diff --git a/Makefile b/Makefile
index f981a2395..a9a5a0f6f 100644
--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
@@ -61,6 +62,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
index 68e9773c2..6b950cced 100644
--- a/rules/linux/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -15,7 +15,7 @@ references:
 - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 author: Patrick Bareiss
 date: 2019/03/24
-modified: 2020/05/28
+modified: 2020/07/13
 logsource:
 product: linux
 detection:
@@ -37,5 +37,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1146
- - attack.t1551.003
+ - attack.t1070.003
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 244bdeade..35671eedc 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -11,8 +11,8 @@ tags:
 - attack.defense_evasion
 - attack.t1146
 - attack.t1070
- - attack.t1551.003
- - attack.t1551
+ - attack.t1070.003
+ - attack.t1070
 logsource:
 product: cisco
 service: aaa
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index ec6b4e1ef..f248dd598 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -15,7 +15,7 @@ tags:
 - attack.t1488
 - attack.t1487
 - attack.t1561.002
- - attack.t1551.004
+ - attack.t1070.004
 - attack.t1561.001
 logsource:
 product: cisco
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index fa7f41f0a..7e5880e00 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -3,7 +3,8 @@ id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
 description: Detects known sensitive file extensions via Zeek
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
-references: https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+references:
+ - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
 tags:
 - attack.collection
 logsource:
diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml
new file mode 100644
index 000000000..7c3153a6e
--- /dev/null
+++ b/rules/proxy/proxy_empire_ua_uri_combos.yml
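Review bot: Replacing `attack.t1551` with `attack.t1070` in cisco_cli_clear_logs.yml leaves `- attack.t1070` listed twice, because the context line three lines above the removal already carries it; the remapped line should be dropped rather than rewritten. The deprecated `attack.t1146` on the line above is also kept even though the new `attack.t1070.003` is its replacement. The same duplicated t1070 shows up in win_susp_eventlog_cleared.yml, win_susp_security_eventlog_cleared.yml, win_etw_trace_evasion.yml, win_shadow_copies_deletion.yml, win_susp_bcdedit.yml, win_susp_eventlog_clear.yml and win_susp_fsutil_usage.yml, where the visible context also shows an existing `- attack.t1070`; win_malware_notpetya.yml may be affected too but its earlier tags are outside the hunk. A duplicate-tag assertion in tests/test_rules.py would catch this class of remap error.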
@@ -0,0 +1,25 @@
+title: Empire UserAgent URI Combo
+id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
+status: experimental
+description: Detects user agent and URI paths used by empire agents
+references:
+ - https://github.com/BC-SECURITY/Empire
+author: Florian Roth
+date: 2020/07/13
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+ cs-uri-query:
+ - '/admin/get.php'
+ - '/news.php'
+ - '/login/process.php'
+ cs-method: 'POST'
+ condition: selection
+fields:
+ - c-uri
+ - c-ip
+falsepositives:
+ - Valid requests with this exact user agent to server scripts of the defined names
+level: high
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
new file mode 100644
index 000000000..9fe81dc17
--- /dev/null
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -0,0 +1,21 @@
+title: PwnDrp Access
+id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
+status: experimental
+description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
+references:
+ - https://breakdev.org/pwndrop/
+author: Florian Roth
+date: 2020/04/15
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: '/pwndrop/'
+ condition: selection
+fields:
+ - ClientIP
+ - c-uri
+ - c-useragent
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
new file mode 100644
index 000000000..7b8ad5902
--- /dev/null
+++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
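Review bot: proxy_empire_ua_uri_combos.yml is added without a `tags` section, so it carries no ATT&CK mapping while the rest of this commit is normalizing technique tags; `attack.command_and_control` with `attack.t1071.001` would fit, and proxy_pwndrop.yml in the same commit lacks `tags` as well. The selection also matches `cs-uri-query` with plain exact values while `fields` lists `c-uri`, which is inconsistent within the rule; with an exact match, a request that carries any query string (constructed example: `/admin/get.php?x=1`) would not match, so `cs-uri-query|contains` (or `c-uri|contains`, depending on how the proxy taxonomy maps these fields in the deployed config) is worth considering.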
@@ -0,0 +1,34 @@
+title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
+description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
+id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
+references:
+ - https://support.citrix.com/article/CTX276688
+ - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
+ - https://dmaasland.github.io/posts/citrix.html
+author: Florian Roth
+status: experimental
+date: 2020/07/10
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ c-uri|contains:
+ - '/rapi/filedownload?filter=path:%2F'
+ selection2:
+ c-uri|contains|all:
+ - '/pcidss/report'
+ - 'type=all_signatures'
+ - 'sig_name=_default_signature_'
+ condition: 1 of them
+fields:
+ - client_ip
+ - vhost
+ - url
+ - response
+falsepositives:
+ - Unknown
+level: critical
+
diff --git a/rules/web/web_cve_2020_5902_f5_bigip.yml b/rules/web/web_cve_2020_5902_f5_bigip.yml
index 2162c9df7..c8ab6a366 100644
--- a/rules/web/web_cve_2020_5902_f5_bigip.yml
+++ b/rules/web/web_cve_2020_5902_f5_bigip.yml
@@ -6,13 +6,17 @@ references:
 - https://support.f5.com/csp/article/K52145254
 - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
 - https://twitter.com/yorickkoster/status/1279709009151434754
+ - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
 author: Florian Roth
 date: 2020/07/05
+modified: 2020/07/07
 logsource:
 category: webserver
 detection:
 selection_base:
- c-uri|contains: '/tmui/login'
+ c-uri|contains:
+ - '/tmui/'
+ - '/hsqldb'
 selection_traversal:
 c-uri|contains:
 - '..;/'
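Review bot: In web_citrix_cve_2020_8193_8195_exploit.yml the selection1 value `'/rapi/filedownload?filter=path:%2F'` only matches logs that keep the request percent-encoded; web servers and proxies that log the decoded URL will record `path:/` and the rule misses them, so listing both forms under `c-uri|contains` (`- '/rapi/filedownload?filter=path:%2F'` and `- '/rapi/filedownload?filter=path:/'`) closes the gap. The `fields` list (`client_ip`, `vhost`, `url`, `response`) also does not use the field names the selection relies on (`c-uri`), which is inconsistent within the rule. The file ends with an added empty line (a bare `+`) that a YAML linter may flag.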
diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 000000000..561bf7aec
--- /dev/null
+++ b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,37 @@
+title: File Was Not Allowed To Run
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
+status: experimental
+tags:
+ - attack.execution
+ - attack.t1204
+ - attack.t1086
+ - attack.t1064
+ - attack.t1035
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+ - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+author: Pushkarev Dmitry
+date: 2020/06/28
+logsource:
+ product: windows
+ service: applocker
+detection:
+ selection:
+ EventID:
+ - 8004
+ - 8007
+ condition: selection
+fields:
+ - PolicyName
+ - RuleId
+ - RuleName
+ - TargetUser
+ - TargetProcessId
+ - FilePath
+ - FileHash
+ - Fqbn
+falsepositives:
+ - need tuning applocker or add exceptions in SIEM
+level: medium
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
new file mode 100644
index 000000000..d2707b31b
--- /dev/null
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
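Review bot: win_applocker_file_was_not_allowed_to_run.yml is added with `attack.t1086`, `attack.t1064` and `attack.t1035`, technique ids that ATT&CK has revoked or merged (t1086 into t1059.001, t1064 into t1059, t1035 into t1569.002), while this same commit remaps t1551 to t1070 elsewhere; a new rule should use the current ids. The same applies to `attack.t1086` in win_powershell_web_request.yml and win_susp_powershell_encoded_param.yml, and to `attack.t1117` in win_susp_regsvr32_flags_anomaly.yml, which already lists its successor t1218.010 beside it. The description's opening sentence, `Detect run not allowed files.`, would read more clearly as `Detects files that AppLocker blocked from running.`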
@@ -0,0 +1,23 @@
+title: Enumeration via the Global Catalog
+description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+date: 2020/05/11
+tags:
+ - attack.discovery
+ - attack.t1087
+logsource:
+ product: windows
+ service: system
+ description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
+detection:
+ selection:
+ EventID: 5156
+ DestinationPort:
+ - 3268
+ - 3269
+ timeframe: 1h
+ condition: selection | count() by SourceAddress > 2000
+falsepositives:
+ - Exclude known DCs.
+level: medium
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
new file mode 100644
index 000000000..35561e559
--- /dev/null
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -0,0 +1,29 @@
+title: Metasploit SMB Authentication
+description: Alerts on Metasploit host's authentications on the domain.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+references:
+ - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 4625
+ - 4624
+ LogonType: 3
+ AuthenticationPackage: 'NTLM'
+ WorkstationName|re: '^[A-Za-z0-9]{16}$'
+ selection2:
+ ProcessName:
+ EventID: 4776
+ SourceWorkstation|re: '^[A-Za-z0-9]{16}$'
+ condition: selection1 OR selection2
+falsepositives:
+ - Linux hostnames composed of 16 characters.
+level: high
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 332b6c806..d58d1d606 100644
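Review bot: win_global_catalog_enumeration.yml declares `service: system` but selects on `EventID: 5156`, the Windows Filtering Platform connection event, which is recorded in the Security log; the logsource note itself names a Security-log audit setting (`Filtering Platform Connection`), so `service: security` is the value collectors need. win_pcap_drivers.yml in this commit has the same mismatch, `EventID: 4697` (service installed, Security log) under `service: system`; if the System log is really intended there, the matching Service Control Manager event is 7045. Two smaller points in the same file: the key under logsource should be `definition:` rather than `description:` to follow the Sigma logsource schema, and `Treshhold` in the description is a typo for `Threshold`.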
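Review bot: In win_metasploit_authentication.yml, `selection2` contains a bare `ProcessName:` key with no value directly above `EventID: 4776`; YAML reads that as null, so depending on the indentation (not recoverable here) it either becomes a null-match on ProcessName or swallows EventID and SourceWorkstation as its children, and neither is intended, so the line should be removed or given a value. The `|re` modifier is not supported by every sigmac backend, which the description or falsepositives should state so users of other backends know why the rule fails to compile. `condition: selection1 OR selection2` would also be consistent with the lowercase `or` used by the other rules in this commit (e.g. win_susp_ditsnap.yml).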
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -10,7 +10,7 @@ date: 2017/05/12
 tags:
 - attack.defense_evasion
 - attack.t1107
- - attack.t1551.004
+ - attack.t1070.004
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index b0698a1cb..7b87b35c8 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -10,7 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 8483f0265..540a09538 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -13,7 +13,7 @@ tags:
 - attack.t1107
 - attack.t1066
 - attack.s0195
- - attack.t1551.004
+ - attack.t1070.004
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index d31a49b42..9e0f24d76 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -5,7 +5,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 author: Florian Roth
 date: 2017/02/19
 logsource:
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index c457b28e5..e015c0256 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -11,7 +11,7 @@ midified: 2020/01/27
 tags:
 - attack.defense_evasion
 - attack.t1099
- - attack.t1551.006
+ - attack.t1070.006
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 9d3ae187f..c64a039a5 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -32,6 +32,7 @@ detection:
 - '*\procexp.exe'
 - '*\procmon64.exe'
 - '*\procmon.exe'
+ - '*\Google\Chrome\Application\chrome.exe'
 condition: selection_1 and not selection_2
 falsepositives:
 - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index 7ce7adf45..1bef84c62 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
+ TargetFilename:
 - '*\svchost.exe'
 - '*\rundll32.exe'
 - '*\services.exe'
@@ -40,7 +40,7 @@ detection:
 - '*\audiodg.exe'
 - '*\wlanext.exe'
 filter:
- Image:
+ TargetFilename:
 - 'C:\Windows\System32\\*'
 - 'C:\Windows\system32\\*'
 - 'C:\Windows\SysWow64\\*'
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index f19697148..5a892af95 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
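Review bot: The hunk header for win_susp_time_modification.yml shows the key `midified: 2020/01/27` just above the retagged lines, a misspelling of `modified` that this edit of the same file leaves in place; the line sits outside the hunk, so it needs a separate one-line fix renaming the key to `modified`. A key-name check in tests/test_rules.py would have surfaced it, since a misspelled key silently drops the field from tooling that reads `modified`.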
@@ -16,7 +16,7 @@ logsource:
 category: file_event
 detection:
 selection_1:
- TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
 selection_2:
 Image|contains:
 - 'C:\windows\system32\svchost.exe'
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index 5d2b079c7..e4ffdd616 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -14,7 +14,7 @@ logsource:
 category: file_event
 detection:
 selection_1:
- TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys'
+ TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
 selection_2:
 Image|contains:
 - '*\procexp64.exe'
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index aeb46d86d..b1bbc3dee 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -24,6 +24,7 @@ detection:
 - '\powershell.exe'
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
+ - '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 5fb8bc69b..ca5714dae 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
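Review bot: The new filter entry `'\mscorsvw.exe'` in sysmon_in_memory_powershell.yml is matched by file name alone, whereas the neighbouring `'\WINDOWS\System32\sdiagnhost.exe'` is anchored to its directory; a name-only exclusion means any binary called mscorsvw.exe dropped in a user-writable path inherits the exemption, so anchoring it as `'\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe'` (plus the 32-bit `\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe`) keeps the filter tight. The trailing comment also spells the binary `mscorsw.exe`, which does not match the value `mscorsvw.exe` on the same line. sysmon_wmi_module_load.yml in this commit adds the same kind of unanchored `'\ngentask.exe'` entry right next to two path-anchored ones.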
@@ -20,7 +20,7 @@ detection:
 - '*\excel.exe'
 - '*\outlook.exe'
 ImageLoaded:
- - 'C:\Windows\assembly\*'
+ - 'C:\Windows\assembly\\*'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index f2098fae8..e8176c24f 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -27,7 +27,7 @@ detection:
 - '*\wlbsctrl.dll'
 filter:
 ImageLoaded:
- - 'C:\Windows\WinSxS\*'
+ - 'C:\Windows\WinSxS\\*'
 condition: selection and not filter
 falsepositives:
 - Pentest
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 44353ab39..6b46e7b0f 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -34,6 +34,9 @@ detection:
 - '\CompatTelRunner.exe'
 - '\sdiagnhost.exe'
 - '\SIHClient.exe'
+ - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
+ - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
+ - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index 19b7d30bf..c1655c2ec 100755
--- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -10,12 +10,12 @@ tags:
 - attack.t1084
 - attack.persistence
 logsource:
- cqtegory: image_loaded
+ category: image_load
 product: windows
 detection:
 selection:
 Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- ImageLoaded: 'wbemcons.dll'
+ ImageLoaded|endswith: '\wbemcons.dll'
 condition: selection
 falsepositives:
 - Unknown (data set is too small; further testing needed)
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
new file mode 100644
index 000000000..c24d04104
--- /dev/null
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -0,0 +1,39 @@
+title: Windows Pcap Drivers
+id: 7b687634-ab20-11ea-bb37-0242ac130002
+status: experimental
+description: Detects Windows Pcap driver installation based on a list of associated .sys files.
+author: Cian Heasley
+date: 2020/06/10
+references:
+ - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.t1040
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 4697
+ ServiceFileName:
+ - '*pcap*'
+ - '*npcap*'
+ - '*npf*'
+ - '*nm3*'
+ - '*ndiscap*'
+ - '*nmnt*'
+ - '*windivert*'
+ - '*USBPcap*'
+ - '*pktmon*'
+ condition: selection
+fields:
+ - EventID
+ - ServiceFileName
+ - Account_Name
+ - Computer_Name
+ - Originating_Computer
+ - ServiceName
+falsepositives:
+ - unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index 4f52faecf..db298c670 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -9,7 +9,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1146
- - attack.t1551.003
+ - attack.t1070.003
 logsource:
 product: windows
 service: powershell
diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml
new file mode 100644
index 000000000..6ab268500
--- /dev/null
+++ b/rules/windows/powershell/win_powershell_web_request.yml
@@ -0,0 +1,46 @@
+action: global
+title: Windows PowerShell Web Request
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+status: experimental
+description: Detects the use of various web request methods (including aliases) via Windows PowerShell
+references:
+ - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1086
+detection:
+ condition: selection
+falsepositives:
+ - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+level: medium
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
new file mode 100644
index 000000000..2a469e904
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
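Review bot: The process_creation document of win_powershell_web_request.yml constrains only `CommandLine|contains` and has no `Image` or `ParentImage` restriction, so `'curl '` and `'wget '` will match every invocation of the native curl.exe or a wget port, not just PowerShell as the title and description state; adding `Image|endswith: ['\powershell.exe', '\powershell_ise.exe', '\pwsh.exe']` to that selection keeps the rule on its stated scope and removes an obvious false-positive source at medium level. The 4104 document is fine as written, since script block logging is PowerShell-only by construction.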
@@ -0,0 +1,23 @@
+title: EvilNum Golden Chickens Deployment via OCX Files
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+status: experimental
+description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
+references:
+ - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+author: Florian Roth
+date: 2020/07/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'regsvr32'
+ - ' /s /i '
+ - '\AppData\Roaming\'
+ - '.ocx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 6b6e182fa..d7b7000fe 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -12,7 +12,7 @@ tags:
 - attack.execution
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
new file mode 100644
index 000000000..ec82fbc6b
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
@@ -0,0 +1,29 @@
+title: DNS RCE CVE-2020-1350
+id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
+status: experimental
+description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
+references:
+ - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+author: Florian Roth
+date: 2020/07/15
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\System32\dns.exe'
+ filter:
+ Image|endswith:
+ - '\System32\werfault.exe'
+ - '\System32\conhost.exe'
+ - '\System32\dnscmd.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown but benign sub processes of the Windows DNS service dns.exe
+level: critical
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 10ecc8a76..4293239d7 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -16,7 +16,7 @@ tags:
 - attack.t1003
 - car.2016-04-002
 - attack.t1218.011
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 141000599..620edf36c 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -10,14 +10,15 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 date: 2019/01/16
+modified: 2020/07/14
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- Image:
- - '*\Powershell.exe'
- CommandLine:
+ Image|endswith:
+ - '\Powershell.exe'
+ CommandLine|contains:
 - ' -windowstyle h '
 - ' -windowstyl h'
 - ' -windowsty h'
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index d017b3596..6fb0d27d7 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -15,7 +15,7 @@ tags:
 - attack.impact
 - attack.t1070
 - attack.t1490
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 7b74bef44..e5c87b340 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1070
 - attack.persistence
 - attack.t1067
- - attack.t1551
+ - attack.t1070
 - attack.t1542.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml
new file mode 100644
index 000000000..b279a6eff
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ditsnap.yml
@@ -0,0 +1,26 @@
+title: DIT Snapshot Viewer Use
+id: d3b70aad-097e-409c-9df2-450f80dc476b
+status: experimental
+description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
+references:
+ - https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - https://github.com/yosqueoy/ditsnap
+author: 'Furkan Caliskan (@caliskanfurkan_)'
+date: 2020/07/04
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\ditsnap.exe'
+ selection2:
+ CommandLine|contains:
+ - 'ditsnap.exe'
+ condition: selection or selection2
+falsepositives:
+ - Legitimate admin usage
+level: high
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index b0e27546a..bff846f4f 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index e7a3d0c9a..26348553c 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -12,7 +12,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index 1097603f8..84d9adf13 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -9,6 +9,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth
 date: 2019/04/20
+modified: 2020/07/13
 tags:
 - attack.execution
 - attack.t1086
@@ -18,9 +19,12 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '* -NoP -sta -NonI -W Hidden -Enc *'
- - '* -noP -sta -w 1 -enc *'
- - '* -NoP -NonI -W Hidden -enc *'
+ CommandLine|contains:
+ - ' -NoP -sta -NonI -W Hidden -Enc '
+ - ' -noP -sta -w 1 -enc '
+ - ' -NoP -NonI -W Hidden -enc '
+ - ' -noP -sta -w 1 -enc'
+ - ' -enc SQB'
+ - ' -nop -exec bypass -EncodedCommand SQB'
 condition: selection
 level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
new file mode 100644
index 000000000..04c975d1a
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -0,0 +1,24 @@
+title: PowerShell Encoded Character Syntax
+id: e312efd0-35a1-407f-8439-b8d434b438a6
+status: experimental
+description: Detects suspicious encoded character syntax often used for defense evasion
+references:
+ - https://twitter.com/0gtweet/status/1281103918693482496
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.t1086
+ - attack.t1059.001
+author: Florian Roth
+date: 2020/07/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '(WCHAR)0x'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
new file mode 100644
index 000000000..f0064816b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
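Review bot: The new entry `' -noP -sta -w 1 -enc'` in win_susp_powershell_empire_launch.yml is a strict prefix of the existing `' -noP -sta -w 1 -enc '` two lines above, so under `|contains` the older entry can never match a command line the new one does not; one of the two should go, and because most sigmac backends match case-insensitively the `-NoP`/`-noP` spellings collapse as well. The `' -enc SQB'` and `' -nop -exec bypass -EncodedCommand SQB'` entries deserve a short trailing comment such as `# SQB = base64 of a UTF-16LE command starting with "I"`, so a reader knows why the rule keys on that fragment.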
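Review bot: win_susp_powershell_encoded_param.yml selects on `CommandLine: '(WCHAR)0x'` with no modifier and no wildcard, which sigmac compiles to an equality test on the whole command line; no real process command line is exactly that string, so the rule cannot fire. The intended line is `CommandLine|contains: '(WCHAR)0x'`, matching the modifier style used by the other new rules in this commit.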
@@ -0,0 +1,28 @@
+title: Regsvr32 Flags Anomaly
+id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
+status: experimental
+description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+author: Florian Roth
+date: 2019/07/13
+references:
+ - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
+tags:
+ - attack.t1117
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: ' /i:'
+ filter:
+ CommandLine|contains: ' /n '
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index aa2a1b1db..125d927da 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -15,8 +15,8 @@ logsource:
 detection:
 selection_registry:
 TargetObject:
- - '*\Keyboard Layout\Preload\*'
- - '*\Keyboard Layout\Substitutes\*'
+ - '*\Keyboard Layout\Preload\\*'
+ - '*\Keyboard Layout\Substitutes\\*'
 Details|contains:
 - 00000429 # Persian (Iran)
 - 00050429 # Persian (Iran)
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index 9821f0f6f..6eef00881 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -1,3 +1,4 @@
+action: global
 title: UAC Bypass via Event Viewer
 id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 status: experimental
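Review bot: win_susp_regsvr32_flags_anomaly.yml selects on `CommandLine|contains: ' /i:'` only, but regsvr32 accepts its switches with a dash as well, so a `-i:` spelling never reaches the selection; listing both forms (`- ' /i:'` and `- ' -i:'`) and likewise `' -n '` beside `' /n '` in the filter keeps the rule's coverage equal to the behaviour it describes. The `date: 2019/07/13` also looks wrong: the referenced tweet id 1282441816986484737 decodes to July 2020 and the sibling rules in this commit are dated July 2020, so `2020/07/13` is the likely intent.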
@@ -7,21 +8,6 @@ references: - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth date: 2017/03/19 -logsource: - product: windows - category: registry_event -detection: - methregistry: - TargetObject: 'HKU\\*\mscfile\shell\open\command' - methprocess: - EventID: 1 # Migration to process_creation requires multipart YAML - ParentImage: '*\eventvwr.exe' - filterprocess: - Image: '*\mmc.exe' - condition: methregistry or ( methprocess and not filterprocess ) -fields: - - CommandLine - - ParentCommandLine tags: - attack.defense_evasion - attack.privilege_escalation @@ -30,3 +16,24 @@ tags: falsepositives: - unknown level: critical +--- +logsource: + product: windows + category: registry_event +detection: + methregistry: + TargetObject: 'HKU\\*\mscfile\shell\open\command' + condition: methregistry +--- +logsource: + category: process_creation + product: windows +detection: + methprocess: + ParentImage: '*\eventvwr.exe' + filterprocess: + Image: '*\mmc.exe' + condition: methprocess and not filterprocess +fields: + - CommandLine + - ParentCommandLine diff --git a/tests/test_rules.py b/tests/test_rules.py index c0662e960..ecfb2f348 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
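Review bot: The eventvwr rule keeps `date: 2017/03/19` and gains no `modified:` line although its detection logic is restructured into three YAML documents, while the other rule edits in this commit set `modified: 2020/07/13`; add `modified: 2020/07/13` to the `action: global` section. The original single `condition: methregistry or ( methprocess and not filterprocess )` is now two independent conditions in two documents, so the former OR only holds if a consumer deploys both generated queries; a one-line comment in the global section stating that both parts must be deployed together would make that explicit.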
@@ -10,232 +10,13 @@ import os
 import unittest
 import yaml
 import re
+from attackcti import attack_client
 from colorama import init
 from colorama import Fore
 class TestRules(unittest.TestCase):
- MITRE_TECHNIQUES = [
- "t1002",
- "t1003",
- "t1003.001",
- "t1003.002",
- "t1003.003",
- "t1003.004",
- "t1003.005",
- "t1003.006",
- "t1004",
- "t1005",
- "t1006",
- "t1007",
- "t1009",
- "t1011",
- "t1012",
- "t1015",
- "t1016",
- "t1018",
- "t1020",
- "t1021",
- "t1021.001",
- "t1021.002",
- "t1021.003",
- "t1021.006",
- "t1023",
- "t1027",
- "t1028",
- "t1031",
- "t1033",
- "t1035",
- "t1036",
- "t1036.005",
- "t1037",
- "t1037.001",
- "t1038",
- "t1040",
- "t1041",
- "t1042",
- "t1043",
- "t1046",
- "t1047",
- "t1048",
- "t1049",
- "t1050",
- "t1053",
- "t1053.002",
- "t1053.005",
- "t1054",
- "t1055",
- "t1056",
- "t1057",
- "t1058",
- "t1059",
- "t1059.001",
- "t1059.003",
- "t1059.004",
- "t1059.005",
- "t1059.006",
- "t1060",
- "t1064",
- "t1066",
- "t1067",
- "t1068",
- "t1069",
- "t1070",
- "t1071",
- "t1071.004",
- "t1073",
- "t1074",
- "t1075",
- "t1076",
- "t1077",
- "t1078",
- "t1081",
- "t1082",
- "t1083",
- "t1084",
- "t1085",
- "t1086",
- "t1087",
- "t1088",
- "t1089",
- "t1090",
- "t1091",
- "t1096",
- "t1098",
- "t1099",
- "t1100",
- "t1102",
- "t1103",
- "t1105",
- "t1106",
- "t1107",
- "t1110",
- "t1112",
- "t1114",
- "t1117",
- "t1118",
- "t1121",
- "t1122",
- "t1123",
- "t1124",
- "t1125",
- "t1127",
- "t1128",
- "t1130",
- "t1133",
- "t1134",
- "t1134.005",
- "t1135",
- "t1136",
- "t1137",
- "t1138",
- "t1139",
- "t1140",
- "t1145",
- "t1146",
- "t1156",
- "t1158",
- "t1168",
- "t1169",
- "t1170",
- "t1171",
- "t1175",
- "t1177",
- "t1178",
- "t1182",
- "t1183",
- "t1190",
- "t1191",
- "t1193",
- "t1195",
- "t1195.001",
- "t1196",
- "t1197",
- "t1200",
- "t1201",
- "t1202",
- "t1203",
- "t1204",
- "t1207",
- "t1208",
- "t1210",
- "t1211",
- "t1212",
- "t1218",
- "t1218.001",
- "t1218.005",
- "t1218.010",
- "t1218.011",
- "t1219",
- "t1220",
- "t1222",
- "t1223",
- "t1482",
- "t1485",
- "t1487",
- "t1488",
- "t1489",
- "t1490",
- "t1492",
- "t1493",
- "t1495",
- "t1499",
- "t1500",
- "t1501",
- "t1505",
- "t1505.003",
- "t1537",
- "t1542.003",
- "t1543.002",
- "t1543.003",
- "t1546.001",
- "t1546.003",
- "t1546.004",
- "t1546.007",
- "t1546.008",
- "t1546.009",
- "t1546.010",
- "t1546.011",
- "t1546.012",
- "t1546.015",
- "t1547.001",
- "t1547.004",
- "t1547.008",
- "t1547.009",
- "t1548.002",
- "t1550.002",
- "t1551",
- "t1551.003",
- "t1551.004",
- "t1551.006",
- "t1552.001",
- "t1552.003",
- "t1552.004",
- "t1553.004",
- "t1557.001",
- "t1558",
- "t1558.003",
- "t1559.001",
- "t1560",
- "t1561.001",
- "t1561.002",
- "t1562.001",
- "t1562.006",
- "t1564.001",
- "t1564.004",
- "t1565.001",
- "t1565.002",
- "t1566.001",
- "t1569.002",
- "t1571",
- "t1574.001",
- "t1574.002",
- "t1574.011",
-]
 MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
 MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
- MITRE_GROUPS = ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", "g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"]
- MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050", "s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", "s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", "s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", "s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"]
- MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE]
 path_to_rules = "rules"
@@ -284,12 +65,12 @@ class TestRules(unittest.TestCase):
 tags = self.get_rule_part(file_path=file, part_name="tags")
 if tags:
 for tag in tags:
- if tag not in self.MITRE_ALL and tag.startswith("attack."):
+ if tag not in MITRE_ALL and tag.startswith("attack."):
 print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag))
 files_with_incorrect_mitre_tags.append(file)
 self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED +
- "There are rules with incorrect MITRE Tags. (please inform us about new tags that are not yet supported in our tests) Check the correct tags here: https://attack.mitre.org/ ")
+ "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")
 def test_look_for_duplicate_filters(self):
 def check_list_or_recurse_on_dict(item, depth:int) -> None:
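Review bot: `MITRE_ALL` is now read as a module-level global, but the only assignment visible in this commit is inside the `if __name__ == "__main__":` block in the last hunk of this file; when the suite is collected by pytest (the runner pinned in tools/requirements-devel.txt) that block never runs and this comparison raises `NameError`. Binding the data on the class once keeps the original `self.MITRE_ALL` reference working under both runners: `@classmethod` / `def setUpClass(cls):` / `    cls.MITRE_ALL = get_mitre_data()`, with this line reverted to `self.MITRE_ALL`. The enclosing test method starts before this hunk.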
@@ -466,6 +247,35 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED +
 "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)")
+ def test_references(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ references = self.get_rule_part(file_path=file, part_name="references")
+ # Reference field doesn't exist
+ #if not references:
+ #print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file))
+ #faulty_rules.append(file)
+ if references:
+ # it exists but isn't a list
+ if not isinstance(references, list):
+ print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)")
+
+ def test_file_names(self):
+ faulty_rules = []
+ filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ filename = os.path.basename(file)
+ if not filename_pattern.match(filename) and not '_' in filename:
+ print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.")
+
 def test_title(self):
 faulty_rules = []
 allowed_lowercase_words = [
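Review bot: In `test_file_names` the condition `if not filename_pattern.match(filename) and not '_' in filename:` only flags a file when both checks fail, so a name with uppercase letters or a dash passes as long as it contains an underscore, which contradicts the assertion message; it should be `if not filename_pattern.fullmatch(filename) or '_' not in filename:` (`fullmatch` also rejects trailing characters after `.yml`, which `match` accepts). The pattern is a non-raw string containing `\.`, an invalid escape sequence that current Pythons warn about; write `re.compile(r'[a-z0-9_]{10,70}\.yml')`. In `test_references` the commented-out block is better replaced by a one-line `# TODO: a missing 'references' field is tolerated for now` so the intent is not lost.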
@@ -513,6 +323,54 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED +
 "There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title")
+def get_mitre_data():
+ """
+ Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
+ """
+ # Get MITRE ATT&CK information
+ lift = attack_client()
+ # Techniques
+ MITRE_TECHNIQUES = []
+ MITRE_TECHNIQUE_NAMES = []
+ MITRE_PHASE_NAMES = set()
+ MITRE_TOOLS = []
+ MITRE_GROUPS = []
+ # Techniques
+ enterprise_techniques = lift.get_enterprise_techniques()
+ for t in enterprise_techniques:
+ MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_'))
+ for r in t.external_references:
+ if 'external_id' in r:
+ MITRE_TECHNIQUES.append(r['external_id'].lower())
+ if 'kill_chain_phases' in t:
+ for kc in t['kill_chain_phases']:
+ if 'phase_name' in kc:
+ MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_'))
+ # Tools / Malware
+ enterprise_tools = lift.get_enterprise_tools()
+ for t in enterprise_tools:
+ for r in t.external_references:
+ if 'external_id' in r:
+ MITRE_TOOLS.append(r['external_id'].lower())
+ enterprise_malware = lift.get_enterprise_malware()
+ for m in enterprise_malware:
+ for r in m.external_references:
+ if 'external_id' in r:
+ MITRE_TOOLS.append(r['external_id'].lower())
+ # Groups
+ enterprise_groups = lift.get_enterprise_groups()
+ for g in enterprise_groups:
+ for r in g.external_references:
+ if 'external_id' in r:
+ MITRE_GROUPS.append(r['external_id'].lower())
+
+ # Combine all IDs to a big tag list
+ return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
+
+
 if __name__ == "__main__":
 init(autoreset=True)
+ # Get Current Data from MITRE on ATT&CK
+ MITRE_ALL = get_mitre_data()
+ # Run the tests
 unittest.main()
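Review bot: The docstring of `get_mitre_data` says "TAXI service" (the protocol is TAXII) and does not say what comes back; suggest `"""Fetch the current ATT&CK technique, technique-name, kill-chain-phase, group, tool and malware IDs from the MITRE TAXII server and return them as lowercase 'attack.<id>' tag strings."""`. The technique loop mixes item access (`t['name']`, `t['kill_chain_phases']`) with attribute access (`t.external_references`) on the same object; pick one form so a reader does not wonder whether the two resolve differently. Every run now performs several live network fetches with no cache or offline fallback, so a TAXII outage fails the whole suite at startup rather than skipping the tag test, and the function presumably returns revoked or deprecated technique IDs as well unless the client filters them — both points belong in a comment next to the `lift = attack_client()` line. The upper-case locals (`MITRE_TECHNIQUES` etc.) read as constants but are ordinary locals; lower-case names would match the rest of the function.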
diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index ba5ef7806..3532e7b1b 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -99,6 +99,12 @@ logsources: service: application conditions: deviceVendor: Microsoft + windows-applocker: + product: windows + service: applocker + conditions: + deviceVendor: Microsoft + deviceProduct: AppLocker proxy: category: proxy conditions: diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 42bec150e..0714d7699 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -33,4 +33,13 @@ logsources: service: ntlm conditions: EventLog: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + EventLog: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 4c1ded4e4..078f68025 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -33,6 +33,15 @@ logsources: service: ntlm conditions: log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 25c4525bb..9c77653fa 100644 --- a/tools/config/elk-winlogbeat.yml 
+++ b/tools/config/elk-winlogbeat.yml @@ -33,6 +33,15 @@ logsources: service: ntlm conditions: log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index 5dbd3fdbd..1dfb74aaa 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -33,6 +33,15 @@ logsources: service: ntlm conditions: event_source: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + event_source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' fieldmappings: EventID: event_id diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 9a939be52..d21a846bd 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -53,4 +53,13 @@ logsources: service: ntlm conditions: Channel: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: logstash-* 
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml index 8464ade07..e7bf8ae9c 100644 --- a/tools/config/powershell-windows-all.yml +++ b/tools/config/powershell-windows-all.yml @@ -60,3 +60,12 @@ logsources: service: ntlm conditions: LogName: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index c22cdc99b..e116f0cd1 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -74,3 +74,12 @@ logsources: service: windefend conditions: LogName: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index f1373489e..3c298599a 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -70,5 +70,14 @@ logsources: service: dhcp conditions: source: 'Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' fieldmappings: EventID: EventCode diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml new file mode 100644 index 000000000..cd78c1904 --- /dev/null 
+++ b/tools/config/stix-qradar.yml @@ -0,0 +1,51 @@ +title: STIX for QRadar +backends: + - stix +order: 30 +fieldmappings: + categoryid: + - x-ibm-ariel:category_id + categoryname: + - x-ibm-ariel:category_name + credescription: + - x-ibm-finding:description + Description: + - x-ibm-finding:description + credibility: + - x-ibm-ariel:credibility + crename: + - x-ibm-finding:name + devicetype: + - x-ibm-ariel:device_type + Device: + - x-ibm-ariel:device_type + direction: + - x-ibm-ariel:direction + domainid: + - x-ibm-ariel:domain_id + geographic: + - x-ibm-ariel:geographic + high_level_category_id: + - x-ibm-ariel:high_level_category_id + high_level_category_name: + - x-ibm-ariel:high_level_category_name + identityhostname: + - x-ibm-ariel:identity_host_name + logsourceid: + - x-ibm-ariel:log_source_id + logsourcename: + - x-ibm-ariel:log_source_name + logsourcetypename: + - x-ibm-ariel:log_source_type_name + magnitude: + - x-ibm-ariel:magnitude + qid: + - x-ibm-ariel:qid + qidname: + - x-ibm-ariel:event_name + relevance: + - x-ibm-ariel:relevance + rulenames: + - x-ibm-ariel:rule_names[*] + severity: + - x-ibm-ariel:severity diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml new file mode 100644 index 000000000..b3026badb --- /dev/null +++ b/tools/config/stix-windows.yml 
@@ -0,0 +1,286 @@ +title: STIX for Windows Logs +backends: + - stix +order: 40 +logsources: + windows: + product: windows +fieldmappings: + AccessMask: + - x-windows:accessmask + Accesses: + - x-windows:accesses + AccountDomain: + - user-account:x_domain + AccountID: + - user-account:user_id + AccountName: + - user-account:account_login + - user-account:display_name + AccountSecurityID: + - user-account:x_security_id + CallTrace: + - x-windows:calltrace + ChangedAttributes: + - x-windows:changedattributes + ClientIP: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + ComputerName: + - x-host:name + Description: + - x-event:action + DestinationIsIpv6: + - x-windows:destisipv6 + DestinationHostname: + - network-traffic:dst_ref.value + Device: + - file:name + ErrorCode: + - x-error:code + Event-ID: + - x-event:id + - x-event:code + EventID: + - x-event:id + - x-event:code + Event_ID: + - x-event:id + - x-event:code + EventType: + - x-event:action + ExtendedErrorCode: + - x-error:code + - x-error:id + FileDirectory: + - directory:path + FileExtension: + - file:x_extension + FileHash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + FilePath: + - file:name + Filename: + - file:name + GrantedAccess: + - x-windows:grantedaccess + GroupDomain: + - x-group:domain + GroupID: + - x-group:id + GroupName: + - x-group:name + GroupSecurityID: + - x-group:security_id + HomeDirectory: + - directory:path + IMPHash: + - x-windows:imphash + Imphash: + - x-windows:imphash + Image: + - process:image_ref.name + ImageLoadedTempPath: + - process:image_ref.x_temp_path + ImageName: + - process:image_ref.name + ImagePath: + - process:image_ref.name + ImageTempPath: + - process:image_ref.x_temp_path + InitiatedConnection: + - x-windows:initiatedconnection + Initiated: + - x-windows:initiatedconnection + InitiatorUserName: + - user-account:user_id + - user-account:account_login + IntegrityLevel: + - x-windows:integritylevel + LoadedImage: + - 
process:image_ref.name + LoadedImageName: + - process:image_ref.name + LogonType: + - x-windows:logontype + MD5Hash: + - file:hashes.MD5 + Message: + - x-event:original + NewName: + - windows-registry-key:key + ObjectName: + - x-windows:objectname + ObjectType: + - x-windows:objecttype + PSEncodedCommand: + - x-windows:psencodedcommand + ParentCommandLine: + - process:parent_ref.command_line + ParentImage: + - process:parent_ref.image_ref.name + ParentImageName: + - process:parent_ref.image_ref.name + ParentProcessGuid: + - process:parent_ref.x_guid + ParentProcessName: + - process:parent_ref.image_ref.name + ParentProcessPath: + - process:parent_ref.image_ref.name + PipeName: + - x-windows:pipename + ProcessCommandLine: + - process:command_line + Command: + - process:command_line + CommandLine: + - process:command_line + ProcessGuid: + - process:x_guid + ProcessId: + - process:pid + ProcessName: + - process:image_ref.name + ProcessPath: + - process:image_ref.name + QueryName: + - x-windows:queryname + QueryResults: + - x-windows:queryresults + QueryStatus: + - x-windows:querystatus + Realm: + - x-windows:realm + RecordNumber: + - x-windows:recordnumber + RegistryKey: + - windows-registry-key:key + RegistryValueData: + - windows-registry-key:values[*].data + RegistryValueName: + - windows-registry-key:values[*].name + RunLevel: + - x-windows:runlevel + SAMAccountName: + - x-windows:samaccountname + SHA1Hash: + - file:hashes.SHA-1 + SHA256Hash: + - file:hashes.SHA-256 + Scope: + - x-windows:scope + ServiceFileName: + - process:extensions.windows-service-ext.service_dll_refs[*].name + ServiceName: + - process:extensions.windows-service-ext.service_name + ShareName: + - x-windows:sharename + SharePath: + - x-windows:sharepath + Signature: + - x-windows:signature + SignatureStatus: + - x-windows:signaturestatus + Signed: + - x-windows:signed + SourceImage: + - x-windows:sourceimage + SourceImageTempPath: + - x-windows:sourceimagetemppath + SourceWorkstation: + - 
x-windows:sourceworkstation + StartAddress: + - x-windows:startaddress + StartFunction: + - x-windows:startfunction + StartModule: + - x-windows:startmodule + TargetAccountSecurityID: + - x-windows:targetaccountsecurityid + TargetComputerDomain: + - x-windows:targetcomputerdomain + TargetComputerName: + - x-windows:targetcomputername + TargetDetails: + - x-windows:targetdetails + Details: + - windows-registry-key:values[*].data + - x-event:original + TargetFilename: + - file:name + TargetImage: + - x-windows:targetimage + TargetImageName: + - x-windows:targetimagename + TargetObject: + - windows-registry-key:key + TargetProcessGuid: + - x-windows:targetprocessguid + TargetProcessAddress: + - x-windows:startaddress + TargetUserDomain: + - x-windows:targetuserdomain + TargetUserName: + - x-windows:targetusername + TaskName: + - x-windows:taskname + TicketEncryptionType: + - x-windows:ticketencryptiontype + User: + - user-account:user_id + UserDomain: + - user-account:x_domain + UserPrincipalName: + - x-windows:userprincipalname + UserRight: + - x-windows:userright + UserWorkstations: + - x-windows:userworkstations + event-id: + - x-event:id + eventId: + - x-event:id + event_data.FileName: + - file:name + event_data.Image: + - process:image_ref.name + event_data.ImageLoaded: + - process:image_ref.name + ImageLoaded: + - process:image_ref.name + event_data.ImagePath: + - process:image_ref.name + event_data.ParentCommandLine: + - process:parent_ref.command_line + event_data.ParentImage: + - process:parent_ref.image_ref.name + event_data.ParentProcessName: + - process:parent_ref.image_ref.name + event_data.PipeName: + - x-windows:pipename + event_data.ServiceFileName: + - process:extensions.windows-service-ext.service_dll_refs[*].name + event_data.ShareName: + - x-windows:sharename + event_data.Signature: + - x-windows:signature + event_data.SourceImage: + - x-windows:sourceimage + event_data.StartModule: + - x-windows:startmodule + event_data.SubjectUserName: + - 
user-account:user_id + - user-account:account_login + event_data.TargetFilename: + - file:name + event_data.TargetImage: + - x-windows:targetimage + event_data.User: + - user-account:user_id + event_id: + - x-event:id + eventid: + - x-event:id \ No newline at end of file diff --git a/tools/config/stix.yml b/tools/config/stix.yml new file mode 100644 index 000000000..c6d13293c --- /dev/null +++ b/tools/config/stix.yml 
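Review bot: `Description` and `Device` are mapped here to `x-event:action` and `file:name`, while tools/config/stix-qradar.yml in this same commit maps those two source fields to `x-ibm-finding:description` and `x-ibm-ariel:device_type`; when both configs are passed to sigmac together, which mapping applies presumably depends on the `order:` values (30 versus 40) and is not visible to a reader of either file. A comment on the two keys stating that the Windows mapping is meant to take precedence over (or yield to) the QRadar one would record the intent. The file also ends without a trailing newline.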
@@ -0,0 +1,94 @@ +title: Basic STIX +backends: + - stix +order: 20 +fieldmappings: + User: + - user-account:user_id + c-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + cs-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + destinationip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + destinationmac: + - mac-addr:value + - network-traffic:dst_ref.value + destinationport: + - network-traffic:dst_port + domainname: + - domain-name:value + dst: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + dst_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + endtime: + - network-traffic:end + event_data.DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + event_data.DestinationPort: + - network-traffic:dst_port + DestinationPort: + - network-traffic:dst_port + event_data.SubjectUserName: + - user-account:user_id + event_data.User: + - user-account:user_id + filehash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + filename: + - file:name + filepath: + - file:parent_directory_ref + - directory:path + identityip: + - ipv4-addr:value + protocolid: + - network-traffic:protocols[*] + sourceip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + sourcemac: + - mac-addr:value + - network-traffic:src_ref.value + sourceport: + - network-traffic:src_port + SourcePort: + - network-traffic:src_port + src: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + src_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + starttime: + - network-traffic:start + url: + - url:value + user: + - user-account:user_id + username: + - user-account:user_id + utf8_payload: + - artifact:payload_bin \ No newline at end of file 
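Review bot: `filepath` maps to `file:parent_directory_ref`, which in STIX is a reference to a directory object rather than a path string, so a string comparison against it looks unlikely to match; the dereferenced form `file:parent_directory_ref.path` is presumably what was intended, in the same way the second entry `directory:path` addresses the directory object directly. Likewise `utf8_payload` → `artifact:payload_bin` compares a UTF-8 string against a base64-encoded property — if that is deliberate, a comment on the entry would save the next reader the question. The file ends without a trailing newline.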
diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 9c8a44048..37163f422 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -71,6 +71,15 @@ logsources: service: dhcp sources: - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + sources: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' apache: category: webserver sources: @@ -92,4 +101,4 @@ logsources: logfiles: category: logfile sources: - - 'File:*.log' \ No newline at end of file + - 'File:*.log' diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index f0cab88ca..4009a9bde 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -54,6 +54,15 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 6bb0daaa6..f60c49b84 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
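Review bot: The new `windows-applocker` entry in tools/config/thor.yml nests `sources:` under a `conditions:` key, while every sibling logsource in this file (the `dhcp` entry just above it, `apache` below) places `sources:` directly under the logsource, and the sibling's value carries a `WinEventLog:` prefix that the four AppLocker channel names lack; as written the entry follows the layout of the other backend configs in this commit rather than this file's own schema, so it may be ignored by the thor backend. Suggest dropping the `conditions:` level and prefixing each channel like the dhcp entry, e.g. `- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'`.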
@@ -53,6 +53,15 @@ logsources: service: windefend conditions: log_name: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 2a30094d9..3bc1824e4 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -53,6 +53,15 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt index 4806396de..3665b6ee4 100644 --- a/tools/requirements-devel.txt +++ b/tools/requirements-devel.txt @@ -6,3 +6,5 @@ setuptools wheel pytest~=5.4 colorama +stix2 +attackcti \ No newline at end of file diff --git a/tools/sigma/backends/csharp.py b/tools/sigma/backends/csharp.py new file mode 100644 index 000000000..388b72ca9 --- /dev/null +++ b/tools/sigma/backends/csharp.py 
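Review bot: `stix2` and `attackcti` are added to tools/requirements-devel.txt without any version constraint while the neighbouring `pytest~=5.4` is pinned; since `attackcti` is now imported at module level by tests/test_rules.py and `stix2` is needed by the new STIX backend, an incompatible upstream release breaks a fresh install of the test environment. Pin them in the same style (`attackcti~=<known-good version>` and `stix2~=<known-good version>`, placeholders to be filled with the versions the change was tested against), and end the file with a newline.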
@@ -0,0 +1,165 @@ +# Output backends for sigmac +# Copyright 2020 Danijel Grah (dgrah@nil.com) + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +# How to use it in your CSharp program: +# public Dictionary sigmas = new Dictionary(); +# Dictionary evnt = new Dictionary(); +# this.evnt.Add(Key, Value); +# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = THE OUTPUT OF csharp BACKEND + +import re +import sigma +from .base import SingleTextQueryBackend +from .mixins import MultiRuleOutputMixin + +class CSharpBackend(SingleTextQueryBackend): + """Converts Sigma rule into CSharp Regex in LINQ query.""" + identifier = "csharp" + active = True + config_required = False + default_config = ["sysmon"] + + + reEscape = re.compile('((?