diff --git a/CHANGELOG.md b/CHANGELOG.md
index 692b1532e..d55e3d3d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0.
 
+## Unreleased
+
+### Fixed
+
+* Splunx XML rule name is now set to rule title
+
 ## 0.16.0 - 2020-02-25
 
 ### Added
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index d5d21d3be..eba8c9a12 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -17,6 +17,7 @@ detection:
 - '.paste.ee/r/'
 - '.pastebin.com/raw/'
 - '.hastebin.com/raw/'
+ - '.ghostbin.co/paste/*/raw/'
 condition: selection
 fields:
 - ClientIP
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index 93580c596..60eab938a 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -3,7 +3,7 @@ id: 17d619c1-e020-4347-957e-1d1207455c93
 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
 status: experimental
 date: 2019/07/26
-modified: 2019/11/10
+modified: 2020/03/02
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
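Review bot: The added `'.ghostbin.co/paste/*/raw/'` is the only entry in this list with a wildcard in the middle of the value; the three entries above it are plain substrings. Whether a mid-string `*` is honoured depends on the field modifier above the hunk (not visible here) and on the target backend, so the generated query is worth checking on at least one backend before relying on it. A short comment would explain why this entry differs from its neighbours, e.g. `# ghostbin raw URLs carry the paste id between /paste/ and /raw/`. The detection map starts before the hunk.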
@@ -22,7 +22,8 @@ detection:
 - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
 - '89e95b76-444d-4c62-991a-0facbeda640c'
 filter:
- SubjectUserName|endswith: '$'
+ - SubjectUserName|endswith: '$'
+ - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
new file mode 100644
index 000000000..baaaca7f9
--- /dev/null
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -0,0 +1,23 @@
+title: MMC20 Lateral Movement
+id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+author: '@2xxeformyshirt (Security Risk Advisors)'
+date: 2020/03/04
+references:
+ - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
+tags:
+ - attack.execution
+ - attack.t1175
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\svchost.exe'
+ Image: '*\mmc.exe'
+ CommandLine: '*-Embedding*'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
index 68b4618d2..a46f9b194 100644
--- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -25,7 +25,7 @@ detection:
 - Image|endswith: '\cmd.exe'
 CommandLine|contains|all:
 - '/c'
- - 'dir'
+ - 'dir '
 - '\Users\'
 filter_1:
 CommandLine|contains:
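Review bot: The new `SubjectUserName|startswith: 'MSOL_'` filter excludes every account whose name begins with that prefix, not only the Azure AD Connect connector account the linked documentation describes, so any account that merely carries the prefix is dropped from a rule whose purpose is to surface replication requests from non-machine accounts. A prefix-based exclusion is weaker than naming the connector account exactly; where the environment allows it, pin the filter to the real account, e.g. `- SubjectUserName: 'MSOL_<connector-id>'` (constructed placeholder), or at least record the trade-off beside the existing link, `# prefix match: tighten to the actual connector account name where possible`. The filter also changed from a single map to a list of maps, which makes the two exclusions an OR under `condition: selection and not filter`; that is presumably intended.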
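Review bot: The new rule carries no `status:` field, while the sibling rule touched in this commit (win_ad_replication_non_machine_account.yml) has `status: experimental`; a freshly contributed rule should state it, e.g. `status: experimental` after the `id:` line. The `falsepositives: - Unlikely` entry looks optimistic for a purely process-level detection: a local out-of-process activation of MMC20.Application would appear to yield the same `svchost.exe` → `mmc.exe -Embedding` parent/child pair, and nothing in the three selection fields distinguishes a remote origin, so an entry such as `- Local COM activation of MMC20.Application (e.g. management scripts) produces the same process chain` would be more honest. Stylistically, the process_creation rules in this commit use `Image|endswith: '\cmd.exe'` rather than leading `*` wildcards, so `ParentImage|endswith: '\svchost.exe'`, `Image|endswith: '\mmc.exe'` and `CommandLine|contains: '-Embedding'` would be the consistent form.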
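Review bot: The new value `'dir '` still matches `mkdir `, `rmdir ` and `chdir ` because the check is `contains`, so the trailing space alone does not isolate the `dir` verb. A leading space, `- ' dir '`, would match the way the `' cl '`/`' sl '` entries in win_susp_eventlog_clear.yml in this same commit do, at the cost of missing forms where the verb directly follows a quote (`/c "dir \Users\"`); whichever trade-off is chosen should be stated on the line, e.g. `# trailing space only: still matches mkdir/rmdir/chdir`. The detection map and `filter_1` continue outside the hunk.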
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index d007e070e..68cea191f 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -41,5 +41,5 @@ logsource:
 detection:
 selection:
 EventID: 13
- TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+ TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
 Details: '%AppData%\Roaming\Oracle\bin\\*'
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 8a26e7446..8100a2e4c 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -20,10 +20,10 @@ detection:
 Image|endswith: '\wevtutil.exe'
 selection_wevtutil_command:
 CommandLine|contains:
- - 'clear-log' # clears specified log
- - 'cl' # short version of 'clear-log'
+ - 'clear-log' # clears specified log
+ - ' cl ' # short version of 'clear-log'
 - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size
- - 'sl' # short version of 'set-log'
+ - ' sl ' # short version of 'set-log'
 selection_other_ps:
 Image|endswith: '\powershell.exe'
 CommandLine|contains:
@@ -32,7 +32,7 @@ detection:
 - 'Limit-EventLog'
 selection_other_wmic:
 Image|endswith: '\wmic.exe'
- CommandLine|contains: 'ClearEventLog'
+ CommandLine|contains: ' ClearEventLog '
 condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)
 falsepositives:
 - Admin activity
diff --git a/rules/windows/sysmon/sysmon_apt_pandemic.yml b/rules/windows/sysmon/sysmon_apt_pandemic.yml
index 69e393e81..7360e5e22 100755
--- a/rules/windows/sysmon/sysmon_apt_pandemic.yml
+++ b/rules/windows/sysmon/sysmon_apt_pandemic.yml
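Review bot: The `Details` pattern on the last line, `'%AppData%\Roaming\Oracle\bin\\*'`, is left as is, yet `%AppData%` already expands to the Roaming profile folder on a default profile, so a value written with the expanded path would not contain `\Roaming\Oracle`; the pattern only matches if the sample stores the unexpanded string literally, which nothing in the visible lines confirms. It is worth checking against the referenced sample data and either adding `# literal, unexpanded value as written by the sample — confirm` on that line or broadening to `'*\Oracle\bin\\*'` if the expanded form is what appears in the logs. The `HKLM\` prefix change itself appears to align the rule with the key format the other registry rules in this commit adopt.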
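Review bot: The new `' ClearEventLog '` value requires a trailing space, but `ClearEventLog` is commonly the final token on a wmic command line (`... call ClearEventLog`), so the padded form can miss exactly the invocation the selection is meant to catch. Because `selection_other_wmic` already pairs the command line with `Image|endswith: '\wmic.exe'`, a leading space alone is enough to avoid matching inside longer words: `CommandLine|contains: ' ClearEventLog'`. The same trailing-space concern does not apply to the `' cl '`/`' sl '` entries in the first hunk of this file, since a log name always follows those verbs.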
@@ -31,9 +31,7 @@ detection:
 selection1:
 EventID: 13
 TargetObject:
- - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
- - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
- - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+ - 'HKLM\SYSTEM\CurrentControlSet\services\null\Instance*'
 ---
 logsource:
 category: process_creation
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
index 0295398ff..4ea0955c9 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
@@ -40,6 +40,7 @@ detection:
 - '\servpw.exe'
 - '\servpw64.exe'
 - '\pwdump.exe'
+ - '\procdump64.exe'
 condition: selection
 falsepositives:
 - Legitimate Administrator using tool for password recovery
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index 02b5ffab3..c91f0abdb 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 methregistry:
 EventID: 13
- TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command'
+ TargetObject: 'HKU\\*\mscfile\shell\open\command'
 methprocess:
 EventID: 1 # Migration to process_creation requires multipart YAML
 ParentImage: '*\eventvwr.exe'
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index 12b73f3a0..180f7b5da 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection:
 EventID: 13
- TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject: 'HKU\\*\Classes\exefile\shell\runas\command\isolatedCommand'
 condition: selection
 tags:
 - attack.defense_evasion
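Review bot: Replacing the three paths with the single `HKLM\SYSTEM\CurrentControlSet\services\null\Instance*` narrows the rule to whatever Sysmon reports for the active control set; if Sysmon normalizes the active set to `CurrentControlSet` (which the key format adopted across this commit suggests, but which is inferred rather than visible here) the two dropped `ControlSet00N` entries only covered writes to an inactive set. A short comment on the remaining line, `# Sysmon reports the active control set as CurrentControlSet; inactive sets are not covered`, would record that reasoning so the next maintainer does not re-add the old paths without checking. The `selection1` map begins before the hunk.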
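Review bot: `'\procdump64.exe'` is added to a list whose `falsepositives` entry still reads "Legitimate Administrator using tool for password recovery", which does not describe ProcDump, a general-purpose Sysinternals dump tool that administrators and developers run for crash diagnostics. Consider adding `- Legitimate use of Sysinternals ProcDump for crash dumps` under `falsepositives:`, and check whether the 32-bit `\procdump.exe` is already present in the part of the list outside the hunk so the two entries sit together. The `selection` list starts before the hunk.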
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index 9d95d9eec..63cb88106 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -160,7 +160,7 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 query = self.generateQuery(parsed)
 if query is not None:
 self.queries += self.panel_pre
- self.queries += self.getRuleName(sigmaparser)
+ self.queries += sigmaparser.parsedyaml.get("title") or ""
 self.queries += self.panel_inf
 query = query.replace("<", "<")
 query = query.replace(">", ">")
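Review bot: The rule title is concatenated into the XML dashboard text without escaping, whereas `query` two lines later is passed through `replace` for `<` and `>`; a title containing `<`, `>` or `&` therefore yields malformed XML, and YAML titles are free text supplied by rule authors. The title should be escaped the same way before it is appended, e.g. `self.queries += escape(str(sigmaparser.parsedyaml.get("title") or ""))` with `from xml.sax.saxutils import escape` in the module's import block (outside this hunk); `str()` also guards against a non-string title value, which `+=` would otherwise reject. Note too that the replaced `getRuleName(sigmaparser)` presumably produced per-rule unique names, while two rules with the same title now produce identical panel names; if the dashboard relies on uniqueness that deserves a comment on the line. The enclosing method starts above the hunk.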