security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/Neo23x0/sigma

Browse Source
This commit is contained in:
Aidan Bracher
2020-07-15 16:35:29 +01:00
parent 1e5ee5823c 8f66803ddf
commit e0476d5ce6
64 changed files with 1344 additions and 275 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+2
View File
@@ -52,6 +52,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
@@ -61,6 +62,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
rules/linux/lnx_shell_clear_cmd_history.yml
+2 -3
View File
@@ -15,7 +15,7 @@ references:
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
author: Patrick Bareiss
date: 2019/03/24
modified: 2020/05/28
modified: 2020/07/13
logsource:
product: linux
detection:
@@ -37,5 +37,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1551.003
- attack.t1070.003
rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+2 -2
View File
@@ -11,8 +11,8 @@ tags:
- attack.defense_evasion
- attack.t1146
- attack.t1070
- attack.t1551.003
- attack.t1551
- attack.t1070.003
- attack.t1070
logsource:
product: cisco
service: aaa
rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+1 -1
View File
@@ -15,7 +15,7 @@ tags:
- attack.t1488
- attack.t1487
- attack.t1561.002
- attack.t1551.004
- attack.t1070.004
- attack.t1561.001
logsource:
product: cisco
rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+2 -1
View File
@@ -3,7 +3,8 @@ id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
description: Detects known sensitive file extensions via Zeek
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references: https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
references:
- https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
tags:
- attack.collection
logsource:
rules/proxy/proxy_empire_ua_uri_combos.yml
+25
View File
@@ -0,0 +1,25 @@
title: Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: experimental
description: Detects user agent and URI paths used by empire agents
references:
- https://github.com/BC-SECURITY/Empire
author: Florian Roth
date: 2020/07/13
logsource:
category: proxy
detection:
selection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-uri-query:
- '/admin/get.php'
- '/news.php'
- '/login/process.php'
cs-method: 'POST'
condition: selection
fields:
- c-uri
- c-ip
falsepositives:
- Valid requests with this exact user agent to server scripts of the defined names
level: high
rules/proxy/proxy_pwndrop.yml
+21
View File
@@ -0,0 +1,21 @@
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: experimental
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
- https://breakdev.org/pwndrop/
author: Florian Roth
date: 2020/04/15
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/pwndrop/'
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical
rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
+34
View File
@@ -0,0 +1,34 @@
title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
references:
- https://support.citrix.com/article/CTX276688
- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
- https://dmaasland.github.io/posts/citrix.html
author: Florian Roth
status: experimental
date: 2020/07/10
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection1:
c-uri|contains:
- '/rapi/filedownload?filter=path:%2F'
selection2:
c-uri|contains|all:
- '/pcidss/report'
- 'type=all_signatures'
- 'sig_name=_default_signature_'
condition: 1 of them
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Unknown
level: critical
rules/web/web_cve_2020_5902_f5_bigip.yml
+5 -1
View File
@@ -6,13 +6,17 @@ references:
- https://support.f5.com/csp/article/K52145254
- https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
- https://twitter.com/yorickkoster/status/1279709009151434754
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
author: Florian Roth
date: 2020/07/05
modified: 2020/07/07
logsource:
category: webserver
detection:
selection_base:
c-uri|contains: '/tmui/login'
c-uri|contains:
- '/tmui/'
- '/hsqldb'
selection_traversal:
c-uri|contains:
- '..;/'
rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
+37
View File
@@ -0,0 +1,37 @@
title: File Was Not Allowed To Run
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
status: experimental
tags:
- attack.execution
- attack.t1204
- attack.t1086
- attack.t1064
- attack.t1035
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020/06/28
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8004
- 8007
condition: selection
fields:
- PolicyName
- RuleId
- RuleName
- TargetUser
- TargetProcessId
- FilePath
- FileHash
- Fqbn
falsepositives:
- need tuning applocker or add exceptions in SIEM
level: medium
rules/windows/builtin/win_global_catalog_enumeration.yml
+23
View File
@@ -0,0 +1,23 @@
title: Enumeration via the Global Catalog
description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
service: system
description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
selection:
EventID: 5156
DestinationPort:
- 3268
- 3269
timeframe: 1h
condition: selection | count() by SourceAddress > 2000
falsepositives:
- Exclude known DCs.
level: medium
rules/windows/builtin/win_metasploit_authentication.yml
+29
View File
@@ -0,0 +1,29 @@
title: Metasploit SMB Authentication
description: Alerts on Metasploit host's authentications on the domain.
id: 72124974-a68b-4366-b990-d30e0b2a190d
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.credential_access
- attack.t1110
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4625
- 4624
LogonType: 3
AuthenticationPackage: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
ProcessName:
EventID: 4776
SourceWorkstation|re: '^[A-Za-z0-9]{16}$'
condition: selection1 OR selection2
falsepositives:
- Linux hostnames composed of 16 characters.
level: high
rules/windows/builtin/win_susp_backup_delete.yml
+1 -1
View File
@@ -10,7 +10,7 @@ date: 2017/05/12
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1551.004
- attack.t1070.004
logsource:
product: windows
service: application
rules/windows/builtin/win_susp_eventlog_cleared.yml
+1 -1
View File
@@ -10,7 +10,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
- attack.t1551
- attack.t1070
logsource:
product: windows
service: system
rules/windows/builtin/win_susp_sdelete.yml
+1 -1
View File
@@ -13,7 +13,7 @@ tags:
- attack.t1107
- attack.t1066
- attack.s0195
- attack.t1551.004
- attack.t1070.004
- attack.t1027
logsource:
product: windows
rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+1 -1
View File
@@ -5,7 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
- attack.t1551
- attack.t1070
author: Florian Roth
date: 2017/02/19
logsource:
rules/windows/builtin/win_susp_time_modification.yml
+1 -1
View File
@@ -11,7 +11,7 @@ midified: 2020/01/27
tags:
- attack.defense_evasion
- attack.t1099
- attack.t1551.006
- attack.t1070.006
logsource:
product: windows
service: security
rules/windows/builtin/win_user_driver_loaded.yml
+1
View File
@@ -32,6 +32,7 @@ detection:
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
- '*\Google\Chrome\Application\chrome.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
rules/windows/file_event/sysmon_creation_system_file.yml
+2 -2
View File
@@ -14,7 +14,7 @@ logsource:
product: windows
detection:
selection:
Image:
TargetFilename:
- '*\svchost.exe'
- '*\rundll32.exe'
- '*\services.exe'
@@ -40,7 +40,7 @@ detection:
- '*\audiodg.exe'
- '*\wlanext.exe'
filter:
Image:
TargetFilename:
- 'C:\Windows\System32\\*'
- 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+1 -1
View File
@@ -16,7 +16,7 @@ logsource:
category: file_event
detection:
selection_1:
TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'
TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
selection_2:
Image|contains:
- 'C:\windows\system32\svchost.exe'
rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+1 -1
View File
@@ -14,7 +14,7 @@ logsource:
category: file_event
detection:
selection_1:
TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys'
TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
selection_2:
Image|contains:
- '*\procexp64.exe'
rules/windows/image_load/sysmon_in_memory_powershell.yml
+1
View File
@@ -24,6 +24,7 @@ detection:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\WINDOWS\System32\sdiagnhost.exe'
- '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives:
rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+1 -1
View File
@@ -20,7 +20,7 @@ detection:
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- 'C:\Windows\assembly\*'
- 'C:\Windows\assembly\\*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+1 -1
View File
@@ -27,7 +27,7 @@ detection:
- '*\wlbsctrl.dll'
filter:
ImageLoaded:
- 'C:\Windows\WinSxS\*'
- 'C:\Windows\WinSxS\\*'
condition: selection and not filter
falsepositives:
- Pentest
rules/windows/image_load/sysmon_wmi_module_load.yml
+3
View File
@@ -34,6 +34,9 @@ detection:
- '\CompatTelRunner.exe'
- '\sdiagnhost.exe'
- '\SIHClient.exe'
- '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
- '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
condition: selection and not filter
fields:
- ComputerName
rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+2 -2
View File
@@ -10,12 +10,12 @@ tags:
- attack.t1084
- attack.persistence
logsource:
cqtegory: image_loaded
category: image_load
product: windows
detection:
selection:
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ImageLoaded: 'wbemcons.dll'
ImageLoaded|endswith: '\wbemcons.dll'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
rules/windows/other/win_pcap_drivers.yml
+39
View File
@@ -0,0 +1,39 @@
title: Windows Pcap Drivers
id: 7b687634-ab20-11ea-bb37-0242ac130002
status: experimental
description: Detects Windows Pcap driver installation based on a list of associated .sys files.
author: Cian Heasley
date: 2020/06/10
references:
- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
tags:
- attack.discovery
- attack.credential_access
- attack.t1040
logsource:
product: windows
service: system
detection:
selection:
EventID: 4697
ServiceFileName:
- '*pcap*'
- '*npcap*'
- '*npf*'
- '*nm3*'
- '*ndiscap*'
- '*nmnt*'
- '*windivert*'
- '*USBPcap*'
- '*pktmon*'
condition: selection
fields:
- EventID
- ServiceFileName
- Account_Name
- Computer_Name
- Originating_Computer
- ServiceName
falsepositives:
- unknown
level: medium
rules/windows/powershell/powershell_clear_powershell_history.yml
+1 -1
View File
@@ -9,7 +9,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1551.003
- attack.t1070.003
logsource:
product: windows
service: powershell
rules/windows/powershell/win_powershell_web_request.yml
+46
View File
@@ -0,0 +1,46 @@
action: global
title: Windows PowerShell Web Request
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
status: experimental
description: Detects the use of various web request methods (including aliases) via Windows PowerShell
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019/10/24
tags:
- attack.execution
- attack.t1059
- attack.t1086
detection:
condition: selection
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
---
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
- 'curl '
- 'Net.WebClient'
- 'Start-BitsTransfer'
---
logsource:
product: windows
service: powershell
detection:
selection:
EventID: 4104
ScriptBlockText|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
- 'curl '
- 'Net.WebClient'
- 'Start-BitsTransfer'
rules/windows/process_creation/win_apt_evilnum_jul20.yml
+23
View File
@@ -0,0 +1,23 @@
title: EvilNum Golden Chickens Deployment via OCX Files
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
status: experimental
description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
references:
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
author: Florian Roth
date: 2020/07/10
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'regsvr32'
- ' /s /i '
- '\AppData\Roaming\'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: critical
rules/windows/process_creation/win_etw_trace_evasion.yml
+1 -1
View File
@@ -12,7 +12,7 @@ tags:
- attack.execution
- attack.t1070
- car.2016-04-002
- attack.t1551
- attack.t1070
level: high
logsource:
category: process_creation
rules/windows/process_creation/win_exploit_cve_2020_1350.yml
+29
View File
@@ -0,0 +1,29 @@
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: experimental
description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
references:
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
- https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth
date: 2020/07/15
tags:
- attack.initial_access
- attack.t1190
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\System32\dns.exe'
filter:
Image|endswith:
- '\System32\werfault.exe'
- '\System32\conhost.exe'
- '\System32\dnscmd.exe'
condition: selection and not filter
falsepositives:
- Unknown but benign sub processes of the Windows DNS service dns.exe
level: critical
rules/windows/process_creation/win_malware_notpetya.yml
+1 -1
View File
@@ -16,7 +16,7 @@ tags:
- attack.t1003
- car.2016-04-002
- attack.t1218.011
- attack.t1551
- attack.t1070
logsource:
category: process_creation
product: windows
rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+4 -3
View File
@@ -10,14 +10,15 @@ tags:
- attack.t1059.001
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019/01/16
modified: 2020/07/14
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\Powershell.exe'
CommandLine:
Image|endswith:
- '\Powershell.exe'
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
rules/windows/process_creation/win_shadow_copies_deletion.yml
+1 -1
View File
@@ -15,7 +15,7 @@ tags:
- attack.impact
- attack.t1070
- attack.t1490
- attack.t1551
- attack.t1070
logsource:
category: process_creation
product: windows
rules/windows/process_creation/win_susp_bcdedit.yml
+1 -1
View File
@@ -11,7 +11,7 @@ tags:
- attack.t1070
- attack.persistence
- attack.t1067
- attack.t1551
- attack.t1070
- attack.t1542.003
logsource:
category: process_creation
rules/windows/process_creation/win_susp_ditsnap.yml
+26
View File
@@ -0,0 +1,26 @@
title: DIT Snapshot Viewer Use
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: experimental
description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/yosqueoy/ditsnap
author: 'Furkan Caliskan (@caliskanfurkan_)'
date: 2020/07/04
tags:
- attack.credential_access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\ditsnap.exe'
selection2:
CommandLine|contains:
- 'ditsnap.exe'
condition: selection or selection2
falsepositives:
- Legitimate admin usage
level: high
rules/windows/process_creation/win_susp_eventlog_clear.yml
+1 -1
View File
@@ -11,7 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
- attack.t1551
- attack.t1070
level: high
logsource:
category: process_creation
rules/windows/process_creation/win_susp_fsutil_usage.yml
+1 -1
View File
@@ -12,7 +12,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1551
- attack.t1070
logsource:
category: process_creation
product: windows
rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+8 -4
View File
@@ -9,6 +9,7 @@ references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth
date: 2019/04/20
modified: 2020/07/13
tags:
- attack.execution
- attack.t1086
@@ -18,9 +19,12 @@ logsource:
product: windows
detection:
selection:
CommandLine:
- '* -NoP -sta -NonI -W Hidden -Enc *'
- '* -noP -sta -w 1 -enc *'
- '* -NoP -NonI -W Hidden -enc *'
CommandLine|contains:
- ' -NoP -sta -NonI -W Hidden -Enc '
- ' -noP -sta -w 1 -enc '
- ' -NoP -NonI -W Hidden -enc '
- ' -noP -sta -w 1 -enc'
- ' -enc SQB'
- ' -nop -exec bypass -EncodedCommand SQB'
condition: selection
level: critical
rules/windows/process_creation/win_susp_powershell_encoded_param.yml
+24
View File
@@ -0,0 +1,24 @@
title: PowerShell Encoded Character Syntax
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: experimental
description: Detects suspicious encoded character syntax often used for defense evasion
references:
- https://twitter.com/0gtweet/status/1281103918693482496
tags:
- attack.execution
- attack.defense_evasion
- attack.t1027
- attack.t1086
- attack.t1059.001
author: Florian Roth
date: 2020/07/09
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '(WCHAR)0x'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
+28
View File
@@ -0,0 +1,28 @@
title: Regsvr32 Flags Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: experimental
description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
author: Florian Roth
date: 2019/07/13
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
tags:
- attack.t1117
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains: ' /i:'
filter:
CommandLine|contains: ' /n '
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+2 -2
View File
@@ -15,8 +15,8 @@ logsource:
detection:
selection_registry:
TargetObject:
- '*\Keyboard Layout\Preload\*'
- '*\Keyboard Layout\Substitutes\*'
- '*\Keyboard Layout\Preload\\*'
- '*\Keyboard Layout\Substitutes\\*'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+22 -15
View File
@@ -1,3 +1,4 @@
action: global
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: experimental
@@ -7,21 +8,6 @@ references:
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
date: 2017/03/19
logsource:
product: windows
category: registry_event
detection:
methregistry:
TargetObject: 'HKU\\*\mscfile\shell\open\command'
methprocess:
EventID: 1 # Migration to process_creation requires multipart YAML
ParentImage: '*\eventvwr.exe'
filterprocess:
Image: '*\mmc.exe'
condition: methregistry or ( methprocess and not filterprocess )
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -30,3 +16,24 @@ tags:
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
category: registry_event
detection:
methregistry:
TargetObject: 'HKU\\*\mscfile\shell\open\command'
condition: methregistry
---
logsource:
category: process_creation
product: windows
detection:
methprocess:
ParentImage: '*\eventvwr.exe'
filterprocess:
Image: '*\mmc.exe'
condition: methprocess and not filterprocess
fields:
- CommandLine
- ParentCommandLine
tests/test_rules.py
+80 -222
View File
@@ -10,232 +10,13 @@ import os
import unittest
import yaml
import re
from attackcti import attack_client
from colorama import init
from colorama import Fore
class TestRules(unittest.TestCase):
MITRE_TECHNIQUES = [
"t1002",
"t1003",
"t1003.001",
"t1003.002",
"t1003.003",
"t1003.004",
"t1003.005",
"t1003.006",
"t1004",
"t1005",
"t1006",
"t1007",
"t1009",
"t1011",
"t1012",
"t1015",
"t1016",
"t1018",
"t1020",
"t1021",
"t1021.001",
"t1021.002",
"t1021.003",
"t1021.006",
"t1023",
"t1027",
"t1028",
"t1031",
"t1033",
"t1035",
"t1036",
"t1036.005",
"t1037",
"t1037.001",
"t1038",
"t1040",
"t1041",
"t1042",
"t1043",
"t1046",
"t1047",
"t1048",
"t1049",
"t1050",
"t1053",
"t1053.002",
"t1053.005",
"t1054",
"t1055",
"t1056",
"t1057",
"t1058",
"t1059",
"t1059.001",
"t1059.003",
"t1059.004",
"t1059.005",
"t1059.006",
"t1060",
"t1064",
"t1066",
"t1067",
"t1068",
"t1069",
"t1070",
"t1071",
"t1071.004",
"t1073",
"t1074",
"t1075",
"t1076",
"t1077",
"t1078",
"t1081",
"t1082",
"t1083",
"t1084",
"t1085",
"t1086",
"t1087",
"t1088",
"t1089",
"t1090",
"t1091",
"t1096",
"t1098",
"t1099",
"t1100",
"t1102",
"t1103",
"t1105",
"t1106",
"t1107",
"t1110",
"t1112",
"t1114",
"t1117",
"t1118",
"t1121",
"t1122",
"t1123",
"t1124",
"t1125",
"t1127",
"t1128",
"t1130",
"t1133",
"t1134",
"t1134.005",
"t1135",
"t1136",
"t1137",
"t1138",
"t1139",
"t1140",
"t1145",
"t1146",
"t1156",
"t1158",
"t1168",
"t1169",
"t1170",
"t1171",
"t1175",
"t1177",
"t1178",
"t1182",
"t1183",
"t1190",
"t1191",
"t1193",
"t1195",
"t1195.001",
"t1196",
"t1197",
"t1200",
"t1201",
"t1202",
"t1203",
"t1204",
"t1207",
"t1208",
"t1210",
"t1211",
"t1212",
"t1218",
"t1218.001",
"t1218.005",
"t1218.010",
"t1218.011",
"t1219",
"t1220",
"t1222",
"t1223",
"t1482",
"t1485",
"t1487",
"t1488",
"t1489",
"t1490",
"t1492",
"t1493",
"t1495",
"t1499",
"t1500",
"t1501",
"t1505",
"t1505.003",
"t1537",
"t1542.003",
"t1543.002",
"t1543.003",
"t1546.001",
"t1546.003",
"t1546.004",
"t1546.007",
"t1546.008",
"t1546.009",
"t1546.010",
"t1546.011",
"t1546.012",
"t1546.015",
"t1547.001",
"t1547.004",
"t1547.008",
"t1547.009",
"t1548.002",
"t1550.002",
"t1551",
"t1551.003",
"t1551.004",
"t1551.006",
"t1552.001",
"t1552.003",
"t1552.004",
"t1553.004",
"t1557.001",
"t1558",
"t1558.003",
"t1559.001",
"t1560",
"t1561.001",
"t1561.002",
"t1562.001",
"t1562.006",
"t1564.001",
"t1564.004",
"t1565.001",
"t1565.002",
"t1566.001",
"t1569.002",
"t1571",
"t1574.001",
"t1574.002",
"t1574.011",
]
MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
MITRE_GROUPS = ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", "g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"]
MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050", "s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", "s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", "s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", "s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"]
MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE]
path_to_rules = "rules"
@@ -284,12 +65,12 @@ class TestRules(unittest.TestCase):
tags = self.get_rule_part(file_path=file, part_name="tags")
if tags:
for tag in tags:
if tag not in self.MITRE_ALL and tag.startswith("attack."):
if tag not in MITRE_ALL and tag.startswith("attack."):
print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag))
files_with_incorrect_mitre_tags.append(file)
self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED +
"There are rules with incorrect MITRE Tags. (please inform us about new tags that are not yet supported in our tests) Check the correct tags here: https://attack.mitre.org/ ")
"There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")
def test_look_for_duplicate_filters(self):
def check_list_or_recurse_on_dict(item, depth:int) -> None:
@@ -466,6 +247,35 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)")
def test_references(self):
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
references = self.get_rule_part(file_path=file, part_name="references")
# Reference field doesn't exist
#if not references:
#print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file))
#faulty_rules.append(file)
if references:
# it exists but isn't a list
if not isinstance(references, list):
print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file))
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)")
def test_file_names(self):
faulty_rules = []
filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
for file in self.yield_next_rule_file_path(self.path_to_rules):
filename = os.path.basename(file)
if not filename_pattern.match(filename) and not '_' in filename:
print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.")
def test_title(self):
faulty_rules = []
allowed_lowercase_words = [
@@ -513,6 +323,54 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title")
def get_mitre_data():
"""
Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
"""
# Get MITRE ATT&CK information
lift = attack_client()
# Techniques
MITRE_TECHNIQUES = []
MITRE_TECHNIQUE_NAMES = []
MITRE_PHASE_NAMES = set()
MITRE_TOOLS = []
MITRE_GROUPS = []
# Techniques
enterprise_techniques = lift.get_enterprise_techniques()
for t in enterprise_techniques:
MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_'))
for r in t.external_references:
if 'external_id' in r:
MITRE_TECHNIQUES.append(r['external_id'].lower())
if 'kill_chain_phases' in t:
for kc in t['kill_chain_phases']:
if 'phase_name' in kc:
MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_'))
# Tools / Malware
enterprise_tools = lift.get_enterprise_tools()
for t in enterprise_tools:
for r in t.external_references:
if 'external_id' in r:
MITRE_TOOLS.append(r['external_id'].lower())
enterprise_malware = lift.get_enterprise_malware()
for m in enterprise_malware:
for r in m.external_references:
if 'external_id' in r:
MITRE_TOOLS.append(r['external_id'].lower())
# Groups
enterprise_groups = lift.get_enterprise_groups()
for g in enterprise_groups:
for r in g.external_references:
if 'external_id' in r:
MITRE_GROUPS.append(r['external_id'].lower())
# Combine all IDs to a big tag list
return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
if __name__ == "__main__":
init(autoreset=True)
# Get Current Data from MITRE on ATT&CK
MITRE_ALL = get_mitre_data()
# Run the tests
unittest.main()
tools/config/arcsight.yml
+6
View File
@@ -99,6 +99,12 @@ logsources:
service: application
conditions:
deviceVendor: Microsoft
windows-applocker:
product: windows
service: applocker
conditions:
deviceVendor: Microsoft
deviceProduct: AppLocker
proxy:
category: proxy
conditions:
tools/config/elk-windows.yml
+9
View File
@@ -33,4 +33,13 @@ logsources:
service: ntlm
conditions:
EventLog: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
EventLog:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: logstash-*
tools/config/elk-winlogbeat-sp.yml
+9
View File
@@ -33,6 +33,15 @@ logsources:
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: <winlogbeat-{now/d}>
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
tools/config/elk-winlogbeat.yml
+9
View File
@@ -33,6 +33,15 @@ logsources:
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
tools/config/logpoint-windows.yml
+9
View File
@@ -33,6 +33,15 @@ logsources:
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
fieldmappings:
EventID: event_id
tools/config/logstash-windows.yml
+9
View File
@@ -53,4 +53,13 @@ logsources:
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: logstash-*
tools/config/powershell-windows-all.yml
+9
View File
@@ -60,3 +60,12 @@ logsources:
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
tools/config/powershell.yml
+9
View File
@@ -74,3 +74,12 @@ logsources:
service: windefend
conditions:
LogName: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
tools/config/splunk-windows.yml
+9
View File
@@ -70,5 +70,14 @@ logsources:
service: dhcp
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
fieldmappings:
EventID: EventCode
tools/config/stix-qradar.yml
+51
View File
@@ -0,0 +1,51 @@
title: STIX for QRadar
backends:
- stix
order: 30
fieldmappings:
categoryid:
- x-ibm-ariel:category_id
categoryname:
- x-ibm-ariel:category_name
credescription:
- x-ibm-finding:description
Description:
- x-ibm-finding:description
credibility:
- x-ibm-ariel:credibility
crename:
- x-ibm-finding:name
devicetype:
- x-ibm-ariel:device_type
Device:
- x-ibm-ariel:device_type
direction:
- x-ibm-ariel:direction
domainid:
- x-ibm-ariel:domain_id
geographic:
- x-ibm-ariel:geographic
high_level_category_id:
- x-ibm-ariel:high_level_category_id
high_level_category_name:
- x-ibm-ariel:high_level_category_name
identityhostname:
- x-ibm-ariel:identity_host_name
logsourceid:
- x-ibm-ariel:log_source_id
logsourcename:
- x-ibm-ariel:log_source_name
logsourcetypename:
- x-ibm-ariel:log_source_type_name
magnitude:
- x-ibm-ariel:magnitude
qid:
- x-ibm-ariel:qid
qidname:
- x-ibm-ariel:event_name
relevance:
- x-ibm-ariel:relevance
rulenames:
- x-ibm-ariel:rule_names[*]
severity:
- x-ibm-ariel:severity
tools/config/stix-windows.yml
+286
View File
@@ -0,0 +1,286 @@
title: STIX for Windows Logs
backends:
- stix
order: 40
logsources:
windows:
product: windows
fieldmappings:
AccessMask:
- x-windows:accessmask
Accesses:
- x-windows:accesses
AccountDomain:
- user-account:x_domain
AccountID:
- user-account:user_id
AccountName:
- user-account:account_login
- user-account:display_name
AccountSecurityID:
- user-account:x_security_id
CallTrace:
- x-windows:calltrace
ChangedAttributes:
- x-windows:changedattributes
ClientIP:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
ComputerName:
- x-host:name
Description:
- x-event:action
DestinationIsIpv6:
- x-windows:destisipv6
DestinationHostname:
- network-traffic:dst_ref.value
Device:
- file:name
ErrorCode:
- x-error:code
Event-ID:
- x-event:id
- x-event:code
EventID:
- x-event:id
- x-event:code
Event_ID:
- x-event:id
- x-event:code
EventType:
- x-event:action
ExtendedErrorCode:
- x-error:code
- x-error:id
FileDirectory:
- directory:path
FileExtension:
- file:x_extension
FileHash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
FilePath:
- file:name
Filename:
- file:name
GrantedAccess:
- x-windows:grantedaccess
GroupDomain:
- x-group:domain
GroupID:
- x-group:id
GroupName:
- x-group:name
GroupSecurityID:
- x-group:security_id
HomeDirectory:
- directory:path
IMPHash:
- x-windows:imphash
Imphash:
- x-windows:imphash
Image:
- process:image_ref.name
ImageLoadedTempPath:
- process:image_ref.x_temp_path
ImageName:
- process:image_ref.name
ImagePath:
- process:image_ref.name
ImageTempPath:
- process:image_ref.x_temp_path
InitiatedConnection:
- x-windows:initiatedconnection
Initiated:
- x-windows:initiatedconnection
InitiatorUserName:
- user-account:user_id
- user-account:account_login
IntegrityLevel:
- x-windows:integritylevel
LoadedImage:
- process:image_ref.name
LoadedImageName:
- process:image_ref.name
LogonType:
- x-windows:logontype
MD5Hash:
- file:hashes.MD5
Message:
- x-event:original
NewName:
- windows-registry-key:key
ObjectName:
- x-windows:objectname
ObjectType:
- x-windows:objecttype
PSEncodedCommand:
- x-windows:psencodedcommand
ParentCommandLine:
- process:parent_ref.command_line
ParentImage:
- process:parent_ref.image_ref.name
ParentImageName:
- process:parent_ref.image_ref.name
ParentProcessGuid:
- process:parent_ref.x_guid
ParentProcessName:
- process:parent_ref.image_ref.name
ParentProcessPath:
- process:parent_ref.image_ref.name
PipeName:
- x-windows:pipename
ProcessCommandLine:
- process:command_line
Command:
- process:command_line
CommandLine:
- process:command_line
ProcessGuid:
- process:x_guid
ProcessId:
- process:pid
ProcessName:
- process:image_ref.name
ProcessPath:
- process:image_ref.name
QueryName:
- x-windows:queryname
QueryResults:
- x-windows:queryresults
QueryStatus:
- x-windows:querystatus
Realm:
- x-windows:realm
RecordNumber:
- x-windows:recordnumber
RegistryKey:
- windows-registry-key:key
RegistryValueData:
- windows-registry-key:values[*].data
RegistryValueName:
- windows-registry-key:values[*].name
RunLevel:
- x-windows:runlevel
SAMAccountName:
- x-windows:samaccountname
SHA1Hash:
- file:hashes.SHA-1
SHA256Hash:
- file:hashes.SHA-256
Scope:
- x-windows:scope
ServiceFileName:
- process:extensions.windows-service-ext.service_dll_refs[*].name
ServiceName:
- process:extensions.windows-service-ext.service_name
ShareName:
- x-windows:sharename
SharePath:
- x-windows:sharepath
Signature:
- x-windows:signature
SignatureStatus:
- x-windows:signaturestatus
Signed:
- x-windows:signed
SourceImage:
- x-windows:sourceimage
SourceImageTempPath:
- x-windows:sourceimagetemppath
SourceWorkstation:
- x-windows:sourceworkstation
StartAddress:
- x-windows:startaddress
StartFunction:
- x-windows:startfunction
StartModule:
- x-windows:startmodule
TargetAccountSecurityID:
- x-windows:targetaccountsecurityid
TargetComputerDomain:
- x-windows:targetcomputerdomain
TargetComputerName:
- x-windows:targetcomputername
TargetDetails:
- x-windows:targetdetails
Details:
- windows-registry-key:values[*].data
- x-event:original
TargetFilename:
- file:name
TargetImage:
- x-windows:targetimage
TargetImageName:
- x-windows:targetimagename
TargetObject:
- windows-registry-key:key
TargetProcessGuid:
- x-windows:targetprocessguid
TargetProcessAddress:
- x-windows:startaddress
TargetUserDomain:
- x-windows:targetuserdomain
TargetUserName:
- x-windows:targetusername
TaskName:
- x-windows:taskname
TicketEncryptionType:
- x-windows:ticketencryptiontype
User:
- user-account:user_id
UserDomain:
- user-account:x_domain
UserPrincipalName:
- x-windows:userprincipalname
UserRight:
- x-windows:userright
UserWorkstations:
- x-windows:userworkstations
event-id:
- x-event:id
eventId:
- x-event:id
event_data.FileName:
- file:name
event_data.Image:
- process:image_ref.name
event_data.ImageLoaded:
- process:image_ref.name
ImageLoaded:
- process:image_ref.name
event_data.ImagePath:
- process:image_ref.name
event_data.ParentCommandLine:
- process:parent_ref.command_line
event_data.ParentImage:
- process:parent_ref.image_ref.name
event_data.ParentProcessName:
- process:parent_ref.image_ref.name
event_data.PipeName:
- x-windows:pipename
event_data.ServiceFileName:
- process:extensions.windows-service-ext.service_dll_refs[*].name
event_data.ShareName:
- x-windows:sharename
event_data.Signature:
- x-windows:signature
event_data.SourceImage:
- x-windows:sourceimage
event_data.StartModule:
- x-windows:startmodule
event_data.SubjectUserName:
- user-account:user_id
- user-account:account_login
event_data.TargetFilename:
- file:name
event_data.TargetImage:
- x-windows:targetimage
event_data.User:
- user-account:user_id
event_id:
- x-event:id
eventid:
- x-event:id
tools/config/stix.yml
+94
View File
@@ -0,0 +1,94 @@
title: Basic STIX
backends:
- stix
order: 20
fieldmappings:
User:
- user-account:user_id
c-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
cs-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
destinationip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
destinationmac:
- mac-addr:value
- network-traffic:dst_ref.value
destinationport:
- network-traffic:dst_port
domainname:
- domain-name:value
dst:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
dst_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
endtime:
- network-traffic:end
event_data.DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
event_data.DestinationPort:
- network-traffic:dst_port
DestinationPort:
- network-traffic:dst_port
event_data.SubjectUserName:
- user-account:user_id
event_data.User:
- user-account:user_id
filehash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
filename:
- file:name
filepath:
- file:parent_directory_ref
- directory:path
identityip:
- ipv4-addr:value
protocolid:
- network-traffic:protocols[*]
sourceip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
sourcemac:
- mac-addr:value
- network-traffic:src_ref.value
sourceport:
- network-traffic:src_port
SourcePort:
- network-traffic:src_port
src:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
src_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
starttime:
- network-traffic:start
url:
- url:value
user:
- user-account:user_id
username:
- user-account:user_id
utf8_payload:
- artifact:payload_bin
tools/config/thor.yml
+10 -1
View File
@@ -71,6 +71,15 @@ logsources:
service: dhcp
sources:
- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
sources:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
apache:
category: webserver
sources:
@@ -92,4 +101,4 @@ logsources:
logfiles:
category: logfile
sources:
- 'File:*.log'
- 'File:*.log'
tools/config/winlogbeat-modules-enabled.yml
+9
View File
@@ -54,6 +54,15 @@ logsources:
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
tools/config/winlogbeat-old.yml
+9
View File
@@ -53,6 +53,15 @@ logsources:
service: windefend
conditions:
log_name: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
tools/config/winlogbeat.yml
+9
View File
@@ -53,6 +53,15 @@ logsources:
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
tools/requirements-devel.txt
+2
View File
@@ -6,3 +6,5 @@ setuptools
wheel
pytest~=5.4
colorama
stix2
attackcti
tools/sigma/backends/csharp.py
+165
View File
@@ -0,0 +1,165 @@
# Output backends for sigmac
# Copyright 2020 Danijel Grah (dgrah@nil.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# How to use it in your CSharp program:
# public Dictionary<string, dynamic> sigmas = new Dictionary<string, dynamic>();
# Dictionary<string, string> evnt = new Dictionary<string, string>();
# this.evnt.Add(Key, Value);
# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = THE OUTPUT OF csharp BACKEND
import re
import sigma
from .base import SingleTextQueryBackend
from .mixins import MultiRuleOutputMixin
class CSharpBackend(SingleTextQueryBackend):
"""Converts Sigma rule into CSharp Regex in LINQ query."""
identifier = "csharp"
active = True
config_required = False
default_config = ["sysmon"]
reEscape = re.compile('((?<!\\\\)\\\\(?![*?\\\\])|([\+\?\(\)]))')
reClear = None
andToken = " && "
orToken = " | "
notToken = " ! "
subExpression = "(%s)"
valueExpression = "\"%s\""
nullExpression = "! %s=\"*\""
notNullExpression = "%s=\"*\""
mapExpression = "%s == %s"
mapListsSpecialHandling = True
logname = None
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed, sigmaparser)
before = self.generateBefore(parsed)
after = self.generateAfter(parsed)
result = ""
if before is not None:
result = before
if query is not None:
result += query
if after is not None:
result += after
return result
def generateBefore(self, parsed):
return "from x in evnt where "
def generateAfter(self, parsed):
return " select x;"
def generateNode(self, node):
if type(node) == sigma.parser.condition.ConditionAND:
return self.generateANDNode(node)
elif type(node) == sigma.parser.condition.ConditionOR:
return self.generateORNode(node)
elif type(node) == sigma.parser.condition.ConditionNOT:
return self.generateNOTNode(node)
elif type(node) == sigma.parser.condition.ConditionNULLValue:
return self.generateNULLValueNode(node)
elif type(node) == sigma.parser.condition.ConditionNotNULLValue:
return self.generateNotNULLValueNode(node)
elif type(node) == sigma.parser.condition.NodeSubexpression:
return self.generateSubexpressionNode(node)
elif type(node) == tuple:
return self.generateMapItemNode(node)
elif type(node) in (str, int):
return self.generateValueNode(node, False)
elif type(node) == list:
return self.generateListNode(node)
else:
raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
def generateQuery(self, parsed, sigmaparser):
result = self.generateNode(parsed.parsedSearch)
self.parsedlogsource = sigmaparser.get_logsource().service
if parsed.parsedAgg:
raise NotImplementedError("Aggregation function is NOT implemented for this backend")
else:
return result
def generateMapItemNode(self, node):
key, value = node
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if key in ("LogName","source"):
self.logname = value
elif key in ("EventID","x.Key"):
key = "x.Key"
return self.mapExpression % (key, self.generateValueNode(value, True))
elif (type(value) == str and "\"" in value) or (type(value) == str and "*" in value) or (type(value) == str and "?" in value):
value = value.replace("\"", "\"\"").replace("*", ".*").replace("?","\?")
return "new Regex(@%s, RegexOptions.IgnoreCase).IsMatch(x.Value)" % (self.generateValueNode(key +".*"+ value, True))
elif type(value) in (str, int):
return "new Regex(@%s, RegexOptions.IgnoreCase).IsMatch(x.Value)" % (self.generateValueNode(key +".*"+ str(value), True))
else:
return self.mapExpression % (key, self.generateNode(value))
elif type(value) == list:
return self.generateMapItemListNode(key, value)
elif value is None:
return self.nullExpression % (key, )
else:
raise TypeError("Backend does not support map values of type " + str(type(value)))
def generateMapItemListNode(self, key, value):
itemslist = list()
for item in value:
if key in ("EventID","x.Key"):
key = "x.Key"
itemslist.append(self.mapExpression % (key, self.generateValueNode(item, True)))
elif (type(item) == str and "\"" in item) or (type(item) == str and "*" in item) or (type(item) == str and "?" in item):
item = item.replace("\"", "\"\"").replace("*", ".*").replace("?","\?")
itemslist.append("new Regex(@%s, RegexOptions.IgnoreCase).IsMatch(x.Value)" % (self.generateValueNode(key +".*"+ item, True)))
else:
itemslist.append("new Regex(@%s, RegexOptions.IgnoreCase).IsMatch(x.Value)" % (self.generateValueNode(key +".*"+ item, True)))
return '('+" | ".join(itemslist)+')'
def generateANDNode(self, node):
generated = [ self.generateNode(val) for val in node ]
filtered = [ g for g in generated if g is not None ]
if filtered:
return self.andToken.join(filtered)
else:
return None
def generateValueNode(self, node, keypresent):
if keypresent == False:
return "new Regex(@\"{0}\", RegexOptions.IgnoreCase).IsMatch(x.Value)".format(str(node))
else:
return self.valueExpression % (self.cleanValue(str(node)))
tools/sigma/backends/stix.py
+92
View File
@@ -0,0 +1,92 @@
import sigma
from sigma.parser.modifiers.base import SigmaTypeModifier
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
from .base import SingleTextQueryBackend
class STIXBackend(SingleTextQueryBackend):
"""Converts Sigma rule into STIX pattern."""
identifier = "stix"
active = True
andToken = " AND "
orToken = " OR "
notToken = "NOT "
subExpression = "(%s)"
valueExpression = "\'%s\'"
mapExpression = "%s = %s"
mapListsSpecialHandling = True
sigmaSTIXObjectName = "x-sigma"
def cleanKey(self, key):
if key is None:
raise TypeError("Backend does not support empty key " + str(key))
else:
return key
def cleanValue(self, value):
return value
def generateMapItemListNode(self, key, value):
items_list = list()
for item in value:
if type(item) == str and "*" in item:
item = item.replace("*", "%")
items_list.append('%s LIKE %s' % (self.cleanKey(key), self.generateValueNode(item)))
else:
items_list.append('%s = %s' % (self.cleanKey(key), self.generateValueNode(item)))
return '('+" OR ".join(items_list)+')'
def generateMapItemTypedNode(self, key, value):
if type(value) == SigmaRegularExpressionModifier:
regex = str(value)
# Regular Expressions have to match the full value in QRadar
if not (regex.startswith('^') or regex.startswith('.*')):
regex = '.*' + regex
if not (regex.endswith('$') or regex.endswith('.*')):
regex = regex + '.*'
return "%s MATCHES %s" % (self.cleanKey(key), self.generateValueNode(regex))
else:
raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
def generateMapItemNode(self, node):
key, value = node
if ":" not in key:
key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if type(value) == str and "*" in value:
value = value.replace("*", "%")
return "%s LIKE %s" % (self.cleanKey(key), self.generateValueNode(value))
elif type(value) in (str, int):
return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value))
elif type(value) == list:
return self.generateMapItemListNode(key, value)
elif isinstance(value, SigmaTypeModifier):
return self.generateMapItemTypedNode(key, value)
else:
raise TypeError("Backend does not support map values of type " + str(type(value)))
def generateValueNode(self, node):
return self.valueExpression % (self.cleanValue(str(node)))
def generateNode(self, node):
if type(node) == sigma.parser.condition.ConditionAND:
return self.generateANDNode(node)
elif type(node) == sigma.parser.condition.ConditionOR:
return self.generateORNode(node)
elif type(node) == sigma.parser.condition.ConditionNOT:
return self.generateNOTNode(node)
elif type(node) == sigma.parser.condition.NodeSubexpression:
return self.generateSubexpressionNode(node)
elif type(node) == tuple:
return self.generateMapItemNode(node)
else:
raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
def generate(self, sigmaparser):
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed, sigmaparser)
return "[" + query + "]"
def generateQuery(self, parsed, sigmaparser):
result = self.generateNode(parsed.parsedSearch)
return result