diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml
index 6523adc2d..85eeb7429 100644
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@@ -2,6 +2,7 @@ title: Python SQL Exceptions
 id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
+date: 2017/08/12
 references:
 - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@@ -18,4 +19,3 @@ falsepositives:
 - Application bugs
 - Penetration testing
 level: medium
-
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index dd411340d..7421bc15d 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -3,6 +3,7 @@ id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
+date: 2017/11/27
 references:
 - http://www.sqlinjection.net/errors
 logsource:
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index b44075737..69ca84e71 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@@ -2,6 +2,7 @@ title: Django framework exceptions
 id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/05
 references:
 - https://docs.djangoproject.com/en/1.11/ref/exceptions/
 - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -29,4 +30,3 @@ falsepositives:
 - Application bugs
 - Penetration testing
 level: medium
-
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index e87751afd..5899a054d 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -2,6 +2,7 @@ title: Ruby on Rails framework exceptions
 id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
 - http://edgeguides.rubyonrails.org/security.html
 - http://guides.rubyonrails.org/action_controller_overview.html
@@ -22,4 +23,3 @@ falsepositives:
 - Application bugs
 - Penetration testing
 level: medium
-
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index c05bd82ca..f71aef60b 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -2,6 +2,7 @@ title: Spring framework exceptions
 id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
 - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@@ -21,4 +22,3 @@ falsepositives:
 - Application bugs
 - Penetration testing
 level: medium
-
diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index b8d82523c..a089caa6d 100755
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -9,6 +9,8 @@ tags:
 - attack.persistence
 - attack.g0016
 - attack.t1050
+date: 2017/11/01
+author: Thomas Patzke
 logsource:
 product: windows
 service: system
@@ -27,6 +29,6 @@ logsource:
 product: windows
 detection:
 process:
- Image:
+ Image:
 - 'C:\Program Files(x86)\Google\GoogleService.exe'
 - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
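Review bot: The two `Image` values in the second apt_apt29_tor.yml hunk spell the directory as `C:\Program Files(x86)\...` with no space before `(x86)`; the real Windows folder is `C:\Program Files (x86)`, and since a Sigma `Image` value without wildcards is an exact match, this selection cannot fire on the path it is meant to catch. The commit only strips trailing whitespace from the `Image:` line, so the mismatch survives; the fix is `- 'C:\Program Files (x86)\Google\GoogleService.exe'` and `- 'C:\Program Files (x86)\Google\GoogleUpdate.exe'`. As a point of style, the first hunk here inserts `date` before `author` and after `tags`, while the other rules in this commit keep `author` before `date` next to `description`; apt_carbonpaper_turla.yml and lnx_shellshock.yml have the same inverted order, and a single key order across rules would make the metadata easier to scan.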
diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
index 3770c4d38..b16c0733b 100755
--- a/rules/apt/apt_carbonpaper_turla.yml
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -7,6 +7,8 @@ tags:
 - attack.persistence
 - attack.g0010
 - attack.t1050
+date: 2017/03/31
+author: Florian Roth
 logsource:
 product: windows
 service: system
@@ -16,7 +18,7 @@ detection:
 ServiceName:
 - 'srservice'
 - 'ipvpn'
- - 'hkmsvc'
+ - 'hkmsvc'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml
index 025300a22..3e94043ff 100755
--- a/rules/apt/apt_cloudhopper.yml
+++ b/rules/apt/apt_cloudhopper.yml
@@ -2,6 +2,7 @@ title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
+date: 2017/04/07
 references:
 - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 tags:
diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
index 9c5349fbe..4c1593865 100755
--- a/rules/apt/apt_dragonfly.yml
+++ b/rules/apt/apt_dragonfly.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.g0035
 author: Markus Neis
+date: 2018/04/08
 logsource:
 category: process_creation
 product: windows
@@ -15,6 +16,6 @@ detection:
 Image:
 - '*\crackmapexec.exe'
 condition: selection
-falsepositives:
- - None
-level: critical
\ No newline at end of file
+falsepositives:
+ - None
+level: critical
diff --git a/rules/apt/apt_equationgroup_c2.yml b/rules/apt/apt_equationgroup_c2.yml
index fc2614e1f..d41700615 100755
--- a/rules/apt/apt_equationgroup_c2.yml
+++ b/rules/apt/apt_equationgroup_c2.yml
@@ -8,6 +8,7 @@ tags:
 - attack.command_and_control
 - attack.g0020
 author: Florian Roth
+date: 2017/04/15
 logsource:
 category: firewall
 detection:
diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml
index c4c81bac8..8cfc979a5 100755
--- a/rules/apt/apt_equationgroup_dll_u_load.yml
+++ b/rules/apt/apt_equationgroup_dll_u_load.yml
@@ -1,6 +1,7 @@
 title: Equation Group DLL_U Load
 id: d465d1d8-27a2-4cca-9621-a800f37cf72e
 author: Florian Roth
+date: 2019/03/04
 description: Detects a specific tool and export used by EquationGroup
 references:
 - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index fa4bbcadf..390d59677 100755
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -8,6 +8,7 @@ tags:
 - attack.g0020
 - attack.t1059
 author: Florian Roth
+date: 2017/04/09
 logsource:
 product: linux
 detection:
diff --git a/rules/apt/apt_gallium.yml b/rules/apt/apt_gallium.yml
index 23088604e..6f628c892 100644
--- a/rules/apt/apt_gallium.yml
+++ b/rules/apt/apt_gallium.yml
@@ -4,6 +4,7 @@ id: 440a56bf-7873-4439-940a-1c8a671073c2
 status: experimental
 description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
 author: Tim Burrell
+date: 2020/01/02
 references:
 - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
@@ -47,7 +48,7 @@ logsource:
 detection:
 c2_selection:
 EventID: 257
- QNAME:
+ QNAME:
 - 'asyspy256.ddns.net'
 - 'hotkillmail9sddcc.ddns.net'
 - 'rosaf112.ddns.net'
diff --git a/rules/apt/apt_hurricane_panda.yml b/rules/apt/apt_hurricane_panda.yml
index bea4a8602..294a3484d 100755
--- a/rules/apt/apt_hurricane_panda.yml
+++ b/rules/apt/apt_hurricane_panda.yml
@@ -1,6 +1,7 @@
 title: Hurricane Panda Activity
 id: 0eb2107b-a596-422e-b123-b389d5594ed7
 author: Florian Roth
+date: 2019/03/04
 status: experimental
 description: Detects Hurricane Panda Activity
 references:
@@ -14,11 +15,10 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
+ CommandLine:
 - '* localgroup administrators admin /add'
 - '*\Win64.exe*'
 condition: selection
 falsepositives:
 - Unknown
 level: high
-
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index 670bc3424..69e393e81 100755
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -10,6 +10,7 @@ tags:
 - attack.lateral_movement
 - attack.t1105
 author: Florian Roth
+date: 2017/06/01
 detection:
 condition: 1 of them
 fields:
@@ -29,7 +30,7 @@ logsource:
 detection:
 selection1:
 EventID: 13
- TargetObject:
+ TargetObject:
 - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
 - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
 - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
@@ -40,4 +41,3 @@ logsource:
 detection:
 selection2:
 Command: 'loaddll -a *'
-
diff --git a/rules/apt/apt_slingshot.yml b/rules/apt/apt_slingshot.yml
index f91a0f34f..723eba626 100755
--- a/rules/apt/apt_slingshot.yml
+++ b/rules/apt/apt_slingshot.yml
@@ -2,6 +2,7 @@ action: global
 title: Defrag Deactivation
 id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 author: Florian Roth
+date: 2019/03/04
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
 - https://securelist.com/apt-slingshot/84312/
@@ -20,13 +21,13 @@ logsource:
 product: windows
 detection:
 selection1:
- CommandLine:
+ CommandLine:
 - '*schtasks* /delete *Defrag\ScheduledDefrag*'
 ---
 logsource:
 product: windows
 service: security
- definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+ definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
 detection:
 selection2:
 EventID: 4701
diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml
index 09a580315..15963070d 100755
--- a/rules/apt/apt_sofacy.yml
+++ b/rules/apt/apt_sofacy.yml
@@ -2,6 +2,7 @@ title: Sofacy Trojan Loader Activity
 id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
 author: Florian Roth
 status: experimental
+date: 2018/03/01
 description: Detects Trojan loader acitivty as used by APT28
 references:
 - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -19,7 +20,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
+ CommandLine:
 - 'rundll32.exe %APPDATA%\\*.dat",*'
 - 'rundll32.exe %APPDATA%\\*.dll",#1'
 condition: selection
diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml
index 72f4dfa6e..3db1bfe6b 100755
--- a/rules/apt/apt_stonedrill.yml
+++ b/rules/apt/apt_stonedrill.yml
@@ -2,6 +2,7 @@ title: StoneDrill Service Install
 id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
 description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
 author: Florian Roth
+date: 2017/03/07
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 tags:
diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml
index 2dc2dbfd1..6c0c932df 100644
--- a/rules/apt/apt_tropictrooper.yml
+++ b/rules/apt/apt_tropictrooper.yml
@@ -2,6 +2,7 @@ title: TropicTrooper Campaign November 2018
 id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
 author: '@41thexplorer, Windows Defender ATP'
 status: stable
+date: 2019/11/12
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
 - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
@@ -15,4 +16,4 @@ detection:
 selection:
 CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
 condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index a863c95e3..5d659fe02 100755
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -2,6 +2,7 @@ action: global
 title: Turla Group Lateral Movement
 id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
 status: experimental
+date: 2017/11/08
 description: Detects automated lateral movement by Turla group
 references:
 - https://securelist.com/the-epic-turla-operation/65545/
@@ -24,7 +25,7 @@ falsepositives:
 ---
 detection:
 selection:
- CommandLine:
+ CommandLine:
 - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
 - 'dir c:\\*.doc* /s'
 - 'dir %TEMP%\\*.exe'
@@ -39,5 +40,5 @@ detection:
 netCommand3:
 CommandLine: 'net share'
 timeframe: 1m
- condition: netCommand1 | near netCommand2 and netCommand3
+ condition: netCommand1 | near netCommand2 and netCommand3
 level: medium
diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml
index e6a5f4594..af5e61227 100755
--- a/rules/apt/apt_zxshell.yml
+++ b/rules/apt/apt_zxshell.yml
@@ -2,6 +2,7 @@ title: ZxShell Malware
 id: f0b70adb-0075-43b0-9745-e82a1c608fcc
 description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
+date: 2017/07/20
 references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 tags:
@@ -15,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- Command:
+ Command:
 - 'rundll32.exe *,zxFunction*'
 - 'rundll32.exe *,RemoteDiskXXXXX'
 condition: selection
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml
index 39249915e..3ed4a8233 100644
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@@ -1,6 +1,8 @@
 title: Buffer Overflow Attempts
 id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
 description: Detects buffer overflow attempts in Unix system log files
+author: Florian Roth
+date: 2017/03/01
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml
index 4ac050bc6..5605d012e 100644
--- a/rules/linux/lnx_clamav.yml
+++ b/rules/linux/lnx_clamav.yml
@@ -1,6 +1,8 @@
 title: Relevant ClamAV Message
 id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
 description: Detects relevant ClamAV messages
+author: Florian Roth
+date: 2017/03/01
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/lnx_shell_susp_log_entries.yml
index f89298799..656256bee 100644
--- a/rules/linux/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/lnx_shell_susp_log_entries.yml
@@ -2,6 +2,7 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
+date: 2017/03/25
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index 43d639d45..6e81bc604 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -1,6 +1,8 @@
 title: Shellshock Expression
 id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 description: Detects shellshock expressions in log files
+date: 2017/03/14
+author: Florian Roth
 references:
 - http://rubular.com/r/zxBfjWfFYs
 logsource:
diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml
index 5c9e6abe3..b82c88975 100644
--- a/rules/linux/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/lnx_susp_failed_logons_single_source.yml
@@ -1,5 +1,7 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
+author: Florian Roth
+date: 2017/02/16
 description: Detects suspicious failed logins with different user accounts from a single source system
 logsource:
 product: linux
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index 614112e29..3fb3eaf9a 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -31,4 +31,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-
diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index 337bfbd56..d0e0e4798 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -2,6 +2,7 @@ title: Network Scans
 id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
+date: 2017/02/19
 logsource:
 category: firewall
 detection:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index effe92f7a..9f579c28f 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -2,6 +2,7 @@ title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
 description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
+date: 2017/02/28
 references:
 - http://www.securityfocus.com/infocus/1633
 logsource:
@@ -13,4 +14,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-
diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
index 650f68866..9617bbe07 100644
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
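Review bot: The `description` context line in the first web_apache_segfault.yml hunk reads `caused by a creashing apacke worker process`, two spelling errors in the rule's own documentation that the commit leaves in place while touching the metadata directly below it. Since the hunk is already editing this header, it would be cheap to correct it to `description: Detects a segmentation fault error message caused by a crashing Apache worker process`.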
@@ -2,6 +2,7 @@ title: Multiple suspicious Response Codes caused by Single Client
 id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
+date: 2017/02/19
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/web_pulsesecure_cve-2019-11510.yml b/rules/web/web_pulsesecure_cve-2019-11510.yml
index 317367ab7..b01247163 100644
--- a/rules/web/web_pulsesecure_cve-2019-11510.yml
+++ b/rules/web/web_pulsesecure_cve-2019-11510.yml
@@ -4,6 +4,7 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
 references:
 - https://www.exploit-db.com/exploits/47297
 author: Florian Roth
+date: 2019/11/18
 logsource:
 category: webserver
 detection:
@@ -17,4 +18,4 @@ fields:
 - response
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index 1544a70c1..8eada5b3c 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@@ -2,6 +2,7 @@ title: Source Code Enumeration Detection by Keyword
 id: 953d460b-f810-420a-97a2-cfca4c98e602
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
+date: 2019/06/08
 references:
 - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
 - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
@@ -18,4 +19,4 @@ fields:
 - response
 falsepositives:
 - unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml
index ac014b1f7..2de20019c 100644
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@@ -2,6 +2,7 @@ title: Webshell Detection by Keyword
 id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
+date: 2017/02/19
 logsource:
 category: webserver
 detection:
@@ -19,4 +20,3 @@ falsepositives:
 - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
 - User searches in search boxes of the respective website
 level: high
-