From 98471bc53c19081ae240711f0ffe9a0442b88fc0 Mon Sep 17 00:00:00 2001 From: Kevin Dienst Date: Mon, 3 Feb 2020 07:29:42 -0600 Subject: [PATCH 01/11] Update proxy_raw_paste_service_access.yml Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw` Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI. --- rules/proxy/proxy_raw_paste_service_access.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index d5d21d3be..a752099c3 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -17,6 +17,7 @@ detection: - '.paste.ee/r/' - '.pastebin.com/raw/' - '.hastebin.com/raw/' + - '.ghostbin.co/paste/.+/raw/' condition: selection fields: - ClientIP From df7356e829e3a5761a0d2cdae0e66ffbb3645502 Mon Sep 17 00:00:00 2001 From: ecco Date: Mon, 24 Feb 2020 08:00:06 -0500 Subject: [PATCH 02/11] Rule: restore initial behaviour matching single word with spaces on each side --- .../process_creation/win_susp_eventlog_clear.yml | 16 ++++++++-------- .../process_creation/win_susp_fsutil_usage.yml | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 8a26e7446..5d8a74945 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml 
@@ -20,19 +20,19 @@ detection: Image|endswith: '\wevtutil.exe' selection_wevtutil_command: CommandLine|contains: - - 'clear-log' # clears specified log - - 'cl' # short version of 'clear-log' - - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - - 'sl' # short version of 'set-log' + - ' clear-log ' # clears specified log + - ' cl ' # short version of 'clear-log' + - ' set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' selection_other_ps: Image|endswith: '\powershell.exe' CommandLine|contains: - - 'Clear-EventLog' - - 'Remove-EventLog' - - 'Limit-EventLog' + - ' Clear-EventLog ' + - ' Remove-EventLog ' + - ' Limit-EventLog ' selection_other_wmic: Image|endswith: '\wmic.exe' - CommandLine|contains: 'ClearEventLog' + CommandLine|contains: ' ClearEventLog ' condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command) falsepositives: - Admin activity diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index e204a9d7e..b5825dc05 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml @@ -22,8 +22,8 @@ detection: OriginalFileName: 'fsutil.exe' selection: CommandLine|contains: - - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker - - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size + - ' deletejournal ' # usn deletejournal ==> generally ransomware or attacker + - ' createjournal ' # usn createjournal ==> can modify config to set it to a tiny size condition: (1 of binary_*) and selection falsepositives: - Admin activity From ca2cc87f0c8e8e05886f4c250a73efa6736b2197 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Wed, 26 Feb 2020 09:43:29 +0100 Subject: [PATCH 03/11] fixed regex syntax to wildcard syntax --- rules/proxy/proxy_raw_paste_service_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index a752099c3..eba8c9a12 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -17,7 +17,7 @@ detection: - '.paste.ee/r/' - '.pastebin.com/raw/' - '.hastebin.com/raw/' - - '.ghostbin.co/paste/.+/raw/' + - '.ghostbin.co/paste/*/raw/' condition: selection fields: - ClientIP From 0d932810b5bfaeea5e40d3b6365114371493ab77 Mon Sep 17 00:00:00 2001 From: grumo35 Date: Fri, 28 Feb 2020 15:16:18 +0100 Subject: [PATCH 04/11] Update sysmon_cred_dump_tools_dropped_files.yml Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/ --- rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml index 0295398ff..4ea0955c9 100644 --- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml +++ b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml @@ -40,6 +40,7 @@ detection: - '\servpw.exe' - '\servpw64.exe' - '\pwdump.exe' + - '\procdump64.exe' condition: selection falsepositives: - Legitimate Administrator using tool for password recovery From a0f7da8c03e54fb9db9d293e2f557525203e8d36 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 1 Mar 2020 22:21:30 +0100 Subject: [PATCH 05/11] Splunk XML backend rule title Fixes #645 --- CHANGELOG.md | 6 ++++++ tools/sigma/backends/splunk.py | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 692b1532e..d55e3d3d9 100644 --- a/CHANGELOG.md 
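Review bot: The new entry `'.ghostbin.co/paste/*/raw/'` keeps the leading dot of its neighbours, so with `contains` it only matches when some character precedes the hostname, i.e. a subdomain form such as `www.ghostbin.co`; a value of `ghostbin.co/paste/<id>/raw` written without a subdomain in the matched field (a bare host or a full `https://ghostbin.co/...` URL) would not match. Whether that matters depends on what the selection field holds, which is outside the hunk, and the same question applies to the existing `.pastebin.com/raw/` and `.hastebin.com/raw/` entries. If the field can carry the bare host, `'ghostbin.co/paste/*/raw/'` covers both forms; the `*` wildcard is correct here and also spans deeper paths, which is acceptable for this rule.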
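Review bot: Only `\procdump64.exe` is added, while the 32-bit build of the same Sysinternals tool ships as `procdump.exe` and produces the same dump files; if that name is not already in the list above the hunk (the visible context shows only the `servpw`/`pwdump` entries), add `- '\procdump.exe'` next to the new line. ProcDump is also a widely used legitimate tool for crash and hang analysis, so the `falsepositives` entry below the hunk, `Legitimate Administrator using tool for password recovery`, no longer describes the main benign case; a second entry such as `- Legitimate use of Sysinternals ProcDump for crash or hang analysis` would keep the rule's level honest for this addition.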
+++ b/CHANGELOG.md @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. +## Unreleased + +### Fixed + +* Splunx XML rule name is now set to rule title + ## 0.16.0 - 2020-02-25 ### Added diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index 9d95d9eec..63cb88106 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py @@ -160,7 +160,7 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin): query = self.generateQuery(parsed) if query is not None: self.queries += self.panel_pre - self.queries += self.getRuleName(sigmaparser) + self.queries += sigmaparser.parsedyaml.get("title") or "" self.queries += self.panel_inf query = query.replace("<", "<") query = query.replace(">", ">") From b63889af75c0bacfc825be9d8a00c04938952998 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 1 Mar 2020 23:14:53 +0100 Subject: [PATCH 06/11] Fixed rules that likely will cause false negatives by fix --- .../win_local_system_owner_account_discovery.yml | 2 +- .../process_creation/win_susp_eventlog_clear.yml | 10 +++++----- .../windows/process_creation/win_susp_fsutil_usage.yml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index 68b4618d2..a46f9b194 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml @@ -25,7 +25,7 @@ detection: - Image|endswith: '\cmd.exe' CommandLine|contains|all: - '/c' - - 'dir' + - 'dir ' - '\Users\' filter_1: CommandLine|contains: 
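Review bot: The rule title is now written straight into the XML panel between `panel_pre` and `panel_inf` without escaping, whereas the query on the following lines has its angle brackets replaced before being embedded; a title containing `&`, `<`, `>` or a quote would therefore produce malformed dashboard XML. Escape it the same way the query is, e.g. `self.queries += escape(sigmaparser.parsedyaml.get("title") or "")` with `from xml.sax.saxutils import escape` added to the module imports (outside the hunk). The enclosing method continues beyond the hunk on both sides.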
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 5d8a74945..8100a2e4c 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -20,16 +20,16 @@ detection: Image|endswith: '\wevtutil.exe' selection_wevtutil_command: CommandLine|contains: - - ' clear-log ' # clears specified log + - 'clear-log' # clears specified log - ' cl ' # short version of 'clear-log' - - ' set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - ' sl ' # short version of 'set-log' selection_other_ps: Image|endswith: '\powershell.exe' CommandLine|contains: - - ' Clear-EventLog ' - - ' Remove-EventLog ' - - ' Limit-EventLog ' + - 'Clear-EventLog' + - 'Remove-EventLog' + - 'Limit-EventLog' selection_other_wmic: Image|endswith: '\wmic.exe' CommandLine|contains: ' ClearEventLog ' diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index b5825dc05..e204a9d7e 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml @@ -22,8 +22,8 @@ detection: OriginalFileName: 'fsutil.exe' selection: CommandLine|contains: - - ' deletejournal ' # usn deletejournal ==> generally ransomware or attacker - - ' createjournal ' # usn createjournal ==> can modify config to set it to a tiny size + - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker + - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size condition: (1 of binary_*) and selection falsepositives: - Admin activity From d4b5dd5749bfc108d93c8e24dc6d0a552c02a554 Mon Sep 17 00:00:00 2001 
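Review bot: The `selection_other_wmic` value `' ClearEventLog '` keeps the trailing space that this commit removes from the PowerShell cmdlets and from `clear-log`/`set-log`, yet in the usual invocation `ClearEventLog` is the final token of the command line (`... call ClearEventLog`), so this selection requires a space that is normally absent and will rarely match; change the context line to `CommandLine|contains: 'ClearEventLog'` for the same reason the other values were unpadded. The padded `' cl '` and `' sl '` are fine to keep, since a log name has to follow them. The fsutil hunk below already makes the equivalent change and needs nothing further.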
From: Remco Hofman Date: Mon, 2 Mar 2020 16:43:20 +0100 Subject: [PATCH 07/11] Exclude Azure AD sync accounts from AD Replication rule --- .../builtin/win_ad_replication_non_machine_account.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml index 93580c596..60eab938a 100644 --- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml +++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml @@ -3,7 +3,7 @@ id: 17d619c1-e020-4347-957e-1d1207455c93 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. status: experimental date: 2019/07/26 -modified: 2019/11/10 +modified: 2020/03/02 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md @@ -22,7 +22,8 @@ detection: - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' - '89e95b76-444d-4c62-991a-0facbeda640c' filter: - SubjectUserName|endswith: '$' + - SubjectUserName|endswith: '$' + - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account condition: selection and not filter fields: - ComputerName From b9e4734087eb599c4ec55c548f06b003c3d4f120 Mon Sep 17 00:00:00 2001 From: ecco Date: Wed, 4 Mar 2020 12:47:42 -0500 Subject: [PATCH 08/11] fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon --- rules/windows/process_creation/win_mal_adwind.yml | 2 +- rules/windows/sysmon/sysmon_apt_pandemic.yml | 4 +--- rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 2 +- rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) 
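Review bot: The new filter entry `SubjectUserName|startswith: 'MSOL_'` excludes every account whose name carries that prefix, not only the Azure AD Connect account, and the excluded class is precisely the one that legitimately holds replication rights, so its misuse is exactly what this rule exists to surface. Prefer scoping the exclusion to the exact connector account name used in the environment, e.g. `- SubjectUserName: 'MSOL_<connector-id>'` (placeholder for the real name), or document in the rule that replication by the `MSOL_` account must be watched by a separate source-host or time-of-day check. The inline comment should also read `# https://docs.microsoft.com/...` with a space after the `#` to match the file's comment style. The change from a mapping to a list under `filter` correctly ORs the two conditions, so `not filter` still behaves as intended.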
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index d007e070e..68cea191f 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -41,5 +41,5 @@ logsource: detection: selection: EventID: 13 - TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* + TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* Details: '%AppData%\Roaming\Oracle\bin\\*' diff --git a/rules/windows/sysmon/sysmon_apt_pandemic.yml b/rules/windows/sysmon/sysmon_apt_pandemic.yml index 69e393e81..7360e5e22 100755 --- a/rules/windows/sysmon/sysmon_apt_pandemic.yml +++ b/rules/windows/sysmon/sysmon_apt_pandemic.yml @@ -31,9 +31,7 @@ detection: selection1: EventID: 13 TargetObject: - - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*' - - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*' - - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*' + - 'HKLM\SYSTEM\CurrentControlSet\services\null\Instance*' --- logsource: category: process_creation diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index 02b5ffab3..c91f0abdb 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -13,7 +13,7 @@ logsource: detection: methregistry: EventID: 13 - TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command' + TargetObject: 'HKU\\*\mscfile\shell\open\command' methprocess: EventID: 1 # Migration to process_creation requires multipart YAML ParentImage: '*\eventvwr.exe' diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 12b73f3a0..180f7b5da 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml 
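Review bot: The `sysmon_apt_pandemic.yml` hunk drops the two explicit `ControlSet001`/`ControlSet002` entries along with the prefix change, which is only safe if Sysmon rewrites writes under those keys to the `CurrentControlSet` form; the commit message asserts the new `HKLM`/`HKU` prefix format but says nothing about control-set naming, so this is an inference rather than something the hunk shows. If there is any doubt, keep them in the new form, `- 'HKLM\SYSTEM\ControlSet001\services\null\Instance*'` and `- 'HKLM\SYSTEM\ControlSet002\services\null\Instance*'`, since a direct write under an inactive control set would otherwise be missed. The other three hunks in this commit are straightforward prefix replacements and need nothing further.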
@@ -12,7 +12,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject: 'HKU\\*\Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: - attack.defense_evasion From ae56db97ffdf6b188123488e322d30851be1050d Mon Sep 17 00:00:00 2001 From: "2XXE (SRA)" <40869774+2XXE-SRA@users.noreply.github.com> Date: Wed, 4 Mar 2020 14:57:41 -0500 Subject: [PATCH 09/11] mmc lateral movement detection 1 see https://github.com/Neo23x0/sigma/issues/576 --- .../builtin/win_mmc20_lateral_movement.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/builtin/win_mmc20_lateral_movement.yml diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml new file mode 100644 index 000000000..f15df478d --- /dev/null +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml @@ -0,0 +1,24 @@ +title: MMC20 Lateral Movement +id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd +description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe +author: @2xxeformyshirt (Security Risk Advisors) +date: 2020/03/04 +references: + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing +tags: + - attack.execution + - attack.t1175 +logsource: + category: process_creation + product: windows +detection: + selection: + EventID: 4688 + ParentImage: '*\svchost.exe' + Image: '*\mmc.exe' + CommandLine: '*-Embedding*' + condition: selection +falsepositives: + - Unlikely +level: high From b040c129be191f620d187a76e5a33b5747d8abd7 Mon Sep 17 00:00:00 2001 
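Review bot: `falsepositives: - Unlikely` together with `level: high` is optimistic for this selection: `mmc.exe` started with `-Embedding` as a child of `svchost.exe` is, as far as I can tell, the generic out-of-process COM activation of MMC20.Application and also occurs for local COM automation on the same host, so the selection alone cannot distinguish lateral movement from local use. Record that as a false-positive entry, e.g. `- Local COM activation of MMC20.Application by scripts or management tooling on the same host`, and say in the description that correlating with a network logon on the target is needed to confirm the remote case. Style: the other process_creation rules touched in this series use field modifiers (`ParentImage|endswith: '\svchost.exe'`, `Image|endswith: '\mmc.exe'`, `CommandLine|contains: '-Embedding'`) rather than bare `*` wildcards, and the Google Drive link in `references` is not a durable citation.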
From: Florian Roth Date: Sat, 7 Mar 2020 10:38:02 +0100 Subject: [PATCH 10/11] fix: author field starting with an '@' symbol --- rules/windows/builtin/win_mmc20_lateral_movement.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index f15df478d..4bf638ae1 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml @@ -1,7 +1,7 @@ title: MMC20 Lateral Movement id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe -author: @2xxeformyshirt (Security Risk Advisors) +author: '@2xxeformyshirt (Security Risk Advisors)' date: 2020/03/04 references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ From 2e184382f5390cc4b161b6216334adc3d6e86e78 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 7 Mar 2020 10:43:47 +0100 Subject: [PATCH 11/11] fix: eventid in process_creation rules --- rules/windows/builtin/win_mmc20_lateral_movement.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index 4bf638ae1..baaaca7f9 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml @@ -14,7 +14,6 @@ logsource: product: windows detection: selection: - EventID: 4688 ParentImage: '*\svchost.exe' Image: '*\mmc.exe' CommandLine: '*-Embedding*'