Merge PR #4695 from @defensivedepth - Add new rules based on OpenCanary tooling

new: OpenCanary - FTP Login Attempt
new: OpenCanary - GIT Clone Request
new: OpenCanary - HTTP GET Request
new: OpenCanary - HTTP POST Login Attempt
new: OpenCanary - HTTPPROXY Login Attempt
new: OpenCanary - MSSQL Login Attempt Via SQLAuth
new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
new: OpenCanary - MySQL Login Attempt
new: OpenCanary - NTP Monlist Request
new: OpenCanary - REDIS Action Command Attempt
new: OpenCanary - SIP Request
new: OpenCanary - SMB File Open Request
new: OpenCanary - SNMP OID Request
new: OpenCanary - SSH Login Attempt
new: OpenCanary - SSH New Connection Attempt
new: OpenCanary - Telnet Login Attempt
new: OpenCanary - TFTP Request
new: OpenCanary - VNC Connection Attempt

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Josh Brower
2024-03-08 10:24:19 -05:00
committed by GitHub
parent bcedce923f
commit eac04262c2
19 changed files with 433 additions and 0 deletions
@@ -0,0 +1,24 @@
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: experimental
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.exfiltration
- attack.t1190
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 2000
condition: selection
falsepositives:
- Unlikely
level: high
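Review bot: the tactic and technique tags in this hunk do not line up: `attack.exfiltration` has no technique under it, while `attack.t1021` (Remote Services) belongs to Lateral Movement, which is not tagged. Either drop `attack.exfiltration` or add the technique it is meant to cover (T1048, Exfiltration Over Alternative Protocol, if FTP-as-exfil-channel is the intent), and add `attack.lateral_movement` alongside `attack.t1021`. Separately, `falsepositives: - Unlikely` is optimistic for a listening FTP canary: an authorized vulnerability scanner or asset-inventory tool that touches the honeypot will trigger this at `level: high`, so listing those sources would help whoever triages it.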
@@ -0,0 +1,22 @@
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: experimental
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.collection
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 16001
condition: selection
falsepositives:
- Unlikely
level: high
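Review bot: the description is missing an article ("has had Git Clone request" should read "has had a Git clone request"). On tagging, `attack.t1213` is correct but the more specific sub-technique `attack.t1213.003` (Code Repositories) exists and would be the better fit for a clone against a fake Git service.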
@@ -0,0 +1,22 @@
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: experimental
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3000
condition: selection
falsepositives:
- Unlikely
level: high
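Review bot: `logtype: 3000` matches every GET the canary web server receives, yet the rule is `level: high` with `falsepositives: - Unlikely`. Unlike the POST login rule, a bare GET is also produced by link prefetching, monitoring checks and internal scanners, so this will be the noisiest rule in the set; consider naming those sources under `falsepositives` and lowering the level, keeping high for the POST login path.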
@@ -0,0 +1,23 @@
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: experimental
description: |
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3001
condition: selection
falsepositives:
- Unlikely
level: high
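Review bot: the description is missing an article ("has had login attempt via Form POST" should read "has had a login attempt via form POST"). It also uses a `|` block scalar for a single line, while the FTP, GIT and HTTP GET rules use a plain scalar; pick one style for the set.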
@@ -0,0 +1,24 @@
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: experimental
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.defense_evasion
- attack.t1090
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 7001
condition: selection
falsepositives:
- Unlikely
level: high
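Review bot: the title says "Login Attempt" but the description says the event is "an attempt to proxy another page"; one of them should change so the alert name reflects what `logtype: 7001` records. The tags also do not match: `attack.t1090` (Proxy) is a Command and Control technique, so `attack.command_and_control` is the tactic it belongs under, not `attack.initial_access` or `attack.defense_evasion`.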
@@ -0,0 +1,25 @@
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: experimental
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.credential_access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9001
condition: selection
falsepositives:
- Unlikely
level: high
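Review bot: `attack.t1003` (OS Credential Dumping) does not describe a login attempt against a fake MSSQL service; what the canary records here is an authentication attempt, for which `attack.t1110` (Brute Force, also under `attack.credential_access`) is the accurate technique. The `attack.collection` / `attack.t1213` pair is defensible if the attacker's goal is assumed to be the database contents.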
@@ -0,0 +1,25 @@
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: experimental
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.credential_access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
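Review bot: this rule is identical to the SQLAuth rule apart from `logtype: 9002` and the title; if the authentication mode does not need its own alert, a single rule with `logtype: [9001, 9002]` would be easier to maintain, otherwise the descriptions should say why the two are separated. As with the SQLAuth rule, `attack.t1003` (OS Credential Dumping) is the wrong technique for a login attempt; `attack.t1110` (Brute Force) is the one that fits.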
@@ -0,0 +1,24 @@
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: experimental
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.credential_access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 8001
condition: selection
falsepositives:
- Unlikely
level: high
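Review bot: same tagging issue as the MSSQL rules: `attack.t1003` (OS Credential Dumping) does not describe a MySQL login attempt, and `attack.t1110` (Brute Force) is the credential-access technique that does. Also note this rule uses a plain scalar for `description` while the MSSQL rules use `|`; the set should be consistent.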
@@ -0,0 +1,22 @@
title: OpenCanary - NTP Monlist Request
id: 7cded4b3-f09e-405a-b96f-24248433ba44
status: experimental
description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.impact
- attack.t1498
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 11001
condition: selection
falsepositives:
- Unlikely
level: high
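Review bot: the description has a wrong article ("had a NTP monlist request" should read "had an NTP monlist request"). For tagging, since monlist is the request abused for NTP reflection, the sub-technique `attack.t1498.002` (Reflection Amplification) is more precise than the parent `attack.t1498`.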
@@ -0,0 +1,24 @@
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: experimental
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.credential_access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 17001
condition: selection
falsepositives:
- Unlikely
level: high
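Review bot: `attack.credential_access` / `attack.t1003` (OS Credential Dumping) does not describe a Redis command being sent to a canary; nothing in this hunk involves credentials. The tags should reflect what `logtype: 17001` actually records (a command issued against a fake Redis instance); `attack.collection` / `attack.t1213` is the closer of the two pairs, and the credential-access pair should be dropped unless the description is changed to say that an AUTH attempt is what fires.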
@@ -0,0 +1,22 @@
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: experimental
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.collection
- attack.t1123
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 15001
condition: selection
falsepositives:
- Unlikely
level: high
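Review bot: the description has a wrong article ("an SIP service" should read "a SIP service", matching how the acronym is spoken). Tagging: `attack.t1123` (Audio Capture) is a stretch for a request hitting a fake SIP endpoint; what the canary sees is a probe of a VoIP service, for which `attack.discovery` / `attack.t1046` (Network Service Discovery) is the accurate pair.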
@@ -0,0 +1,24 @@
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: experimental
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.lateral_movement
- attack.collection
- attack.t1021
- attack.t1005
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5000
condition: selection
falsepositives:
- Unlikely
level: high
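Review bot: `attack.t1005` is Data from Local System, but a file open over SMB against a canary share is Data from Network Shared Drive, `attack.t1039`, under the same `attack.collection` tactic. Since the lateral-movement vector is SMB specifically, `attack.t1021.002` (SMB/Windows Admin Shares) would also be more precise than the parent `attack.t1021`.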
@@ -0,0 +1,24 @@
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: experimental
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.discovery
- attack.lateral_movement
- attack.t1016
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 13001
condition: selection
falsepositives:
- Unlikely
level: high
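Review bot: `attack.lateral_movement` / `attack.t1021` (Remote Services) does not describe an SNMP OID request; nothing in this event is an interactive remote session. `attack.discovery` / `attack.t1016` (System Network Configuration Discovery) already covers what an SNMP query against a canary represents, so the lateral-movement pair should be dropped.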
@@ -0,0 +1,26 @@
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: experimental
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.lateral_movement
- attack.persistence
- attack.t1133
- attack.t1021
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 4002
condition: selection
falsepositives:
- Unlikely
level: high
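Review bot: `attack.t1021` can be narrowed to `attack.t1021.004` (SSH) since the service is fixed by the rule, and a login attempt against a honeypot is better described by `attack.t1110` (Brute Force) than by `attack.t1078` (Valid Accounts), which presumes the credentials are legitimate. The three tactic tags are otherwise consistent with `attack.t1133` and `attack.t1021`.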
@@ -0,0 +1,26 @@
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: experimental
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.lateral_movement
- attack.persistence
- attack.t1133
- attack.t1021
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 4000
condition: selection
falsepositives:
- Unlikely
level: high
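Review bot: with both this rule (`logtype: 4000`) and the SSH login rule (`logtype: 4002`) at `level: high`, a single SSH login attempt will raise two high alerts, one for the connection and one for the login. Since a connection without a login attempt carries less signal (port scans and banner grabs), this rule is a candidate for `level: medium`, and its description should say "new connection" to match the title rather than the generic "connection attempt".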
@@ -0,0 +1,24 @@
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: experimental
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.initial_access
- attack.command_and_control
- attack.t1133
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 6001
condition: selection
falsepositives:
- Unlikely
level: high
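Review bot: `attack.command_and_control` has no matching technique in this hunk: `attack.t1133` (External Remote Services) is Initial Access / Persistence and `attack.t1078` (Valid Accounts) is not a C2 technique either. Drop `attack.command_and_control`, and consider `attack.t1110` (Brute Force) in place of `attack.t1078`, since a login attempt against a canary Telnet service is not a valid-account use.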
@@ -0,0 +1,22 @@
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: experimental
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 10001
condition: selection
falsepositives:
- Unlikely
level: high
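Review bot: `attack.t1041` is Exfiltration Over C2 Channel, which does not describe a TFTP request against a canary; if exfiltration is the intended framing, `attack.t1048` (Exfiltration Over Alternative Protocol) is the technique for moving data over a protocol such as TFTP. The description ("has had a request") is also vague; it should say which TFTP operations `logtype: 10001` covers (read, write, or both).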
@@ -0,0 +1,22 @@
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: experimental
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024/03/08
tags:
- attack.lateral_movement
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 12001
condition: selection
falsepositives:
- Unlikely
level: high
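Review bot: `attack.t1021` should be narrowed to the VNC sub-technique `attack.t1021.005`, since the rule is specific to the VNC service. The rule is otherwise consistent with the SSH connection rule, and the same `level: high` for a bare connection attempt (before any authentication) deserves the same scrutiny: port scanners will trigger it.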
@@ -266,6 +266,14 @@
},
"service":{}
},
"opencanary":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"velocity":{
"commun": [],
"empty": [],