Merge pull request #4211 from fukusuket/refactor-use-all-modifier-without-field-instead-of-all-of

chore: refactor use `'|all'` instead of using `all of` for a single selector.
Nasreddine Bencherchali
2023-05-05 18:44:35 +02:00
committed by GitHub
5 changed files with 74 additions and 62 deletions
@@ -7,55 +7,61 @@ tags:
- attack.t1059.001
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/04/11
modified: 2023/05/04
logsource:
product: windows
service: powershell
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
convert_b64:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
iex_selection:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
enc_selection:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
reg_selection:
- 'powershell'
- 'reg'
- 'add'
- 'HKCU\software\microsoft\windows\currentversion\run'
webclient_selection:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
iex_webclient:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
selection_convert_b64:
'|all':
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex:
'|all':
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc:
'|all':
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg:
'|all':
- 'powershell'
- 'reg'
- 'add'
- 'HKCU\software\microsoft\windows\currentversion\run'
selection_webclient:
'|all':
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
'|all':
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- 'Write-ChocolateyWarning'
condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
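Review bot: The rewritten condition `1 of selection_* and not 1 of filter_*` now depends on a naming convention rather than on explicit references, so a keyword group added later without the `selection_` prefix would simply not be evaluated by the condition; the old explicit `all of convert_b64 or ...` form failed loudly instead. I would add a comment under `detection:` such as `# Every keyword group must keep the selection_ prefix; the condition matches them by wildcard.` so the next editor does not silently drop coverage. The `modified:` dates in this PR also disagree across the five files (2023/05/04, 2023/05/03, 2023/04/30) although the change is one mechanical refactor; aligning them would make the history easier to read. The rest of the rule (title, status, description) lies outside this section.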
@@ -6,9 +6,9 @@ description: |
This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: 'Igor Fits, oscd.community'
author: Igor Fits, oscd.community
date: 2020/10/13
modified: 2023/01/06
modified: 2023/05/03
tags:
- attack.defense_evasion
- attack.t1027.001
@@ -19,14 +19,16 @@ detection:
selection_execve:
type: 'EXECVE'
keywords_truncate:
- 'truncate'
- '-s'
'|all':
- 'truncate'
- '-s'
keywords_dd:
- 'dd'
- 'if='
'|all':
- 'dd'
- 'if='
keywords_filter:
- 'of='
condition: selection_execve and (all of keywords_truncate or (all of keywords_dd and not keywords_filter))
condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
- Unknown
level: high
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020/10/15
modified: 2023/01/06
modified: 2023/04/30
tags:
- attack.credential_access
- attack.t1552.001
@@ -17,9 +17,10 @@ detection:
selection:
type: 'EXECVE'
keywords:
- 'grep'
- 'password'
condition: selection and all of keywords
'|all':
- 'grep'
- 'password'
condition: selection and keywords
falsepositives:
- Unknown
level: high
@@ -6,7 +6,7 @@ references:
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021/08/09
modified: 2023/02/28
modified: 2023/04/30
tags:
- attack.persistence
- attack.t1505.003
@@ -15,16 +15,18 @@ logsource:
product: windows
detection:
export_command:
- 'New-MailboxExportRequest'
- ' -Mailbox '
'|all':
- 'New-MailboxExportRequest'
- ' -Mailbox '
export_params:
- '-FilePath "\\\\' # We care about any share location.
- '.aspx'
role_assignment:
- 'New-ManagementRoleAssignment'
- ' -Role "Mailbox Import Export"'
- ' -User '
condition: (all of export_command and export_params) or all of role_assignment
'|all':
- 'New-ManagementRoleAssignment'
- ' -Role "Mailbox Import Export"'
- ' -User '
condition: (export_command and export_params) or role_assignment
falsepositives:
- Unlikely
level: critical
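Review bot: `export_params` is the only selection in this detection block left as a plain list after `export_command` and `role_assignment` were converted to `'|all'`, and nothing states that this is deliberate; a reader applying the same refactor mechanically could turn the OR into an AND and lose the `.aspx` web-shell variant. I would add a comment above the list, `# either value is sufficient on its own; intentionally not '|all'`, next to the existing share-location comment. The new condition `(export_command and export_params) or role_assignment` itself looks equivalent to the old `all of` form, so no logic change is implied.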
@@ -4,7 +4,7 @@ status: test
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
author: Florian Roth (Nextron Systems)
date: 2018/01/27
modified: 2022/04/14
modified: 2023/04/30
tags:
- attack.credential_access
- attack.t1003.002
@@ -17,9 +17,10 @@ detection:
Provider_Name: Microsoft-Windows-Kernel-General
EventID: 16
keywords:
- '\AppData\Local\Temp\SAM-'
- '.dmp'
condition: selection and all of keywords
'|all':
- '\AppData\Local\Temp\SAM-'
- '.dmp'
condition: selection and keywords
falsepositives:
- Unknown
level: high