From fdbdca003b9db506e20d926c26bf07f68a55639c Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Thu, 24 Oct 2019 11:57:37 +1100 Subject: [PATCH 01/76] Create win_powershell_web_request.yml Broader rule for detecting web requests via various methods using Windows PowerShell, slightly crosses over the below rules but caters for different methods: https://github.com/Neo23x0/sigma/blob/99b15edf8add183543ca5738ec93f87416c34bd9/rules/windows/process_creation/win_powershell_download.yml https://github.com/Neo23x0/sigma/blob/0fa914139ca85966b49f0a8eda40a3f26608e86b/rules/windows/powershell/powershell_suspicious_download.yml --- .../powershell/win_powershell_web_request.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/powershell/win_powershell_web_request.yml diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml new file mode 100644 index 000000000..949fde620 --- /dev/null +++ b/rules/windows/powershell/win_powershell_web_request.yml 
@@ -0,0 +1,42 @@
+title: Windows PowerShell Web Request
+status: experimental
+description: Detects the use of various web request methods (including aliases) via Windows PowerShell
+references:
+ - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1086
+logsource:
+ category: powershell/sysmon
+ product: windows
+ definition: 'Recommended: Turn on PowerShell Script Block Logging = Enabled - see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-6#enabling-script-block-logging'
+detection:
+ eventcode:
+ EventCode:
+ - '1'
+ - '4688'
+ - '4104'
+ powershell:
+ ScriptBlockText:
+ - '*Invoke-WebRequest*'
+ - '*iwr *'
+ - '*wget *'
+ - '*curl *'
+ - '*Net.WebClient*'
+ - '*Start-BitsTransfer*'
+ cmdsysmon:
+ CommandLine:
+ - '*Invoke-WebRequest*'
+ - '*iwr *'
+ - '*wget *'
+ - '*curl *'
+ - '*Net.WebClient*'
+ - '*Start-BitsTransfer*'
+ condition: eventcode and (powershell or cmdsysmon)
+falsepositives:
+ - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+level: medium
From d174e172b0ed163ee897f6f9eb40bf4be9a0e2ef Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Thu, 31 Oct 2019 21:44:47 +1100 Subject: [PATCH 02/76] Create win_susp_local_anon_logon_created.yml --- .../win_susp_local_anon_logon_created.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_susp_local_anon_logon_created.yml
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
new file mode 100644
index 000000000..d05c5fddf
--- /dev/null
+++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
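Review bot: `category: powershell/sysmon` does not look like a category the Sigma log-source taxonomy defines, and the rule folds Security 4688, Sysmon 1 and PowerShell 4104 events under it, so a backend applying a log-source mapping has nothing to bind to. The same multi-source shape is normally written as an `action: global` rule with one document per log source (`category: process_creation` / `product: windows` for the `CommandLine` selection, `product: windows` / `service: powershell` for `ScriptBlockText`), which also makes the `eventcode` selection unnecessary. `'*wget *'` and `'*curl *'` match any command line containing those words followed by a space, not only the PowerShell aliases, so the `falsepositives` entry should also list legitimate use of the curl and wget binaries from scripts. The rule has no `id` field, which the later rules in this series carry.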
@@ -0,0 +1,23 @@
+title: Suspicious Windows ANONYMOUS LOGON Local Account Created
+status: experimental
+description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
+references:
+ - https://twitter.com/SBousseaden/status/1189469425482829824
+author: James Pemberton / @4A616D6573
+date: 2019/10/31
+tags:
+ - attack.persistence
+ - attack.t1136
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - '4720'
+ user:
+ - '*ANONYMOUS*LOGON*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From c8e5fc4e6d70d41a9ae6917f3a4f30b3829db2ab Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Thu, 31 Oct 2019 21:49:57 +1100 Subject: [PATCH 03/76] Revert "Create win_susp_local_anon_logon_created.yml" This reverts commit d174e172b0ed163ee897f6f9eb40bf4be9a0e2ef. --- .../win_susp_local_anon_logon_created.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/windows/builtin/win_susp_local_anon_logon_created.yml
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
deleted file mode 100644
index d05c5fddf..000000000
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ /dev/null
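Review bot: `user:` is not a field that a Windows Security 4720 event carries; the name of the created account is in `TargetUserName` (and `SamAccountName`), so unless a backend config maps `user` the selection never matches. `EventID` is given as the string `'4720'` while the other builtin rules in this series use a bare integer (`EventID: 5156`); keep one form so field mappings and backends treat it uniformly. This commit is reverted by PATCH 03 directly after it, so the points only matter if the rule is reintroduced.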
@@ -1,23 +0,0 @@ -title: Suspicious Windows ANONYMOUS LOGON Local Account Created -status: experimental -description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. -references: - - https://twitter.com/SBousseaden/status/1189469425482829824 -author: James Pemberton / @4A616D6573 -date: 2019/10/31 -tags: - - attack.persistence - - attack.t1136 -logsource: - product: windows - service: security -detection: - selection: - EventID: - - '4720' - user: - - '*ANONYMOUS*LOGON*' - condition: selection -falsepositives: - - Unknown -level: high From 6312f381bfb8c8661b2b6aba70742fe58fb1ca15 Mon Sep 17 00:00:00 2001 From: Danijel Grah <1746112+alm8i@users.noreply.github.com> Date: Fri, 10 Apr 2020 16:12:05 +0200 Subject: [PATCH 04/76] C# backend Converts Sigma rule into C# Regex in LINQ query --- tools/sigma/backends/csharp.py | 163 +++++++++++++++++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 tools/sigma/backends/csharp.py diff --git a/tools/sigma/backends/csharp.py b/tools/sigma/backends/csharp.py new file mode 100644 index 000000000..8d827a36d --- /dev/null +++ b/tools/sigma/backends/csharp.py 
@@ -0,0 +1,163 @@ +# Output backends for sigmac +# Copyright 2020 Danijel Grah (dgrah@nil.com) + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +# How to use it in your CSharp program: +# public Dictionary sigmas = new Dictionary(); +# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = from x in evnt where (x.Key == "1" .... + +import re +import sigma +from .base import SingleTextQueryBackend +from .mixins import MultiRuleOutputMixin + +class CSharpBackend(SingleTextQueryBackend): + """Converts Sigma rule into CSharp Regex in LINQ query.""" + identifier = "csharp" + active = True + config_required = False + default_config = ["sysmon"] + + + reEscape = re.compile('((? Date: Sat, 11 Apr 2020 15:47:23 +0200 Subject: [PATCH 05/76] comments for usage --- tools/sigma/backends/csharp.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/csharp.py b/tools/sigma/backends/csharp.py index 8d827a36d..388b72ca9 100644 --- a/tools/sigma/backends/csharp.py +++ b/tools/sigma/backends/csharp.py 
@@ -14,9 +14,11 @@ # You should have received a copy of the GNU Lesser General Public License # along with this program. If not, see . -# How to use it in your CSharp program: +# How to use it in your CSharp program: # public Dictionary sigmas = new Dictionary(); -# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = from x in evnt where (x.Key == "1" .... +# Dictionary evnt = new Dictionary(); +# this.evnt.Add(Key, Value); +# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = THE OUTPUT OF csharp BACKEND import re import sigma From e67dddcc359eeb579e2997304c801ddd9567de97 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 17 Apr 2020 08:55:40 +0200 Subject: [PATCH 06/76] rule: PwnDrp access --- rules/proxy/proxy_pwndrop.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/proxy/proxy_pwndrop.yml
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
new file mode 100644
index 000000000..9fe81dc17
--- /dev/null
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -0,0 +1,21 @@
+title: PwnDrp Access
+id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
+status: experimental
+description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
+references:
+ - https://breakdev.org/pwndrop/
+author: Florian Roth
+date: 2020/04/15
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: '/pwndrop/'
+ condition: selection
+fields:
+ - ClientIP
+ - c-uri
+ - c-useragent
+falsepositives:
+ - Unknown
+level: critical
From 7371ce234bdbfb33eae433b92ae4796470bbff0d Mon Sep 17 00:00:00 2001 From: Rettila Date: Wed, 6 May 2020 16:42:27 +0200 Subject: [PATCH 07/76] Create win_metasploit_authentication.yml --- .../builtin/win_metasploit_authentication.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/builtin/win_metasploit_authentication.yml
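Review bot: `ClientIP` in the `fields` list of `proxy_pwndrop.yml` does not follow the `c-`/`cs-` naming the rule's own detection uses (`c-uri`, `c-useragent`); if the generic proxy field set names the client address `c-ip`, use that so it is mapped by the same config as the other two. A single `c-uri|contains: '/pwndrop/'` at `level: critical` also fires on any site that happens to serve a directory of that name, so `falsepositives` deserves more than `Unknown`, e.g. `- Legitimate sites hosting a directory named pwndrop`.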
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
new file mode 100644
index 000000000..d4981282c
--- /dev/null
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -0,0 +1,27 @@
+title: metasploit authentication
+description: Alerts on Metasploit host's authentications on the domain.
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+references: https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 4625
+ - 4624
+ LogonType: 3
+ AuthenticationPackage: 'NTLM'
+ WorkstationName: '^[A-Za-z0-9]{16}$'
+ selection2:
+ ProcessName:
+ EventID:
+ - 4776
+ SourceWorkstation: '^[A-Za-z0-9]{16}$'
+ condition: selection1 OR selection2
+falsepositives:
+ - Linux hostnames composed of 16 characters.
+level: high
From 2beb65076ce170616d67441acc4ee5e24f142a07 Mon Sep 17 00:00:00 2001 From: Rettila Date: Wed, 6 May 2020 16:44:19 +0200 Subject: [PATCH 08/76] Update win_metasploit_authentication.yml --- rules/windows/builtin/win_metasploit_authentication.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
index d4981282c..06b384c84 100644
--- a/rules/windows/builtin/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -18,8 +18,7 @@ detection: WorkstationName: '^[A-Za-z0-9]{16}$' selection2: ProcessName: - EventID: - - 4776 + EventID: 4776 SourceWorkstation: '^[A-Za-z0-9]{16}$' condition: selection1 OR selection2 falsepositives: From 6aed82a0398ff4c20fb9b9687777c358365b1275 Mon Sep 17 00:00:00 2001 
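Review bot: `references:` is a plain string here, while the Sigma schema and every other rule in this series have it as a list, so a strict loader rejects the rule; write `references:` followed by `  - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb`. `ProcessName:` under `selection2` has no value and loads as null, which is at best ignored and at worst compiled as "field is null"; either remove the line or give it the intended value. `AuthenticationPackage` and `SourceWorkstation` also do not look like the native event field names (4624/4625 carry `AuthenticationPackageName`, 4776 carries `Workstation`), so check them against the field mapping the target backend uses. The `OR` in the condition is upper case while the other rules use `or`; not every condition parser accepts both forms.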
From: Rettila Date: Wed, 6 May 2020 17:04:47 +0200 Subject: [PATCH 09/76] Update win_metasploit_authentication.yml --- rules/windows/builtin/win_metasploit_authentication.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml index 06b384c84..6da05f43b 100644 --- a/rules/windows/builtin/win_metasploit_authentication.yml +++ b/rules/windows/builtin/win_metasploit_authentication.yml @@ -1,6 +1,8 @@ -title: metasploit authentication +title: Metasploit SMB Authentication description: Alerts on Metasploit host's authentications on the domain. +id: 72124974-a68b-4366-b990-d30e0b2a190d author: Chakib Gzenayi (@Chak092), Hosni Mribah +date: 2020/05/06 references: https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb tags: - attack.credential_access From 07a50edf89bee9a4865733afbadc931e70d3fac1 Mon Sep 17 00:00:00 2001 From: Rettila Date: Thu, 7 May 2020 14:42:00 +0200 Subject: [PATCH 10/76] Update win_metasploit_authentication.yml --- rules/windows/builtin/win_metasploit_authentication.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml index 6da05f43b..365937a40 100644 --- a/rules/windows/builtin/win_metasploit_authentication.yml +++ b/rules/windows/builtin/win_metasploit_authentication.yml @@ -17,11 +17,11 @@ detection: - 4624 LogonType: 3 AuthenticationPackage: 'NTLM' - WorkstationName: '^[A-Za-z0-9]{16}$' + WorkstationName|re: '^[A-Za-z0-9]{16}$' selection2: ProcessName: EventID: 4776 - SourceWorkstation: '^[A-Za-z0-9]{16}$' + SourceWorkstation|re: '^[A-Za-z0-9]{16}$' condition: selection1 OR selection2 falsepositives: - Linux hostnames composed of 16 characters. From 7cc1b300d2991888bfddb18af1fc884d36a8ba2d Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Fri, 8 May 2020 11:42:06 +0200 Subject: [PATCH 11/76] rule: maze ransomware patterns --- .../win_crime_maze_ransomware.yml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rules/windows/process_creation/win_crime_maze_ransomware.yml
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
new file mode 100644
index 000000000..9f7d3d64f
--- /dev/null
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -0,0 +1,40 @@
+title: Maze Ransomware
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+status: experimental
+description: Detects specific process characteristics of Maze ransomware word document droppers
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+author: Florian Roth
+date: 2020/05/08
+tags:
+ - attack.execution
+ - attack.t1204
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Dropper
+ selection1:
+ ParentImage|endswith:
+ - '\WINWORD.exe'
+ Image|endswith:
+ - '*.tmp'
+ # Binary Execution
+ selection2:
+ Image|endswith: '\wmic.exe'
+ ParentImage|contains: '\Temp\'
+ CommandLine|endswith: 'shadowcopy delete'
+ # Specific Pattern
+ selection3:
+ CommandLine|endswith: 'shadowcopy delete'
+ CommandLine|contains: '\..\..\system32'
+ condition: 1 of them
+fields:
+ - ComputerName
+ - User
+ - Image
+falsepositives:
+ - Unlikely
+level: critical
From 6ec74364f222f50a5532b12383ec973b10574f86 Mon Sep 17 00:00:00 2001 
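Review bot: `Image|endswith: - '*.tmp'` combines the `endswith` modifier with a leading wildcard; the modifier already prepends the wildcard, and some backends escape the literal `*` in the value, so write it as `Image|endswith: '.tmp'`. `selection3` keys on `CommandLine` alone and is independent of the WINWORD parent, so with `condition: 1 of them` it fires on any `shadowcopy delete` that walks up with `\..\..\system32`; that is presumably the intended generic part, but `falsepositives: Unlikely` should then at least mention backup or cleanup scripts that issue the same command. `\WINWORD.exe` is the only upper-case image name in the series' process_creation rules; whether it matches `winword.exe` depends on the backend's case handling.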
From: Rettila Date: Mon, 11 May 2020 17:40:47 +0200 Subject: [PATCH 12/76] Create win_global_catalog_enumeration.yml --- .../win_global_catalog_enumeration.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_global_catalog_enumeration.yml
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
new file mode 100644
index 000000000..d2707b31b
--- /dev/null
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -0,0 +1,23 @@
+title: Enumeration via the Global Catalog
+description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+date: 2020/05/11
+tags:
+ - attack.discovery
+ - attack.t1087
+logsource:
+ product: windows
+ service: system
+ description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
+detection:
+ selection:
+ EventID: 5156
+ DestinationPort:
+ - 3268
+ - 3269
+ timeframe: 1h
+ condition: selection | count() by SourceAddress > 2000
+falsepositives:
+ - Exclude known DCs.
+level: medium
From 9835c6d67d1b6e4e09c60f74ff8c7589dae4b540 Mon Sep 17 00:00:00 2001 From: Cian Heasley Date: Wed, 10 Jun 2020 15:53:22 +0100 Subject: [PATCH 13/76] add win_pcap_drivers.yml --- rules/windows/other/win_pcap_drivers.yml | 42 ++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/other/win_pcap_drivers.yml
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
new file mode 100644
index 000000000..64c37f1b0
--- /dev/null
+++ b/rules/windows/other/win_pcap_drivers.yml
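Review bot: Event 5156 (Filtering Platform Connection) is written to the Security log, not the System log, so `service: system` points backends at the wrong channel; it should be `service: security`. The key under `logsource` should be `definition:` rather than `description:` (compare the `definition:` used in PATCH 01), otherwise the audit-policy hint is silently dropped by the loader. The rule also lacks `status:`, and `falsepositives: - Exclude known DCs.` is an instruction rather than a false-positive source; the domain controllers and servers that legitimately query the global catalog in volume are what belong there.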
@@ -0,0 +1,42 @@
+action: global
+title: Windows Pcap Drivers
+id: 7b687634-ab20-11ea-bb37-0242ac130002
+status: experimental
+description: Detects Windows Pcap driver installation based on a list of associated .sys files.
+author: Cian Heasley
+date: 2020/06/10
+references:
+ - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+tags:
+ - attack.discovery
+ - attack.CredentialAccess
+ - attack.t1040
+detection:
+ condition: 1 of them
+fields:
+ - EventID
+ - ServiceFileName
+ - Account_Name
+ - Computer_Name
+ - Originating_Computer
+ - ServiceName
+falsepositives:
+ - unknown
+level: low
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ service_installation:
+ EventID: 4697
+ ServiceFileName:
+ - '*pcap*'
+ - '*npcap*'
+ - '*npf*'
+ - '*nm3*'
+ - '*ndiscap*''
+ - '*nmnt*'
+ - '*windivert*'
+ - '*USBPcap*'
+ - '*pktmon*'
From a7136481f1c7f48ed723751105d03a117a1d2b7b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 11 Jun 2020 11:14:43 +0200 Subject: [PATCH 14/76] Update win_pcap_drivers.yml --- rules/windows/other/win_pcap_drivers.yml | 27 +++++++++++------------- 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
index 64c37f1b0..f21ed6c93 100644
--- a/rules/windows/other/win_pcap_drivers.yml
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -1,4 +1,3 @@ -action: global title: Windows Pcap Drivers id: 7b687634-ab20-11ea-bb37-0242ac130002 status: experimental
@@ -9,21 +8,8 @@ references: - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more tags: - attack.discovery - - attack.CredentialAccess + - attack.credential_access - attack.t1040 -detection: - condition: 1 of them -fields: - - EventID - - ServiceFileName - - Account_Name - - Computer_Name - - Originating_Computer - - ServiceName -falsepositives: - - unknown -level: low ---- logsource: product: windows service: system 
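Review bot: `- '*ndiscap*''` has a stray trailing quote: inside a single-quoted YAML scalar `''` is an escaped quote, so the scalar is left unterminated and the whole file fails to load; it should read `- '*ndiscap*'`. PATCH 14's rewrite of this file does not touch that line (its hunks cover old lines 1–4 and 9–29 and 40–42), so the defect survives it. `'*npf*'` and `'*nm3*'` are very short substrings of `ServiceFileName` and will hit unrelated driver paths, and `pktmon` is the built-in Windows Packet Monitor driver, so `falsepositives: - unknown` understates it; name built-in and vendor capture drivers there.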
@@ -40,3 +26,14 @@ detection: - '*windivert*' - '*USBPcap*' - '*pktmon*' + condition: 1 of them +fields: + - EventID + - ServiceFileName + - Account_Name + - Computer_Name + - Originating_Computer + - ServiceName +falsepositives: + - unknown +level: medium From 7031d9e2b86f6a67b0e5e198f1633f7ed8c87e93 Mon Sep 17 00:00:00 2001 From: Brad Kish Date: Fri, 3 Jul 2020 16:23:17 -0400 Subject: [PATCH 15/76] Fix typo for rule in image_load category image_load not image_loaded. --- .../sysmon_wmi_persistence_commandline_event_consumer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml index 19b7d30bf..6560df2ea 100755 --- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -10,7 +10,7 @@ tags: - attack.t1084 - attack.persistence logsource: - cqtegory: image_loaded + category: image_load product: windows detection: selection: From 8ef82e48eb360bfb6ddb9af82fbf6249da311524 Mon Sep 17 00:00:00 2001 From: Furkan CALISKAN Date: Sat, 4 Jul 2020 23:21:52 +0300 Subject: [PATCH 16/76] ditsnap --- .../process_creation/win_susp_ditsnap.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_ditsnap.yml diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml new file mode 100644 index 000000000..b279a6eff --- /dev/null +++ b/rules/windows/process_creation/win_susp_ditsnap.yml 
@@ -0,0 +1,26 @@
+title: DIT Snapshot Viewer Use
+id: d3b70aad-097e-409c-9df2-450f80dc476b
+status: experimental
+description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
+references:
+ - https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - https://github.com/yosqueoy/ditsnap
+author: 'Furkan Caliskan (@caliskanfurkan_)'
+date: 2020/07/04
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\ditsnap.exe'
+ selection2:
+ CommandLine|contains:
+ - 'ditsnap.exe'
+ condition: selection or selection2
+falsepositives:
+ - Legitimate admin usage
+level: high
From 7e06fd80fd3db193d151f68215b3214e2ad2652d Mon Sep 17 00:00:00 2001 From: Brad Kish Date: Mon, 6 Jul 2020 09:20:34 -0400 Subject: [PATCH 17/76] Proposed fix for sysmon_uac_bypass_eventvwr Issue: https://github.com/Neo23x0/sigma/issues/888 The rules were not merged correctly with the transition to sysmon categories. Split the rule into separate documents: one for the registry_event and one for the process_creation --- .../sysmon_uac_bypass_eventvwr.yml | 37 +++++++++++-------- 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index 9821f0f6f..6eef00881 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -1,3 +1,4 @@ +action: global title: UAC Bypass via Event Viewer id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 status: experimental 
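Review bot: the description `Seems to be a tool for ransomware groups.` misstates what the tool is; the linked GitHub project is a viewer for ntds.dit snapshots and the DFIR Report reference is where it was seen in a Snatch intrusion, so suggest `description: Detects the use of Ditsnap, a viewer for NTDS.dit snapshots, which has been observed being used to extract Active Directory data during ransomware intrusions`. Both selections key on the file name only, so a renamed copy is not caught; if the binary carries a version resource, an `OriginalFileName` selection would cover that case, otherwise state the limitation in the description.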
@@ -7,21 +8,6 @@ references: - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth date: 2017/03/19 -logsource: - product: windows - category: registry_event -detection: - methregistry: - TargetObject: 'HKU\\*\mscfile\shell\open\command' - methprocess: - EventID: 1 # Migration to process_creation requires multipart YAML - ParentImage: '*\eventvwr.exe' - filterprocess: - Image: '*\mmc.exe' - condition: methregistry or ( methprocess and not filterprocess ) -fields: - - CommandLine - - ParentCommandLine tags: - attack.defense_evasion - attack.privilege_escalation @@ -30,3 +16,24 @@ tags: falsepositives: - unknown level: critical +--- +logsource: + product: windows + category: registry_event +detection: + methregistry: + TargetObject: 'HKU\\*\mscfile\shell\open\command' + condition: methregistry +--- +logsource: + category: process_creation + product: windows +detection: + methprocess: + ParentImage: '*\eventvwr.exe' + filterprocess: + Image: '*\mmc.exe' + condition: methprocess and not filterprocess +fields: + - CommandLine + - ParentCommandLine From c758ca0eb97f7dd5f87240f4ba6d8bc0db4eba5e Mon Sep 17 00:00:00 2001 
From: Brad Kish Date: Mon, 6 Jul 2020 10:55:42 -0400 Subject: [PATCH 18/76] Re-fix sysmon rules that are lost changes with category refactoring. Several fixes for sysmon rules got lost when the rules were refactored to use categories. Re-add the fixes. https://github.com/Neo23x0/sigma/commit/38afd8b5def24191616ff0f0c0324cfbb7f0d6d0 https://github.com/Neo23x0/sigma/commit/422b2bffd77b217e6cec9a67c496b0aa44711ece https://github.com/Neo23x0/sigma/commit/dfae2a6df6f5bbc90a7b476c22fc9c8fedab47e9 --- rules/windows/file_event/sysmon_creation_system_file.yml | 4 ++-- rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml | 2 +- .../sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml | 2 +- .../sysmon_susp_office_dotnet_assembly_dll_load.yml | 2 +- .../image_load/sysmon_svchost_dll_search_order_hijack.yml | 2 +- .../sysmon_wmi_persistence_commandline_event_consumer.yml | 2 +- .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 4 ++-- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml index 7ce7adf45..1bef84c62 100755 --- a/rules/windows/file_event/sysmon_creation_system_file.yml +++ b/rules/windows/file_event/sysmon_creation_system_file.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - Image: + TargetFilename: - '*\svchost.exe' - '*\rundll32.exe' - '*\services.exe' @@ -40,7 +40,7 @@ detection: - '*\audiodg.exe' - '*\wlanext.exe' filter: - Image: + TargetFilename: - 'C:\Windows\System32\\*' - 'C:\Windows\system32\\*' - 'C:\Windows\SysWow64\\*' diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml index f19697148..5a892af95 100755 --- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml 
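Review bot: the `filter` in `sysmon_creation_system_file.yml` excludes only `C:\Windows\System32`, `C:\Windows\system32` and `C:\Windows\SysWow64` as far as the hunk shows; Windows servicing typically writes the same binaries (`svchost.exe`, `services.exe`, ...) under `C:\Windows\WinSxS\` and `C:\Windows\SoftwareDistribution\` during updates, so unless the remainder of the filter list outside the hunk already covers those, expect an alert per patch cycle. The paths are also pinned to drive `C:`; a `TargetFilename|contains: '\Windows\System32\'` style filter would be drive-independent and would make the duplicated `System32`/`system32` case variants unnecessary. The filter list continues past the end of the hunk.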
@@ -16,7 +16,7 @@ logsource: category: file_event detection: selection_1: - TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch' + TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch' selection_2: Image|contains: - 'C:\windows\system32\svchost.exe' diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index 5d2b079c7..e4ffdd616 100755 --- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -14,7 +14,7 @@ logsource: category: file_event detection: selection_1: - TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys' + TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys' selection_2: Image|contains: - '*\procexp64.exe' diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index 5fb8bc69b..ca5714dae 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -20,7 +20,7 @@ detection: - '*\excel.exe' - '*\outlook.exe' ImageLoaded: - - 'C:\Windows\assembly\*' + - 'C:\Windows\assembly\\*' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index f2098fae8..e8176c24f 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml 
@@ -27,7 +27,7 @@ detection: - '*\wlbsctrl.dll' filter: ImageLoaded: - - 'C:\Windows\WinSxS\*' + - 'C:\Windows\WinSxS\\*' condition: selection and not filter falsepositives: - Pentest diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml index 19b7d30bf..b5d3fc999 100755 --- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -15,7 +15,7 @@ logsource: detection: selection: Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' - ImageLoaded: 'wbemcons.dll' + ImageLoaded|endswith: '\wbemcons.dll' condition: selection falsepositives: - Unknown (data set is too small; further testing needed) diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index aa2a1b1db..125d927da 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -15,8 +15,8 @@ logsource: detection: selection_registry: TargetObject: - - '*\Keyboard Layout\Preload\*' - - '*\Keyboard Layout\Substitutes\*' + - '*\Keyboard Layout\Preload\\*' + - '*\Keyboard Layout\Substitutes\\*' Details|contains: - 00000429 # Persian (Iran) - 00050429 # Persian (Iran) From acbab2db4b0500cde0b582a6fe5df86fe2437b6e Mon Sep 17 00:00:00 2001 
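Review bot: in `sysmon_suspicious_keyboard_layout_load.yml` the `Details|contains` values such as `00000429` are unquoted YAML scalars; the two visible ones contain a 9 and so stay strings, but any entry made only of the digits 0–7 (a hypothetical `00000420`, for instance) would be loaded as an octal integer by a YAML 1.1 loader and the match would then be built from its decimal value. Quote them (`- '00000429' # Persian (Iran)`) so every entry is compared as a string. The list continues outside the hunk, so the remaining entries should be checked the same way.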
From: bar Date: Tue, 7 Jul 2020 15:04:16 +0300 Subject: [PATCH 19/76] stix backend + mapping configurations for windows logs and qradar --- tools/config/stix-qradar.yml | 51 ++++++ tools/config/stix-windows.yml | 286 ++++++++++++++++++++++++++++++++++ tools/config/stix.yml | 98 ++++++++++++ tools/sigma/backends/stix.py | 91 +++++++++++ 4 files changed, 526 insertions(+) create mode 100644 tools/config/stix-qradar.yml create mode 100644 tools/config/stix-windows.yml create mode 100644 tools/config/stix.yml create mode 100644 tools/sigma/backends/stix.py
diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml
new file mode 100644
index 000000000..cd78c1904
--- /dev/null
+++ b/tools/config/stix-qradar.yml
@@ -0,0 +1,51 @@
+title: STIX for QRadar
+backends:
+ - stix
+order: 30
+fieldmappings:
+ categoryid:
+ - x-ibm-ariel:category_id
+ categoryname:
+ - x-ibm-ariel:category_name
+ credescription:
+ - x-ibm-finding:description
+ Description:
+ - x-ibm-finding:description
+ credibility:
+ - x-ibm-ariel:credibility
+ crename:
+ - x-ibm-finding:name
+ devicetype:
+ - x-ibm-ariel:device_type
+ Device:
+ - x-ibm-ariel:device_type
+ direction:
+ - x-ibm-ariel:direction
+ domainid:
+ - x-ibm-ariel:domain_id
+ geographic:
+ - x-ibm-ariel:geographic
+ high_level_category_id:
+ - x-ibm-ariel:high_level_category_id
+ high_level_category_name:
+ - x-ibm-ariel:high_level_category_name
+ identityhostname:
+ - x-ibm-ariel:identity_host_name
+ logsourceid:
+ - x-ibm-ariel:log_source_id
+ logsourcename:
+ - x-ibm-ariel:log_source_name
+ logsourcetypename:
+ - x-ibm-ariel:log_source_type_name
+ magnitude:
+ - x-ibm-ariel:magnitude
+ qid:
+ - x-ibm-ariel:qid
+ qidname:
+ - x-ibm-ariel:event_name
+ relevance:
+ - x-ibm-ariel:relevance
+ rulenames:
+ - x-ibm-ariel:rule_names[*]
+ severity:
+ - x-ibm-ariel:severity
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml
new file mode 100644
index 000000000..7d8af4a60
--- /dev/null
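Review bot: `Description:` and `Device:` are mapped here to `x-ibm-finding:description` and `x-ibm-ariel:device_type`, while `stix-windows.yml` in the same commit maps the same two Sigma fields to `x-event:action` and `file:name`; when both configs are loaded the one applied later (by `order`, as far as I can tell) silently wins, so either drop the duplicate keys from one file or document the intended precedence in a header comment such as `# Description/Device: the Windows config (order 40) overrides these when loaded together`. The file also has no `logsources:` restriction, so its mappings apply to every rule rather than only to QRadar-sourced ones; if that is intended, say so in the same comment.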
+++ b/tools/config/stix-windows.yml 
@@ -0,0 +1,286 @@
+title: STIX for Windows Logs
+backends:
+ - stix
+order: 40
+logsources:
+ windows:
+ product: windows
+fieldmappings:
+ AccessMask:
+ - x-windows:accessmask
+ Accesses:
+ - x-windows:accesses
+ AccountDomain:
+ - user-account:x_domain
+ AccountID:
+ - user-account:user_id
+ AccountName:
+ - user-account:account_login
+ - user-account:display_name
+ AccountSecurityID:
+ - user-account:x_security_id
+ CallTrace:
+ - x-windows:calltrace
+ ChangedAttributes:
+ - x-windows:changedattributes
+ ClientIP:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ ComputerName:
+ - x-host:name
+ Description:
+ - x-event:action
+ DestinationIsIpv6:
+ - x-windows:destisipv6
+ DestinationHostname:
+ - network-traffic:dst_ref.value
+ Device:
+ - file:name
+ ErrorCode:
+ - x-error:code
+ Event-ID:
+ - x-event:id
+ - x-event:code
+ EventID:
+ - x-event:id
+ - x-event:code
+ Event_ID:
+ - x-event:id
+ - x-event:code
+ EventType:
+ - x-event:action
+ ExtendedErrorCode:
+ - x-error:code
+ - x-error:id
+ FileDirectory:
+ - directory:path
+ FileExtension:
+ - file:x_extension
+ FileHash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ FilePath:
+ - file:name
+ Filename:
+ - file:name
+ GrantedAccess:
+ - x-windows:grantedaccess
+ GroupDomain:
+ - x-group:domain
+ GroupID:
+ - x-group:id
+ GroupName:
+ - x-group:name
+ GroupSecurityID:
+ - x-group:security_id
+ HomeDirectory:
+ - directory:path
+ IMPHash:
+ - x-windows:imphash
+ Imphash:
+ - x-windows:imphash
+ Image:
+ - process:image_ref.name
+ ImageLoadedTempPath:
+ - process:image_ref.x_temp_path
+ ImageName:
+ - process:image_ref.name
+ ImagePath:
+ - process:image_ref.name
+ ImageTempPath:
+ - process:image_ref.x_temp_path
+ InitiatedConnection:
+ - x-windows:initiatedconnection
+ Initiated:
+ - x-windows:initiatedconnection
+ InitiatorUserName:
+ - user-account:user_id
+ - user-account:account_login
+ IntegrityLevel:
+ - x-windows:integrityname
+ LoadedImage:
+ - process:image_ref.name
+ LoadedImageName:
+ - process:image_ref.name
+ LogonType:
+ - x-windows:logontype
+ MD5Hash:
+ - file:hashes.MD5
+ Message:
+ - x-event:original
+ NewName:
+ - windows-registry-key:key
+ ObjectName:
+ - x-windows:objectname
+ ObjectType:
+ - x-windows:objecttype
+ PSEncodedCommand:
+ - x-windows:psencodedcommand
+ ParentCommandLine:
+ - process:parent_ref.command_line
+ ParentImage:
+ - process:parent_ref.image_ref.name
+ ParentImageName:
+ - process:parent_ref.image_ref.name
+ ParentProcessGuid:
+ - process:parent_ref.x_guid
+ ParentProcessName:
+ - process:parent_ref.image_ref.name
+ ParentProcessPath:
+ - process:parent_ref.image_ref.name
+ PipeName:
+ - x-windows:pipename
+ ProcessCommandLine:
+ - process:command_line
+ Command:
+ - process:command_line
+ CommandLine:
+ - process:command_line
+ ProcessGuid:
+ - process:x_guid
+ ProcessId:
+ - process:pid
+ ProcessName:
+ - process:image_ref.name
+ ProcessPath:
+ - process:image_ref.name
+ QueryName:
+ - x-windows:queryname
+ QueryResults:
+ - x-windows:queryresults
+ QueryStatus:
+ - - x-windows:querystatus
+ Realm:
+ - x-windows:realm
+ RecordNumber:
+ - x-windows:recordnumber
+ RegistryKey:
+ - windows-registry-key:key
+ RegistryValueData:
+ - windows-registry-key:values[*].data
+ RegistryValueName:
+ - windows-registry-key:values[*].name
+ RunLevel:
+ - x-windows:runlevel
+ SAMAccountName:
+ - x-windows:samaccountname
+ SHA1Hash:
+ - file:hashes.SHA-1
+ SHA256Hash:
+ - file:hashes.SHA-256
+ Scope:
+ - x-windows:scope
+ ServiceFileName:
+ - process:extensions.windows-service-ext.service_dll_refs[*].name
+ ServiceName:
+ - process:extensions.windows-service-ext.service_name
+ ShareName:
+ - x-windows:sharename
+ SharePath:
+ - x-windows:sharepath
+ Signature:
+ - x-windows:signature
+ SignatureStatus:
+ - x-windows:signaturestatus
+ Signed:
+ - x-windows:signed
+ SourceImage:
+ - x-windows:sourceimage
+ SourceImageTempPath:
+ - x-windows:sourceimagetemppath
+ SourceWorkstation:
+ - x-windows:sourceworkstation
+ StartAddress:
+ - x-windows:startaddress
+ StartFunction:
+ - x-windows:startfunction
+ StartModule:
+ - x-windows:startmodule
+ TargetAccountSecurityID:
+ - x-windows:targetaccountsecurityid
+ TargetComputerDomain:
+ - x-windows:targetcomputerdomain
+ TargetComputerName:
+ - x-windows:targetcomputername
+ TargetDetails:
+ - x-windows:targetdetails
+ Details:
+ - windows-registry-key:values[*].data
+ - x-event:original
+ TargetFilename:
+ - file:name
+ TargetImage:
+ - x-windows:targetimage
+ TargetImageName:
+ - x-windows:targetimagename
+ TargetObject:
+ - windows-registry-key:key
+ TargetProcessGuid:
+ - x-windows:targetprocessguid
+ TargetProcessAddress:
+ - x-windows:targetprocessaddress
+ TargetUserDomain:
+ - x-windows:targetuserdomain
+ TargetUserName:
+ - x-windows:targetusername
+ TaskName:
+ - x-windows:taskname
+ TicketEncryptionType:
+ - x-windows:ticketencryptiontype
+ User:
+ - user-account:user_id
+ UserDomain:
+ - user-account:x_domain
+ UserPrincipalName:
+ - x-windows:userprincipalname
+ UserRight:
+ - x-windows:userright
+ UserWorkstations:
+ - x-windows:userworkstations
+ event-id:
+ - x-event:id
+ eventId:
+ - x-event:id
+ event_data.FileName:
+ - file:name
+ event_data.Image:
+ - process:image_ref.name
+ event_data.ImageLoaded:
+ - process:image_ref.name
+ ImageLoaded:
+ - process:image_ref.name
+ event_data.ImagePath:
+ - process:image_ref.name
+ event_data.ParentCommandLine:
+ - process:parent_ref.command_line
+ event_data.ParentImage:
+ - process:parent_ref.image_ref.name
+ event_data.ParentProcessName:
+ - process:parent_ref.image_ref.name
+ event_data.PipeName:
+ - x-windows:pipename
+ event_data.ServiceFileName:
+ - process:extensions.windows-service-ext.service_dll_refs[*].name
+ event_data.ShareName:
+ - x-windows:sharename
+ event_data.Signature:
+ - x-windows:signature
+ event_data.SourceImage:
+ - x-windows:sourceimage
+ event_data.StartModule:
+ - x-windows:startmodule
+ event_data.SubjectUserName:
+ - user-account:user_id
+ - user-account:account_login
+ event_data.TargetFilename:
+ - file:name
+ event_data.TargetImage:
+ - x-windows:targetimage
+ event_data.User:
+ - user-account:user_id
+ event_id:
+ - x-event:id
+ eventid:
+ - x-event:id
\ No newline at end of file
diff --git a/tools/config/stix.yml b/tools/config/stix.yml
new file mode 100644
index 000000000..fff7f7682
--- /dev/null
+++ b/tools/config/stix.yml
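Review bot: `ServiceFileName` and `event_data.ServiceFileName` are mapped to `process:extensions.windows-service-ext.service_dll_refs[*].name`; as far as I recall the STIX 2.1 windows-service-ext, `service_dll_refs` lists DLLs loaded by the service, so a rule that matches the service binary path of a 4697 event (the pcap-driver rule later in this series does exactly that) would be compared against DLL names rather than the service executable. Unless the intended STIX consumer is known to populate `service_dll_refs` with the binary, a custom property in the file's own style, such as `x-windows:servicefilename`, would be the honest mapping. `Device: file:name` raises the same question, since the Windows `Device` field looks like a device name rather than a file; a one-line comment on these two entries naming the consumer they were modelled on would help the next maintainer.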
@@ -0,0 +1,98 @@
+title: Basic STIX
+backends:
+ - stix
+order: 20
+fieldmappings:
+ User:
+ - user-account:user_id
+ c-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ cs-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ destinationip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ destinationmac:
+ - mac-addr:value
+ - network-traffic:dst_ref.value
+ destinationport:
+ - network-traffic:dst_port
+ domainname:
+ - domain-name:value
+ dst:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ dst_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ endtime:
+ - network-traffic:end
+ event_data.DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ event_data.DestinationPort:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ DestinationPort:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ event_data.SubjectUserName:
+ - user-account:user_id
+ event_data.User:
+ - user-account:user_id
+ filehash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ filename:
+ - file:name
+ filepath:
+ - file:parent_directory_ref
+ - directory:path
+ identityip:
+ - ipv4-addr:value
+ protocolid:
+ - network-traffic:protocols[*]
+ sourceip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ sourcemac:
+ - mac-addr:value
+ - network-traffic:src_ref.value
+ sourceport:
+ - network-traffic:src_port
+ SourcePort:
+ - network-traffic:src_port
+ src:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ src_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ starttime:
+ - network-traffic:start
+ url:
+ - url:value
+ user:
+ - user-account:user_id
+ username:
+ - user-account:user_id
+ utf8_payload:
+ - artifact:payload_bin
\ No newline at end of file
diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py
new file mode 100644
index 000000000..9f1cfb489
--- /dev/null
+++ b/tools/sigma/backends/stix.py
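Review bot: `filepath` is mapped to `file:parent_directory_ref`, but `_ref` properties hold an object reference rather than a comparable string, so the generated `file:parent_directory_ref = '...'` or `LIKE` comparison can never match a path; `file:parent_directory_ref.path` is the comparable property, while the second alternative `directory:path` is fine as it stands. `protocolid` → `network-traffic:protocols[*]` looks similarly off: the QRadar `protocolid` field is a numeric protocol id, whereas STIX `protocols` holds names such as `tcp`, so the value would need translating rather than the field merely renaming. Suggested change for the first entry: `- file:parent_directory_ref.path`.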
@@ -0,0 +1,91 @@
+import sigma
+from sigma.parser.modifiers.base import SigmaTypeModifier
+from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
+from .base import SingleTextQueryBackend
+
+
+class STIXBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into STIX pattern."""
+ identifier = "stix"
+ active = True
+ andToken = " AND "
+ orToken = " OR "
+ notToken = "NOT "
+ subExpression = "(%s)"
+ valueExpression = "\'%s\'"
+ mapExpression = "%s = %s"
+ mapListsSpecialHandling = True
+
+ def cleanKey(self, key):
+ if key is None:
+ raise TypeError("Backend does not support empty key " + str(key))
+ else:
+ return key
+
+ def cleanValue(self, value):
+ return value
+
+ def generateMapItemListNode(self, key, value):
+ items_list = list()
+ for item in value:
+ if type(item) == str and "*" in item:
+ item = item.replace("*", "%")
+ items_list.append('%s LIKE %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ else:
+ items_list.append('%s = %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ return '('+" OR ".join(items_list)+')'
+
+ def generateMapItemTypedNode(self, key, value):
+ if type(value) == SigmaRegularExpressionModifier:
+ regex = str(value)
+ # Regular Expressions have to match the full value in QRadar
+ if not (regex.startswith('^') or regex.startswith('.*')):
+ regex = '.*' + regex
+ if not (regex.endswith('$') or regex.endswith('.*')):
+ regex = regex + '.*'
+ return "%s MATCHES %s" % (self.cleanKey(key), self.generateValueNode(regex))
+ else:
+ raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
+
+ def generateMapItemNode(self, node):
+ key, value = node
+ if ":" not in key:
+ raise TypeError("Backend does not support mapping for key " + str(key))
+ if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+ if type(value) == str and "*" in value:
+ value = value.replace("*", "%")
+ return "%s LIKE %s" % (self.cleanKey(key), self.generateValueNode(value))
+ elif type(value) in (str, int):
+ return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value))
+ elif type(value) == list:
+ return self.generateMapItemListNode(key, value)
+ elif isinstance(value, SigmaTypeModifier):
+ return self.generateMapItemTypedNode(key, value)
+ else:
+ raise TypeError("Backend does not support map values of type " + str(type(value)))
+
+ def generateValueNode(self, node):
+ return self.valueExpression % (self.cleanValue(str(node)))
+
+ def generateNode(self, node):
+ if type(node) == sigma.parser.condition.ConditionAND:
+ return self.generateANDNode(node)
+ elif type(node) == sigma.parser.condition.ConditionOR:
+ return self.generateORNode(node)
+ elif type(node) == sigma.parser.condition.ConditionNOT:
+ return self.generateNOTNode(node)
+ elif type(node) == sigma.parser.condition.NodeSubexpression:
+ return self.generateSubexpressionNode(node)
+ elif type(node) == tuple:
+ return self.generateMapItemNode(node)
+ else:
+ raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
+
+ def generate(self, sigmaparser):
+ for parsed in sigmaparser.condparsed:
+ query = self.generateQuery(parsed, sigmaparser)
+ return "[" + query + "]"
+
+ def generateQuery(self, parsed, sigmaparser):
+ result = self.generateNode(parsed.parsedSearch)
+ return result
From 35bb8df0b5ac5d2b4bcd5488a9dec574d324982a Mon Sep 17 00:00:00 2001
From: bar
Date: Tue, 7 Jul 2020 16:39:59 +0300
Subject: [PATCH 20/76] updated makefile with stix coverage cmd
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index f981a2395..66c88fa73 100644
--- a/Makefile
+++ b/Makefile
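Review bot: `cleanValue` returns the value unchanged while `valueExpression` wraps it in single quotes, so any rule value containing `'` or a backslash (PowerShell command lines, Windows paths) yields a pattern that either fails to parse or means something else; STIX string literals escape both characters with a backslash, e.g. `return str(value).replace("\\", "\\\\").replace("'", "\\'")`, to be checked against Sigma's own backslash escaping before it is applied. In `generateMapItemNode` and `generateMapItemListNode` the `*`→`%` rewrite leaves a literal `%` or `_` in the value unescaped and never translates the single-character wildcard `?` to `_`, so `LIKE` semantics silently change for such values. `generate` returns from inside the `for parsed in sigmaparser.condparsed` loop, so a rule with several conditions produces only the first pattern. The comment `# Regular Expressions have to match the full value in QRadar` was carried over from another backend and should name STIX.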
@@ -52,6 +52,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
From acfe20aa34809ed07df567c891c178796f870736 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 7 Jul 2020 21:45:08 +0200
Subject: [PATCH 21/76] rule: extended F5 BIG-IP exploitation detection rule
---
 rules/web/web_cve_2020_5902_f5_bigip.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_cve_2020_5902_f5_bigip.yml b/rules/web/web_cve_2020_5902_f5_bigip.yml
index 2162c9df7..c8ab6a366 100644
--- a/rules/web/web_cve_2020_5902_f5_bigip.yml
+++ b/rules/web/web_cve_2020_5902_f5_bigip.yml
@@ -6,13 +6,17 @@ references:
 - https://support.f5.com/csp/article/K52145254
 - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
 - https://twitter.com/yorickkoster/status/1279709009151434754
+ - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
 author: Florian Roth
 date: 2020/07/05
+modified: 2020/07/07
 logsource:
 category: webserver
 detection:
 selection_base:
- c-uri|contains: '/tmui/login'
+ c-uri|contains:
+ - '/tmui/'
+ - '/hsqldb'
 selection_traversal:
 c-uri|contains:
 - '..;/'
From 360b5714a88308187a3d66ea0fc105e03fe8bb1d Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Jul 2020 22:47:14 +0200
Subject: [PATCH 22/76] Splitted and improved new rule
---
 .../powershell/win_powershell_web_request.yml | 55 ++++++++++---------
 1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml
index 949fde620..2b6d5e7a0 100644
--- a/rules/windows/powershell/win_powershell_web_request.yml
+++ b/rules/windows/powershell/win_powershell_web_request.yml
@@ -1,3 +1,4 @@
+action: global
 title: Windows PowerShell Web Request
 status: experimental
 description: Detects the use of various web request methods (including aliases) via Windows PowerShell
@@ -10,33 +11,35 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.t1086
-logsource:
- category: powershell/sysmon
- product: windows
- definition: 'Recommended: Turn on PowerShell Script Block Logging = Enabled - see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-6#enabling-script-block-logging'
 detection:
- eventcode:
- EventCode:
- - '1'
- - '4688'
- - '4104'
- powershell:
- ScriptBlockText:
- - '*Invoke-WebRequest*'
- - '*iwr *'
- - '*wget *'
- - '*curl *'
- - '*Net.WebClient*'
- - '*Start-BitsTransfer*'
- cmdsysmon:
- CommandLine:
- - '*Invoke-WebRequest*'
- - '*iwr *'
- - '*wget *'
- - '*curl *'
- - '*Net.WebClient*'
- - '*Start-BitsTransfer*'
- condition: eventcode and (powershell or cmdsysmon)
+ condition: selection
 falsepositives:
 - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
 level: medium
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
From 7eb499ad8558a7c78eff0fa24a0acf0f37a0be1d Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Jul 2020 22:54:55 +0200
Subject: [PATCH 23/76] Added rule id
---
 rules/windows/powershell/win_powershell_web_request.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml
index 2b6d5e7a0..6ab268500 100644
--- a/rules/windows/powershell/win_powershell_web_request.yml
+++ b/rules/windows/powershell/win_powershell_web_request.yml
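Review bot: The new process_creation section matches on `CommandLine|contains` alone, with no `Image` or `ParentImage` constraint, so `curl ` and `wget ` (PowerShell aliases for Invoke-WebRequest) also fire on cmd.exe, batch scripts and third-party tools invoking the native curl.exe or wget binaries, which neither the title nor the description claims to cover. Adding an `Image|endswith:` list with `'\powershell.exe'` and `'\pwsh.exe'` to that `selection` keeps the section aligned with the PowerShell-only 4104 section below it; otherwise the description should say that any process is in scope and the false-positive entry should mention non-PowerShell download tools.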
@@ -1,5 +1,6 @@
 action: global
 title: Windows PowerShell Web Request
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
 status: experimental
 description: Detects the use of various web request methods (including aliases) via Windows PowerShell
 references:
From 28013a15e1a1b87df58e082a4a68af3fba890758 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Jul 2020 23:18:07 +0200
Subject: [PATCH 24/76] Improved rule
---
 rules/windows/other/win_pcap_drivers.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
index f21ed6c93..c24d04104 100644
--- a/rules/windows/other/win_pcap_drivers.yml
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -14,19 +14,19 @@ logsource:
 product: windows
 service: system
 detection:
- service_installation:
+ selection:
 EventID: 4697
 ServiceFileName:
 - '*pcap*'
 - '*npcap*'
 - '*npf*'
 - '*nm3*'
- - '*ndiscap*''
+ - '*ndiscap*'
 - '*nmnt*'
 - '*windivert*'
 - '*USBPcap*'
 - '*pktmon*'
- condition: 1 of them
+ condition: selection
 fields:
 - EventID
 - ServiceFileName
From bd9410fe069b2e69257b0ca0cb774b4bdc983b90 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Jul 2020 23:46:49 +0200
Subject: [PATCH 25/76] Added CI test
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 66c88fa73..a9a5a0f6f 100644
--- a/Makefile
+++ b/Makefile
@@ -62,6 +62,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
From 50ef79b3989ae9a57b0dc897b37a12b13a921aa1 Mon Sep 17 00:00:00 2001
From: bar
Date: Wed, 8 Jul 2020 14:09:26 +0300
Subject: [PATCH 26/76] Custom STIX object "x-sigma" for fields that missing mapping, so the pattern is STIX valid
---
 tools/sigma/backends/stix.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py
index 9f1cfb489..82e7b3fd5 100644
--- a/tools/sigma/backends/stix.py
+++ b/tools/sigma/backends/stix.py
@@ -15,6 +15,7 @@ class STIXBackend(SingleTextQueryBackend):
 valueExpression = "\'%s\'"
 mapExpression = "%s = %s"
 mapListsSpecialHandling = True
+ sigmaSTIXObjectName = "x-sigma"

 def cleanKey(self, key):
 if key is None:
@@ -50,7 +51,7 @@ class STIXBackend(SingleTextQueryBackend):
 def generateMapItemNode(self, node):
 key, value = node
 if ":" not in key:
- raise TypeError("Backend does not support mapping for key " + str(key))
+ key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
 if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
 if type(value) == str and "*" in value:
 value = value.replace("*", "%")
From 8889ae21cace2f8279aea94a613c9d2ce3338b98 Mon Sep 17 00:00:00 2001
From: bar
Date: Wed, 8 Jul 2020 14:31:04 +0300
Subject: [PATCH 27/76] DestinationPort to network-traffic:dst_port mapping fix
---
 tools/config/stix.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/tools/config/stix.yml b/tools/config/stix.yml
index fff7f7682..c6d13293c 100644
--- a/tools/config/stix.yml
+++ b/tools/config/stix.yml
@@ -43,13 +43,9 @@ fieldmappings:
 - ipv6-addr:value
 - network-traffic:dst_ref.value
 event_data.DestinationPort:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
+ - network-traffic:dst_port
 DestinationPort:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
+ - network-traffic:dst_port
 event_data.SubjectUserName:
 - user-account:user_id
 event_data.User:
From efae210556d1ed6f9b2efa5390c26f8550730e60 Mon Sep 17 00:00:00 2001
From: GelosSnake
Date: Wed, 8 Jul 2020 16:44:41 +0300
Subject: [PATCH 28/76] adding google chrome to FP list legitimate errors generated by Google Chrome are reported often. Official google standpoint on this: https://support.google.com/chrome/a/thread/15440066?hl=en
---
 rules/windows/builtin/win_user_driver_loaded.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 9d3ae187f..804564c70 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
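Review bot: Lowercasing the unmapped key is not enough to make the fallback STIX-valid: Sigma field names such as `event_data.Image`, `c-uri` or `Event-ID` contain `.` and `-`, which, if I remember the STIX 2.1 rules correctly, are not permitted in custom property names (lowercase letters, digits and underscore only), and inside a pattern the `.` is parsed as a nested-property step rather than part of the name. Normalising the remainder, e.g. `key = "%s:%s" % (self.sigmaSTIXObjectName, re.sub(r"[^a-z0-9_]", "_", str(key).lower()))` with `import re` added at the top of the file, keeps the commit's intent while producing parseable output. A log line at the fallback would also make it visible that the field was not mapped instead of silently rewriting it.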
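Review bot: Mapping to `network-traffic:dst_port` is the right target, but `STIXBackend.valueExpression` quotes every value, so a rule's integer port is emitted as (constructed example) `network-traffic:dst_port = '443'`; STIX `dst_port` is an integer property and a type-strict matcher will not equate the string literal with it. Emitting integers unquoted in `generateValueNode` (return `str(node)` when `type(node) == int`) would make these two mappings, and the existing `network-traffic:src_port` ones, usable.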
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -32,6 +32,7 @@ detection:
 - '*\procexp.exe'
 - '*\procmon64.exe'
 - '*\procmon.exe'
+ - '*\Google\Chrome\Application\chrome.exe
 condition: selection_1 and not selection_2
 falsepositives:
 - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
From e3734aaa275d25b254bd1a45361c43dde36a9344 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 8 Jul 2020 15:53:04 +0200
Subject: [PATCH 29/76] fix: missing upper tick
---
 rules/windows/builtin/win_user_driver_loaded.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 804564c70..c64a039a5 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -32,7 +32,7 @@ detection:
 - '*\procexp.exe'
 - '*\procmon64.exe'
 - '*\procmon.exe'
- - '*\Google\Chrome\Application\chrome.exe
+ - '*\Google\Chrome\Application\chrome.exe'
 condition: selection_1 and not selection_2
 falsepositives:
 - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
From 8855a87dbffc3f0956cab66898bb1656f2db1336 Mon Sep 17 00:00:00 2001
From: bar
Date: Wed, 8 Jul 2020 17:35:57 +0300
Subject: [PATCH 30/76] - TargetProcessAddress mapping should be as startaddress mapping - remove extra '-'
---
 tools/config/stix-windows.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml
index 7d8af4a60..99d302130 100644
--- a/tools/config/stix-windows.yml
+++ b/tools/config/stix-windows.yml
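Review bot: The new exclusion `'*\Google\Chrome\Application\chrome.exe'` (its closing quote is added in the follow-up commit) is a path-suffix match in what is presumably the `selection_2` filter, so any image whose path ends in that string is dropped from the driver-load alert, not only the installed browser. The rule already accepts suffix-only entries for the Sysinternals tools, so this is not a new weakness, but for a frequent benign source it is cheap to anchor the entry to the install locations, e.g. `'C:\Program Files\Google\Chrome\Application\chrome.exe'` and `'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'`. A short `falsepositives` line stating that Chrome is listed because of the legitimate errors referenced in the commit message would also record why the exclusion exists.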
@@ -151,7 +151,7 @@ fieldmappings:
 QueryResults:
 - x-windows:queryresults
 QueryStatus:
- - - x-windows:querystatus
+ - x-windows:querystatus
 Realm:
 - x-windows:realm
 RecordNumber:
@@ -220,7 +220,7 @@ fieldmappings:
 TargetProcessGuid:
 - x-windows:targetprocessguid
 TargetProcessAddress:
- - x-windows:targetprocessaddress
+ - x-windows:startaddress
 TargetUserDomain:
 - x-windows:targetuserdomain
 TargetUserName:
From ca7cf8478d843d6c7aacdd5daf1fb67f80f575f1 Mon Sep 17 00:00:00 2001
From: bar
Date: Wed, 8 Jul 2020 19:37:24 +0300
Subject: [PATCH 31/76] - IntegrityLevel mapping to integritylevel
---
 tools/config/stix-windows.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml
index 99d302130..b3026badb 100644
--- a/tools/config/stix-windows.yml
+++ b/tools/config/stix-windows.yml
@@ -99,7 +99,7 @@ fieldmappings:
 - user-account:user_id
 - user-account:account_login
 IntegrityLevel:
- - x-windows:integrityname
+ - x-windows:integritylevel
 LoadedImage:
 - process:image_ref.name
 LoadedImageName:
From 7949729fa44b1c11f1c5fb3b079fba474147f862 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 9 Jul 2020 08:52:32 +0200
Subject: [PATCH 32/76] rule: PowerShell encoded character syntax
---
 .../win_susp_powershell_encoded_param.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_powershell_encoded_param.yml
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
new file mode 100644
index 000000000..04c975d1a
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -0,0 +1,24 @@
+title: PowerShell Encoded Character Syntax
+id: e312efd0-35a1-407f-8439-b8d434b438a6
+status: experimental
+description: Detects suspicious encoded character syntax often used for defense evasion
+references:
+ - https://twitter.com/0gtweet/status/1281103918693482496
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.t1086
+ - attack.t1059.001
+author: Florian Roth
+date: 2020/07/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '(WCHAR)0x'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 905f1b38234c765ce6acf76dfa1de04f012e9e36 Mon Sep 17 00:00:00 2001
From: ecco
Date: Thu, 9 Jul 2020 10:26:54 -0400
Subject: [PATCH 33/76] add WMI and powershell false positives
---
 rules/windows/image_load/sysmon_in_memory_powershell.yml | 1 +
 rules/windows/image_load/sysmon_wmi_module_load.yml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index aeb46d86d..b1bbc3dee 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -24,6 +24,7 @@ detection:
 - '\powershell.exe'
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
+ - '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 44353ab39..fe2567120 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
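Review bot: `CommandLine: '(WCHAR)0x'` carries no wildcard and no modifier, so in Sigma it is an equality match against the whole command line and the rule only fires when the entire command line is exactly that string; the intended substring match is `CommandLine|contains: '(WCHAR)0x'` (or the value `'*(WCHAR)0x*'`). With `level: high` and `falsepositives: Unknown`, a sentence in `description` on where this cast syntax shows up legitimately (developer tooling compiling C# inline, for instance, though I have not verified that) would help triage once the rule actually matches.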
@@ -34,6 +34,8 @@ detection:
 - '\CompatTelRunner.exe'
 - '\sdiagnhost.exe'
 - '\SIHClient.exe'
+ - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
+ - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
 condition: selection and not filter
 fields:
 - ComputerName
From 94e3bd9e6bb42633e866bd6a5cc67044f6680de2 Mon Sep 17 00:00:00 2001
From: ecco
Date: Thu, 9 Jul 2020 13:32:21 -0400
Subject: [PATCH 34/76] add WMI module load false positive
---
 rules/windows/image_load/sysmon_wmi_module_load.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index fe2567120..bcdf87320 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -36,6 +36,7 @@ detection:
 - '\SIHClient.exe'
 - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
 - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
+ - '\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
 condition: selection and not filter
 fields:
 - ComputerName
From e30eaa020268dc209369360923225ad9fa4016f3 Mon Sep 17 00:00:00 2001
From: ecco
Date: Thu, 9 Jul 2020 13:33:59 -0400
Subject: [PATCH 35/76] be more specific about file location
---
 rules/windows/image_load/sysmon_wmi_module_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index bcdf87320..6b46e7b0f 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -36,7 +36,7 @@ detection:
 - '\SIHClient.exe'
 - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
 - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- - '\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
+ - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
 condition: selection and not filter
 fields:
 - ComputerName
From 268a28daedd3ed4e0a8161e607a0e0a4aef664ac Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 10 Jul 2020 13:02:52 +0200
Subject: [PATCH 36/76] rule: Evilnum Golden Chicken rule OCX
---
 .../win_apt_evilnum_jul20.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_apt_evilnum_jul20.yml
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
new file mode 100644
index 000000000..2a469e904
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -0,0 +1,23 @@
+title: EvilNum Golden Chickens Deployment via OCX Files
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+status: experimental
+description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
+references:
+ - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+author: Florian Roth
+date: 2020/07/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'regsvr32'
+ - ' /s /i '
+ - '\AppData\Roaming\'
+ - '.ocx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
From eda08e3a895290f16f6022b97c419c4cdd73b41f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 10 Jul 2020 17:45:11 +0200
Subject: [PATCH 37/76] rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195
---
 .../web_citrix_cve_2020_8193_8195_exploit.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
new file mode 100644
index 000000000..5d46ba8bd
--- /dev/null
+++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
@@ -0,0 +1,25 @@
+title: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195
+description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway
+id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
+references:
+ - https://support.citrix.com/article/CTX276688
+ - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
+author: Florian Roth
+status: experimental
+date: 2020/07/10
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains:
+ - '/rapi/filedownload?filter=path:%2F'
+ condition: selection
+fields:
+ - client_ip
+ - vhost
+ - url
+ - response
+falsepositives:
+ - Unknown
+level: critical
+
From 0d89208242e0a3c41e097c9913da25d2e2683bf5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 10 Jul 2020 17:49:07 +0200
Subject: [PATCH 38/76] rule: updated Citrix rule
---
 rules/web/web_citrix_cve_2020_8193_8195_exploit.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
index 5d46ba8bd..99a9d56bc 100644
--- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
+++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
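Review bot: The only indicator is the percent-encoded form `'/rapi/filedownload?filter=path:%2F'`; whether a web server records the request URI raw, with lowercase `%2f`, or already decoded depends on the product and log pipeline, so the match silently depends on that normalisation. Splitting the indicator into `c-uri|contains|all` of `'/rapi/filedownload'` and `'filter=path:'` (the later refinement in this series already uses that shape for the `/pcidss/report` variant) ties the detection to the endpoint rather than to one encoding of the separator. The trailing blank `+` line at the end of the new file looks like a stray addition.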
@@ -4,6 +4,7 @@ id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7 references: - https://support.citrix.com/article/CTX276688 - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/ + - https://dmaasland.github.io/posts/citrix.html author: Florian Roth status: experimental date: 2020/07/10 @@ -13,6 +14,7 @@ detection: selection: c-uri|contains: - '/rapi/filedownload?filter=path:%2F' + - '&sig_name=_default_signature_' condition: selection fields: - client_ip From 383953c74e7668c821a93739bd753c508912fed8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 10 Jul 2020 17:55:13 +0200 Subject: [PATCH 39/76] rule: better rule name and descriptions, plus MITRE ATT&CK tags --- rules/web/web_citrix_cve_2020_8193_8195_exploit.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml index 99a9d56bc..e8a88b6c6 100644 --- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml +++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml @@ -1,5 +1,5 @@ -title: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195 -description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway +title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 +description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195 id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7 references: - https://support.citrix.com/article/CTX276688 @@ -8,6 +8,9 @@ references: author: Florian Roth status: experimental date: 2020/07/10 +tags: + - attack.initial_access + - attack.t1190 logsource: category: webserver detection: From 129925ce0bfb4cf09a6dca47d55f8f72fb385799 Mon Sep 17 00:00:00 2001 
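Review bot: The new title and description in the `@@ -1,5 +1,5 @@` hunk of web_citrix_cve_2020_8193_8195_exploit.yml say "Citrix ADS" and "Application Delivery Controller (ADS)", but the product abbreviation is ADC, as the NCC Group reference URL in the same file (`citrix-adc-vulnerabilities`) also spells it. Suggested lines: `title: Citrix ADC Exploitation CVE-2020-8193 CVE-2020-8195` and `description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADC) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195`.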
From: Florian Roth Date: Fri, 10 Jul 2020 18:15:35 +0200 Subject: [PATCH 40/76] rule: improved Citrix rule --- rules/web/web_citrix_cve_2020_8193_8195_exploit.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml index e8a88b6c6..7b8ad5902 100644 --- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml +++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml @@ -14,11 +14,15 @@ tags: logsource: category: webserver detection: - selection: + selection1: c-uri|contains: - '/rapi/filedownload?filter=path:%2F' - - '&sig_name=_default_signature_' - condition: selection + selection2: + c-uri|contains|all: + - '/pcidss/report' + - 'type=all_signatures' + - 'sig_name=_default_signature_' + condition: 1 of them fields: - client_ip - vhost From 7a63fd56da316bb010884de4f5083e66d46fd694 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 11:59:44 +0200 Subject: [PATCH 41/76] rule: regsvr32 flags anomaly --- .../win_susp_regsvr32_flags_anomaly.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml new file mode 100644 index 000000000..f0064816b --- /dev/null +++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml 
@@ -0,0 +1,28 @@ +title: Regsvr32 Flags Anomaly +id: b236190c-1c61-41e9-84b3-3fe03f6d76b0 +status: experimental +description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time +author: Florian Roth +date: 2019/07/13 +references: + - https://twitter.com/sbousseaden/status/1282441816986484737?s=12 +tags: + - attack.t1117 + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\regsvr32.exe' + CommandLine|contains: ' /i:' + filter: + CommandLine|contains: ' /n ' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high From 26f0d497722df611e8a0d24ec338e8fddfaf757c Mon Sep 17 00:00:00 2001 From: viniciusvec Date: Mon, 13 Jul 2020 14:06:14 +0100 Subject: [PATCH 42/76] Update lnx_shell_clear_cmd_history.yml Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/ --- rules/linux/lnx_shell_clear_cmd_history.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index 68e9773c2..9a8935c94 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -15,7 +15,7 @@ references: - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics author: Patrick Bareiss date: 2019/03/24 -modified: 2020/05/28 +modified: 2020/07/13 logsource: product: linux detection: @@ -37,5 +37,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1146 - - attack.t1551.003 + - attack.T1070.003 From 557e8b0faf9607d35f4a7278ef20cb32f61a0d7a Mon Sep 17 00:00:00 2001 
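Review bot: `date: 2019/07/13` in win_susp_regsvr32_flags_anomaly.yml is off by a year: the commit is from 13 Jul 2020 and the referenced tweet was posted in July 2020, so the line should read `date: 2020/07/13`. Separately, the filter `CommandLine|contains: ' /n '` requires a trailing space, so a command line that ends with `/n` is not filtered and raises this high-level alert although both flags are present. A second filter covering the end-of-line form, `filter_eol: CommandLine|endswith: ' /n'` with `condition: selection and not 1 of filter*`, closes that gap without widening the selection.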
From: Florian Roth Date: Mon, 13 Jul 2020 15:47:53 +0200 Subject: [PATCH 43/76] rule: improved Empire detection --- rules/proxy/proxy_empire_ua_uri_combos.yml | 25 +++++++++++++++++++ .../win_susp_powershell_empire_launch.yml | 12 ++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 rules/proxy/proxy_empire_ua_uri_combos.yml diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml new file mode 100644 index 000000000..7c3153a6e --- /dev/null +++ b/rules/proxy/proxy_empire_ua_uri_combos.yml @@ -0,0 +1,25 @@ +title: Empire UserAgent URI Combo +id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8 +status: experimental +description: Detects user agent and URI paths used by empire agents +references: + - https://github.com/BC-SECURITY/Empire +author: Florian Roth +date: 2020/07/13 +logsource: + category: proxy +detection: + selection: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' + cs-uri-query: + - '/admin/get.php' + - '/news.php' + - '/login/process.php' + cs-method: 'POST' + condition: selection +fields: + - c-uri + - c-ip +falsepositives: + - Valid requests with this exact user agent to server scripts of the defined names +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml index 1097603f8..84d9adf13 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml @@ -9,6 +9,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 author: Florian Roth date: 2019/04/20 +modified: 2020/07/13 tags: - attack.execution - attack.t1086 
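Review bot: proxy_empire_ua_uri_combos.yml mixes two field-name prefixes: the detection uses `cs-uri-query` and `cs-method`, while `fields:` lists `c-uri` and `c-ip` and the Citrix web rule on this page uses `c-uri` for the URI. Unless the backend configs map both spellings, one side will not resolve; the listed values (`/admin/get.php` and friends) look like path stems rather than query strings, so `c-uri` or `c-uri-stem` is presumably the intended field — worth confirming against the project's taxonomy. The user agent is the stock IE11-on-Windows-7 string, so the `level: high` rests entirely on the URI/method combination; the description could say explicitly that all three conditions must co-occur, which is what the falsepositives entry already implies.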
@@ -18,9 +19,12 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -NoP -sta -NonI -W Hidden -Enc *' - - '* -noP -sta -w 1 -enc *' - - '* -NoP -NonI -W Hidden -enc *' + CommandLine|contains: + - ' -NoP -sta -NonI -W Hidden -Enc ' + - ' -noP -sta -w 1 -enc ' + - ' -NoP -NonI -W Hidden -enc ' + - ' -noP -sta -w 1 -enc' + - ' -enc SQB' + - ' -nop -exec bypass -EncodedCommand SQB' condition: selection level: critical From 87ce5e5745a0c1aa1f96652cfff45d614ed922ff Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 16:02:00 +0200 Subject: [PATCH 44/76] fix: missing MITRE ATT&CK IDs in test --- tests/test_rules.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index c0662e960..b0c5ecc0c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -80,6 +80,12 @@ class TestRules(unittest.TestCase): "t1068", "t1069", "t1070", + "t1070.001", + "t1070.002", + "t1070.003", + "t1070.004", + "t1070.005", + "t1070.006", "t1071", "t1071.004", "t1073", From 1c63a936432c8cebdbbe4b7965c4eb8f6f4417f5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 16:20:42 +0200 Subject: [PATCH 45/76] fix: wrong casing in tag --- rules/linux/lnx_shell_clear_cmd_history.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index 9a8935c94..6b950cced 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -37,4 +37,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.T1070.003 + - attack.t1070.003 From f12cb7309b9e177879dc31dba3a16dab843feed3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 17:37:03 +0200 Subject: [PATCH 46/76] fix: references is not a list --- rules/windows/builtin/win_metasploit_authentication.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
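Review bot: In the `CommandLine|contains` list of win_susp_powershell_empire_launch.yml the new entry `' -noP -sta -w 1 -enc'` makes the preceding `' -noP -sta -w 1 -enc '` redundant, because a substring match without the trailing space also matches everything the longer form matches; keeping only the shorter entry removes the duplicate without changing what the rule fires on. The entries `' -enc SQB'` and `' -nop -exec bypass -EncodedCommand SQB'` depend on a fixed base64 prefix whose meaning is not obvious; a comment such as `# 'SQB' is the base64 prefix of a UTF-16LE string starting with 'I' (e.g. IEX, If, Import-Module)` would help the next maintainer understand why that prefix is indicative.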
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml index 365937a40..35561e559 100644 --- a/rules/windows/builtin/win_metasploit_authentication.yml +++ b/rules/windows/builtin/win_metasploit_authentication.yml @@ -3,7 +3,8 @@ description: Alerts on Metasploit host's authentications on the domain. id: 72124974-a68b-4366-b990-d30e0b2a190d author: Chakib Gzenayi (@Chak092), Hosni Mribah date: 2020/05/06 -references: https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb +references: + - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb tags: - attack.credential_access - attack.t1110 From 4c610ec6934053c0f29e049416d8a0958e7bc459 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 18:07:19 +0200 Subject: [PATCH 47/76] feat: test references is list --- tests/test_rules.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index b0c5ecc0c..7c68d4840 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -472,6 +472,20 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_references(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + references = self.get_rule_part(file_path=file, part_name="refrences") + if not references: + print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + faulty_rules.append(file) + elif not isinstance(references, list): + print(Fore.YELLOW + "Rule {} has a refences field that isn't a list.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") + def test_title(self): faulty_rules = [] allowed_lowercase_words = [ From 8d91659c2a71421fc949809c414b91214245cfe7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 18:08:00 +0200 Subject: [PATCH 48/76] fix: typo in field value --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 7c68d4840..adca0b025 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -475,7 +475,7 @@ class TestRules(unittest.TestCase): def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - references = self.get_rule_part(file_path=file, part_name="refrences") + references = self.get_rule_part(file_path=file, part_name="references") if not references: print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) faulty_rules.append(file) From 758f5039b5e671b99f931fa57af67cc941ca778c Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Mon, 13 Jul 2020 18:16:32 +0200 Subject: [PATCH 49/76] fix: no error on rules without references --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index adca0b025..06fa8b10e 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -478,7 +478,7 @@ class TestRules(unittest.TestCase): references = self.get_rule_part(file_path=file, part_name="references") if not references: print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) - faulty_rules.append(file) + #faulty_rules.append(file) elif not isinstance(references, list): print(Fore.YELLOW + "Rule {} has a refences field that isn't a list.".format(file)) faulty_rules.append(file) From 91c0bea5705bca64f5a55705b2e6160da8ec31bf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 18:22:47 +0200 Subject: [PATCH 50/76] fix: typo and reordered --- tests/test_rules.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 06fa8b10e..a38c40543 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -476,12 +476,12 @@ class TestRules(unittest.TestCase): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): references = self.get_rule_part(file_path=file, part_name="references") - if not references: - print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) - #faulty_rules.append(file) - elif not isinstance(references, list): - print(Fore.YELLOW + "Rule {} has a refences field that isn't a list.".format(file)) + if not isinstance(references, list): + print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) faulty_rules.append(file) + #if not references: + #print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + #faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") From b3e15eea68711630c3033ebc226ce13ce283f0ce Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Jul 2020 18:49:00 +0200 Subject: [PATCH 51/76] fix: nested check --- tests/test_rules.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index a38c40543..3b91717c0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -476,12 +476,15 @@ class TestRules(unittest.TestCase): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): references = self.get_rule_part(file_path=file, part_name="references") - if not isinstance(references, list): - print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) - faulty_rules.append(file) - #if not references: - #print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + # Reference field doesn't exist + if not references: + print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) #faulty_rules.append(file) + else: + # it exists but isn't a list + if not isinstance(references, list): + print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") From 3a19e3cf23041faa0d5e684b639316ec831f1cd1 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:18:01 +0000 Subject: [PATCH 52/76] Added AppLocker log source --- tools/config/winlogbeat.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 2a30094d9..3bc1824e4 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
@@ -53,6 +53,15 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' From 1da229e3a910f61150a04dc094d16325031f51b7 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:20:28 +0000 Subject: [PATCH 53/76] Added AppLocker log source --- tools/config/winlogbeat-old.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 6bb0daaa6..f60c49b84 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -53,6 +53,15 @@ logsources: service: windefend conditions: log_name: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' From c30a256030388868cc83efb3683880f174daf79d Mon Sep 17 00:00:00 2001 
From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:21:46 +0000 Subject: [PATCH 54/76] Added AppLocker log source --- tools/config/winlogbeat-modules-enabled.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index f0cab88ca..4009a9bde 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -54,6 +54,15 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' From 0d925896b9e500098417a33a167d1010717793da Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:23:42 +0000 Subject: [PATCH 55/76] Added AppLocker log source --- tools/config/thor.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 9c8a44048..37163f422 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -71,6 +71,15 @@ logsources: service: dhcp sources: - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + sources: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' apache: category: webserver sources: 
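Review bot: In tools/config/thor.yml the new `windows-applocker` entry puts `sources:` under a `conditions:` key, whereas every sibling entry in this file (the `dhcp` entry just above and `apache` below) lists `sources:` directly under the logsource, and this file's source names carry the `WinEventLog:` prefix (`'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'`). The block appears to have been copied from the winlogbeat-style configs in this series, and as written it probably does not resolve in this backend. Suggested shape: drop the `conditions:` level and list `- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'` and the other three channels with the same prefix directly under `sources:`.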
@@ -92,4 +101,4 @@ logsources: logfiles: category: logfile sources: - - 'File:*.log' \ No newline at end of file + - 'File:*.log' From e37694825810999a1dfb653e463bbadfccef5810 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:27:52 +0000 Subject: [PATCH 56/76] Added AppLocker log source --- tools/config/splunk-windows.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index f1373489e..3c298599a 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -70,5 +70,14 @@ logsources: service: dhcp conditions: source: 'Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' fieldmappings: EventID: EventCode From 7fb2e2b845d4e901be705edd299f141580311d87 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:29:13 +0000 Subject: [PATCH 57/76] Added AppLocker log source --- tools/config/powershell.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index c22cdc99b..e116f0cd1 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -74,3 +74,12 @@ logsources: service: windefend conditions: LogName: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' From a58e03750934b015bc144c1e7dfb8a135a3c86ea Mon Sep 17 00:00:00 2001 
From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:30:02 +0000 Subject: [PATCH 58/76] Added AppLocker log source --- tools/config/powershell-windows-all.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml index 8464ade07..e7bf8ae9c 100644 --- a/tools/config/powershell-windows-all.yml +++ b/tools/config/powershell-windows-all.yml @@ -60,3 +60,12 @@ logsources: service: ntlm conditions: LogName: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' From 46a6183745d8e8ea2c61d1c9f85c7862063c2950 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:32:03 +0000 Subject: [PATCH 59/76] Added AppLocker log source --- tools/config/elk-windows.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 42bec150e..0714d7699 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -33,4 +33,13 @@ logsources: service: ntlm conditions: EventLog: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + EventLog: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: logstash-* From 326cf05a74583f2a87cb984b4deb29d6dfa292ea Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:41:54 +0000 Subject: [PATCH 60/76] Added AppLocker log source --- tools/config/arcsight.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index ba5ef7806..3532e7b1b 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -99,6 +99,12 @@ logsources: service: application conditions: deviceVendor: Microsoft + windows-applocker: + product: windows + service: applocker + conditions: + deviceVendor: Microsoft + deviceProduct: AppLocker proxy: category: proxy conditions: From 364af53902968afa02ee58f283c0eb898ea9fe52 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:44:03 +0000 Subject: [PATCH 61/76] Added AppLocker log source --- tools/config/elk-winlogbeat.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 25c4525bb..9c77653fa 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -33,6 +33,15 @@ logsources: service: ntlm conditions: log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' From bdfb646228a6ff2919c2fcf9d3a62d8709cf06b2 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:45:30 +0000 Subject: [PATCH 62/76] Added AppLocker log source --- tools/config/elk-winlogbeat-sp.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 4c1ded4e4..078f68025 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml 
@@ -33,6 +33,15 @@ logsources: service: ntlm conditions: log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' From 8e3f973e6988c7aa99c162644c9b646d065a8363 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:46:49 +0000 Subject: [PATCH 63/76] Added AppLocker log source --- tools/config/logpoint-windows.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index 5dbd3fdbd..1dfb74aaa 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -33,6 +33,15 @@ logsources: service: ntlm conditions: event_source: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + event_source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' fieldmappings: EventID: event_id From 6c999df3b70f672d97a612859a1b0e56960e0ffe Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:48:06 +0000 Subject: [PATCH 64/76] Added AppLocker log source --- tools/config/logstash-windows.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 9a939be52..d21a846bd 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml 
@@ -53,4 +53,13 @@ logsources: service: ntlm conditions: Channel: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: logstash-* From efe720d44e6d40fcd1dc0087dc145c4303837232 Mon Sep 17 00:00:00 2001 From: Pushkarev Dmitry Date: Mon, 13 Jul 2020 20:51:48 +0000 Subject: [PATCH 65/76] Added new rule. AppLocker --- ..._applocker_file_was_not_allowed_to_run.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml new file mode 100644 index 000000000..561bf7aec --- /dev/null +++ b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml 
@@ -0,0 +1,37 @@ +title: File Was Not Allowed To Run +id: 401e5d00-b944-11ea-8f9a-00163ecd60ae +description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events. +status: experimental +tags: + - attack.execution + - attack.t1204 + - attack.t1086 + - attack.t1064 + - attack.t1035 +references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker + - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker + - https://nxlog.co/documentation/nxlog-user-guide/applocker.html +author: Pushkarev Dmitry +date: 2020/06/28 +logsource: + product: windows + service: applocker +detection: + selection: + EventID: + - 8004 + - 8007 + condition: selection +fields: + - PolicyName + - RuleId + - RuleName + - TargetUser + - TargetProcessId + - FilePath + - FileHash + - Fqbn +falsepositives: + - need tuning applocker or add exceptions in SIEM +level: medium From 781667ef2247dc18721ee9199a4473d26fd0f72d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 14 Jul 2020 00:33:47 +0200 Subject: [PATCH 66/76] fix: zeek rule references isn't a list --- .../zeek_smb_converted_win_susp_raccess_sensitive_fext.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index fa7f41f0a..7e5880e00 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 
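Review bot: The selection in win_applocker_file_was_not_allowed_to_run.yml covers EventID 8004 and 8007 only, which are the EXE/DLL and MSI/Script block events; the `Packaged app-Deployment` and `Packaged app-Execution` channels that the accompanying logsource configs map to `service: applocker` record blocks under other IDs (8022 and 8025 according to the referenced Event Viewer documentation — confirm before adding). Either add those IDs or say in the description that packaged-app blocks are out of scope. The description and falsepositives text are hard to read; suggested wording: `description: Detects files that AppLocker did not allow to run. Particularly useful on systems where unprivileged users have interactive access, such as terminal servers. AppLocker must be configured and its event logs collected for these events to appear.` and `- AppLocker policy not yet tuned for the environment; add exceptions in the policy or in the SIEM`. The tags `attack.t1064` and `attack.t1035` look like pre-sub-technique IDs and should be checked against the current matrix, as patch 42 on this page does for T1070.003.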
@@ -3,7 +3,8 @@ id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc description: Detects known sensitive file extensions via Zeek author: 'Samir Bousseaden, @neu5ron' date: 2020/04/02 -references: https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml +references: + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml tags: - attack.collection logsource: From bae979f5c708e5f804c05ef6c14f7accb4ceb199 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 14 Jul 2020 11:56:28 +0200 Subject: [PATCH 67/76] refactor: ignore sub techniques as long as we do not have a complete list --- tests/test_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 3b91717c0..c11c2bdda 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -290,12 +290,12 @@ class TestRules(unittest.TestCase): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: - if tag not in self.MITRE_ALL and tag.startswith("attack."): + if tag not in self.MITRE_ALL and tag.startswith("attack.") and len(split(".", tag)) < 3: print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + - "There are rules with incorrect MITRE Tags. (please inform us about new tags that are not yet supported in our tests) Check the correct tags here: https://attack.mitre.org/ ") + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_look_for_duplicate_filters(self): def check_list_or_recurse_on_dict(item, depth:int) -> None: From 495376df77e460a34aff20bc4026a063ff38b97e Mon Sep 17 00:00:00 2001 
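Review bot: `split` is not a name in scope in the added condition — the file imports `re` but, as far as the visible imports show, never `from re import split` — so the first rule carrying an unknown `attack.` tag raises `NameError` instead of being reported, because that sub-expression is only reached after the first two tests pass. `len(tag.split(".")) < 3` is the intended expression (or `re.split(r"\.", tag)`). The enclosing test method starts above this hunk.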
From: Florian Roth Date: Tue, 14 Jul 2020 12:33:02 +0200 Subject: [PATCH 68/76] refactor: references test without warnings for missing refs --- tests/test_rules.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index c11c2bdda..a051ae9a8 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -477,10 +477,10 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): references = self.get_rule_part(file_path=file, part_name="references") # Reference field doesn't exist - if not references: - print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + #if not references: + #print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) #faulty_rules.append(file) - else: + if references: # it exists but isn't a list if not isinstance(references, list): print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) From cf25b9c509c14aa941b527a6b4de29960ae30dfe Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 14 Jul 2020 12:33:16 +0200 Subject: [PATCH 69/76] feat: filename test --- tests/test_rules.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index a051ae9a8..7fc90f168 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
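Review bot: The two newly commented-out lines `#if not references:` and `#print(Fore.YELLOW + "Rule {} has no field 'references'."...)` sit next to the already dead `#faulty_rules.append(file)` and should be deleted rather than kept as commented code; git history preserves the warning if it is ever wanted back. If the intent is to keep the missing-references warning switchable, a module-level flag such as `WARN_MISSING_REFERENCES = False` guarding a live `print` is clearer than commented code. The loop body continues past the hunk.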
@@ -489,6 +489,18 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") + def test_file_names(self): + faulty_rules = [] + filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml') + for file in self.yield_next_rule_file_path(self.path_to_rules): + filename = os.path.basename(file) + if not filename_pattern.match(filename) and not '_' in filename: + print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.") + def test_title(self): faulty_rules = [] allowed_lowercase_words = [ From 58b68758b4e5c8fcaec8d8b6b95b5e1f273df481 Mon Sep 17 00:00:00 2001 
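Review bot: The condition `if not filename_pattern.match(filename) and not '_' in filename:` flags a file only when both checks fail, so a name such as `Win-Susp Foo_bar.yml` (uppercase, hyphen, space) passes the test as long as it contains an underscore, which contradicts the assertion message; the intended logic is `if not filename_pattern.match(filename) or '_' not in filename:`. `re.match` also anchors only at the start, so `win_foo_bar.yml.orig` still matches — use `filename_pattern.fullmatch(filename)` (or a `$` anchor) to close that. The pattern should be a raw string, `r'[a-z0-9_]{10,70}\.yml'`, to avoid the invalid-escape warning on `\.`.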
From: Florian Roth Date: Tue, 14 Jul 2020 17:53:32 +0200 Subject: [PATCH 70/76] fix: wrong MITRE ATT&CK ids used in the beta version --- rules/network/cisco/aaa/cisco_cli_clear_logs.yml | 4 ++-- rules/network/cisco/aaa/cisco_cli_file_deletion.yml | 2 +- rules/windows/builtin/win_susp_backup_delete.yml | 2 +- rules/windows/builtin/win_susp_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_susp_sdelete.yml | 2 +- rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_susp_time_modification.yml | 2 +- .../powershell/powershell_clear_powershell_history.yml | 2 +- rules/windows/process_creation/win_etw_trace_evasion.yml | 2 +- rules/windows/process_creation/win_malware_notpetya.yml | 2 +- rules/windows/process_creation/win_shadow_copies_deletion.yml | 2 +- rules/windows/process_creation/win_susp_bcdedit.yml | 2 +- rules/windows/process_creation/win_susp_eventlog_clear.yml | 2 +- rules/windows/process_creation/win_susp_fsutil_usage.yml | 2 +- 14 files changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 244bdeade..35671eedc 100644 --- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -11,8 +11,8 @@ tags: - attack.defense_evasion - attack.t1146 - attack.t1070 - - attack.t1551.003 - - attack.t1551 + - attack.t1070.003 + - attack.t1070 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index ec6b4e1ef..f248dd598 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -15,7 +15,7 @@ tags: - attack.t1488 - attack.t1487 - attack.t1561.002 - - attack.t1551.004 + - attack.t1070.004 - attack.t1561.001 logsource: product: cisco 
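Review bot: After this change the tags list of cisco_cli_clear_logs.yml contains `attack.t1070` twice — the pre-existing entry plus the line that replaced `attack.t1551` — so the replacement line should simply be deleted, leaving `attack.t1070` and `attack.t1070.003`. `attack.t1146` in the same list is the pre-v7 ID for clearing command history, which is now `attack.t1070.003` as well, so it duplicates a technique already present under its new ID. In cisco_cli_file_deletion.yml, `attack.t1488` and `attack.t1487` are likewise the old IDs for the two `attack.t1561.*` sub-techniques that list already carries, if I recall the v7 mapping correctly.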
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml index 332b6c806..d58d1d606 100644 --- a/rules/windows/builtin/win_susp_backup_delete.yml +++ b/rules/windows/builtin/win_susp_backup_delete.yml @@ -10,7 +10,7 @@ date: 2017/05/12 tags: - attack.defense_evasion - attack.t1107 - - attack.t1551.004 + - attack.t1070.004 logsource: product: windows service: application diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index b0698a1cb..7b87b35c8 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -10,7 +10,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 - - attack.t1551 + - attack.t1070 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 8483f0265..540a09538 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml @@ -13,7 +13,7 @@ tags: - attack.t1107 - attack.t1066 - attack.s0195 - - attack.t1551.004 + - attack.t1070.004 - attack.t1027 logsource: product: windows diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml index d31a49b42..9e0f24d76 100644 --- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml @@ -5,7 +5,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 - - attack.t1551 + - attack.t1070 author: Florian Roth date: 2017/02/19 logsource: diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index c457b28e5..e015c0256 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml 
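Review bot: In win_susp_eventlog_cleared.yml and win_susp_security_eventlog_cleared.yml the replacement produces a duplicated `attack.t1070` (both lists already have it two lines above); delete the `attack.t1551` line instead, or turn it into the specific sub-technique `attack.t1070.001` (Clear Windows Event Logs), which describes both rules more precisely. win_susp_backup_delete.yml and win_susp_sdelete.yml keep `attack.t1107` (File Deletion), the deprecated ID for the `attack.t1070.004` now added, so each carries the same technique under old and new IDs.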
@@ -11,7 +11,7 @@ midified: 2020/01/27 tags: - attack.defense_evasion - attack.t1099 - - attack.t1551.006 + - attack.t1070.006 logsource: product: windows service: security diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index 4f52faecf..db298c670 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -9,7 +9,7 @@ references: tags: - attack.defense_evasion - attack.t1146 - - attack.t1551.003 + - attack.t1070.003 logsource: product: windows service: powershell diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml index 6b6e182fa..d7b7000fe 100644 --- a/rules/windows/process_creation/win_etw_trace_evasion.yml +++ b/rules/windows/process_creation/win_etw_trace_evasion.yml @@ -12,7 +12,7 @@ tags: - attack.execution - attack.t1070 - car.2016-04-002 - - attack.t1551 + - attack.t1070 level: high logsource: category: process_creation diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 10ecc8a76..4293239d7 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -16,7 +16,7 @@ tags: - attack.t1003 - car.2016-04-002 - attack.t1218.011 - - attack.t1551 + - attack.t1070 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml index d017b3596..6fb0d27d7 100644 --- a/rules/windows/process_creation/win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml 
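Review bot: win_etw_trace_evasion.yml ends up with `attack.t1070` listed twice after this hunk (the list already contains it above the replaced line); drop the replacement line there, and check win_malware_notpetya.yml for the same duplication, since its earlier tags are outside the hunk. The context line `midified: 2020/01/27` in win_susp_time_modification.yml is a misspelled `modified:` key that date-aware tooling will silently ignore — worth fixing in this pass. `attack.t1099` in that rule and `attack.t1146` in powershell_clear_powershell_history.yml are the deprecated IDs for the `attack.t1070.006` / `attack.t1070.003` entries these hunks add, so both rules now tag the same technique twice.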
@@ -15,7 +15,7 @@ tags: - attack.impact - attack.t1070 - attack.t1490 - - attack.t1551 + - attack.t1070 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index 7b74bef44..e5c87b340 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml @@ -11,7 +11,7 @@ tags: - attack.t1070 - attack.persistence - attack.t1067 - - attack.t1551 + - attack.t1070 - attack.t1542.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index b0e27546a..bff846f4f 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -11,7 +11,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 - - attack.t1551 + - attack.t1070 level: high logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index e7a3d0c9a..26348553c 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml @@ -12,7 +12,7 @@ references: tags: - attack.defense_evasion - attack.t1070 - - attack.t1551 + - attack.t1070 logsource: category: process_creation product: windows From 71e66ea9ba71f8893605a348d77a28515edd2f7a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 14 Jul 2020 17:54:02 +0200 Subject: [PATCH 71/76] refactor: tests use live data from MITRE's TAXI service --- tests/test_rules.py | 277 +++++++---------------------------- tools/requirements-devel.txt | 2 + 2 files changed, 52 insertions(+), 227 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 7fc90f168..ecfb2f348 100755 --- a/tests/test_rules.py 
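Review bot: All four hunks on this line (win_shadow_copies_deletion.yml, win_susp_bcdedit.yml, win_susp_eventlog_clear.yml, win_susp_fsutil_usage.yml) replace `attack.t1551` with `attack.t1070` in a list that already contains `attack.t1070` a few lines up, so each rule now carries a duplicate tag; the fix is to delete the `attack.t1551` line rather than rewrite it. For the event-log rule the more useful replacement would be `attack.t1070.001`. win_susp_bcdedit.yml also keeps `attack.t1067`, the deprecated ID for the `attack.t1542.003` it already lists.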
+++ b/tests/test_rules.py 
@@ -10,238 +10,13 @@ import os import unittest import yaml import re +from attackcti import attack_client from colorama import init from colorama import Fore class TestRules(unittest.TestCase): - MITRE_TECHNIQUES = [ - "t1002", - "t1003", - "t1003.001", - "t1003.002", - "t1003.003", - "t1003.004", - "t1003.005", - "t1003.006", - "t1004", - "t1005", - "t1006", - "t1007", - "t1009", - "t1011", - "t1012", - "t1015", - "t1016", - "t1018", - "t1020", - "t1021", - "t1021.001", - "t1021.002", - "t1021.003", - "t1021.006", - "t1023", - "t1027", - "t1028", - "t1031", - "t1033", - "t1035", - "t1036", - "t1036.005", - "t1037", - "t1037.001", - "t1038", - "t1040", - "t1041", - "t1042", - "t1043", - "t1046", - "t1047", - "t1048", - "t1049", - "t1050", - "t1053", - "t1053.002", - "t1053.005", - "t1054", - "t1055", - "t1056", - "t1057", - "t1058", - "t1059", - "t1059.001", - "t1059.003", - "t1059.004", - "t1059.005", - "t1059.006", - "t1060", - "t1064", - "t1066", - "t1067", - "t1068", - "t1069", - "t1070", - "t1070.001", - "t1070.002", - "t1070.003", - "t1070.004", - "t1070.005", - "t1070.006", - "t1071", - "t1071.004", - "t1073", - "t1074", - "t1075", - "t1076", - "t1077", - "t1078", - "t1081", - "t1082", - "t1083", - "t1084", - "t1085", - "t1086", - "t1087", - "t1088", - "t1089", - "t1090", - "t1091", - "t1096", - "t1098", - "t1099", - "t1100", - "t1102", - "t1103", - "t1105", - "t1106", - "t1107", - "t1110", - "t1112", - "t1114", - "t1117", - "t1118", - "t1121", - "t1122", - "t1123", - "t1124", - "t1125", - "t1127", - "t1128", - "t1130", - "t1133", - "t1134", - "t1134.005", - "t1135", - "t1136", - "t1137", - "t1138", - "t1139", - "t1140", - "t1145", - "t1146", - "t1156", - "t1158", - "t1168", - "t1169", - "t1170", - "t1171", - "t1175", - "t1177", - "t1178", - "t1182", - "t1183", - "t1190", - "t1191", - "t1193", - "t1195", - "t1195.001", - "t1196", - "t1197", - "t1200", - "t1201", - "t1202", - "t1203", - "t1204", - "t1207", - "t1208", - "t1210", - "t1211", - "t1212", - 
"t1218", - "t1218.001", - "t1218.005", - "t1218.010", - "t1218.011", - "t1219", - "t1220", - "t1222", - "t1223", - "t1482", - "t1485", - "t1487", - "t1488", - "t1489", - "t1490", - "t1492", - "t1493", - "t1495", - "t1499", - "t1500", - "t1501", - "t1505", - "t1505.003", - "t1537", - "t1542.003", - "t1543.002", - "t1543.003", - "t1546.001", - "t1546.003", - "t1546.004", - "t1546.007", - "t1546.008", - "t1546.009", - "t1546.010", - "t1546.011", - "t1546.012", - "t1546.015", - "t1547.001", - "t1547.004", - "t1547.008", - "t1547.009", - "t1548.002", - "t1550.002", - "t1551", - "t1551.003", - "t1551.004", - "t1551.006", - "t1552.001", - "t1552.003", - "t1552.004", - "t1553.004", - "t1557.001", - "t1558", - "t1558.003", - "t1559.001", - "t1560", - "t1561.001", - "t1561.002", - "t1562.001", - "t1562.006", - "t1564.001", - "t1564.004", - "t1565.001", - "t1565.002", - "t1566.001", - "t1569.002", - "t1571", - "t1574.001", - "t1574.002", - "t1574.011", -] MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] - MITRE_GROUPS = ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", 
"g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"] - MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050", "s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", 
"s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", "s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", "s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"] - MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] path_to_rules = "rules" 
@@ -290,7 +65,7 @@ class TestRules(unittest.TestCase): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: - if tag not in self.MITRE_ALL and tag.startswith("attack.") and len(split(".", tag)) < 3: + if tag not in MITRE_ALL and tag.startswith("attack."): print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) 
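Review bot: `MITRE_ALL` is now a bare module global that, per the later hunk in this commit, is assigned only inside `if __name__ == "__main__":`; when the suite is collected by pytest (the runner listed in tools/requirements-devel.txt) that block never runs and this line raises `NameError: name 'MITRE_ALL' is not defined` on the first rule that has tags. Assign it at module level after the helper is defined, `MITRE_ALL = get_mitre_data()`, or better, fetch it once in `setUpClass` and keep reading `self.MITRE_ALL` as before. The enclosing test method starts above this hunk.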
@@ -548,6 +323,54 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title") +def get_mitre_data(): + """ + Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data + """ + # Get MITRE ATT&CK information + lift = attack_client() + # Techniques + MITRE_TECHNIQUES = [] + MITRE_TECHNIQUE_NAMES = [] + MITRE_PHASE_NAMES = set() + MITRE_TOOLS = [] + MITRE_GROUPS = [] + # Techniques + enterprise_techniques = lift.get_enterprise_techniques() + for t in enterprise_techniques: + MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_')) + for r in t.external_references: + if 'external_id' in r: + MITRE_TECHNIQUES.append(r['external_id'].lower()) + if 'kill_chain_phases' in t: + for kc in t['kill_chain_phases']: + if 'phase_name' in kc: + MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_')) + # Tools / Malware + enterprise_tools = lift.get_enterprise_tools() + for t in enterprise_tools: + for r in t.external_references: + if 'external_id' in r: + MITRE_TOOLS.append(r['external_id'].lower()) + enterprise_malware = lift.get_enterprise_malware() + for m in enterprise_malware: + for r in m.external_references: + if 'external_id' in r: + MITRE_TOOLS.append(r['external_id'].lower()) + # Groups + enterprise_groups = lift.get_enterprise_groups() + for g in enterprise_groups: + for r in g.external_references: + if 'external_id' in r: + MITRE_GROUPS.append(r['external_id'].lower()) + + # Combine all IDs to a big tag list + return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS] + + if __name__ == "__main__": init(autoreset=True) + # Get Current Data from MITRE on ATT&CK + MITRE_ALL = get_mitre_data() + # Run the tests unittest.main() 
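Review bot: `get_mitre_data()` fetches the whole Enterprise matrix from MITRE's TAXII server on every run, so the test suite now fails, or blocks until the client times out, whenever that service or outbound network access is unavailable, and the set of accepted tags changes underneath contributors between runs; consider committing a cached copy refreshed by a dedicated job, or at least catching the fetch failure and turning it into a `unittest.SkipTest` for the tag test instead of an error at import time. The loops assume every object has `external_references` — `t.external_references` raises if the STIX object lacks it, while the neighbouring `'kill_chain_phases' in t` check guards the other field — so `for r in t.get('external_references', [])` would be the consistent form. Technique names are only normalised for spaces and hyphens, so a name containing `/` or `:` (e.g. "System Owner/User Discovery", if that is still the STIX name) yields a tag nobody can write; stripping other punctuation before the join would avoid that. The docstring's "TAXI service" should read "TAXII service".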
diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt index 4806396de..3665b6ee4 100644 --- a/tools/requirements-devel.txt +++ b/tools/requirements-devel.txt @@ -6,3 +6,5 @@ setuptools wheel pytest~=5.4 colorama +stix2 +attackcti \ No newline at end of file From 741d42ce8840d91c10026913b4705563eebbac6f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 14 Jul 2020 17:59:59 +0200 Subject: [PATCH 72/76] fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 --- .../win_powershell_suspicious_parameter_variation.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index 141000599..620edf36c 100644 --- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -10,14 +10,15 @@ tags: - attack.t1059.001 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) date: 2019/01/16 +modified: 2020/07/14 logsource: category: process_creation product: windows detection: selection: - Image: - - '*\Powershell.exe' - CommandLine: + Image|endswith: + - '\Powershell.exe' + CommandLine|contains: - ' -windowstyle h ' - ' -windowstyl h' - ' -windowsty h' From 80639afd434e2da2ef2a69a657110a4566a983eb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 15 Jul 2020 11:03:31 +0200 Subject: [PATCH 73/76] rule: CVE-2020-1350 --- .../win_exploit_cve_2020_1350.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/win_exploit_cve_2020_1350.yml diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml new file mode 100644 index 000000000..3cf364c51 --- /dev/null 
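Review bot: `stix2` and `attackcti` are added without any version constraint while the neighbouring `pytest~=5.4` is pinned; since these two now gate the entire rule test suite and talk to a live service, pin them to the versions you tested with (`attackcti==<tested>` / `stix2==<tested>`) so a breaking client release does not silently break CI, and restore the trailing newline the diff reports as missing.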
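Review bot: `Image|endswith: '\Powershell.exe'` covers only Windows PowerShell; PowerShell Core (`pwsh.exe`) accepts the same abbreviated `-windowstyle` spellings as far as I know and is therefore missed by this rule, so `Image|endswith: ['\powershell.exe', '\pwsh.exe']` closes that gap without touching the CommandLine patterns. The CommandLine list continues past the hunk.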
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml @@ -0,0 +1,24 @@ +title: DNS RCE CVE-2020-1350 +id: b5281f31-f9cc-4d0d-95d0-45b91c45b487 +status: experimental +description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process +references: + - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ + - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +author: Florian Roth +date: 2020/07/15 +tags: + - attack.initial_access + - attack.t1190 + - attack.execution + - attack.t1569.002 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\dns.exe' + condition: selection +falsepositives: + - Unknown but benign sub processes of the Windows DNS service dns.exe +level: critical From ae7fbb92459e63254cc41e12d0d9046d72b6c8e2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 15 Jul 2020 11:49:20 +0200 Subject: [PATCH 74/76] fix: false positive filters based on SOC Prime's rule --- .../windows/process_creation/win_exploit_cve_2020_1350.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml index 3cf364c51..361a99f17 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml @@ -18,7 +18,11 @@ logsource: detection: selection: ParentImage|endswith: '\dns.exe' - condition: selection + filter: + Image|endswith: + - '\werfault.exe' + - '\conhost.exe' + condition: selection and not filter falsepositives: - Unknown but benign sub processes of the Windows DNS service dns.exe level: critical From c2eb110fcae9724426048c5b02ecea4c2409b722 Mon Sep 17 00:00:00 2001 
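Review bot: The rule fires on any child process of dns.exe, which catches a payload that spawns a process but not the exploitation itself, and the description should say so — e.g. `Detects suspicious child processes of the Windows DNS Server service (dns.exe), as expected after successful exploitation of CVE-2020-1350; it does not detect the exploit attempt itself` — so that analysts do not read silence as absence of attack. `attack.t1569.002` (Service Execution) does not describe what is observed here — the DNS service is the compromised parent, not a service the attacker started — whereas `attack.t1190` fits and `attack.t1059` would cover the spawned shell. `level: critical` is only defensible once the benign children are filtered, which the follow-up commits begin to do.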
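Review bot: Filtering out `werfault.exe` discards the one signal a failed exploitation attempt leaves behind: a heap overflow in dns.exe that does not land crashes the service, and Windows Error Reporting starting as a child of dns.exe is precisely that crash. Keep it out of this critical rule as done here, but give `dns.exe -> werfault.exe` its own medium-level rule (same `ParentImage` selection, `Image|endswith: '\werfault.exe'`) so repeated DNS service crashes remain visible to the SOC.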
From: Florian Roth Date: Wed, 15 Jul 2020 11:56:11 +0200 Subject: [PATCH 75/76] fix: more exact patterns --- .../windows/process_creation/win_exploit_cve_2020_1350.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml index 361a99f17..95e6eaef3 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\dns.exe' + ParentImage|endswith: '\System32\dns.exe' filter: Image|endswith: - - '\werfault.exe' - - '\conhost.exe' + - '\System32\werfault.exe' + - '\System32\conhost.exe' condition: selection and not filter falsepositives: - Unknown but benign sub processes of the Windows DNS service dns.exe From 1c103a749fb5004b0dafb5176abdabd3eabf4dca Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 15 Jul 2020 12:05:50 +0200 Subject: [PATCH 76/76] fix: more FPs based on feedback https://twitter.com/GossiTheDog/status/1283341486680166400 --- rules/windows/process_creation/win_exploit_cve_2020_1350.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml index 95e6eaef3..ec82fbc6b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml @@ -22,6 +22,7 @@ detection: Image|endswith: - '\System32\werfault.exe' - '\System32\conhost.exe' + - '\System32\dnscmd.exe' condition: selection and not filter falsepositives: - Unknown but benign sub processes of the Windows DNS service dns.exe
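Review bot: The filter matches on a path suffix, so an attacker who already runs code inside dns.exe (SYSTEM) can evade the rule by launching a payload from any directory ending in `\System32\` — e.g. `C:\Windows\Temp\System32\dnscmd.exe` — or by dropping a binary named `conhost.exe` into such a directory; matching the filter on the full path, `Image: ['C:\Windows\System32\werfault.exe', 'C:\Windows\System32\conhost.exe', 'C:\Windows\System32\dnscmd.exe']` (or an `endswith` anchored at `:\Windows\System32\`), removes that bypass, while the selection's `\System32\dns.exe` suffix is harmless because it only narrows the parent match. The `dnscmd.exe` exclusion added in the last hunk deserves an inline comment citing the reported benign case, since the DNS service launching dnscmd is otherwise a surprising thing to allow-list.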