Merge branch 'master' into devel

2020-03-07 11:06:25 +01:00
parent 54d3706a7f 07914c2783
commit ddefb3bc58
12 changed files with 44 additions and 14 deletions
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 from version 0.14.0.

+## Unreleased
+
+### Fixed
+
+* Splunx XML rule name is now set to rule title
+
 ## 0.16.0 - 2020-02-25

 ### Added
@@ -17,6 +17,7 @@ detection:
          - '.paste.ee/r/'
          - '.pastebin.com/raw/'
          - '.hastebin.com/raw/'
+          - '.ghostbin.co/paste/*/raw/'
    condition: selection
 fields:
    - ClientIP
@@ -3,7 +3,7 @@ id: 17d619c1-e020-4347-957e-1d1207455c93
 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
 status: experimental
 date: 2019/07/26
-modified: 2019/11/10
+modified: 2020/03/02
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
@@ -22,7 +22,8 @@ detection:
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter:
-        SubjectUserName|endswith: '$'
+        - SubjectUserName|endswith: '$'
+        - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not filter
 fields:
    - ComputerName
@@ -0,0 +1,23 @@
+title: MMC20 Lateral Movement
+id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe 
+author: '@2xxeformyshirt (Security Risk Advisors)'
+date: 2020/03/04
+references:
+  - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+  - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing 
+tags:
+  - attack.execution
+  - attack.t1175
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    ParentImage: '*\svchost.exe'
+    Image: '*\mmc.exe'
+    CommandLine: '*-Embedding*'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: high
@@ -25,7 +25,7 @@ detection:
      - Image|endswith: '\cmd.exe'
        CommandLine|contains|all: 
            - '/c'
-            - 'dir'
+            - 'dir '
            - '\Users\'
    filter_1:
        CommandLine|contains:
@@ -41,5 +41,5 @@ logsource:
 detection:
    selection:
        EventID: 13
-        TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+        TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
        Details: '%AppData%\Roaming\Oracle\bin\\*'
@@ -20,10 +20,10 @@ detection:
        Image|endswith: '\wevtutil.exe'
    selection_wevtutil_command:
        CommandLine|contains:  
-            - 'clear-log' # clears specified log 
-            - 'cl'        # short version of 'clear-log'
+            - 'clear-log' # clears specified log
+            - ' cl '        # short version of 'clear-log'
            - 'set-log'   # modifies config of specified log. could be uset to set it to a tiny size
-            - 'sl'        # short version of 'set-log'
+            - ' sl '        # short version of 'set-log'
    selection_other_ps:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 
@@ -32,7 +32,7 @@ detection:
            - 'Limit-EventLog'
    selection_other_wmic:
        Image|endswith: '\wmic.exe'
-        CommandLine|contains: 'ClearEventLog'
+        CommandLine|contains: ' ClearEventLog '
    condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)
 falsepositives:
    - Admin activity
@@ -31,9 +31,7 @@ detection:
    selection1:
        EventID: 13
        TargetObject:
-            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+            - 'HKLM\SYSTEM\CurrentControlSet\services\null\Instance*'
 ---
 logsource:
    category: process_creation
@@ -40,6 +40,7 @@ detection:
            - '\servpw.exe'
            - '\servpw64.exe'
            - '\pwdump.exe'
+            - '\procdump64.exe'
    condition: selection
 falsepositives:
    - Legitimate Administrator using tool for password recovery
@@ -13,7 +13,7 @@ logsource:
 detection:
    methregistry:
        EventID: 13
-        TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command'
+        TargetObject: 'HKU\\*\mscfile\shell\open\command'
    methprocess:
        EventID: 1 # Migration to process_creation requires multipart YAML
        ParentImage: '*\eventvwr.exe'
@@ -12,7 +12,7 @@ logsource:
 detection:
    selection:
        EventID: 13
-        TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
+        TargetObject: 'HKU\\*\Classes\exefile\shell\runas\command\isolatedCommand'
    condition: selection
 tags:
    - attack.defense_evasion
@@ -160,7 +160,7 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
            query = self.generateQuery(parsed)
            if query is not None:
                self.queries += self.panel_pre
-                self.queries += self.getRuleName(sigmaparser)
+                self.queries += sigmaparser.parsedyaml.get("title") or ""
                self.queries += self.panel_inf
                query = query.replace("<", "&lt;")
                query = query.replace(">", "&gt;")