject: [PATCH 097/108] fix tags --- rules/windows/file_event/win_outlook_c2_macro_creation.yml | 2 +- .../win_office_spawn_exe_from_users_directory.yml | 2 +- rules/windows/process_creation/win_renamed_paexec.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml index e2b9f0c1e..a7b44dbb1 100644 --- a/rules/windows/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml @@ -7,7 +7,7 @@ references: author: '@ScoubiMtl' tags: - attack.persistence - - command_and_control + - attack.command_and_control - attack.t1137 - attack.t1008 - attack.t1546 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index cf43685fc..fbb81445b 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml 
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1204 # an old one - attack.t1204.002 - - FIN7 + - attack.g0046 - car.2013-05-002 author: Jason Lynch date: 2019/04/02 diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index b062debd0..50de18b03 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -9,7 +9,7 @@ tags: - attack.defense_evasion - attack.t1036 # an old one - attack.t1036.003 - - FIN7 + - attack.g0046 - car.2013-05-009 date: 2019/04/17 modified: 2020/09/06 From cc519552aa7f7b282790062c85e3a422710852cb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 14:54:07 +0200 Subject: [PATCH 098/108] refactor: RazorInstaller integrity level system --- .../win_susp_razorinstaller_explorer.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index cffed8586..1059d9288 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -5,8 +5,9 @@ description: Detects a explorer.exe sub process of the RazerInstaller software w references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji -author: Florian Roth +author: Florian Roth, Maxime Thiebaut date: 2021/08/23 +modified: 2021/08/24 tags: - attack.privilege_escalation logsource: 
@@ -14,9 +15,11 @@ logsource: product: windows detection: selection: - Image|endswith: '\explorer.exe' ParentImage|endswith: '\RazerInstaller.exe' - condition: selection + IntegrityLevel: 'System' + filter: + Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high \ No newline at end of file From 46e312ff0deba8b37ec058e02bd0b64abf50ef6c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 15:03:23 +0200 Subject: [PATCH 099/108] fix: error in modifier --- .../process_creation/win_susp_razorinstaller_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index 1059d9288..6f1b91d87 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -18,7 +18,7 @@ detection: ParentImage|endswith: '\RazerInstaller.exe' IntegrityLevel: 'System' filter: - Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + Image|startswith: 'C:\Windows\Installer\Razer\Installer\' condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 62f2affd032fff63e086fdeefc1634cb40a809e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 24 Aug 2021 14:15:50 +0000 Subject: [PATCH 100/108] Spelling fix --- CHANGELOG.md | 2 +- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ece949b93..23cb01864 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
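Review bot: This hunk removes `Image|endswith: '\explorer.exe'` from the selection, so the rule now fires on any System-integrity child of `\RazerInstaller.exe` outside the installer directory, but the description in the preceding hunk (`Detects a explorer.exe sub process of the RazerInstaller software ...`) and the falsepositives entry still describe an explorer.exe-only match. Either restore the Image constraint or update the description and falsepositives to say "any sub process". Widening the scope is defensible for a privilege-escalation rule, but it should be stated in the rule so that the level and false-positive guidance can be judged against it.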
@@ -23,7 +23,7 @@ from version 0.14.0. * Elastic EQL backend * Additional conversion selection filters * Filter negation -* Specifiy table in SQL backend +* Specify table in SQL backend * Generic registry event log source * Chronicle backend diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e1602e388..0b09904be 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -17,7 +17,7 @@ detection: level: medium tags: - attack.persistence - - atack.t1098 + - attack.t1098 falsepositives: - Unknown diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 55d1b4050..b71a4344b 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -17,7 +17,7 @@ detection: status: success condition: selection falsepositives: - - Unkown + - Unknown level: medium tags: - attack.initial_access From ce6141e3187e20bd39e3b412e353767bad99df6f Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 24 Aug 2021 21:11:46 +0545 Subject: [PATCH 101/108] Added rule for Arcadyan Router Exploitations --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml new file mode 100644 index 000000000..7cda3b67f --- /dev/null +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
@@ -0,0 +1,58 @@ +action: global +title: Arcadyan Router Exploitations +id: f0500377-bc70-425d-ac8c-e956cd906871 +status: experimental +description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. +references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + - https://www.tenable.com/security/research/tra-2021-13 + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +author: Bhabesh Raj +date: 2021/08/24 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 + - cve.2021-20090 + - cve.2021-20091 +--- +logsource: # CVE-2021-20090 (Path Traversal) + category: webserver +detection: + path_traversal: + c-uri|contains: + - '..%2f' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list +--- +logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) + category: webserver +detection: + path_traversal: + c-uri|contains|all: + - '..%2f' + - 'apply_abstract.cgi' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list \ No newline at end of file From ab8cc52dc6fde1b40cd7d5552d389738192fd78c Mon Sep 17 00:00:00 2001 
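Review bot: Both documents in the new rule match the traversal marker only as lowercase `'..%2f'`; whether `c-uri|contains` is case-insensitive depends on the backend, so a request logged with `..%2F` may be missed — listing both spellings under path_traversal (`- '..%2f'` and `- '..%2F'`) is the safer choice, and the same applies to the merged form of this rule in patch 106. The two documents also duplicate the eight-entry noauth_list and share `category: webserver`, so a single document with a combined condition is simpler. The `cve.2021-20090` / `cve.2021-20091` tags conflict with the convention the rest of this series establishes (CVE as an NVD reference, not a tag).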
From: Austin Songer Date: Tue, 24 Aug 2021 10:53:59 -0500 Subject: [PATCH 102/108] Role-Based Rules --- .../gworkspace_role_modified_or_deleted.yml | 25 +++++++++++++++++++ .../gworkspace_role_privilege_deleted.yml | 22 ++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml create mode 100644 rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 000000000..9437ca57d --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +description: Detects when an a role is modified or deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 000000000..f130b35e9 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml 
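Review bot: The description in gworkspace_role_modified_or_deleted.yml reads `Detects when an a role is modified or deleted in Google Workspace.` — the stray article should go (`Detects when a role is modified or deleted in Google Workspace.`), and gworkspace_role_privilege_deleted.yml in the same commit has the same `an a` typo. Both rules also end with a whitespace-only last line and no newline at EOF. Tagging role deletion and privilege removal as `attack.impact` alone deserves a sentence; the later gworkspace_user_granted_admin_privileges.yml uses `attack.persistence` / `attack.t1098` for the inverse operation, and account manipulation may fit here as well.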
@@ -0,0 +1,22 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +description: Detects when an a role privilege is deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file From a5f858b63c283abd96e90990bb4befecf3ce2e3a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 21:13:49 +0200 Subject: [PATCH 103/108] update references --- .../cloud/gworkspace/gworkspace_role_modified_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml index 9437ca57d..e0bab12fd 100644 --- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/24 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: service: google_workspace.admin detection: @@ -22,4 +22,4 @@ tags: - attack.impact falsepositives: - Unknown - \ No newline at end of file + From 09a00232fb70cc1e0c0107dcdde34ec023fb51ec Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 21:14:59 +0200 Subject: [PATCH 104/108] update references --- rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml index f130b35e9..7a803146b 100644 --- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/24 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: service: google_workspace.admin detection: @@ -19,4 +19,4 @@ tags: - attack.impact falsepositives: - Unknown - \ No newline at end of file + From a4d0e3453d5a72ef39850089ab204fe17badc694 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 10:24:15 +0545 Subject: [PATCH 105/108] Fix for CVE tag --- ...b_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 7cda3b67f..a816bc220 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
@@ -4,21 +4,20 @@ id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://nvd.nist.gov/vuln/detail/cve-2021-20090 + - https://nvd.nist.gov/vuln/detail/cve-2021-20091 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://www.tenable.com/security/research/tra-2021-13 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild author: Bhabesh Raj date: 2021/08/24 +modified: 2021/08/25 falsepositives: - Unknown level: critical tags: - attack.initial_access - attack.t1190 - - cve.2021-20090 - - cve.2021-20091 --- logsource: # CVE-2021-20090 (Path Traversal) category: webserver From df4180547ef43e43820f5277cc5a750f4b548e25 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 11:18:51 +0545 Subject: [PATCH 106/108] Merged rules --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 27 ++++--------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index a816bc220..06718546e 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -1,4 +1,3 @@ -action: global title: Arcadyan Router Exploitations id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental 
@@ -18,30 +17,14 @@ level: critical tags: - attack.initial_access - attack.t1190 ---- -logsource: # CVE-2021-20090 (Path Traversal) +logsource: category: webserver detection: path_traversal: - c-uri|contains: + c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal) - '..%2f' - noauth_list: - c-uri|contains: - - '/images/' - - '/js/' - - '/css/' - - '/setup_top_login.htm' - - '/login.html' - - '/loginerror.html' - - '/loginexclude.html' - - '/loginlock.html' - condition: path_traversal and noauth_list ---- -logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) - category: webserver -detection: - path_traversal: - c-uri|contains|all: + config_file_inj: + c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) - '..%2f' - 'apply_abstract.cgi' noauth_list: @@ -54,4 +37,4 @@ detection: - '/loginerror.html' - '/loginexclude.html' - '/loginlock.html' - condition: path_traversal and noauth_list \ No newline at end of file + condition: (path_traversal or config_file_inj) and noauth_list \ No newline at end of file From 1d725e8519247d7bda21d6c02d826c9533cca11e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 25 Aug 2021 08:15:18 +0200 Subject: [PATCH 107/108] add gworkspace_user_granted_admin_privileges.yml --- ...orkspace_user_granted_admin_privileges.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 000000000..ffc061d08 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml 
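Review bot: In the merged `condition: (path_traversal or config_file_inj) and noauth_list`, `config_file_inj` can never contribute a match of its own: it is `c-uri|contains|all` of `'..%2f'` and `'apply_abstract.cgi'`, so every event it matches already satisfies `path_traversal` (`c-uri|contains: '..%2f'`), and the `or` reduces to `path_traversal and noauth_list`. The practical effect is that the single document no longer distinguishes a bare CVE-2021-20090 auth bypass from the CVE-2021-20090 + CVE-2021-20091 config-injection chain that the two pre-merge documents matched separately, while still carrying a selection that looks as if it adds coverage. If one alert is the intent, simplify to `condition: path_traversal and noauth_list` and state in the `description` that the `apply_abstract.cgi` chain is included; if the chain should remain identifiable, it needs a condition or a separate rule that isolates it. The `@@ -1,4 +1,3 @@` hunk dropping `action: global` is consistent with collapsing to one document, and the file still ends with `\ No newline at end of file`.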
@@ -0,0 +1,24 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an Google Workspace user is granted admin privileges. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. \ No newline at end of file From a4021842de4aeecbf2dea05cf8154280da921a31 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 25 Aug 2021 09:15:57 +0200 Subject: [PATCH 108/108] Fix invalid tags --- rules/compliance/cleartext_protocols.yml | 86 +++++++++---------- .../compliance/default_credentials_usage.yml | 52 +++++------ .../compliance/group_modification_logging.yml | 52 +++++------ rules/compliance/host_without_firewall.yml | 24 +++--- rules/compliance/workstation_was_locked.yml | 48 +++++------ .../process_creation/win_apt_unc2452_cmds.yml | 4 +- .../process_creation/win_apt_unc2452_ps.yml | 2 +- ...susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../sysmon_susp_reg_persist_explorer_run.yml | 2 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 2 +- tests/test_rules.py | 22 ++--- 11 files changed, 148 insertions(+), 148 deletions(-) diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index eb1acd9c9..40905d705 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml 
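Review bot: The single reference `.../admin-user-settings#GRANT_ADMIN_PRIVILEGE` documents only the second `eventName`; `GRANT_DELEGATED_ADMIN_PRIVILEGES` is presumably covered by the delegated-admin page that patch 104 in this series switched the sibling rule `gworkspace_role_privilege_deleted.yml` to (`.../admin-delegated-admin-settings`), so a second reference line would let a reader verify both event names against the source. The `description` has a grammar slip: `Detects when an Google Workspace user` should read `Detects when a Google Workspace user`. The `falsepositives` entry also carries a stray comma; `Google Workspace admin role privileges may be modified by system administrators.` reads cleanly. Finally, the new file is added without a trailing newline (`\ No newline at end of file`), the same nit patch 104 fixes for the sibling rule.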
@@ -13,49 +13,49 @@ references: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.5 - - CSC14 - - CSC14.4 - - CSC16 - - CSC16.5 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.DS-1 - - NIST CSF 1.1 PR.DS-2 - - ISO 27002-2013 A.9.2.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - ISO 27002-2013 A.8.3.1 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.10.1.1 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 - - PCI DSS 3.2 8.8 - - PCI DSS 3.2 1.3 - - PCI DSS 3.2 1.4 - - PCI DSS 3.2 4.3 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - 
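Review bot: Commenting out the whole `tags:` block in `cleartext_protocols.yml` (and likewise in `default_credentials_usage.yml`, `group_modification_logging.yml`, `host_without_firewall.yml` and `workstation_was_locked.yml` later in this patch) silences the validator but discards the CSC / NIST CSF / ISO 27002 / PCI DSS mapping that is the reason these compliance rules exist, so any backend or report that consumed those tags now sees no compliance linkage at all. These tags fail the check in `tests/test_rules.py` because their prefixes are not on its allow-list (`attack.`, `car.`), not because the mapping is wrong, so a data-preserving alternative is to rewrite them in the same lowercase `namespace.value` shape and extend the allow-list with that namespace (constructed example: `- pci_dss.3.2.8.1` alongside `elif tag.startswith("pci_dss."): continue`). If the mapping is intentionally retired instead, the commit message should say so, because `# tags:` reads as a temporary workaround rather than a decision. Note also that `workstation_was_locked.yml` spells the prefix `ISO27002-2013` where the other files use `ISO 27002-2013`, which any revival of these tags would need to reconcile.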
PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 --- logsource: product: netflow diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index 297e16aac..fa9c67ce3 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml @@ -81,29 +81,29 @@ detection: falsepositives: - unknown level: medium -tags: - - CSC4 - - CSC4.2 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.2 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml index 083cc2b60..0da15dea2 100644 --- a/rules/compliance/group_modification_logging.yml +++ b/rules/compliance/group_modification_logging.yml 
@@ -33,29 +33,29 @@ detection: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.8 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.8 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index cab122e0b..ae9a76a72 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules/compliance/host_without_firewall.yml 
@@ -17,15 +17,15 @@ detection: host.scan.vuln_name: Firewall Product Not Detected* condition: selection level: low -tags: - - CSC9 - - CSC9.4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 DE.AE-1 - - ISO 27002-2013 A.9.1.2 - - ISO 27002-2013 A.13.2.1 - - ISO 27002-2013 A.13.2.2 - - ISO 27002-2013 A.14.1.2 - - PCI DSS 3.2 1.4 +# tags: + # - CSC9 + # - CSC9.4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 DE.AE-1 + # - ISO 27002-2013 A.9.1.2 + # - ISO 27002-2013 A.13.2.1 + # - ISO 27002-2013 A.13.2.2 + # - ISO 27002-2013 A.14.1.2 + # - PCI DSS 3.2 1.4 diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 37fd37c90..0cb5033c4 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml 
@@ -21,27 +21,27 @@ detection: falsepositives: - unknown level: low -tags: - - CSC16 - - CSC16.11 - - ISO27002-2013 A.9.1.1 - - ISO27002-2013 A.9.2.1 - - ISO27002-2013 A.9.2.2 - - ISO27002-2013 A.9.2.3 - - ISO27002-2013 A.9.2.4 - - ISO27002-2013 A.9.2.5 - - ISO27002-2013 A.9.2.6 - - ISO27002-2013 A.9.3.1 - - ISO27002-2013 A.9.4.1 - - ISO27002-2013 A.9.4.3 - - ISO27002-2013 A.11.2.8 - - PCI DSS 3.1 7.1 - - PCI DSS 3.1 7.2 - - PCI DSS 3.1 7.3 - - PCI DSS 3.1 8.7 - - PCI DSS 3.1 8.8 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.PT-3 +# tags: + # - CSC16 + # - CSC16.11 + # - ISO27002-2013 A.9.1.1 + # - ISO27002-2013 A.9.2.1 + # - ISO27002-2013 A.9.2.2 + # - ISO27002-2013 A.9.2.3 + # - ISO27002-2013 A.9.2.4 + # - ISO27002-2013 A.9.2.5 + # - ISO27002-2013 A.9.2.6 + # - ISO27002-2013 A.9.3.1 + # - ISO27002-2013 A.9.4.1 + # - ISO27002-2013 A.9.4.3 + # - ISO27002-2013 A.11.2.8 + # - PCI DSS 3.1 7.1 + # - PCI DSS 3.1 7.2 + # - PCI DSS 3.1 7.3 + # - PCI DSS 3.1 8.7 + # - PCI DSS 3.1 8.8 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.PT-3 diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml index b1c081801..be14932ea 100644 --- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml @@ -7,8 +7,8 @@ references: tags: - attack.execution - attack.t1059.001 - - sunburst - - unc2452 + # - sunburst + # - unc2452 author: Florian Roth date: 2021/01/22 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml index 89de914d9..5575f09f4 100644 --- a/rules/windows/process_creation/win_apt_unc2452_ps.yml +++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml 
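Review bot: Commenting out `sunburst` and `unc2452` in `win_apt_unc2452_cmds.yml` (and `sunburst` in `win_apt_unc2452_ps.yml`, `threat_group.DEV-0322`, `capec.270` and `threat_group.Sourgum` in the following hunks) removes the only machine-readable campaign/actor attribution from these rules, so consumers that filter or pivot on tags lose it. The bare `sunburst`/`unc2452` tags have no namespace and are arguably right to go, but `threat_group.` and `capec.` already follow the `namespace.value` shape the validator accepts for `attack.`/`car.`, so the smaller change is to allow those prefixes in `tests/test_rules.py` (`elif tag.startswith(("capec.", "threat_group.")): continue`) rather than strip the data. Whichever way is chosen, the attribution should survive somewhere, at minimum in `description` or `references`, since for the Serv-U and Sourgum rules nothing in the visible hunks retains the actor name once the tag is gone.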
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1059.001 - attack.t1047 - - sunburst + # - sunburst author: Florian Roth date: 2021/01/20 modified: 2021/01/22 diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index f6208a36e..4056fcdb7 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -13,7 +13,7 @@ logsource: tags: - attack.persistence - attack.t1136.001 - - threat_group.DEV-0322 + # - threat_group.DEV-0322 detection: selection1: CommandLine|contains: 'whoami' diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 2c6ae5ca2..b1ce684ac 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -28,7 +28,7 @@ tags: - attack.persistence - attack.t1060 # an old one - attack.t1547.001 - - capec.270 + # - capec.270 fields: - Image - ParentImage diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index d0117429a..eea60e94b 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -15,7 +15,7 @@ tags: - attack.credential_access - attack.t1566 - attack.t1203 - - threat_group.Sourgum + # - threat_group.Sourgum falsepositives: - Unlikely level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index f712875f1..4c01de39c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -79,17 +79,17 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: - for tag in tags: - if tag.startswith("attack."): - continue - elif tag.startswith("car."): - continue - elif tag.startswith("cve."): - print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - files_with_incorrect_tags.append(file) - else: - print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) - # files_with_incorrect_tags.append(file) + for tag in tags: + if tag.startswith("attack."): + continue + elif tag.startswith("car."): + continue + elif tag.startswith("cve."): + print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) + files_with_incorrect_tags.append(file) + else: + print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + files_with_incorrect_tags.append(file) self.assertEqual(files_with_incorrect_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")