diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index a68fc115f..d94d319dd 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -23,6 +23,7 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install pipenv
+ pipenv lock
 pipenv install --dev --deploy
 - name: Test Sigma Tools and Rules
 run: |
diff --git a/Pipfile b/Pipfile
index 7df1021b1..060d74e88 100644
--- a/Pipfile
+++ b/Pipfile
@@ -15,8 +15,8 @@ stix2 = "*" attackcti = "*" [packages]
-requests = "~=2.23"
-urllib3 = "~=1.25"
+requests = "~=2.25"
+urllib3 = "~=1.26"
 progressbar2 = "~=3.47"
 pymisp = "~=2.4.123"
 PyYAML = "~=5.1"
diff --git a/Pipfile.lock b/Pipfile.lock
index ed1329a91..f83fca957 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687" + "sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2" }, "pipfile-spec": 6, "requires": {
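Review bot: Running `pipenv lock` right before `pipenv install --dev --deploy` re-resolves every dependency on each CI run, so the `--deploy` check that Pipfile.lock is in sync with the Pipfile can no longer fail and the hashes committed in Pipfile.lock stop pinning what the tests actually install. Any newly published release of a transitive package is then pulled into CI unreviewed, and two runs of the same commit may test different dependency trees. Since this commit already commits the regenerated Pipfile.lock, the added `pipenv lock` line can be dropped; a stale lock will then surface as a `--deploy` failure, which is the behaviour you want from CI.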
@@ -18,25 +18,23 @@ "default": { "attrs": { "hashes": [ - "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", - "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.3.0" + "version": "==21.2.0" }, "certifi": { "hashes": [ - "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", - "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2020.12.5" + "version": "==2021.5.30" }, "chardet": { "hashes": [ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, "deprecated": { @@ -44,7 +42,6 @@ "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.2.12" }, "idna": { @@ -52,7 +49,6 @@ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, "jsonschema": { @@ -82,7 +78,6 @@ "hashes": [ "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e" ], - "markers": "python_version >= '3.5'", "version": "==0.17.3" }, "python-dateutil": { 
@@ -90,7 +85,6 @@ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.8.1" }, "python-utils": { @@ -145,19 +139,18 @@ }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" + "version": "==1.16.0" }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.26.4" + "version": "==1.26.5" }, "wrapt": { "hashes": [ @@ -207,7 +200,6 @@ "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" ], - "markers": "python_version >= '3.6'", "version": "==3.7.4.post0" }, "antlr4-python3-runtime": { @@ -222,7 +214,6 @@ "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" ], - "markers": "python_full_version >= '3.5.3'", "version": "==3.0.1" }, "attackcti": { 
@@ -235,25 +226,23 @@ }, "attrs": { "hashes": [ - "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", - "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.3.0" + "version": "==21.2.0" }, "certifi": { "hashes": [ - "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", - "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2020.12.5" + "version": "==2021.5.30" }, "chardet": { "hashes": [ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, "colorama": { @@ -343,16 +332,14 @@ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, "more-itertools": { "hashes": [ - "sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced", - "sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713" + "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", + "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" ], - "markers": "python_version >= '3.5'", - "version": "==8.7.0" + "version": "==8.8.0" }, "multidict": { "hashes": [ 
@@ -394,7 +381,6 @@ "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" ], - "markers": "python_version >= '3.6'", "version": "==5.1.0" }, "packaging": { @@ -402,7 +388,6 @@ "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==20.9" }, "pathspec": { @@ -417,7 +402,6 @@ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.13.1" }, "py": { @@ -425,7 +409,6 @@ "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.10.0" }, "pyparsing": { @@ -433,7 +416,6 @@ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, "pytest": { 
@@ -542,16 +524,14 @@ "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06", "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb" ], - "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==3.17.2" }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" + "version": "==1.16.0" }, "stix2": { "hashes": [ @@ -577,20 +557,19 @@ }, "typing-extensions": { "hashes": [ - "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", - "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", - "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" + "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", + "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", + "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" ], - "markers": "python_version < '3.8'", - "version": "==3.7.4.3" + "version": "==3.10.0.0" }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.26.4" + "version": "==1.26.5" }, "wcwidth": { "hashes": [ 
@@ -647,7 +626,6 @@ "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" ], - "markers": "python_version >= '3.6'", "version": "==1.6.3" } }
diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws_snapshot_backup_exfiltration.yml
new file mode 100644
index 000000000..e2f5b9e81
--- /dev/null
+++ b/rules/cloud/aws_snapshot_backup_exfiltration.yml
@@ -0,0 +1,24 @@
+title: AWS Snapshot Backup Exfiltration
+id: abae8fec-57bd-4f87-aff6-6e3db989843d
+status: test
+description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
+author: Darin Smith
+date: 2021/05/17
+references:
+ - https://www.justice.gov/file/1080281/download
+ - https://attack.mitre.org/techniques/T1537/
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: cloudtrail.amazonaws.com
+ events:
+ - eventName:
+ - ModifySnapshotAttribute
+ condition: selection_source AND events
+falsepositives:
+ - Valid change to a snapshot's permissions
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1537
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index cda779381..eb1acd9c9 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@@ -81,7 +81,7 @@ detection:
 condition: selection
 ---
 logsource:
- product: firewall
+ category: firewall
 detection:
 selection1:
 destination.port:
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index 264327142..cab122e0b 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
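Review bot: `eventSource: cloudtrail.amazonaws.com` in `selection_source` will never be true for `ModifySnapshotAttribute`, which CloudTrail records as an EC2 API call with `eventSource: ec2.amazonaws.com`; because the condition is `selection_source AND events`, the rule as written cannot fire. Change the line to `- eventSource: ec2.amazonaws.com`. The condition keyword is uppercase `AND` while the rest of the repository writes lowercase `and`, and if the backends expose `requestParameters`, restricting to additions under `createVolumePermission` would stop alerting on the removal of sharing, which is the benign direction.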
@@ -4,12 +4,13 @@ status: stable
 description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/19
+modified: 2021/05/30
 references:
 - https://www.cisecurity.org/controls/cis-controls-list/
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 logsource:
- product: Qualys
+ product: qualys
 detection:
 selection:
 event.category: Security Policy
diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml
new file mode 100644
index 000000000..be1b937b7
--- /dev/null
+++ b/rules/linux/lnx_ldso_preload_injection.yml
@@ -0,0 +1,17 @@
+title: Code Injection by ld.so Preload
+id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
+status: experimental
+description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
+author: Christian Burkard
+date: 2021/05/05
+references:
+ - https://man7.org/linux/man-pages/man8/ld.so.8.html
+logsource:
+ product: linux
+detection:
+ keyword:
+ - '/etc/ld.so.preload'
+ condition: keyword
+falsepositives:
+ - rare temporary workaround for library misconfiguration
+level: high
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index 59a534cd3..ba7fc1bb7 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -4,14 +4,18 @@ status: experimental
 description: Detects shellshock expressions in log files
 author: Florian Roth
 date: 2017/03/14
+modified: 2021/04/28
 references:
- - http://rubular.com/r/zxBfjWfFYs
+ - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 logsource:
 product: linux
 detection:
- expression:
- - /\(\)\s*\t*\{.*;\s*\}\s*;/
- condition: expression
+ keyword:
+ - '(){:;};'
+ - '() {:;};'
+ - '() { :;};'
+ - '() { :; };'
+ condition: keyword
 falsepositives:
 - Unknown
 level: high
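Review bot: The keyword `/etc/ld.so.preload` is matched against every log line under `product: linux` with no category or service, so benign reads of the file (package post-install scripts, integrity scanners, auditd PATH records emitted whenever a watched path is opened) all alert at `level: high`. Scoping the logsource to auditd or process_creation and anchoring on writes to or creation of the file would make the high level defensible; short of that, the falsepositives list should mention those benign reads. The rule also has no `tags:`; `attack.persistence` and `attack.t1574.006` (Dynamic Linker Hijacking) cover what the description claims.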
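Review bot: Swapping the regex for four literal `keyword` spellings narrows the rule to payloads whose function body is exactly `:;` in those four spacings; the removed expression `/\(\)\s*\t*\{.*;\s*\}\s*;/` accepted tabs, arbitrary whitespace and any body between the braces. If the literal list is kept for backend compatibility, the narrowing should be stated in `description`, or a second `|re` selection kept for backends that support it, so the original coverage is not silently lost.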
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml
new file mode 100644
index 000000000..9d20a1896
--- /dev/null
+++ b/rules/linux/lnx_symlink_etc_passwd.yml
@@ -0,0 +1,18 @@
+title: Symlink Etc Passwd
+id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
+status: experimental
+description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
+author: Florian Roth
+date: 2019/04/05
+references:
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+logsource:
+ product: linux
+detection:
+ keywords:
+ - 'ln -s -f /etc/passwd'
+ - 'ln -s /etc/passwd'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
index 43f8f6563..892f10d76 100644
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -5,6 +5,7 @@ status: stable
 description: Detects system information discovery commands
 author: Ömer Günal, oscd.community
 date: 2020/10/08
+modified: 2020/05/30
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
 falsepositives:
@@ -16,7 +17,7 @@ tags:
 ---
 logsource:
 product: linux
- categories: process_creation
+ category: process_creation
 detection:
 selection:
 Image|endswith:
@@ -31,7 +32,7 @@ detection:
 ---
 logsource:
 product: linux
- categories: auditd
+ service: auditd
 detection:
 selection:
 type: 'PATH'
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
index f30750331..f4a0ca2d7 100644
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
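Review bot: The `keywords` cover only `ln -s` and `ln -s -f`, so the combined-flag spellings `ln -sf /etc/passwd` and `ln -fs /etc/passwd` and the long option form `ln --symbolic` are missed; adding those lines to the list costs nothing and removes trivial variance in the same command. `date: 2019/04/05` predates the only reference (21Nails, May 2021), so either the date is wrong or a `modified` field is missing. No `tags` are set.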
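Review bot: `modified: 2020/05/30` is earlier than `date: 2020/10/08` on the line above it; every other `modified` added in this commit is 2021/05/27 or 2021/05/30, so this looks like a typo for `modified: 2021/05/30`. The same slip is in rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml, where `modified: 2020/05/27` follows `date: 2020/10/13`.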
@@ -1,5 +1,5 @@
 title: 'File Time Attribute Change'
-id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
 status: experimental
 description: 'Detect file time attribute change to hide new or changes to existing files.'
 # For this rule to work you must enable audit of process execution in OpenBSM, see
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
index 2f47f1034..a0b2a0cbd 100644
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -1,5 +1,5 @@
 title: 'Credentials In Files'
-id: df3fcaea-2715-4214-99c5-0056ea59eb35
+id: 53b1b378-9b06-4992-b972-dde6e423d2b4
 status: experimental
 description: 'Detecting attempts to extract passwords with grep and laZagne'
 # For this rule to work you must enable audit of process execution in OpenBSM, see
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index a7a1fdf22..fd5867314 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -1,5 +1,5 @@
 title: Macos Remote System Discovery
-id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+id: 10227522-8429-47e6-a301-f2b2d014e7ad
 status: experimental
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
new file mode 100644
index 000000000..85306e0ae
--- /dev/null
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -0,0 +1,68 @@
+title: Suspicious DNS Z Flag Bit Set
+id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
+description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
+date: 2021/05/04
+modified: 2021/05/24
+references:
+ - 'https://twitter.com/neu5ron/status/1346245602502443009'
+ - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
+ - 'https://tools.ietf.org/html/rfc2929#section-2.1'
+ - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
+author: '@neu5ron, SOC Prime Team, Corelight'
+tags:
+ - attack.t1094
+ - attack.t1043
+ - attack.command_and_control
+logsource:
+ product: zeek
+ service: dns
+detection:
+ z_flag_unset:
+ Z: '0'
+ most_probable_valid_domain:
+ query|contains: '.'
+ exclude_tlds:
+ query|endswith:
+ - '.arpa'
+ - '.local'
+ - '.ultradns.net'
+ - '.twtrdns.net'
+ - '.azuredns-prd.info'
+ - '.azure-dns.com'
+ - '.azuredns-ff.info'
+ - '.azuredns-ff.org'
+ - '.azuregov-dns.org'
+ exclude_query_types:
+ qtype_name:
+ - 'NS'
+ - 'ns'
+ exclude_responses:
+ answers|endswith: '\\x00'
+ exclude_netbios:
+ id.resp_p:
+ - '137'
+ - '138'
+ - '139'
+ condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
+falsepositives:
+ - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
+ - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
+level: medium
+fields:
+ - ts
+ - id.orig_h
+ - id.orig_p
+ - id.resp_h
+ - id.resp_p
+ - proto
+ - qtype_name
+ - qtype
+ - query
+ - answers
+ - rcode
+ - rcode_name
+ - trans_id
+ - qtype
+ - ttl
+ - AA
+ - uid
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
new file mode 100644
index 000000000..419c0f120
--- /dev/null
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
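Review bot: The condition `NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)` names `exclude_tlds` twice; either the duplicate should go or a selection was lost while editing, and the duplicated `qtype` under `fields` suggests the same copy-and-paste. The description's sentence about determining whether 'multiple of these files were accessed' belongs to a file-access rule and does not apply to a DNS Z-bit hunt. The rule has no `status`, and `attack.t1094`/`attack.t1043` are retired technique IDs that other rules in this repository mark with `# an old one` next to their current replacement.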
@@ -0,0 +1,25 @@
+title: CobaltStrike Malformed UAs in Malleable Profiles
+id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
+status: experimental
+description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
+author: Florian Roth
+date: 2021/05/06
+references:
+ - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent:
+ - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
+ - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
+ - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
new file mode 100644
index 000000000..672226f45
--- /dev/null
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -0,0 +1,25 @@
+title: Exploitation of CVE-2021-26814 in Wazuh
+id: b9888738-29ed-4c54-96a4-f38c57b84bb3
+status: experimental
+description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
+author: Florian Roth
+date: 2021/05/22
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
+ - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml
new file mode 100644
index 000000000..62cd6efd5
--- /dev/null
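Review bot: The tag `cve.2021-21978` does not match the CVE named in the title, description and references; it should read `- cve.2021-26814`. With `falsepositives: None` and a single `c-uri|contains` pattern that ignores the response status, the rule reports any request carrying the traversal, including blocked or failed ones, so the description should say 'exploitation attempt' or a status filter should be added as the Exchange rule in this commit does.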
+++ b/rules/web/web_expl_exchange_cve_2021_28480.yml
@@ -0,0 +1,23 @@
+title: Exchange Exploitation CVE-2021-28480
+id: a2a9d722-0acb-4096-bccc-daaf91a5037b
+status: experimental
+description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
+references:
+ - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/owa/calendar/a'
+ cs-method: 'POST'
+ filter:
+ sc-status: 503
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
new file mode 100644
index 000000000..578db765e
--- /dev/null
+++ b/rules/web/web_nginx_core_dump.yml
@@ -0,0 +1,20 @@
+title: Nginx Core Dump
+id: 59ec40bb-322e-40ab-808d-84fa690d7e56
+description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts
+author: Florian Roth
+date: 2021/05/31
+references:
+ - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
+ - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+logsource:
+ product: apache
+detection:
+ keywords:
+ - 'exited on signal 6 (core dumped)'
+ condition: keywords
+falsepositives:
+ - Serious issues with a configuration or plugin
+level: high
+tags:
+ - attack.impact
+ - attack.t1499.004
\ No newline at end of file
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index cd9f525aa..669bcdaa5 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
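Review bot: The description says 'successfull exploitation' (also misspelled), yet the only filter is `sc-status: 503`, so a POST whose URI contains `/owa/calendar/a` with any other status, including 401 or 404, still fires at `level: critical`. If the referenced write-up establishes what a successful request returns, filter on that status; otherwise reword the description to 'exploitation attempt'. The substring `/owa/calendar/a` is also short enough to match unrelated calendar paths beginning with `a`; confirm against the reference that nothing more specific is available.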
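Review bot: `product: apache` in `logsource` contradicts the title, the references and the keyword `exited on signal 6 (core dumped)`, which is the nginx master process reporting a crashed worker; the logsource should be `product: nginx` (or whatever generic syslog source the backends map nginx error logs to). The rule also lacks a `status` field, and `creashing` in the description is a typo.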
@@ -20,7 +20,9 @@ detection:
 EventID: 5145
 ShareName: \\*\SYSVOL
 RelativeTargetName|endswith: 'ScheduledTasks.xml'
- Accesses|contains: 'WriteData'
+ Accesses|contains:
+ - 'WriteData'
+ - '%%4417'
 condition: selection
 falsepositives:
 - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index 60a4c5974..b3ebbc942 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/09/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
 tags:
 - attack.defense_evasion
 - attack.t1222 # an old one
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index fcdb3ee67..2fe27687b 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -6,7 +6,7 @@ date: 2019/07/26
 modified: 2020/08/23
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
 tags:
 - attack.credential_access
 - attack.t1003 # an old one
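Review bot: `%%4417` is the resolved-string form of WriteData that Security event 5145 emits in `Accesses`, so listing it next to the literal is right; by the same token AppendData (`%%4418`) also lets a caller modify ScheduledTasks.xml and is not covered. If the intent is to catch any write to the file, add `- 'AppendData'` and `- '%%4418'` to the list; otherwise a short comment explaining why only WriteData is watched would help the next editor.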
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
new file mode 100644
index 000000000..9834aee86
--- /dev/null
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -0,0 +1,34 @@
+title: CobaltStrike Service Installations
+id: 5a105d34-05fc-401e-8553-272b45c1522d
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+author: Florian Roth, Wojciech Lesicki
+references:
+ - https://www.sans.org/webcasts/119395
+date: 2021/05/26
+modified: 2021/06/03
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection1:
+ EventID: 7045
+ selection2:
+ ServiceFileName|contains|all:
+ - 'ADMIN$'
+ - '.exe'
+ selection3:
+ ServiceFileName|contains|all:
+ - '%COMSPEC%'
+ - 'start'
+ - 'powershell'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index 2020946e1..d4406838c 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -34,5 +34,6 @@ detection:
 condition: selection and not filter1 and not filter2 and not filter3
 falsepositives:
 - Valid DC Sync that is not covered by the filters; please report
+ - Local Domain Admin account used for Azure AD Connect
 level: high
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
index b9d52b7e5..f913f7531 100644
--- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
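Review bot: `selection2` fires on any 7045 whose `ServiceFileName` contains both `ADMIN$` and `.exe`, which is the same staging pattern several legitimate remote-execution and deployment tools use, yet `falsepositives` says Unknown and `level` is critical. Naming the admin tooling known to install services from an `ADMIN$` path, or filtering it, keeps the critical level credible. The rule also omits `status`, which the other new rules in this commit carry.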
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/06/20
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
 tags:
 - attack.credential_access
 - attack.t1003 # an old one
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
index a5a89c445..c65a24252 100644
--- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/08/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
 tags:
 - attack.credential_access
 - attack.t1003 # an old one
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index eb3392785..c87885a43 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -3,14 +3,16 @@ description: Detects enumeration of the global catalog (that can be performed us
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
-modified: 2020/08/23
+modified: 2021/06/01
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 tags:
 - attack.discovery
 - attack.t1087 # an old one
 - attack.t1087.002
 logsource:
 product: windows
- service: system
+ service: security
 definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
 detection:
 selection:
diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml
new file mode 100644
index 000000000..8dee8a7c3
--- /dev/null
+++ b/rules/windows/builtin/win_hidden_user_creation.yml
@@ -0,0 +1,25 @@
+title: Hidden Local User Creation
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1136.001
+references:
+ - https://twitter.com/SBousseaden/status/1387743867663958021
+author: Christian Burkard
+date: 2021/05/03
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4720
+ TargetUserName|endswith: '$'
+ condition: selection
+fields:
+ - EventCode
+ - AccountName
+falsepositives:
+ - unkown
+level: high
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
index 95d562295..b33bf0cb8 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
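Review bot: `fields` lists `EventCode` and `AccountName`, but the detection matches on `EventID` and `TargetUserName`, so the output fields do not correspond to the event as the rule itself names it; `- EventID`, `- TargetUserName` and `- SubjectUserName` (the creating account) would be consistent. `unkown` in falsepositives is a typo. On domain controllers 4720 also records domain accounts, so legitimately created service-style accounts whose names end in `$` may appear; worth confirming and listing as a false positive if so.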
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
+modified: 2020/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -16,27 +17,27 @@ falsepositives:
 - Unknown
 level: high
 detection:
- selection_1:
+ selection:
 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
- condition: selection and selection_1
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
- service: sysmon
+ category: driver_load
 detection:
- selection:
+ selection_eventid:
 EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
\ No newline at end of file
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
index 702ca6c84..b76bdade5 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -31,7 +31,7 @@ detection:
 ---
 logsource:
 product: windows
- service: sysmon
+ category: driver_load
 detection:
 selection:
 EventID: 6
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
index ae5bf974b..3e8313bf7 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 \ No newline at end of file +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index cd893f908..d598d7f7e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: 
@@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 \ No newline at end of file +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index e15561a51..9664661b0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: 
@@ -16,27 +17,27 @@ falsepositives: - unknown level: medium detection: - selection_1: + selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 \ No newline at end of file +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index 3bad01d92..fcf7920ee 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: 
@@ -16,27 +17,27 @@ falsepositives: - Unknown level: medium detection: - selection_1: + selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 9790bb96b..df37801a0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: @@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 28e5e44fc..2bb42aec1 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml similarity index 75% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 3df3229c0..9ba4f8960 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml 
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 19c236c76..84bf36fd0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) tags: 
@@ -16,27 +17,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index 0504ec1d4..aaa51e80b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -16,27 +16,27 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection and selection_1 + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows - service: sysmon + category: driver_load detection: - selection: + selection_eventid: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 \ No newline at end of file +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml index 41426031c..548473bb9 100644 
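Review bot: This is the only `win_invoke_obfuscation_*_services.yml` rule in the commit whose detection block is restructured without a `modified:` line being added; the hunk header (`@@ -16,27 +16,27 @@`) shows the file length unchanged. Add `modified: 2021/05/27` after `date:` as the sibling rules do so the change is traceable. The inline remark `# FPs with |\/r`, presumably meaning that extending the alternation with `|\/r` produced false positives, would be clearer spelled out, e.g. `# cmd /r deliberately not matched: adding |\/r caused false positives`.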
--- a/rules/windows/builtin/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml @@ -6,7 +6,7 @@ date: 2019/06/20 modified: 2021/03/17 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html tags: - attack.credential_access - attack.t1003 # an old one diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index a9a49ce1d..6a71474a8 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -21,7 +21,7 @@ tags: - attack.t1569.002 - attack.s0005 detection: - selection_1: + selection: - ServiceName|contains: - 'fgexec' - 'wceservice' @@ -39,7 +39,7 @@ detection: - 'gsecdump' - 'servpw' - 'pwdump' - condition: selection and selection_1 + condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: high @@ -53,10 +53,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 4bee531c4..5e9adf31e 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
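Review bot: After this hunk the third document is `category: driver_load` with no detection of its own, so it inherits the global `ServiceName|contains` selection; the Sysmon driver-load event (ID 6) carries `ImageLoaded`, `Hashes` and signature fields but no `ServiceName`, so unless a backend field mapping supplies one this document yields a query that cannot match. Since the rule is about service installs and Sysmon has no service-install event, consider deleting the document rather than re-homing it, or give it a selection such as `ImageLoaded|contains:` over the same tool names. The rule's global header and condition are outside this hunk.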
@@ -1,9 +1,9 @@ title: Malicious Service Installations -id: 5a105d34-05fc-401e-8553-272b45c1522d +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2019/11/01 +modified: 2021/05/27 tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index ef7a11a3f..7e1183737 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -2,9 +2,9 @@ action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation -author: Teymur Kheirkhabarov, Ecco +author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2020/08/23 +modified: 2021/05/20 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -14,7 +14,7 @@ tags: - attack.t1134.001 - attack.t1134.002 detection: - selection_1: + selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - 'cmd' 
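Review bot: Changing the `id:` of an existing rule from `5a105d34-…` to `2cfe636e-…` orphans every SIEM alert, suppression and ticket keyed on the old UUID, and nothing in the hunk records why. If the change is intentional (for example to resolve a duplicate id), keep the link explicit with `related: - id: 5a105d34-05fc-401e-8553-272b45c1522d type: renamed` if the project's schema supports `related`, or at least mention the old id in the description; otherwise the original id should be restored. The rest of the rule is outside this hunk.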
@@ -27,12 +27,18 @@ detection: - '/c' - 'echo' - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - ServiceFileName|contains|all: - 'rundll32' - '.dll,a' - '/p:' - condition: selection and selection_1 + condition: selection fields: - ComputerName - SubjectDomainName @@ -51,10 +57,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml new file mode 100644 index 000000000..70636d9fa --- /dev/null +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -0,0 +1,34 @@ +action: global +title: Moriya Rootkit +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +status: experimental +author: Bhabesh Raj +date: 2021/05/06 +modified: 2021/05/12 +level: critical +falsepositives: + - None +references: + - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: ZzNetSvc + condition: selection +--- +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' + condition: selection diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 2883f3df2..c8c2a4307 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml 
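Review bot: The added technique 1b list (`'cmd.exe'`, `'/c'`, `'echo'`, `'\pipe\'`) is a strict subset of technique 1 directly above it, because any value containing `cmd.exe` also contains `cmd`, so the new block can never match anything technique 1 does not already match. Its comment says it targets the expanded `%COMSPEC%` form, which technique 1 therefore already covers; if the intent is to also catch the unexpanded form stored in the service binary path, the first value should be `'%COMSPEC%'` instead of `'cmd.exe'`. Otherwise the block is dead detection logic and should be dropped.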
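Review bot: The `file_event` document of the new Moriya rule pins the full path `'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'`, so a non-`C:` system drive or relocated Windows directory silently escapes detection even though the file name is the indicator. `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` covers those cases without meaningfully widening the match. The 7045 document keys only on `ServiceName: ZzNetSvc`; if the referenced report also gives the driver's image path, adding it as an alternative selection would survive a renamed service.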
@@ -20,10 +20,9 @@ level: critical --- logsource: product: windows - service: sysmon + category: registry_event detection: selection1: - EventID: 13 TargetObject|contains|all: - 'SYSTEM\' - 'ControlSet' diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 1f5a7e419..01652c7c6 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -5,6 +5,7 @@ description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -16,7 +17,8 @@ detection: - 'powershell' - 'pwsh' condition: service_creation and powershell_as_service -falsepositives: Unknown +falsepositives: + - Unknown level: high --- logsource: diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml index 263de756b..cd0a8900a 100644 --- a/rules/windows/builtin/win_protected_storage_service_access.yml +++ b/rules/windows/builtin/win_protected_storage_service_access.yml @@ -6,7 +6,7 @@ date: 2019/08/10 modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html tags: - attack.lateral_movement - attack.t1021 # an old one @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical 
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 9723914b0..3de3b459a 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -1,11 +1,12 @@ -title: Remote PowerShell Sessions +title: Remote PowerShell Sessions Network Connections (WinRM) id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - attack.t1086 # an old one diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml index f5d90abbb..da2eac46f 100644 --- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml +++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml @@ -6,7 +6,7 @@ date: 2019/08/12 modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html tags: - attack.discovery - attack.t1012 diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index 865cbc5b1..bf753fdca 100644 
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/08/12 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html tags: - attack.discovery logsource: @@ -17,8 +17,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' Keywords: "Audit Failure" + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9c9df1cb1..9501875ab 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/08/15 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html logsource: product: windows service: security @@ -15,8 +15,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml new file mode 100644 index 000000000..e67638118 --- /dev/null +++ b/rules/windows/builtin/win_susp_proceshacker.yml 
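Review bot: Inserting `filter:` above the unchanged `SubjectLogonId: "0x3e4"` line moves that constraint out of `selection`, apparently where it sat before, and inverts its effect — the rule now fires for every logon session except that one — yet the file keeps `date: 2019/08/12` with no `modified:` line. Add `modified: 2021/05/21` (or the actual date) after `date:` so the semantic change is tracked. A short comment would also spare the next reader a lookup: `filter:  # 0x3e4 is the well-known logon id of NETWORK SERVICE`. The identical change in `win_scm_database_privileged_operation.yml` has the same gaps.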
@@ -0,0 +1,24 @@ +title: ProcessHacker Privilege Elevation +id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 +description: Detects a ProcessHacker tool that elevated privileges to a very high level +references: + - https://twitter.com/1kwpeter/status/1397816101455765504 +author: Florian Roth +date: 2021/05/27 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName|startswith: 'ProcessHacker' + AccountName: 'LocalSystem' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index 01e9a7584..360e1a872 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml @@ -6,6 +6,7 @@ author: '@neu5ron' references: - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) - Live environment caused by malware + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 date: 2019/02/05 modified: 2020/01/27 tags: diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index 402e5929f..a5baba352 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -12,9 +12,9 @@ falsepositives: - Legitimate OpenVPN TAP insntallation level: medium detection: - selection_1: + selection: ImagePath|contains: 'tap0901' - condition: selection and selection_1 + condition: selection --- logsource: product: windows @@ -25,10 +25,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows 
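Review bot: The new rule has no `status:` field while every other rule added in this commit carries `status: experimental`; add `status: experimental` below `id:` so it is not treated as stable on first release. The file name `win_susp_proceshacker.yml` drops an `s` from ProcessHacker; renaming it to `win_susp_processhacker.yml` now avoids a history-splitting rename later. `falsepositives: - Unlikely` would be more actionable as `- Legitimate use of Process Hacker by administrators`, if that is indeed the benign source of this 7045 event.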
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml similarity index 96% rename from rules/windows/sysmon/sysmon_cactustorch.yml rename to rules/windows/create_remote_thread/sysmon_cactustorch.yml index 45ab4e3a0..1bd0ff71f 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml @@ -10,7 +10,7 @@ date: 2019/02/01 modified: 2020/08/28 logsource: product: windows - service: sysmon + category: create_remote_thread detection: selection: EventID: 8 diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml similarity index 95% rename from rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index e2b972247..fb0e4c916 100644 --- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml @@ -14,10 +14,9 @@ date: 2018/11/30 modified: 2020/08/28 logsource: product: windows - service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 TargetProcessAddress|endswith: - '0B80' - '0C7C' diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml similarity index 74% rename from rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml rename to rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index bf831b326..30b3da1b2 100644 --- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml 
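Review bot: After switching the logsource to `category: create_remote_thread`, the selection still keeps the context line `EventID: 8`, which the category already implies; the `sysmon_cobaltstrike_process_injection.yml` hunk in this same commit drops that line. Remove `EventID: 8` here as well (and in `sysmon_susp_powershell_rundll32.yml`) so a backend that maps `create_remote_thread` to a non-Sysmon source is not pinned to Sysmon's event id. If the detection block changes, `modified: 2020/08/28` should be bumped too.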
@@ -6,17 +6,16 @@ date: 2019/08/11 modified: 2020/08/28 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html tags: - attack.defense_evasion - attack.t1055 # an old one - attack.t1055.001 logsource: product: windows - service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 StartModule|endswith: '\kernel32.dll' StartFunction: 'LoadLibraryA' condition: selection diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml similarity index 95% rename from rules/windows/sysmon/sysmon_password_dumper_lsass.yml rename to rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml index b26ae3c35..9f5618505 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml @@ -9,10 +9,9 @@ date: 2017/02/19 modified: 2021/04/01 logsource: product: windows - service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 TargetImage: 'C:\Windows\System32\lsass.exe' StartModule: '' condition: selection diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml rename to rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml index c7671d870..d1262e1f7 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml 
@@ -8,7 +8,7 @@ references: date: 2018/06/25 logsource: product: windows - service: sysmon + category: create_remote_thread detection: selection: EventID: 8 diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml similarity index 98% rename from rules/windows/sysmon/sysmon_suspicious_remote_thread.yml rename to rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml index fe2dee61a..d9433e19e 100644 --- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml @@ -14,14 +14,13 @@ references: - https://lolbas-project.github.io logsource: product: windows - service: sysmon + category: create_remote_thread tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055 detection: selection: - EventID: 8 SourceImage|endswith: - '\bash.exe' - '\cvtres.exe' diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml similarity index 88% rename from rules/windows/sysmon/sysmon_ads_executable.yml rename to rules/windows/create_stream_hash/sysmon_ads_executable.yml index 7eaed87c7..5a0995305 100644 --- a/rules/windows/sysmon/sysmon_ads_executable.yml +++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml @@ -14,16 +14,14 @@ date: 2018/06/03 modified: 2020/08/26 logsource: product: windows - service: sysmon + category: create_stream_hash definition: 'Requirements: Sysmon config with Imphash logging activated' detection: - selection: - EventID: 15 filter1: Imphash: '00000000000000000000000000000000' filter2: Imphash: null - condition: selection and not 1 of filter* + condition: not 1 of filter* fields: - TargetFilename - Image 
diff --git a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml similarity index 94% rename from rules/windows/sysmon/sysmon_regedit_export_to_ads.yml rename to rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml index bfd3bb138..34652dad4 100644 --- a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml +++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml @@ -12,10 +12,9 @@ author: Oddvar Moe, Sander Wiebing, oscd.community date: 2020/10/07 logsource: product: windows - service: sysmon + category: create_stream_hash detection: selection: - EventID: 15 Image|endswith: '\regedit.exe' condition: selection fields: diff --git a/rules/windows/dns_query/dns_mega_nz.yml b/rules/windows/dns_query/dns_mega_nz.yml new file mode 100644 index 000000000..dee549f28 --- /dev/null +++ b/rules/windows/dns_query/dns_mega_nz.yml @@ -0,0 +1,22 @@ +title: DNS Query for MEGA.io Upload Domain +id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 +description: Detects DNS queries for subdomains used for upload to MEGA.io +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Mega upload +level: high +logsource: + product: windows + category: dns_query +detection: + dns_request: + EventID: 22 + QueryName|contains: userstorage.mega.co.nz + condition: dns_request \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml similarity index 97% rename from rules/windows/sysmon/sysmon_possible_dns_rebinding.yml rename to rules/windows/dns_query/sysmon_possible_dns_rebinding.yml index 5284ec125..bf301a32a 100644 --- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
+++ b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml @@ -12,10 +12,9 @@ tags: - attack.t1189 logsource: product: windows - service: sysmon + category: dns_query detection: dns_answer: - EventID: 22 QueryName: '*' QueryStatus: '0' filter_int_ip: diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml new file mode 100644 index 000000000..39517aa8b --- /dev/null +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -0,0 +1,30 @@ +title: Vulnerable Dell BIOS Update Driver Load +id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 +description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 +author: Florian Roth +date: 2021/05/05 +references: + - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ +logsource: + category: driver_load + product: windows +tags: + - cve.2021-21551 +detection: + selection_image: + ImageLoaded|contains: '\DBUtil_2_3.Sys' + selection_hash: + Hashes|contains: + - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' + - 'c948ae14761095e4d76b55d9de86412258be7afd' + - 'c996d7971c49252c582171d9380360f2' + - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - '10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'd2fd132ab7bbc6bbb87a84f026fa0244' + + + + condition: selection_image or selection_hash +falsepositives: + - legitimate BIOS driver updates (should be rare) +level: high diff --git a/rules/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml similarity index 93% rename from rules/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml rename to rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml index 0f1cfbf58..f376c51db 100644 
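Review bot: The new sysmon_vuln_dell_driver_load.yml has no `status:` field, unlike every other rule added in this change (dns_mega_nz.yml, win_mal_darkside.yml, sysmon_mal_cobaltstrike.yml all declare `status: experimental`); add `status: experimental` after `id:`. The three empty lines between the `Hashes|contains` list and `condition:` inside `detection:` should be removed. The tag `cve.2021-21551` mixes a dot and a hyphen while every other tag in this change set uses only dots and underscores; check it against the repository's convention for CVE tags before merging.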
--- a/rules/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml @@ -12,10 +12,9 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html logsource: product: windows - service: sysmon + category: file_delete detection: selection: - EventID: 23 TargetFilename|endswith: - '.AAA' - '.ZZZ' diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml index 386636a0c..7406f4e73 100755 --- a/rules/windows/file_event/sysmon_creation_system_file.yml +++ b/rules/windows/file_event/sysmon_creation_system_file.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the creation of a executable with a system process name in a suspicious folder author: Sander Wiebing date: 2020/05/26 -modified: 2020/08/23 +modified: 2021/05/16 tags: - attack.defense_evasion - attack.t1036 # an old one @@ -48,6 +48,8 @@ detection: - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - '\SystemRoot\System32\' + Image|endswith: + - '\Windows\System32\dism.exe' condition: selection and not filter fields: - Image diff --git a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml index 551fff252..f45d3e393 100644 --- a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml +++ b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml @@ -3,6 +3,7 @@ id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da description: Detects processes creating temp files related to PCRE.NET package status: experimental date: 2020/10/29 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -18,4 +19,5 @@ detection: - TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: + - Unknown level: high \ No newline at end of file 
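Review bot: In sysmon_creation_system_file.yml the added `Image|endswith:` key is placed inside the existing `filter` block next to `TargetFilename|startswith:`; if `filter` is a single map rather than a list of maps (the hunk does not show its first line), the two keys are ANDed and the exclusion now applies only when dism.exe writes into one of those system directories, no longer to system-directory writes in general, which silently reopens the rule to everything the filter used to exclude. If the intent is an additional exclusion for dism.exe, give it its own selection, `filter_dism:` with `Image|endswith: '\Windows\System32\dism.exe'`, and change the condition to `condition: selection and not 1 of filter*`. The `filter` block starts before this hunk, so its structure should be confirmed in the full file.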
diff --git a/rules/windows/sysmon/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml similarity index 93% rename from rules/windows/sysmon/sysmon_startup_folder_file_write.yml rename to rules/windows/file_event/sysmon_startup_folder_file_write.yml index cd710e2ec..d20ad26ed 100644 --- a/rules/windows/sysmon/sysmon_startup_folder_file_write.yml +++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml @@ -12,10 +12,9 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html logsource: product: windows - service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml similarity index 93% rename from rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml rename to rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index d6cca64d8..e9e962736 100644 --- a/rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml @@ -12,10 +12,9 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html logsource: product: windows - service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename|endswith: '.pfx' condition: selection falsepositives: diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml new file mode 100644 index 000000000..e2b9f0c1e --- /dev/null +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml 
@@ -0,0 +1,24 @@ +title: Outlook C2 Macro Creation +id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 +status: experimental +description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. +references: + - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +author: '@ScoubiMtl' +tags: + - attack.persistence + - command_and_control + - attack.t1137 + - attack.t1008 + - attack.t1546 +date: 2021/04/05 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM' + condition: selection +falsepositives: + - User genuinly creates a VB Macro for their email +level: medium diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml new file mode 100644 index 000000000..d812472ed --- /dev/null +++ b/rules/windows/file_event/win_rclone_exec_file.yml @@ -0,0 +1,23 @@ +title: Rclone Config File Creation +id: 34986307-b7f4-49be-92f3-e7a4d01ac5db +description: Detects Rclone config file being created +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Rclone usage (rare) +level: high +logsource: + product: windows + category: file_event +detection: + file_selection: + EventID: 11 + TargetFilename: + - 'C:\Users\*\.config\rclone\*' + condition: file_selection \ No newline at end of file diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..fa78485a0 100644 
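Review bot: The tag `- command_and_control` in win_outlook_c2_macro_creation.yml lacks the `attack.` prefix used by every other tactic tag in this rule and in the rest of the commit (`attack.persistence`, `attack.exfiltration`), so it is not a valid ATT&CK tactic tag; change it to `- attack.command_and_control`. The `falsepositives` entry also has a typo: `User genuinly creates` should read `User genuinely creates`.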
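Review bot: `TargetFilename: - 'C:\Users\*\.config\rclone\*'` in win_rclone_exec_file.yml hard-codes the profile root, so a relocated profiles directory or a system drive other than C: is missed, and the trailing `*` adds nothing; `TargetFilename|contains: '\.config\rclone\'` expresses the same intent more robustly. The file is also added without a trailing newline (`\ No newline at end of file`), which the repository otherwise avoids, as the win_mal_octopus_scanner.yml hunk below shows.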
--- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -11,11 +12,11 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html logsource: product: windows - service: image_load + category: image_load detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' filter: Image|endswith: '\powershell.exe' condition: selection and not filter diff --git a/rules/windows/image_load/sysmon_pcre_net_load.yml b/rules/windows/image_load/sysmon_pcre_net_load.yml index b66033bed..383a83b9d 100644 --- a/rules/windows/image_load/sysmon_pcre_net_load.yml +++ b/rules/windows/image_load/sysmon_pcre_net_load.yml @@ -3,6 +3,7 @@ id: 84b0a8f3-680b-4096-a45b-e9a89221727c description: Detects processes loading modules related to PCRE.NET package status: experimental date: 2020/10/29 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -18,4 +19,5 @@ detection: - ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: + - Unknown level: high \ No newline at end of file diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml index b0d0303f9..111759c39 100755 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml 
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml @@ -6,7 +6,7 @@ date: 2019/09/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - attack.t1086 # an old one @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' condition: selection fields: - ComputerName diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml index d5fa64cb8..ba7f3d7d4 100644 --- a/rules/windows/image_load/sysmon_susp_python_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml @@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 +modified: 2021/05/12 author: Patrick St. John, OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'Python Core' diff --git a/rules/windows/sysmon/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_system_drawing_load.yml rename to rules/windows/image_load/sysmon_susp_system_drawing_load.yml index 22f216a6a..771952fe7 100644 --- a/rules/windows/sysmon/sysmon_susp_system_drawing_load.yml 
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml @@ -12,7 +12,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html logsource: product: windows - service: image_load + category: image_load detection: selection: ImageLoaded|endswith: '\System.Drawing.ni.dll' diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 6b46e7b0f..e93309383 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -6,7 +6,7 @@ date: 2019/08/10 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html tags: - attack.execution - attack.t1047 diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 4975c1e95..c200959a2 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 -modified: 2019/10/04 -author: Florian Roth +modified: 2021/05/09 +author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ logsource: product: antivirus detection: selection: - FileName|startswith: - - 'C:\Windows\Temp\' + - 'C:\Windows\' - 'C:\Temp\' - 'C:\PerfLogs\' - 'C:\Users\Public\' - 'C:\Users\Default\' - FileName|contains: - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' selection2: Filename|endswith: - '.ps1' + - '.psm1' - '.vbs' - '.bat' + - '.cmd' + - '.sh' - '.chm' - '.xml' - '.txt' @@ -30,8 +40,18 @@ detection: - '.jspx' - '.asp' - '.aspx' + - '.ashx' + - '.asax' + - '.asmx' - '.php' + - '.cfm' + - '.py' + - '.pyc' + - '.pl' + - '.rb' + - '.cgi' - '.war' + - '.ear' - '.hta' - '.lnk' - '.scf' @@ -39,6 +59,12 @@ detection: - '.vbe' - '.wsf' - '.wsh' + - '.gif' + - '.png' + - '.jpg' + - '.jpeg' + - '.svg' + - '.dat' condition: selection or selection2 fields: - Signature diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3942662be..3d9cc3105 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml 
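Review bot: `selection2` in av_relevant_files.yml matches on `Filename|endswith` while `selection`, whose lists this hunk extends, uses `FileName|startswith` and `FileName|contains`; backend field mappings treat the two spellings as distinct keys, so unless the antivirus logsource mapping covers both, one of the two selections never matches and `condition: selection or selection2` silently degrades to a single branch. Aligning the key to `FileName|endswith:` (or whichever spelling the antivirus mapping defines) fixes this. The extension list continues past the hunk boundaries, so the remaining entries are not visible here.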
@@ -1,14 +1,19 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 -description: Detects a highly relevant Antivirus alert that reports a web shell +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. date: 2018/09/09 -modified: 2001/01/07 +modified: 2021/05/08 author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - attack.t1100 
@@ -18,26 +23,48 @@ logsource: detection: selection: - Signature|startswith: - - "PHP/Backdoor" - - "JSP/Backdoor" - - "ASP/Backdoor" - - "Backdoor.PHP" - - "Backdoor.JSP" - - "Backdoor.ASP" - - "Backdoor?Java" + - "PHP/" + - "JSP/" + - "ASP/" + - "Perl/" + - "PHP." + - "JSP." + - "ASP." + - "Perl." + - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops + - "IIS/BackDoor" + - "JAVA/Backdoor" + - "Troj/ASP" + - "Troj/PHP" + - "Troj/JSP" - Signature|contains: - "Webshell" - "Chopper" + - "SinoChoper" - "ASPXSpy" - "Aspdoor" + - "filebrowser" + - "PHP_" + - "JSP_" + - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops - "PHP:" + - "JSP:" + - "ASP:" + - "Perl:" - "PHPShell" - "Trojan.PHP" - "Trojan.ASP" - "Trojan.JSP" + - "Trojan.VBS" - "PHP?Agent" - "ASP?Agent" - "JSP?Agent" + - "VBS?Agent" + - "Backdoor?PHP" + - "Backdoor?JSP" + - "Backdoor?ASP" + - "Backdoor?VBS" + - "Backdoor?Java" condition: selection fields: - FileName diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index 65afffb47..987e7a7fe 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -11,7 +11,7 @@ tags: - attack.t1112 logsource: product: windows - service: sysmon + category: registry_event detection: selection: EventID: diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml index c40f28d76..0752d9584 100644 --- a/rules/windows/malware/win_mal_blue_mockingbird.yml +++ b/rules/windows/malware/win_mal_blue_mockingbird.yml @@ -37,9 +37,8 @@ detection: --- logsource: product: windows - service: sysmon + category: registry_event detection: mod_reg: - EventID: 13 TargetObject|endswith: - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' 
diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml new file mode 100644 index 000000000..26d609be4 --- /dev/null +++ b/rules/windows/malware/win_mal_darkside.yml @@ -0,0 +1,28 @@ +title: DarkSide Ransomware Pattern +id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c +author: Florian Roth +date: 2021/05/14 +description: Detects DarkSide Ransomware and helpers +status: experimental +references: + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/ + - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - "=[char][byte]('0x'+" + - ' -work worker0 -path ' + selection2: + ParentCommandLine|contains: + - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + Image|contains: + - '\AppData\Local\Temp\' + condition: 1 of them +falsepositives: + - Unknown + - UAC bypass method used by other malware +level: critical diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index d033b4b84..95a72af54 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -11,7 +11,7 @@ tags: date: 2020/06/09 logsource: product: windows - service: sysmon + category: registry_event detection: selection: EventID: diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml index 0c710eae5..a76955bea 100644 --- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml 
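Review bot: win_mal_darkside.yml has no `tags:` block, so it carries no ATT&CK mapping, whereas every other rule added in this change set does; a tactic/technique pair such as `- attack.impact` and `- attack.t1486` fits the ransomware pattern, and the UAC-bypass parent process in `selection2` could additionally be mapped to `attack.t1548.002`. `selection2` ANDs `ParentCommandLine|contains` with `Image|contains: '\AppData\Local\Temp\'`, which is what the falsepositives entry about other malware refers to; a one-line comment on that selection naming the UAC-bypass origin would help later tuning.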
@@ -11,15 +11,13 @@ author: NVISO date: 2020/06/09 logsource: product: windows - service: sysmon + category: file_event detection: - filecreate: - EventID: 11 selection: TargetFilename|endswith: - '\AppData\Local\Microsoft\Cache134.dat' - '\AppData\Local\Microsoft\ExplorerSync.db' - condition: filecreate and selection + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml index a0c51c74a..ca934073f 100644 --- a/rules/windows/malware/win_mal_ursnif.yml +++ b/rules/windows/malware/win_mal_ursnif.yml @@ -12,10 +12,9 @@ author: megan201296 date: 2019/02/13 logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 13 TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\' condition: selection falsepositives: diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index 124148c19..ab68f0b04 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -4,7 +4,7 @@ description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - - attack.execution # example MITRE ATT&CK category + - attack.execution - attack.t1127.001 status: experimental author: Kiran kumar s, oscd.community diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index ad50510af..b42525448 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml 
@@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1096148422984384514 author: Samir Bousseaden date: 2019/02/16 -modified: 2020/08/24 +modified: 2021/05/11 tags: - attack.command_and_control - attack.t1572 @@ -25,7 +25,7 @@ detection: selection2: - DestinationIp|startswith: - '127.' - - DestinationIP: + - DestinationIp: - '::1' condition: selection and selection2 falsepositives: diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml index de8934dcb..f25bc0b42 100755 --- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ date: 2019/09/12 modified: 2020/08/24 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/win_defender_history_delete.yml index cbdaac309..21f32acef 100644 --- a/rules/windows/other/win_defender_history_delete.yml +++ b/rules/windows/other/win_defender_history_delete.yml @@ -6,12 +6,13 @@ author: Cian Heasley references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus date: 2020/08/13 +modified: 2021/05/30 tags: - attack.defense_evasion - attack.t1070.001 logsource: - category: windows - product: windef + product: windows + service: windefend detection: selection: EventID: 1013 
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml new file mode 100644 index 000000000..737133055 --- /dev/null +++ b/rules/windows/other/win_lateral_movement_condrv.yml @@ -0,0 +1,28 @@ +title: Lateral Movement Indicator ConDrv +id: 29d31aee-30f4-4006-85a9-a4a02d65306c +status: stable +description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context. +author: Janantha Marasinghe +date: 2021/04/27 +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm + - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html +tags: + - attack.lateral_movement + - attack.execution + - attack.t1021 + - attack.t1059 +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4674 + ObjectServer: 'Security' + ObjectType: 'File' + ObjectName: '\Device\ConDrv' + condition: selection +falsepositives: + - Penetration tests where lateral movement has occured. This event will be created on the target host. +level: high diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index da829faa9..df5118234 100644 --- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml 
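Review bot: `definition:` under `logsource` in win_lateral_movement_condrv.yml is left empty (a null value), which carries no information and may trip the rule tests; either drop the key or state the audit requirement, e.g. `definition: 'Requires the audit policy that generates Event ID 4674 (privileged object operations) to be enabled'`. `status: stable` on a newly added rule is inconsistent with the other new rules in this commit, which all start as `experimental`. Two typos in the text: `should to be correlated` should read `should be correlated`, and `occured` should read `occurred`.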
@@ -4,13 +4,14 @@ status: stable description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. references: - https://www.secura.com/blog/zero-logon + - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382 author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community' date: 2020/10/13 +modified: 2021/05/30 tags: - attack.t1210 - attack.lateral_movement logsource: - category: other service: system product: windows detection: diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 76f9deda4..3dee48d03 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,7 +5,7 @@ status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke date: 2017/06/12 -modified: 2020/08/23 +modified: 2021/05/16 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -22,6 +22,8 @@ fields: - ParentCommandLine - ServiceName - ServiceFileName + - TargetFileName + - PipeName falsepositives: - unknown level: low @@ -45,3 +47,17 @@ detection: sysmon_processcreation: Image|endswith: '\PSEXESVC.exe' User: 'NT AUTHORITY\SYSTEM' +--- +logsource: + category: pipe_created + product: windows +detection: + sysmon_pipecreated: + PipeName: '\PSEXESVC' +--- +logsource: + category: file_event + product: windows +detection: + sysmon_filecreation: + TargetFileName|endswith: '\PSEXESVC.exe' 
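Review bot: The new `file_event` section of win_tool_psexec.yml uses `TargetFileName|endswith: '\PSEXESVC.exe'` (and `fields:` gains `TargetFileName`), whereas the Sysmon file-creation field is spelled `TargetFilename` everywhere else in this change set (sysmon_sysinternals_sdelete_file_deletion.yml, sysmon_susp_pfx_file_creation.yml, win_mal_octopus_scanner.yml); field mappings are case-sensitive, so this section is unlikely to ever fire. Rename both occurrences to `TargetFilename`. The `PipeName: '\PSEXESVC'` exact match in the `pipe_created` section covers only the service's main pipe; if the referenced JPCERT analysis confirms the per-session `\PSEXESVC-` prefixed pipes, `PipeName|startswith: '\PSEXESVC'` would cover both. The rule's earlier sections and its `condition` start outside this hunk.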
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml similarity index 80% rename from rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml rename to rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 4e064bc8e..742aaae95 100644 --- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml @@ -6,17 +6,16 @@ date: 2019/09/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html tags: - attack.execution - attack.t1086 # an old one - attack.t1059.001 logsource: product: windows - service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|startswith: '\PSHost' filter: Image|endswith: diff --git a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml similarity index 93% rename from rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml rename to rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index 8ea9e3d5b..313d3435a 100755 --- a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -10,13 +10,10 @@ tags: author: Markus Neis logsource: product: windows - service: sysmon + category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection - '\userpipe' # ruag apt case 
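Review bot: The `definition:` context line in sysmon_apt_turla_namedpipes.yml still reads `'...PipeEvents in Symson config'`, the same typo that the later hunk for sysmon_mal_namedpipes.yml corrects to `Sysmon`; since this hunk already rewrites the adjacent logsource lines, fixing it here keeps the two rules consistent: `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'`. The PipeName list continues past the hunk boundary.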
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml similarity index 95% rename from rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml rename to rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 393aa87b3..ad56fd69a 100644 --- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -15,10 +15,9 @@ tags: - attack.t1003.005 logsource: product: windows - service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|contains: - '\lsadump' - '\cachedump' diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml new file mode 100644 index 000000000..3075d846d --- /dev/null +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
@@ -0,0 +1,36 @@
+title: CobaltStrike Named Pipe
+id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+status: experimental
+description: Detects the creation of a named pipe as used by CobaltStrike
+references:
+ - https://twitter.com/d4rksystem/status/1357010969264873472
+ - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+ - https://github.com/Neo23x0/sigma/issues/253
+ - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
+date: 2021/05/25
+author: Florian Roth, Wojciech Lesicki
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+detection:
+ selection_MSSE:
+ PipeName|contains|all:
+ - '\MSSE-'
+ - '-server'
+ selection_postex:
+ PipeName|startswith: '\postex_'
+ selection_postex_ssh:
+ PipeName|startswith: '\postex_ssh_'
+ selection_status:
+ PipeName|startswith: '\status_'
+ selection_msagent:
+ PipeName|startswith: '\msagent_'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_mal_namedpipes.yml
rename to rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index 195aee32c..e425bf51b 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
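Review bot: `selection_postex_ssh` (`\postex_ssh_`) is fully contained in `selection_postex` (`\postex_`), so under `condition: 1 of them` it can never contribute a match that the broader selection does not already produce; drop it, or keep the name only as a comment if the distinction is meant as documentation. `selection_MSSE` uses `contains|all`, which accepts any pipe name carrying both substrings anywhere in it rather than the `\MSSE-<n>-server` shape the references describe; `PipeName|startswith: '\MSSE-'` combined with `PipeName|endswith: '-server'` pins the form. The `attack.t1055` tag with defense_evasion/privilege_escalation describes process injection, whereas the rule observes the pipes used for post-exploitation communication, so the technique mapping is worth a second look.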
@@ -5,16 +5,13 @@ description: Detects the creation of a named pipe used by known APT malware references: - Various sources date: 2017/11/06 -author: Florian Roth +author: Florian Roth, blueteam0ps logsource: product: windows - service: sysmon - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\isapi_http' # Uroburos Malware Named Pipe - '\isapi_dg' # Uroburos Malware Named Pipe @@ -29,9 +26,14 @@ detection: - '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input - '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A - '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0 - - '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 - '\gruntsvc' # Covenant default named pipe # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - '\svcctl' #Crackmapexec smbexec default named pipe + - '\Posh*' #PoshC2 default + - '\jaccdpqnvbrrxlaf' #PoshC2 default + - '\csexecsvc' #CSEXEC default condition: selection tags: - attack.defense_evasion 
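Review bot: `\svcctl` is the standard named pipe behind the Service Control Manager RPC interface on every Windows host, so in a rule whose description says "named pipe used by known APT malware" it will produce hits on routine remote service management and any client that connects to SCM, wherever pipe-connect events are logged; if the smbexec pattern is the goal, pair the name with a source-process condition or move it to a separate, lower-level rule rather than listing it beside malware-specific pipes. `\Posh*` is a leading-wildcard match on anything starting with Posh, which is broader than the two PoshC2 defaults the comments describe. With `\msagent_*` removed and `status_` now covered by sysmon_mal_cobaltstrike.yml, the commented `# - '\status_*'` line left in this list only invites the two rules to drift and can go as well. The `modified` field for this 2017 rule is outside the hunk and should be checked for a bump.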
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml similarity index 93% rename from rules/windows/sysmon/sysmon_powershell_execution_pipe.yml rename to rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml index bd1ea4281..0546b2cdc 100644 --- a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml +++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml @@ -11,10 +11,9 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html logsource: product: windows - service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|startswith: '\PSHost' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml similarity index 91% rename from rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml rename to rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index 8ac9f2e3a..258a0a1d9 100644 --- a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -11,13 +11,10 @@ tags: - attack.t1021.002 logsource: product: windows - service: sysmon + category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: - EventID: - - 17 - - 18 PipeName|startswith: - 'psexec' - 'paexec' diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 9c4f4342f..4189204e1 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml 
@@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
+modified: 2021/05/21
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
 - https://twitter.com/bohops/status/948061991012327424
@@ -20,5 +21,6 @@ detection:
 - 'CL_Invocation.ps1'
 - 'SyncInvoke'
 condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
index f22022cf9..c8b63179e 100644
--- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
@@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
+modified: 2021/05/21
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
 - https://twitter.com/bohops/status/948061991012327424
@@ -22,5 +23,6 @@ detection:
 condition: selection2 | count(ScriptBlockText) by Computer > 2
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
 # PS > SyncInvoke c:\Evil.exe
-falsepositives: Unknown
+falsepositives:
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
index 46cbd45be..341b51f79 100644
--- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
@@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
+modified: 2021/05/21
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
 - https://twitter.com/pabraeken/status/995111125447577600
@@ -20,5 +21,6 @@ detection:
 - 'CL_Mutexverifiers.ps1'
 - 'runAfterCancelProcess'
 condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
index f7c4075fa..c4b47e1b8 100644
--- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
@@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
+modified: 2021/05/21
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
 - https://twitter.com/pabraeken/status/995111125447577600
@@ -22,5 +23,6 @@ detection:
 condition: selection2 | count(ScriptBlockText) by Computer > 2
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
 # PS > runAfterCancelProcess c:\Evil.exe
-falsepositives: Unknown
+falsepositives:
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 11cb82fbf..6346854c7 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -1,15 +1,31 @@ +action: global title: Alternate PowerShell Hosts id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 +modified: 2021/06/01 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one +falsepositives: + - Programs using PowerShell directly without invocation of a dedicated interpreter + - MSP Detection Searcher + - Citrix ConfigSync.ps1 +level: medium +detection: + filter: + - ContextInfo: 'powershell.exe' + - Message: 'powershell.exe' + # Both fields contain key=value pairs where the key HostApplication is relevant but + # can't be referred directly as event field. + condition: selection and not filter + +--- logsource: product: windows service: powershell @@ -17,16 +33,13 @@ detection: selection: EventID: - 4103 - - 400 ContextInfo: '*' - filter: - - ContextInfo: 'powershell.exe' - - Message: 'powershell.exe' - # Both fields contain key=value pairs where the key HostApplication is relevant but - # can't be referred directly as event field. - condition: selection and not filter -falsepositives: - - Programs using PowerShell directly without invocation of a dedicated interpreter - - MSP Detection Searcher - - Citrix ConfigSync.ps1 -level: medium +--- +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: + - 400 + ContextInfo: '*' \ No newline at end of file diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml index 47d220c50..829a9dba8 100644 
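Review bot: The `filter` moved into the new global section keeps `ContextInfo: 'powershell.exe'` and `Message: 'powershell.exe'` as plain values, which in Sigma are whole-field comparisons unless the value carries a wildcard; the comment right below says both fields hold key=value pairs, so as written the filter most likely never excludes anything and `selection and not filter` collapses to `selection`. The wsman rule later in this same commit expresses the equivalent exclusion as `Message|contains: 'HostApplication=*powershell'`; `ContextInfo|contains: 'HostApplication=*powershell'` plus the same for `Message` would make the two rules agree. This is pre-existing content carried over by the split, so it may be deliberate for a backend that treats bare strings as substrings, but it is worth confirming now that the rule has been reworked and `modified` bumped.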
--- a/rules/windows/powershell/powershell_code_injection.yml +++ b/rules/windows/powershell/powershell_code_injection.yml @@ -11,12 +11,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: sysmon + category: create_remote_thread definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config' detection: selection: - EventID: - - 8 SourceImage|endswith: '\powershell.exe' condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index ac20a73c2..6d19dc2e1 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml @@ -1,5 +1,5 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +id: e54f5149-6ba3-49cf-b153-070d24679126 description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index 52573917f..21547f4dd 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml @@ -3,6 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 +modified: 2021/04/23 references: - https://github.com/samratashok/nishang tags: @@ -78,7 +79,7 @@ detection: - DataToEncode - LoggedKeys - OUT-DNSTXT - - Jitter + # - Jitter # Prone to FPs - ExfilOption - DumpCerts - DumpCreds 
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml new file mode 100644 index 000000000..b2a3162fe --- /dev/null +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml 
@@ -0,0 +1,98 @@
+title: Malicious PowerView PowerShell Commandlets
+id: dcd74b95-3f36-4ed9-9598-0490951643aa
+status: experimental
+description: Detects Commandlet names from PowerView of PowerSploit exploitation framework
+date: 2021/05/18
+references:
+ - https://powersploit.readthedocs.io/en/stable/Recon/README
+ - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+ - https://thedfirreport.com/2020/10/08/ryuks-return
+tags:
+ - attack.execution
+ - attack.t1059.001
+author: Bhabesh Raj
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Export-PowerViewCSV
+ - Resolve-IPAddress
+ - ConvertTo-SID
+ - Convert-ADName
+ - ConvertFrom-UACValue
+ - Add-RemoteConnection
+ - Remove-RemoteConnection
+ - Invoke-UserImpersonation
+ - Invoke-RevertToSelf
+ - Get-DomainSPNTicket
+ - Invoke-Kerberoast
+ - Get-PathAcl
+ - Get-DomainDNSZone
+ - Get-DomainDNSRecord
+ - Get-Domain
+ - Get-DomainController
+ - Get-Forest
+ - Get-ForestDomain
+ - Get-ForestGlobalCatalog
+ - Find-DomainObjectPropertyOutlier-
+ - Get-DomainUser
+ - New-DomainUser
+ - Set-DomainUserPassword
+ - Get-DomainUserEvent
+ - Get-DomainComputer
+ - Get-DomainObject
+ - Set-DomainObject
+ - Get-DomainObjectAcl
+ - Add-DomainObjectAcl
+ - Find-InterestingDomainAcl
+ - Get-DomainOU
+ - Get-DomainSite
+ - Get-DomainSubnet
+ - Get-DomainSID
+ - Get-DomainGroup
+ - New-DomainGroup
+ - Get-DomainManagedSecurityGroup
+ - Get-DomainGroupMember
+ - Add-DomainGroupMember
+ - Get-DomainFileServer
+ - Get-DomainDFSShare
+ - Get-DomainGPO
+ - Get-DomainGPOLocalGroup
+ - Get-DomainGPOUserLocalGroupMapping
+ - Get-DomainGPOComputerLocalGroupMapping
+ - Get-DomainPolicy
+ - Get-NetLocalGroup
+ - Get-NetLocalGroupMember
+ - Get-NetShare
+ - Get-NetLoggedon
+ - Get-NetSession
+ - Get-RegLoggedOn
+ - Get-NetRDPSession
+ - Test-AdminAccess
+ - Get-NetComputerSiteName
+ - Get-WMIRegProxy
+ - Get-WMIRegLastLoggedOn
+ - Get-WMIRegCachedRDPConnection
+ - Get-WMIRegMountedDrive
+ - Get-WMIProcess
+ - Find-InterestingFile
+ - Find-DomainUserLocation
+ - Find-DomainProcess
+ - Find-DomainUserEvent
+ - Find-DomainShare
+ - Find-InterestingDomainShareFile
+ - Find-LocalAdminAccess
+ - Find-DomainLocalGroupMember
+ - Get-DomainTrust
+ - Get-ForestTrust
+ - Get-DomainForeignUser
+ - Get-DomainForeignGroupMember
+ - Get-DomainTrustMapping
+ condition: selection
+falsepositives:
+ - Should not be any as administrators do not use this tool
+level: high
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 710a4a931..80f74507d 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
 modified: 2020/08/24
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
new file mode 100644
index 000000000..ac4077fdb
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
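Review bot: `ScriptBlockText:` lists the cmdlet names as plain values, which Sigma treats as whole-field matches, so this selection only fires when an entire logged script block equals a single cmdlet name; the two other new PowerShell rules in this commit use `ScriptBlockText|contains:` and this rule needs the same modifier to do what its description says. `Find-DomainObjectPropertyOutlier-` has a trailing hyphen and will never match the real cmdlet name `Find-DomainObjectPropertyOutlier`. Once `|contains` is in place, short entries such as `Get-Domain` and `Get-Forest` become prefixes of many of the longer ones (redundant rather than wrong), and the `Should not be any as administrators do not use this tool` false-positive claim should be re-checked against administrative scripts that load the module. `recommanded` in `definition` is a typo for `recommended`, and the unquoted definition string differs in style from the quoted one used by the sibling rules.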
@@ -0,0 +1,25 @@
+title: Suspicious Export-PfxCertificate
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+status: experimental
+description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+ - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Export-PfxCertificate"
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
new file mode 100644
index 000000000..cb8754e21
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
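Review bot: `provate keys` in the description is a typo for `private keys`. The selection is named `keywords` although it is a field-based mapping, which reads as if it were a Sigma keyword list; a name such as `selection`, as used by every other rule in this commit, avoids the confusion. The single-element list under `ScriptBlockText|contains:` could be the scalar `ScriptBlockText|contains: 'Export-PfxCertificate'`, though that is cosmetic.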
@@ -0,0 +1,24 @@
+title: PowerShell Get-Process LSASS in ScriptBlock
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+status: experimental
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Get-Process lsass'
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml
index d1bb7343c..e07a660ad 100644
--- a/rules/windows/powershell/powershell_suspicious_profile_create.yml
+++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml
@@ -9,10 +9,8 @@ date: 2019/10/24
 modified: 2020/08/24
 logsource:
 product: windows
- service: sysmon
+ category: file_event
 detection:
- event:
- EventID: 11
 target1:
 TargetFilename|contains|all:
 - '\My Documents\PowerShell\'
@@ -21,7 +19,7 @@ detection:
 TargetFilename|contains|all:
 - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
 - '\profile.ps1'
- condition: event and (target1 or target2)
+ condition: target1 or target2
 falsepositives:
 - System administrator create Powershell profile manually
 level: high
diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
index af7203148..b65954289 100644
--- a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
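Review bot: The `falsepositives` entry `Legitimate certificate exports invoked by administrators or users ...` is copied verbatim from the Export-PfxCertificate rule and does not describe this rule; something like `- Administrative or troubleshooting scripts that enumerate the lsass process` fits. `'Get-Process lsass'` covers only the positional form, so the description's claim of catching "a Get-Process command on lsass process" is wider than the pattern; either add the named-parameter forms (`Get-Process -Name lsass`, `Get-Process -ProcessName lsass`) and the `gps lsass` alias to the list, or narrow the description to the positional form. The same `keywords` selection-name remark as on the previous rule applies. In the profile_create hunk further down, `EventID: 11` is replaced by `category: file_event` without touching `modified: 2020/08/24`.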
+++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml @@ -3,6 +3,7 @@ id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. status: experimental date: 2020/06/24 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -23,4 +24,5 @@ detection: Message|contains: 'HostApplication=*powershell' condition: selection and not filter falsepositives: + - Unknown level: medium diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index ab1bd80de..dfaf68fcc 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2020/08/24 +modified: 2021/05/16 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -44,6 +44,7 @@ detection: - '\procexp64.exe' - '\procexp.exe' - '\lsm.exe' + - '\MsMpEng.exe' - '\csrss.exe' - '\wininit.exe' - '\vmtoolsd.exe' diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 615b10461..50b71bbea 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
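Review bot: `\MsMpEng.exe` is appended to a `SourceImage|endswith` exclusion list, which exempts by file name alone, so any process bearing that name in any directory is excluded from the LSASS-access rule; the existing entries share the weakness, but for the Defender engine the install location is well known, so combining the name with a `SourceImage|contains: '\Windows Defender\Platform\'` condition (or the full-path form) keeps the new exemption narrow without losing the intended false-positive reduction. The enclosing filter block starts outside the hunk, so the exact selection to extend is not visible here.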
@@ -7,7 +7,7 @@ description: Detects the access to processes by other suspicious processes which routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2020/08/24 +modified: 2021/05/16 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ @@ -44,7 +44,10 @@ detection: - "0x1F2FFF" - "0x1F3FFF" - "0x1FFFFF" - condition: (selection1 or selection2) or (selection3 and granted_access) + filter: + SourceImage|endswith: + - '\Windows\System32\sdiagnhost.exe' + condition: (selection1 or selection2) or (selection3 and granted_access) and not filter fields: - ComputerName - User diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 053ce0b56..578d232f6 100755 --- a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml @@ -3,6 +3,7 @@ id: a49fa4d5-11db-418c-8473-1e014a8dd462 description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. status: experimental date: 2020/10/20 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -20,4 +21,5 @@ detection: CallTrace|contains: 'comsvcs.dll' condition: selection falsepositives: + - Unknown level: critical diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml new file mode 100644 index 000000000..44e421b35 --- /dev/null +++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml 
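Review bot: `condition: (selection1 or selection2) or (selection3 and granted_access) and not filter` applies `and not filter` only to the `(selection3 and granted_access)` branch, because `and` binds tighter than `or` in Sigma conditions; sdiagnhost.exe hits that arrive through `selection1` or `selection2` are still raised, which is presumably not what the new filter intends. Parenthesize the whole disjunction: `condition: ((selection1 or selection2) or (selection3 and granted_access)) and not filter`. The filter also excludes on the `SourceImage` name with `endswith`, so the same name-only caveat as for the LSASS-access rule's allow-list applies; the full `\Windows\System32\` prefix already in the value helps, and keeping it is the right call.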
@@ -0,0 +1,31 @@
+title: Suspicious Shells Spawn by WinRM
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+description: Detects suspicious shell spawn from WinRM host process
+status: experimental
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+modified: 2021/05/22
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\wsmprovhost.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\powershell.exe'
+ - '*\schtasks.exe'
+ - '*\certutil.exe'
+ - '*\whoami.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+falsepositives:
+ - Legitimate WinRM usage
+level: high
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_SDelete.yml
new file mode 100644
index 000000000..78d444273
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_SDelete.yml
@@ -0,0 +1,32 @@
+title: Sysinternals SDelete Delete File
+id: a4824fca-976f-4964-b334-0621379e84c4
+status: experimental
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: sdelete.exe
+ filter:
+ CommandLine|contains:
+ - ' -h'
+ - ' -c'
+ - ' -z'
+ - ' /?'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+level: medium
diff --git a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 000000000..5289718b6
--- /dev/null
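Review bot: The WinRM rule is tagged `attack.t1190` with initial_access, persistence and privilege_escalation, but a shell spawned by `wsmprovhost.exe` is the footprint of command execution over WinRM, which ATT&CK files under Remote Services: Windows Remote Management (`attack.t1021.006`, lateral_movement); the present tags will send triage in the wrong direction. `ParentImage: '*\wsmprovhost.exe'` and the `Image` entries use leading wildcards while the other process_creation rules in this commit use `|endswith`; `ParentImage|endswith: '\wsmprovhost.exe'` and `Image|endswith:` keep the repository consistent. Remote automation that calls `cmd.exe` or `powershell.exe` from inside a PSSession is commonplace in many estates, so with `level: high` the `Legitimate WinRM usage` false positive may dominate; consider a lower level or an environment-specific filter hint in the rule. In the SDelete rule, the bare `OriginalFileName: sdelete.exe` may not cover the 64-bit build if its PE metadata differs — worth confirming against the binary before relying on it.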
+++ b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,24 @@
+title: F-Secure C3 Load by Rundll32
+status: experimental
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+references:
+ - https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartNodeRelay'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
new file mode 100644
index 000000000..580898f69
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -0,0 +1,26 @@
+title: CobaltStrike Load by Rundll32
+status: experimental
+id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
+author: Wojciech Lesicki
+date: 2021/06/01
+description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+references:
+ - https://www.cobaltstrike.com/help-windows-executable
+ - https://redcanary.com/threat-detection-report/
+ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartW'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index bbc19c20a..1c7b2054c 100644
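Review bot: In the CobaltStrike rule, `'StartW'` under `CommandLine|contains|all` matches any export name that merely begins with those six characters once `rundll32.exe` and `.dll` are also present, which is a thin basis for `level: critical`; rundll32 separates the entry point from the module with a comma, so `',StartW'` narrows the match without losing the documented form. Both rules also insist on the literal `rundll32.exe` in the command line and therefore miss invocations that omit the extension; an `Image|endswith: '\rundll32.exe'` selection, the form used by other process_creation rules in this repository, is robust to that and can be combined with the export-name check. The C3 rule's `StartNodeRelay` token is specific enough on its own, and `can be use` in the CobaltStrike description should read `can be used`.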
--- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Commandline|endswith: + CommandLine|endswith: - '.dll' - '.csproj' Image|endswith: @@ -30,4 +30,4 @@ fields: falsepositives: - System administrator Usage - Penetration test -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index cf35510fa..08b586762 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -1,6 +1,6 @@ title: Execute Files with Msdeploy.exe status: experimental -id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 +id: 646bc99f-6682-4b47-a73a-17b1b64c9d34 author: Beyu Denis, oscd.community date: 2020/10/18 description: Detects file execution using the msdeploy.exe lolbin @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Commandline|contains|all: + CommandLine|contains|all: - 'verb:sync' - '-source:RunCommand' - '-dest:runCommand' @@ -31,4 +31,4 @@ fields: falsepositives: - System administrator Usage - Penetration test -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml similarity index 100% rename from rules/windows/process_creation/cmstp_execution.yml rename to rules/windows/process_creation/sysmon_cmstp_execution.yml diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index 2feca4fc3..52ffcbc05 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml 
@@ -9,6 +9,7 @@ tags:
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
+modified: 2021/05/21
 logsource:
 category: process_creation
 product: windows
@@ -22,5 +23,6 @@ detection:
 Length_selection:
 CommandLine|re: '.{1000,}'
 condition: all of them
-falsepositives: Unknown
+falsepositives:
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
index 1a680821f..439e99a78 100644
--- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -1,9 +1,9 @@
 title: Proxy Execution via Wuauclt
-id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+id: af77cf95-c469-471c-b6a0-946c685c4798
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
 status: experimental
 date: 2020/10/12
-modified: 2021/04/12
+modified: 2021/05/10
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
 tags:
 - attack.defense_evasion
@@ -23,7 +23,9 @@ detection:
 - '.dll'
 - 'RunHandlerComServer'
 filter:
- CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
+ CommandLine|contains:
+ - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
+ - ' wuaueng.dll '
 condition: selection_one and selection_two and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml
new file mode 100644
index 000000000..6cf58dc45
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_rclone_execution.yml
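Review bot: The wuauclt `filter` excludes on substrings of `CommandLine`, a field fully controlled by whoever launches the process, and the added `' wuaueng.dll '` entry widens that hole: any invocation that also carries the excluded text is dropped regardless of what else it runs. Pairing the exclusion with a field the launcher does not control (for example the `ParentImage` of the update service) or matching the complete expected command line rather than a bare module name keeps the filter from being satisfiable by appending text. The enclosing `detection` block, including `selection_one` and `selection_two`, starts outside the hunk.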
@@ -0,0 +1,32 @@
+title: RClone Execution
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+status: experimental
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+author: Bhabesh Raj
+date: 2021/05/10
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+ - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate RClone use
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Description: 'Rsync for cloud storage'
+ selection2:
+ CommandLine|contains|all:
+ - '--config '
+ - '--no-check-certificate '
+ - ' copy '
+ condition: 1 of them
diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
index 300599791..6e66c04a3 100644
--- a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
+++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
@@ -1,5 +1,5 @@
title: Suspicious WebDav Client Execution
-id: 40f9af16-589d-4984-b78d-8c2aec023197
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
status: experimental
date: 2020/05/02
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
index d7136f783..04a8b5dd2 100644
--- a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
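Review bot: This new rule overlaps almost entirely with win_susp_rclone_exec.yml, which the same commit also adds: both key on `Description: 'Rsync for cloud storage'`, so every Rclone process start produces two high-level alerts under different ids, and the two should be merged or one should be scoped down. The `fields` list includes `Details`, which does not appear to be a process_creation field (it is used by the registry selections elsewhere in this diff), so it can be dropped or replaced with `Image`. With `condition: 1 of them` the `Description` selection fires on every Rclone start, including the legitimate use the falsepositives entry names; if that is intended, a comment saying so on `selection:` would save the next reader the question.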
+++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
@@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/14
+modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
@@ -20,5 +21,6 @@ detection:
- 'SyncInvoke'
# Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
index 984557a01..4fd2f44c7 100644
--- a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
@@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/14
+modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
@@ -20,5 +21,6 @@ detection:
- 'runAfterCancelProcess'
# Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml
index 4f3e93244..a62d72602 100644
--- a/rules/windows/process_creation/win_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml
@@ -1,3 +1,4 @@
+action: global
title: Advanced IP Scanner
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
status: experimental
@@ -5,11 +6,19 @@ description: Detects the use of Advanced IP Scanner. Seems to be a popular tool
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+ - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+ - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020/05/12
+modified: 2021/05/11
tags:
- attack.discovery
- attack.t1046
+falsepositives:
+ - Legitimate administrative use
+level: medium
+---
logsource:
category: process_creation
product: windows
@@ -17,6 +26,11 @@ detection:
selection:
Image|contains: '\advanced_ip_scanner'
condition: selection
-falsepositives:
- - Legitimate administrative use
-level: medium
+---
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
+ condition: selection
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index c167ff6ed..a64f96298 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -54,11 +54,6 @@ detection:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
- EventType: 'SetValue'
- selection_reg2:
- TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'
- EventType: 'SetValue'
- Details: 'DWORD (0x00000001)'
---
logsource:
category: process_creation
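Review bot: The new `---`-separated file_event section turns win_advanced_ip_scanner.yml into a multi-logsource global rule while the file stays under rules/windows/process_creation/; since this commit already renames cmstp_execution.yml and win_susp_Register_cimprovider.yml for naming consistency, the file should either move out of the process_creation folder or be split into two rules with distinct ids. The `TargetFilename|contains` value pins a product-version prefix (`Advanced IP Scanner 2`) without saying why; a comment such as `# installer/portable build extracts into a versioned temp folder` would document the assumption.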
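Review bot: In win_apt_chafer_mar18.yml the hunk removes `EventType: 'SetValue'` from the surviving registry selection as well as the whole `selection_reg2` block, so that selection now matches any registry event on the `UMe`/`UT` keys rather than only value writes; if widening it is intended, say so in a comment, otherwise keep the `EventType` line. The section's `condition:` is outside the hunk — if it names `selection_reg2` explicitly the rule will no longer compile, so that line needs checking too.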
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
new file mode 100644
index 000000000..47ee4dc41
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
@@ -0,0 +1,32 @@
+title: Lazarus Activity
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
+status: experimental
+references:
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+tags:
+ - attack.g0032
+author: Bhabesh Raj
+date: 2021/04/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'mshta'
+ - '.zip'
+ selection2:
+ ParentImage:
+ - 'C:\Windows\System32\wbem\wmiprvse.exe'
+ Image:
+ - 'C:\Windows\System32\mshta.exe'
+ selection3:
+ ParentImage:
+ - 'C:\Users\Public\*'
+ Image:
+ - 'C:\Windows\System32\rundll32.exe'
+ condition: 1 of them
+falsepositives:
+ - Should not be any false positives
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index e238b8785..20e60b324 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -28,9 +28,8 @@ detection:
# Sysmon: File Creation (ID 11)
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection2:
- EventID: 11
TargetFilename|contains:
- 'ds7002.lnk'
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml
index d36b3844d..d8899df42 100644
--- a/rules/windows/process_creation/win_hack_secutyxploded.yml
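Review bot: selection2 and selection3 in win_apt_lazarus_activity_apr21.yml match `Image` and `ParentImage` against absolute paths (`'C:\Windows\System32\mshta.exe'`), unlike the `Image|endswith` form every other rule in this commit uses, so hosts with a non-default system drive or a SysWOW64 copy of the binary are missed; `Image|endswith: '\mshta.exe'` and `ParentImage|endswith: '\wmiprvse.exe'` keep the intent without the path dependency. `ParentImage: 'C:\Users\Public\*'` relies on a trailing wildcard where the explicit modifier `ParentImage|startswith: 'C:\Users\Public\'` reads as intended. The `tags` block carries only the group id; the technique tags for the mshta and rundll32 executions are missing. The file also lacks a trailing newline, which the commit fixes for the two process_creation_*.yml rules.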
+++ b/rules/windows/process_creation/win_hack_secutyxploded.yml
@@ -6,7 +6,7 @@ references:
- https://securityxploded.com/
- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
date: 2018/12/19
-modified: 2020/09/01
+modified: 2021/05/11
tags:
- attack.credential_access
- attack.t1555
@@ -21,7 +21,7 @@ detection:
selection2:
Image|endswith: 'PasswordDump.exe'
selection3:
- OriginalFilename|endswith: 'PasswordDump.exe'
+ OriginalFileName|endswith: 'PasswordDump.exe'
condition: 1 of them
falsepositives:
- unlikely
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index b1e40cded..821c3cd91 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -26,7 +26,7 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection:
EventID: 11
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
index caeadc4e8..dd02c69ae 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -1,5 +1,5 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+id: e9f55347-2928-4c06-88e5-1a7f8169942e
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
index 3dcdeac85..384015178 100644
--- a/rules/windows/process_creation/win_manage-bde_lolbas.yml
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
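Review bot: In win_hktl_createminidump.yml the logsource is switched to `category: file_event` but the selection still carries `EventID: 11` (the last context line of the hunk), which ties the backend-agnostic category back to a Sysmon event id and will not exist as a field for non-Sysmon file-event sources. The parallel change to win_apt_unidentified_nov_18.yml in this same commit drops the `EventID: 11` line, and this section should do the same. The rest of the selection lies outside the hunk.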
@@ -11,15 +11,17 @@ tags:
- attack.defense_evasion
- attack.t1216
date: 2020/10/13
+modified: 2021/05/21
author: oscd.community, Natalia Shornikova
logsource:
category: process_creation
product: windows
detection:
selection:
- Commandline|contains|all:
+ CommandLine|contains|all:
- 'cscript'
- 'manage-bde.wsf'
condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 633e060ec..cb775d882 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,9 +1,9 @@
title: Meterpreter or Cobalt Strike Getsystem Service Start
id: 15619216-e993-4721-b590-4c520615a67d
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-author: Teymur Kheirkhabarov, Ecco
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
-modified: 2020/09/01
+modified: 2021/05/20
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -31,6 +31,12 @@ detection:
- '/c'
- 'echo'
- '\pipe\'
+ # cobaltstrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ - CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- CommandLine|contains|all:
- 'rundll32'
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 32caed855..80be22f95 100644
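Review bot: The new technique-1b block in win_meterpreter_or_cobaltstrike_getsystem_service_start.yml is labelled "expanded env var" and its example shows `%COMSPEC%`, yet the patterns it adds match `cmd.exe`, so either the comment or the list is describing the wrong case and a reader cannot tell which. The first entry of the preceding technique-1 list is outside the hunk; if it already matches a bare `cmd` substring, this whole block is subsumed by it and adds nothing. Either align the comment with the patterns (e.g. `# technique 1a without env var: cmd.exe /c echo … > \\.\pipe\…`) or make the list match what the comment says.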
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -3,10 +3,10 @@ id: f4bbd493-b796-416e-bbf2-121235348529
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
status: experimental
date: 2019/09/12
-modified: 2019/11/10
+modified: 2021/05/10
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
tags:
- attack.execution
- attack.t1086 # an old one
@@ -18,7 +18,9 @@ detection:
selection:
Image|endswith: '\powershell.exe'
filter:
- ParentImage|endswith: '\explorer.exe'
+ ParentImage|endswith:
+ - '\explorer.exe'
+ - '\CompatTelRunner.exe'
condition: selection and not filter
falsepositives:
- Legitimate programs executing PowerShell scripts
diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
new file mode 100644
index 000000000..2a6191fc0
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
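Review bot: The new `'\CompatTelRunner.exe'` filter entry excludes on file name alone, so a PowerShell child of any binary with that name, wherever it lives, is silently dropped from a rule whose whole purpose is parent-based; anchoring it to the system location, `- '\System32\CompatTelRunner.exe'`, keeps the exclusion to the telemetry runner it is meant for. A short comment on why the exclusion is needed (which telemetry task spawns PowerShell) would also help the next maintainer judge whether it still applies.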
@@ -0,0 +1,32 @@
+title: Powershell Defender Exclusion
+id: 17769c90-230e-488b-a463-e05c08e9d48f
+status: experimental
+description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+references:
+ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+author: Florian Roth
+date: 2021/04/29
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine: 'Add-MpPreference'
+ selection2:
+ CommandLine|contains:
+ - ' -ExclusionPath '
+ - ' -ExclusionExtension '
+ - ' -ExclusionProcess '
+ selection_encoded:
+ CommandLine|contains:
+ - 'QWRkLU1wUHJlZmVyZW5jZ'
+ - 'FkZC1NcFByZWZlcmVuY2'
+ - 'BZGQtTXBQcmVmZXJlbmNl'
+ condition: ( selection1 and selection2 ) or selection_encoded
+falsepositives:
+ - Possible Admin Activity
+ - Other Cmdlets that may use the same parameters
+level: high
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 7e1eb8cb6..d75fdc85a 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -4,9 +4,10 @@ description: Detects a process memory dump performed via ordinal function 24 in
status: experimental
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
+ - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
author: Florian Roth
date: 2020/02/18
-modified: 2020/09/06
+modified: 2021/04/23
tags:
- attack.defense_evasion
- attack.t1036
@@ -22,6 +23,7 @@ detection:
CommandLine|contains:
- 'comsvcs.dll,#24'
- 'comsvcs.dll,MiniDump'
+ - 'comsvcs.dll MiniDump'
condition: selection
falsepositives:
- Unlikely, because no one should dump the process memory in that way
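Review bot: `selection1: CommandLine: 'Add-MpPreference'` has no modifier and no wildcard, which in Sigma is a whole-value match, so it only hits a command line that is literally `Add-MpPreference` — and such a line can never also contain the ` -Exclusion… ` tokens selection2 requires, leaving the `( selection1 and selection2 )` branch dead and only the encoded branch able to fire. Change it to `CommandLine|contains: 'Add-MpPreference'`. The three base64 fragments under selection_encoded would also benefit from a one-line comment stating what they are (`# 'Add-MpPreference' UTF-16LE base64, at the three possible alignments`) so a reviewer can verify them without recomputing.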
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index 51ab7d7f9..3f1a340c1 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
@@ -11,6 +11,7 @@ tags:
- attack.defense_evasion
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020/10/08
+modified: 2021/05/24
logsource:
category: process_creation
product: windows
@@ -20,7 +21,7 @@ detection:
filter:
CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
condition: selection and not filter
-fieds:
+fields:
- ParentImage
- CommandLine
falsepositives:
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
index f6a238593..9844421cd 100644
--- a/rules/windows/process_creation/win_regini_ads.yml
+++ b/rules/windows/process_creation/win_regini_ads.yml
@@ -11,6 +11,7 @@ tags:
- attack.defense_evasion
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020/10/12
+modified: 2021/05/24
logsource:
category: process_creation
product: windows
@@ -19,7 +20,7 @@ detection:
Image|endswith: '\regini.exe'
CommandLine|re: ':[^ \\]'
condition: selection
-fieds:
+fields:
- ParentImage
- CommandLine
falsepositives:
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 7490d9b6d..00a033cb0 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -1,12 +1,12 @@
-title: Remote PowerShell Session
+title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
-description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
+description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)
status: experimental
date: 2019/09/12
-modified: 2019/11/10
+modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
index 6a8fe0a84..8b9bad991 100644
--- a/rules/windows/process_creation/win_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
-modified: 2020/09/06
+modified: 2021/04/29
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -15,13 +15,21 @@ logsource:
product: windows
category: process_creation
detection:
- selection:
+ selection1:
OriginalFileName: 'procdump'
- filter:
+ filter1:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
- condition: selection and not filter
+ selection2:
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' -accepteula '
+ filter2:
+ CommandLine|contains:
+ - '\procdump.exe'
+ - '\procdump64.exe'
+ condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries
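Review bot: In win_renamed_procdump.yml the new filter2 only excludes command lines containing `\procdump.exe` or `\procdump64.exe`, so an un-renamed ProcDump started by bare name (resolved via PATH or the working directory) still fires under selection2 as "renamed"; dropping the leading backslash, `- 'procdump.exe'` / `- 'procdump64.exe'`, or matching on `procdump` keeps the second branch to its stated intent. The ` -ma ` and ` -accepteula ` tokens both require a trailing space, so whichever flag is given last on the line will not match; a comment on selection2 noting that limitation, or trailing-space-free variants, would avoid a silent gap.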
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 43bdfd90c..45e71b95f 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -2,14 +2,17 @@ title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
-author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
+modified: 2021/06/02
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+ - https://github.com/Neo23x0/Raccine#the-process
+ - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
tags:
- attack.defense_evasion
- attack.impact
@@ -19,15 +22,23 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
+ - '\diskshadow.exe'
CommandLine|contains|all:
- - shadow # will mach "delete shadows" and "shadowcopy delete"
+ - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
- delete
- condition: selection
+ selection2:
+ Image|endswith:
+ - '\wbadmin.exe'
+ CommandLine|contains|all:
+ - delete
+ - catalog
+ - quiet # will match -quiet or /quiet
+ condition: 1 of selection*
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index 41e4e6cc1..66fa5a3f6 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -23,8 +23,5 @@ logsource:
product: windows
---
logsource:
+ category: image_load
product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index eca94458b..831fefe48 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -8,7 +8,7 @@ references:
- https://thedfirreport.com/2020/05/08/adfind-recon/
author: FPT.EagleEye Team, omkar72, oscd.community
date: 2020/09/26
-modified: 2020/10/11
+modified: 2021/05/12
tags:
- attack.discovery
- attack.t1018
@@ -17,7 +17,7 @@ tags:
- attack.t1069.002
logsource:
product: windows
- service: process_creation
+ category: process_creation
detection:
selection:
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 8137eafe6..b643eb4fc 100644
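Review bot: Adding `'\diskshadow.exe'` to selection1 of win_shadow_copies_deletion.yml keeps the requirement that both `shadow` and `delete` appear in the command line, but diskshadow is, as far as I know, usually driven by a script file passed with `/s`, in which case the deletion command is inside the file and this entry matches nothing; either document that only inline invocations are covered (`# diskshadow: only matches inline commands, not /s script files`) or pair it with a file_event/script-content source. In selection2 the `quiet` token excludes an interactive `wbadmin delete catalog` that is confirmed at the prompt; if the suppression of prompts is the signal you want, the comment should say so, otherwise drop the token.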
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -5,11 +5,9 @@ description: Detects a suspicious Microsoft certutil execution with sub commands
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
-modified: 2020/11/28
+modified: 2021/04/23
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- - https://twitter.com/subTee/status/888102593838362624
- - https://twitter.com/subTee/status/888071631528235010
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
@@ -20,11 +18,16 @@ logsource:
detection:
parameters:
CommandLine|contains:
- - 'decode '
- - 'decodehex '
- - 'urlcache '
- - 'verifyctl '
- - 'encode '
+ - ' -decode '
+ - ' -decodehex '
+ - ' -urlcache '
+ - ' -verifyctl '
+ - ' -encode '
+ - ' /decode '
+ - ' /decodehex '
+ - ' /urlcache '
+ - ' /verifyctl '
+ - ' /encode '
certutil:
Image|endswith: '\certutil.exe'
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml
index 6599c02b5..ee19fca90 100644
--- a/rules/windows/process_creation/win_susp_csi.yml
+++ b/rules/windows/process_creation/win_susp_csi.yml
@@ -4,6 +4,7 @@ description: Csi.exe is a signed binary from Micosoft that comes with Visual Stu
status: experimental
author: Konstantin Grishchenko, oscd.community
date: 2020/10/17
+modified: 2021/05/11
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml
@@ -22,8 +23,8 @@ detection:
- Image|endswith: '\csi.exe'
- Image|endswith: '\rcsi.exe'
renamed:
- - OriginalFilename: 'csi.exe'
- - OriginalFilename: 'rcsi.exe'
+ - OriginalFileName: 'csi.exe'
+ - OriginalFileName: 'rcsi.exe'
selection:
Company: 'Microsoft Corporation'
condition: (basic or renamed) and selection
diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml
new file mode 100644
index 000000000..d67b98750
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml
@@ -0,0 +1,31 @@
+title: Ngrok Usage
+id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
+description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available
+status: experimental
+references:
+ - https://ngrok.com/docs
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
+ - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.command_and_control
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - ' tcp 3389'
+ selection2:
+ CommandLine|contains|all:
+ - ' start '
+ - '--all'
+ - '--config'
+ - '.yml'
+ condition: 1 of them
+falsepositives:
+ - Another tool that uses the command line switches of Ngrok
+level: high
diff --git a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
new file mode 100644
index 000000000..bffd87a36
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
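Review bot: In win_susp_ngrok_pua.yml selection1 fires on any process whose command line contains ` tcp 3389`, not only ngrok, while an ngrok run that tunnels another port or uses `http` without a config file matches neither selection, so the rule is simultaneously broad and narrow in ways the falsepositives entry does not explain. A third selection on the binary itself, `Image|endswith: '\ngrok.exe'`, would cover the un-renamed case and let selection1/selection2 stay focused on renamed copies; a comment on selection1 saying why 3389 alone is worth an alert would also help. The rule has no `modified` field, which is fine for a new file, but the single-item lists under selection1 could be written as scalars for consistency with the other new rules in this commit.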
@@ -0,0 +1,22 @@
+title: PowerShell Get-Process LSASS
+id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+status: experimental
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+author: Florian Roth
+date: 2021/04/23
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Get-Process lsass'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
new file mode 100644
index 000000000..d52158f85
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
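Review bot: The tag `attack.t1552.004` (Unsecured Credentials: Private Keys) does not describe a Get-Process lookup of LSASS, which is a precursor to LSASS memory access; `attack.t1003.001` is the technique this rule actually relates to and should replace it. The single pattern `'Get-Process lsass'` also misses the named-parameter form `Get-Process -Name lsass`; a second list item for it keeps the rule at the same precision with less of a gap.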
@@ -0,0 +1,33 @@
+title: Suspicious Process Start Without DLL
+id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
+description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1251492025678983169
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\rundll32.exe'
+ - '\regsvcs.exe'
+ - '\regasm.exe'
+ - '\regsvr32.exe'
+ filter1:
+ ParentImage|contains:
+ - '\AppData\Local\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
new file mode 100644
index 000000000..404f2d7a3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
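Review bot: `CommandLine|endswith: '\rundll32.exe'` (and the three sibling entries) does not match when the process was started with a quoted path, which many launchers record as `"C:\Windows\System32\rundll32.exe"` — the line then ends in `"` and the argument-less start this rule exists to catch is missed. Add a `"`-suffixed twin for each of the four entries, e.g. `- '\rundll32.exe"'`. filter1's `'\AppData\Local\'` exclusion on the parent is broad (any per-user installed application is excused); a comment naming the software it was added for would let a maintainer tighten it later.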
@@ -0,0 +1,34 @@
+title: PsExec/PAExec Flags
+id: 207b0396-3689-42d9-8399-4222658efc99
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+ - https://www.poweradmin.com/paexec/
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_flags_1: # Escalation to LOCAL_SYSTEM
+ CommandLine|contains|all:
+ - '\\127.0.0.1'
+ - ' -s '
+ - 'cmd.exe'
+ selection_flags_2:
+ CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+ - ' /accepteula '
+ - 'cmd /c '
+ - ' -u '
+ - ' -p '
+ filter:
+ CommandLine|contains:
+ - 'paexec'
+ - 'PsExec'
+ condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+falsepositives:
+ - Weird admins that rename their tools
+ - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+level: high
diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml
new file mode 100644
index 000000000..b6e35d7a2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rclone_exec.yml
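Review bot: selection_flags_2 accepts only the slash form ` /accepteula `, but PsExec and PAExec also take the dash form, and win_renamed_procdump.yml in this same commit matches ` -accepteula ` — so a renamed copy run with the dash spelling passes this rule while the other rule would have caught a similar ProcDump invocation. Because the list is `contains|all`, the alternative cannot be appended as another item; it needs a sibling selection that repeats the four tokens with ` -accepteula ` and a condition extended to `( selection_flags_1 or selection_flags_2 or selection_flags_3 ) and not filter`. The mixed-case `'paexec'` / `'PsExec'` filter entries are cosmetically inconsistent; Sigma matching is case-insensitive, so either spelling works but one style should be used.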
@@ -0,0 +1,37 @@
+title: Rclone Execution via Command Line or PowerShell
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ exec_selection:
+ Image|endswith: '\rclone.exe'
+ ParentImage|endswith:
+ - '\PowerShell.exe'
+ - '\cmd.exe'
+ command_selection:
+ CommandLine|contains:
+ - ' pass '
+ - ' user '
+ - ' copy '
+ - ' mega '
+ - ' sync '
+ - ' config '
+ - ' lsd '
+ - ' remote '
+ - ' ls '
+ description_selection:
+ Description: 'Rsync for cloud storage'
+ condition: command_selection and ( description_selection or exec_selection )
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
new file mode 100644
index 000000000..f6dc13602
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -0,0 +1,20 @@
+title: Regedit as Trusted Installer
+id: 883835a7-df45-43e4-bf1d-4268768afda4
+description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+references:
+ - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ ParentImage|endswith:
+ - '\TrustedInstaller.exe'
+ - '\ProcessHacker.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
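Review bot: `exec_selection` keys on `Image|endswith: '\rclone.exe'`, so a renamed copy is only caught through `description_selection`, and that branch depends on the `Description` (file version info) field actually being collected by the log source; a comment stating that dependency, e.g. `# renamed binaries are only covered when Description is logged`, would help deployers judge their coverage. The new file ends without a trailing newline (`\ No newline at end of file`) while the same commit adds the missing newline to tools/config/ecs-zeek-elastic-beats-implementation.yml; the two should agree.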
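Review bot: The Regedit as Trusted Installer rule omits the `status:` and `tags:` keys that the other new rules in this commit carry, so its maturity is undeclared; adding `status: experimental` in line with its neighbours would make it consistent. Both `ParentImage|endswith` entries match on the parent's file name only, so a renamed Process Hacker is not covered; that limitation is worth a short comment next to `'\ProcessHacker.exe'` so the `Unlikely` false-positive rating is read in context.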
diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_register_cimprovider.yml similarity index 100% rename from rules/windows/process_creation/win_susp_Register_cimprovider.yml rename to rules/windows/process_creation/win_susp_register_cimprovider.yml diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index dcab5bd63..f421c1cd6 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -15,7 +15,7 @@ detection: - 'Sysinternals DebugView' - 'Sysinternals Debugview' filter: - OriginalFilename: 'Dbgview.exe' + OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' condition: selection and not filter falsepositives: diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml new file mode 100644 index 000000000..cc1d5f209 --- /dev/null +++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml @@ -0,0 +1,25 @@ +title: Renamed PAExec +id: c4e49831-1496-40cf-8ce1-b53f942b02f9 +status: experimental +description: Detects suspicious renamed PAExec execution as often used by attackers +references: + - https://www.poweradmin.com/paexec/ +author: Florian Roth +date: 2021/05/22 +logsource: + category: process_creation + product: windows +detection: + selection1: + Description: 'PAExec Application' + selection2: + OriginalFilename: 'PAExec.exe' + filter: + Image|endswith: + - '\PAexec.exe' + - '\paexec.exe' + condition: ( selection1 or selection2 ) and not filter +falsepositives: + - Weird admins that rename their tools + - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing +level: high 
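Review bot: `selection2` in the new win_susp_renamed_paexec.yml uses `OriginalFilename: 'PAExec.exe'`, but the win_susp_renamed_debugview.yml hunk in this same commit corrects exactly that spelling to `OriginalFileName`; the new rule should use the corrected field name too, otherwise it will not match on backends where field names are case-sensitive. In the same rule the `filter` lists `'\PAexec.exe'` and `'\paexec.exe'` but not the vendor casing `'\PAExec.exe'` used two lines above, so on a case-sensitive backend the legitimately named binary is not excluded, while on a case-insensitive one the second entry is redundant.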
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 2a850916d..e51a968d9 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -13,7 +13,7 @@ tags: - attack.t1085 # an old one author: Florian Roth date: 2019/10/22 -modified: 2020/11/28 +modified: 2021/04/29 logsource: category: process_creation product: windows @@ -22,7 +22,11 @@ detection: CommandLine|contains|all: - '\rundll32.exe' - ',#' - condition: selection + filter: + CommandLine|contains|all: + - 'EDGEHTML.dll' + - '#141' + condition: selection and not filter falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Windows control panel elements have been identified as source (mmc) diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml new file mode 100644 index 000000000..b45e3b4e0 --- /dev/null +++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml @@ -0,0 +1,27 @@ +title: Suspicious Rundll32 Without Any CommandLine Params +id: 1775e15e-b61b-4d14-a1a3-80981298085a +description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity +status: experimental +references: + - https://www.cobaltstrike.com/help-opsec +author: Florian Roth +date: 2021/05/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|endswith: '\rundll32.exe' + filter1: + ParentImage|endswith: '\svchost.exe' + filter2: + ParentImage|contains: + - '\AppData\Local\' + - '\Microsoft\Edge\' + condition: selection and not filter1 and not filter2 +fields: + - ParentImage + - ParentCommandLine +falsepositives: + - Possible but rare +level: high 
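Review bot: The new `filter` in win_susp_rundll32_by_ordinal.yml excludes any command line that contains both `'EDGEHTML.dll'` and `'#141'` anywhere, which is looser than the single benign call it is meant to exclude; if the legitimate invocation is always `EDGEHTML.dll,#141`, one entry `CommandLine|contains: 'EDGEHTML.dll,#141'` keeps the exclusion to that exact argument form. A comment naming the benign process that produced the false positive would also help the next person who tunes this rule. The rule's `selection` block begins outside the hunk.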
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 55659f9a0..9d36bc717 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,6 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 +modified: 2021/05/12 tags: - attack.command_and_control - attack.execution @@ -13,7 +14,7 @@ tags: - attack.t1218 logsource: product: windows - service: process_creation + category: process_creation detection: selection: ProcessCommandLine|contains|all: diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index a10446c67..402ff3615 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2020/08/29 +modified: 2021/05/30 author: Sreeman tags: - attack.defense_evasion @@ -17,7 +17,7 @@ tags: - attack.t1064 # an old one logsource: - product: Windows + product: windows detection: selection1: CommandLine|contains: diff --git a/rules/windows/process_creation/win_whoami_priv.yml b/rules/windows/process_creation/win_whoami_priv.yml new file mode 100644 index 000000000..3cd02819c --- /dev/null +++ b/rules/windows/process_creation/win_whoami_priv.yml 
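Review bot: Switching win_susp_wuauclt.yml to `category: process_creation` routes the rule through the generic process_creation field mappings, but the selection on the next context line still uses `ProcessCommandLine|contains|all`, which is not the `CommandLine` field every other process_creation rule on this page uses; unless the backend config maps `ProcessCommandLine`, the selection will not match anything. Renaming it to `CommandLine|contains|all:` makes the rule portable. The detection block continues outside the hunk.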
@@ -0,0 +1,23 @@ +title: Run Whoami Showing Privileges +id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b +status: experimental +description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +author: Florian Roth +date: 2021/05/05 +tags: + - attack.privilege_escalation + - attack.discovery + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\whoami.exe' + CommandLine|contains: '/priv' + condition: selection +falsepositives: + - Administrative activity (rare lookups on current privileges) +level: high diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index 042df7de0..d5a59f6e0 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -6,7 +6,7 @@ date: 2019/08/15 modified: 2021/02/24 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html tags: - attack.execution - attack.t1047 diff --git a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml similarity index 91% rename from rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml rename to rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 0f4ec0b92..72fbafb62 100644 
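Review bot: The description of win_whoami_priv.yml has a typo, `privieleges`, which should read `privileges`. The selection requires `CommandLine|contains: '/priv'`; if whoami.exe is confirmed to accept a dash-prefixed form of the switch as well (not verified here), that spelling should be added as a second list entry so the rule does not depend on the slash form.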
--- a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -10,10 +10,8 @@ tags: - attack.t1006 logsource: product: windows - service: sysmon + category: raw_access_thread detection: - selection: - EventID: 9 filter_1: Device|contains: floppy filter_2: @@ -32,7 +30,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' - condition: selection and not filter_1 and not filter_2 + condition: not filter_1 and not filter_2 fields: - ComputerName - Image diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml index bf76b00d8..dedf925a5 100644 --- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml @@ -18,8 +18,6 @@ detection: selection: TargetObject: - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' - EventType: - - SetValue condition: selection falsepositives: - unknown diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml index e5e17ef11..8a02f889e 100644 --- a/rules/windows/registry_event/sysmon_cve-2020-1048.yml +++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml @@ -18,10 +18,6 @@ logsource: detection: selection: TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' - EventType: - - SetValue - - DeleteValue - - CreateValue Details|contains: - '.dll' - '.exe' diff --git a/rules/windows/sysmon/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml similarity index 93% rename from rules/windows/sysmon/sysmon_new_application_appcompat.yml rename to rules/windows/registry_event/sysmon_new_application_appcompat.yml index b390fec1b..298f2660f 100644 --- a/rules/windows/sysmon/sysmon_new_application_appcompat.yml 
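Review bot: After removing `selection`, the condition of sysmon_raw_disk_access_using_illegitimate_tools.yml is `not filter_1 and not filter_2` with no positive term, so the rule now matches every event the `raw_access_thread` logsource delivers and relies entirely on the backend config to narrow it (the tools/config/generic/sysmon.yml hunk later in this commit maps that category to `EventID: 9`); some backends reject or mis-translate a condition made only of negations. Keeping a positive selection on a field the rule already references (for example `selection: Device|contains: '\'` alongside the filters) keeps the query well-formed everywhere. The filter lists continue outside the hunk.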
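Review bot: Dropping `EventType: SetValue` from sysmon_comhijack_sdclt.yml widens it from value writes to every registry event on that key, including key creation and deletions; the same widening happens in sysmon_cve-2020-1048.yml on this line and in sysmon_new_application_appcompat.yml, sysmon_reg_office_security.yml, sysmon_reg_silentprocessexit.yml, sysmon_reg_silentprocessexit_lsass.yml, sysmon_runonce_persistence.yml, sysmon_stickykey_like_backdoor.yml, sysmon_win_reg_persistence.yml and sysmon_win_reg_telemetry_persistence.yml. If the motivation is the new Security/4657 mapping in tools/config/generic/windows-audit.yml (which has no `EventType` field), a one-line comment in the affected rules, e.g. `# event type intentionally left to the logsource config`, would record the trade-off, and rules where the wider scope is known to be noisy should keep the `EventType` filter.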
+++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml @@ -12,10 +12,9 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 13 TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' condition: selection falsepositives: diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml index 4afc0fbc3..8eac61ee8 100644 --- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml +++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml @@ -9,6 +9,7 @@ tags: - attack.persistence author: Bhabesh Raj date: 2021/01/10 +modified: 2021/06/01 logsource: category: registry_event product: windows @@ -20,7 +21,9 @@ detection: - '\Software\Microsoft\Office\Excel\Addins\' - '\Software\Microsoft\Office\Powerpoint\Addins\' - '\Software\Microsoft\VSTO\Security\Inclusion\' - condition: selection + filter: + Image|endswith: '\msiexec.exe' + condition: selection and not filter falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml index a26556cb7..a297c6680 100644 --- a/rules/windows/registry_event/sysmon_powershell_as_service.yml +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml @@ -4,6 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -20,5 +21,6 @@ detection: - 'powershell' - 'pwsh' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high 
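Review bot: The new `filter` in sysmon_office_vsto_persistence.yml exempts any process whose image name is msiexec.exe regardless of where it runs from; anchoring on the installer's real location, e.g. `Image|endswith: '\Windows\System32\msiexec.exe'` with a second entry for the `\Windows\SysWOW64\` twin, keeps the exclusion from covering a same-named binary elsewhere. The `selection` list this filter applies to begins outside the hunk.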
diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml index 3fe7d6cda..3df09fb62 100755 --- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml @@ -6,7 +6,7 @@ date: 2019/09/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html tags: - attack.defense_evasion - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index fb3975c6a..27e6957c5 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml @@ -19,10 +19,6 @@ detection: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' - '\Security\VBAWarnings' - EventType: - - SetValue - - DeleteValue - - CreateValue condition: sec_settings falsepositives: - Valid Macros and/or internal documents diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index fe6b5f5a5..c8404f2cc 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -16,9 +16,6 @@ detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml index bafd3cbd2..66a5dc12a 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -15,9 +15,6 @@ logsource: detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml new file mode 100644 index 000000000..0b9558835 --- /dev/null +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -0,0 +1,24 @@ +title: Creation of a Local Hidden User Account by Registry +id: 460479f3-80b7-42da-9c43-2cc1d54dbccd +description: Sysmon registry detection of a local hidden user account. +status: experimental +date: 2021/05/03 +modified: 2021/05/12 +author: Christian Burkard +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387530414185664538 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' + TargetObject|endswith: '$' + Image|endswith: "lsass.exe" + condition: selection +falsepositives: + - unknown +level: high diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 8e31caf6f..7f4b07fc4 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
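Review bot: In sysmon_registry_add_local_hidden_user.yml, `Image|endswith: "lsass.exe"` uses double quotes and no leading backslash while every other selector on this page uses single-quoted values anchored with `\`; `Image|endswith: '\lsass.exe'` follows the file conventions and avoids matching any image whose name merely ends in those characters. The description says "Sysmon registry detection" although the logsource is the generic `registry_event` category, which this same commit also maps to Security 4657; wording it as "Registry event detection" avoids tying the rule to one source.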
@@ -4,9 +4,9 @@ status: experimental description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ -author: Maxime Thiebaut (@0xThiebaut), oscd.community +author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2020/11/28 +modified: 2021/05/01 tags: - attack.persistence - attack.t1038 # an old one @@ -20,20 +20,26 @@ detection: - 'HKU\' - '_Classes\CLSID\' - '\InProcServer32\(Default)' - filter: + filter1: - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' - - Details|contains|all: - - '\AppData\Local\Microsoft\OneDrive\' + filterOneDrive: + - Details|contains: '\AppData\Local\Microsoft\OneDrive\' + filterOneDrive2: + - Details|contains: - '\FileCoAuthLib64.dll' - - Details|contains|all: - - '\AppData\Local\Microsoft\OneDrive\' - '\FileSyncShell64.dll' + - '\FileSyncApi64.dll' + filter2: - Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' - '\Microsoft.Teams.AddinLoader.dll' - condition: selection and not filter + filter3: + - Details|contains|all: + - '\AppData\Roaming\Dropbox\' + - '\DropboxExt64.*.dll' + condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 ) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level level: medium diff --git a/rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml similarity index 95% rename from rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml rename to rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml index 0e5846220..d834dcb1b 100644 --- a/rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml 
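Review bot: The filter names in sysmon_registry_persistence_search_order.yml are now a mix of numbered and descriptive identifiers (`filter1`, `filterOneDrive`, `filterOneDrive2`, `filter2`, `filter3`), which makes the rewritten `condition:` hard to read; consistent descriptive names such as `filter_system`, `filter_onedrive_path`, `filter_onedrive_dll`, `filter_teams` and `filter_dropbox` would make the condition self-explanatory. In `filter3`, `'\DropboxExt64.*.dll'` uses `*` as the Sigma wildcard between two literal dots, which is right only if the shipped DLL really is named `DropboxExt64.<something>.dll`; a comment giving one observed file name would confirm that and prevent a later "fix" to a regex-style pattern.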
+++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml @@ -15,10 +15,9 @@ references: - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 12 EventType: 'DeleteKey' TargetObject|endswith: '\shell\open\command' condition: selection diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml index aff6c60e7..6e74aedb5 100644 --- a/rules/windows/registry_event/sysmon_runonce_persistence.yml +++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml @@ -15,7 +15,6 @@ logsource: category: registry_event detection: selection: - EventType: 'SetValue' TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' TargetObject|endswith: '\StubPath' condition: selection diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 667c8448a..7f23a3298 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -31,7 +31,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' - EventType: 'SetValue' condition: 1 of them --- logsource: diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index 9f36c3763..55850ba37 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml 
@@ -6,6 +6,7 @@ references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml date: 2020/10/13 +modified: 2021/05/24 tags: - attack.defense_evasion - attack.t1218 @@ -22,4 +23,4 @@ detection: condition: creation or persistance falsepositives: - Creation of non-default, legitimate AT. -level: High +level: high diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index 5a0e5fb05..ea6a92f21 100644 --- a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml @@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|contains: '\Software\Sysinternals\SDelete' diff --git a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml index eb8f10b6b..eb48e9352 100644 --- a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml +++ b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml 
@@ -3,6 +3,7 @@ id: 5aad0995-46ab-41bd-a9ff-724f41114971 description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. status: experimental date: 2020/10/20 +modified: 2021/06/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -15,7 +16,9 @@ logsource: detection: selection: TargetObject|contains: 'System\CurrentControlSet\Services\VSS' - condition: selection + filter: + TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start' + condition: selection and not filter falsepositives: - - Unknown + - Other services accessing that key or sub keys level: high diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 63a654317..351020fc0 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 +modified: 2021/05/21 author: oscd.community, Natalia Shornikova logsource: category: registry_event @@ -20,5 +21,6 @@ detection: filter: Details: '%CommonProgramFiles%\System\wab32.dll' condition: selection and not filter -falsepositives: Unknown +falsepositives: + - Unknown level: high diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml index 9b67116f1..6a53796b6 100644 --- a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml +++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml 
@@ -1,8 +1,9 @@ title: Wdigest Enable UseLogonCredential -id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd +id: d6a9b252-c666-4de6-8806-5561bbbd3bdc description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials status: experimental date: 2019/09/12 +modified: 2021/05/27 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index dea029f4f..883c5863a 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -13,7 +13,6 @@ detection: selection_reg1: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - EventType: SetValue selection_reg2: - TargetObject|contains|all: - '\Image File Execution Options\' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 67963ff93..6cdb6cb24 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -19,7 +19,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' Details|contains: '.exe' - EventType: 'SetValue' filter: Details|contains: - '\system32\CompatTelRunner.exe' diff --git a/rules/windows/registry_event/win_outlook_C2_registry_key.yml b/rules/windows/registry_event/win_outlook_C2_registry_key.yml new file mode 100644 index 000000000..4d6524277 --- /dev/null +++ b/rules/windows/registry_event/win_outlook_C2_registry_key.yml 
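Review bot: Changing `id:` from `1a2d6c47-75b0-45bd-b133-2c0be75349fd` to `d6a9b252-c666-4de6-8806-5561bbbd3bdc` silently breaks any downstream consumer that tracks this rule by UUID (suppressions, converted searches, ticket references); presumably the old id collided with another rule, but neither the rule nor the visible part of the commit says so. Since a `modified:` bump is added right below, a comment next to it such as `# id changed 2021/05/27 to resolve a duplicate UUID` would let consumers reconcile the change.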
@@ -0,0 +1,25 @@ +title: Outlook C2 Registry Key +id: e3b50fa5-3c3f-444e-937b-0a99d33731cd +status: experimental +description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other. +references: + - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +author: '@ScoubiMtl' +tags: + - attack.persistence + - attack.command_and_control + - attack.t1137 + - attack.t1008 + - attack.t1546 +date: 2021/04/05 +logsource: + category: registry_event + product: windows +detection: + selection_registry: + TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level' + Details|contains: '0x00000001' + condition: selection_registry +falsepositives: + - Unlikely +level: medium diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 96e861348..0eabbe262 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -4,9 +4,10 @@ description: Detects Accessing to lsass.exe by Powershell status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/24 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -tag: +tags: - attack.credential_access - attack.t1003.001 logsource: @@ -20,5 +21,6 @@ detection: SourceImage|endswith: '\powershell.exe' TargetImage|endswith: '\lsass.exe' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml new file mode 100644 index 000000000..085c739e9 --- /dev/null 
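Review bot: `TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'` in win_outlook_C2_registry_key.yml uses the long hive name and an exact match, whereas the other registry rules on this page (e.g. sysmon_comhijack_sdclt.yml) use the short `HKCU\`/`HKLM\`/`HKU\` prefixes; Sysmon itself records the current-user hive as `HKU\<SID>\...`, so the long form is unlikely to match either source — confirm against a sample event. `TargetObject|endswith: '\Outlook\Security\Level'` would match both prefix styles and drop the hard-coded `16.0` version path. The file name `win_outlook_C2_registry_key.yml` also keeps an upper-case `C2` while the same commit lowercases `win_susp_Register_cimprovider.yml`, so it should be lowercase too.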
+++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml @@ -0,0 +1,47 @@ +action: global +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +falsepositives: + - Very unlikely +level: high +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +--- +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: 'updata.exe' + CommandLine|contains|all: + - 'config' + - 'msdtc' + - 'start' + - 'auto' + condition: selection diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml similarity index 95% rename from rules/windows/sysmon/sysmon_wmi_event_subscription.yml rename to rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index df6b6e440..fc1bb7513 100644 --- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -10,7 +10,7 @@ author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 logsource: product: windows - service: sysmon + category: wmi_event detection: selector: EventID: 
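Review bot: In sysmon_pingback_backdoor.yml, `Image|endswith: updata.exe` (file_event document) and `ParentImage|endswith: 'updata.exe'` (process_creation document) lack the leading backslash that every other `endswith` image selector on this page uses, so they also match any image whose name merely ends in those characters, and the first one is unquoted unlike the rest of the file; `Image|endswith: '\updata.exe'` and `ParentImage|endswith: '\updata.exe'` fix both. A short comment after `action: global` explaining that the header document is applied to each of the three `---` documents that follow would help readers unfamiliar with the multi-document form.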
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml similarity index 98% rename from rules/windows/sysmon/sysmon_wmi_susp_scripting.yml rename to rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index cf33afa51..bea1f3afb 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -13,7 +13,7 @@ tags: - attack.t1059.005 logsource: product: windows - service: sysmon + category: wmi_event detection: selection: EventID: 20 diff --git a/tests/test_rules.py b/tests/test_rules.py index 160c98dfa..9849bbdd0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -17,6 +17,8 @@ from colorama import Fore class TestRules(unittest.TestCase): MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] + # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules + TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = "rules" 
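Review bot: The comment added above `TRADE_MARKS` reads "they require non-ASCII characters to be used on we don't want them in our rules", which is garbled; `# Don't use trademarks in rules - they require non-ASCII characters (the registered sign) which we don't want in our rules` states the reason. It would also be worth noting there that `"ATT&CK"` is a substring of `"MITRE ATT&CK"`, so the second entry already covers the first wherever the set is used for substring matching.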
@@ -58,6 +60,19 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + "There are rule files with extensions other than .yml") + def test_legal_trademark_violations(self): + files_with_legal_issues = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + with open(file, 'r') as fh: + file_data = fh.read() + for tm in self.TRADE_MARKS: + if tm in file_data: + files_with_legal_issues.append(file) + + self.assertEqual(files_with_legal_issues, [], Fore.RED + + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] @@ -357,9 +372,10 @@ class TestRules(unittest.TestCase): for key in logsource: if key.lower() not in ['category', 'product', 'service', 'definition']: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + def get_mitre_data(): """ - Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data + Generate tags from live TAXI service to get up-to-date data """ # Get ATT&CK information lift = attack_client() diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml index ac9b8a45c..c79b4e892 100644 --- a/tools/config/ecs-zeek-elastic-beats-implementation.yml +++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml @@ -3,6 +3,7 @@ order: 20 backends: - es-qs - es-dsl + - es-rule - elasticsearch-rule - kibana - kibana-ndjson @@ -1016,4 +1017,4 @@ fieldmappings: - host - server_name dest_ip: destination.ip - dest_port: destination.port \ No newline at end of file + dest_port: destination.port diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index 2d650f703..e9d81e1fd 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml 
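Review bot: In `test_legal_trademark_violations`, `"ATT&CK"` is a substring of `"MITRE ATT&CK"`, so a file containing the longer form is appended to `files_with_legal_issues` twice; replacing the inner loop with `if any(tm in file_data for tm in self.TRADE_MARKS): files_with_legal_issues.append(file)` reports each file once. `open(file, 'r')` also relies on the locale encoding, which on a Windows runner can raise UnicodeDecodeError for rules containing non-ASCII characters (the author line changed in sysmon_registry_persistence_search_order.yml in this commit now has one); `open(file, 'r', encoding='utf-8')` makes the check deterministic. The method has no docstring; one line such as `"""Fail if any rule file contains a string from TRADE_MARKS."""` would match the neighbouring tests.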
@@ -17,11 +17,59 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
- dns_query:
- category: dns_query
+ process_terminated:
+ category: process_termination
 product: windows
 conditions:
- EventID: 22
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ create_remote_thread:
+ category: create_remote_thread
+ product: windows
+ conditions:
+ EventID: 8
+ rewrite:
+ product: windows
+ service: sysmon
+ raw_access_thread:
+ category: raw_access_thread
+ product: windows
+ conditions:
+ EventID: 9
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
 rewrite:
 product: windows
 service: sysmon
@@ -36,44 +84,48 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
- file_creation:
- category: file_event
+ create_stream_hash:
+ category: create_stream_hash
 product: windows
 conditions:
- EventID: 11
+ EventID: 15
 rewrite:
 product: windows
 service: sysmon
- process_access:
- category: process_access
+ pipe_created:
+ category: pipe_created
 product: windows
 conditions:
- EventID: 10
+ EventID:
+ - 17
+ - 18
 rewrite:
 product: windows
 service: sysmon
- image_loaded:
- category: image_load
+ wmi_event:
+ category: wmi_event
 product: windows
 conditions:
- EventID: 7
+ EventID:
+ - 19
+ - 20
+ - 21
 rewrite:
 product: windows
 service: sysmon
- driver_loaded:
- category: driver_load
+ dns_query:
+ category: dns_query
 product: windows
 conditions:
- EventID: 6
+ EventID: 22
 rewrite:
 product: windows
 service: sysmon
- process_terminated:
- category: process_termination
+ file_delete:
+ category: file_delete
 product: windows
 conditions:
- EventID: 5
+ EventID: 23
 rewrite:
 product: windows
- service: sysmon
-
+ service: sysmon
\ No newline at end of file
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index 83b143c96..63080759e 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
@@ -1,4 +1,4 @@
-title: Conversion of generic process_creation rules into Security/4688
+title: Conversion for Windows Native Auditing Events
 order: 10
 logsources:
 process_creation:
@@ -9,6 +9,18 @@ logsources:
 rewrite:
 product: windows
 service: security
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID: 4657
+ OperationType:
+ - 'New registry value created'
+ - 'Existing registry value modified'
+ rewrite:
+ product: windows
+ service: security
 fieldmappings:
 Image: NewProcessName
 ParentImage: ParentProcessName
+ Details: NewValue
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index eb9ee0fad..f08e541f1 100644
--- a/tools/config/thor.yml
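Review bot: The new `registry_event` mapping in windows-audit.yml restricts 4657 to `OperationType` values for value creation and modification only, so any generic `registry_event` rule that looks for a deleted value (or a deleted/renamed key) converted with this config will never fire, without any indication to the user. If that narrowing is intentional it should be stated next to the condition, e.g. `# 4657 only carries value create/modify; deletions and key renames are not covered`; otherwise the list needs the remaining OperationType values this audit event can carry. The `Details: NewValue` field mapping is file-wide rather than scoped to that logsource, which may be fine but is worth a one-line comment.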
+++ b/tools/config/thor.yml 
@@ -25,6 +25,126 @@ logsources:
 fieldmappings:
 Image: NewProcessName
 ParentImage: ParentProcessName
+ network_connection:
+ category: network_connection
+ product: windows
+ conditions:
+ EventID: 3
+ rewrite:
+ product: windows
+ service: sysmon
+ process_terminated:
+ category: process_termination
+ product: windows
+ conditions:
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ create_remote_thread:
+ category: create_remote_thread
+ product: windows
+ conditions:
+ EventID: 8
+ rewrite:
+ product: windows
+ service: sysmon
+ raw_access_thread:
+ category: raw_access_thread
+ product: windows
+ conditions:
+ EventID: 9
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
+ rewrite:
+ product: windows
+ service: sysmon
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID:
+ - 12
+ - 13
+ - 14
+ rewrite:
+ product: windows
+ service: sysmon
+ create_stream_hash:
+ category: create_stream_hash
+ product: windows
+ conditions:
+ EventID: 15
+ rewrite:
+ product: windows
+ service: sysmon
+ pipe_created:
+ category: pipe_created
+ product: windows
+ conditions:
+ EventID:
+ - 17
+ - 18
+ rewrite:
+ product: windows
+ service: sysmon
+ wmi_event:
+ category: wmi_event
+ product: windows
+ conditions:
+ EventID:
+ - 19
+ - 20
+ - 21
+ rewrite:
+ product: windows
+ service: sysmon
+ dns_query:
+ category: dns_query
+ product: windows
+ conditions:
+ EventID: 22
+ rewrite:
+ product: windows
+ service: sysmon
+ file_delete:
+ category: 
file_delete
+ product: windows
+ conditions:
+ EventID: 23
+ rewrite:
+ product: windows
+ service: sysmon
 # target system configurations
 windows-application:
 product: windows
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 7e91eb360..25debf7d8 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -25,11 +25,26 @@ logsources:
 service: security
 conditions:
 winlog.channel: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
 windows-sysmon:
 product: windows
 service: sysmon
 conditions:
 winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
 windows-dns-server:
 product: windows
 service: dns-server
@@ -135,6 +150,7 @@ fieldmappings:
 Product: winlog.event_data.Product
 Properties: winlog.event_data.Properties
 RuleName: winlog.event_data.RuleName
+ ScriptBlockText: powershell.file.script_block_text
 SecurityID: winlog.event_data.SecurityID
 ServiceFileName: winlog.event_data.ServiceFileName
 ServiceName: winlog.event_data.ServiceName
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 34fef1fdd..be68b3193 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -24,11 +24,26 @@ logsources:
 service: security
 conditions:
 log_name: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
 windows-sysmon:
 product: windows
 service: sysmon
 conditions:
 log_name: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
 windows-dns-server:
 product: windows
 service: dns-server
@@ -119,6 +134,7 @@ fieldmappings:
 ProcessName: event_data.ProcessName
 Product: event_data.Product
 Properties: event_data.Properties
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: event_data.SecurityID
 ServiceFileName: event_data.ServiceFileName
 ServiceName: event_data.ServiceName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 9bb3c5559..679ebed8c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -24,11 +24,26 @@ logsources:
 service: security
 conditions:
 winlog.channel: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
 windows-sysmon:
 product: windows
 service: sysmon
 conditions:
 winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
 windows-dns-server:
 product: windows
 service: dns-server
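Review bot: In winlogbeat-old.yml the three new logsource entries condition on `winlog.channel:` while the neighbouring `windows-security` and `windows-sysmon` entries in the same file condition on `log_name:`, so under the old field naming this config targets the new PowerShell and System rules would produce queries that never match. The same mismatch appears in that file's second hunk, where `ScriptBlockText: winlog.event_data.ScriptBlockText` sits among `event_data.*` mappings. The lines should follow the file's own convention, e.g. `log_name: System` and `ScriptBlockText: event_data.ScriptBlockText`, leaving the `winlog.*` form to winlogbeat.yml and winlogbeat-modules-enabled.yml.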
@@ -125,6 +140,7 @@ fieldmappings: Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName SAMAccountName: winlog.event_data.SamAccountName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index e7bf3ec21..1fb4cfb37 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -21,6 +21,7 @@ import sys import os from random import randrange from distutils.util import strtobool +from uuid import uuid4 import sigma import yaml @@ -509,16 +510,22 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast } else: # if the condition is count() by MyGroupedField > XYZ group_aggname = "{}_count".format(agg.groupfield) + count_agg_name = "single_{}_count".format(agg.groupfield) self.queries[-1]['aggs'] = { group_aggname: { 'terms': { 'field': '%s' % (agg.groupfield) }, 'aggs': { + count_agg_name: { + 'value_count': { + 'field': '%s' % agg.groupfield + } + }, 'limit': { 'bucket_selector': { 'buckets_path': { - 'count': group_aggname + 'count': count_agg_name }, 'script': 'params.count %s %s' % (agg.cond_op, agg.condition) } 
@@ -1215,7 +1222,14 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): """Elasticsearch detection rule backend""" identifier = "es-rule" active = True - + uuid_black_list = [] + options = ElasticsearchQuerystringBackend.options + ( + ("put_filename_in_ref", False, "Want to have yml name in reference ?", None), + ("convert_to_url", False, "Want to convert to a URL ?", None), + ("path_to_replace", "../", "The local path to replace with dest_base_url", None), + ("dest_base_url", "https://github.com/SigmaHQ/sigma/tree/master/", "The URL prefix", None), + ("custom_tag", None , "Add a custom tag", None), + ) def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.tactics = self._load_mitre_file("tactics") @@ -1298,6 +1312,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): return technique def map_risk_score(self, level): + if level not in ["low","medium","high","critical"]: + level = "medium" if level == "low": return 5 elif level == "medium": 
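Review bot: `map_risk_score` only accepts lower-case level names, so a rule with `level: High` now gets a "medium" risk score, while `map_severity` in the next hunk lower-cases its input and would report "high" for the same rule; the two fields disagree for the same input. Add `level = str(level).lower()` before the membership check so both mappings normalise identically. Separately, `uuid_black_list = []` is a class attribute, so the set of seen ids is shared by every `ElasticSearchRuleBackend` instance in the process; if that is not the intent it belongs in `__init__`, and either way a short comment stating the scope would help.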
@@ -1307,6 +1323,35 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): elif level == "critical": return 95 + def map_severity(self, severity): + severity = severity.lower() + if severity in ["low","medium","high","critical"]: + return severity + elif severity == "informational": + return "low" + else: + return "medium" + + def build_ymlfile_ref(self, configs): + if self.put_filename_in_ref == False: # Dont want + return None + + yml_filename = configs.get("yml_filename") + yml_path = configs.get("yml_path") + if yml_filename == None or yml_path == None: + return None + + if self.convert_to_url: + yml_path = yml_path.replace('\\','/') #windows path to url + self.path_to_replace = self.path_to_replace.replace('\\','/') #windows path to url + if self.path_to_replace not in yml_path: #Error to change + return None + + new_ref = yml_path.replace(self.path_to_replace,self.dest_base_url) + '/' + yml_filename + else: + new_ref = yml_filename + return new_ref + def create_rule(self, configs, index): tags = configs.get("tags", []) tactics_list = list() 
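Review bot: `build_ymlfile_ref` tests `self.path_to_replace not in yml_path` and then calls `yml_path.replace(...)`, which is a substring test and an all-occurrences replacement rather than a prefix strip, so a path that merely contains the prefix somewhere in the middle is accepted and rewritten in every position; `if not yml_path.startswith(self.path_to_replace): return None` followed by `self.dest_base_url + yml_path[len(self.path_to_replace):]` matches what the option help text describes. The method also rewrites the option value `self.path_to_replace` on every call, which is harmless but surprising for a per-rule helper; normalise it once in `__init__` instead. Style: `self.put_filename_in_ref == False` and `yml_filename == None` should be `not self.put_filename_in_ref` and `yml_filename is None`.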
@@ -1338,17 +1383,43 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): if tact: new_tags.append(tag.title()) tactics_list.append(tact) + + if self.custom_tag: + new_tags.append(self.custom_tag) + threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) rule_name = configs.get("title", "").lower() - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + rule_uuid = configs.get("id", "").lower() + if rule_uuid == "": + rule_uuid = str(uuid4()) + if rule_uuid in self.uuid_black_list: + rule_uuid = str(uuid4()) + self.uuid_black_list.append(rule_uuid) + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) risk_score = self.map_risk_score(configs.get("level", "medium")) references = configs.get("reference") if references is None: references = configs.get("references") + falsepositives = [] + yml_falsepositives = configs.get('falsepositives',["Unknown"]) + if isinstance(yml_falsepositives,str): + falsepositives.append(yml_falsepositives) + else: + falsepositives=yml_falsepositives + + add_ref_yml= self.build_ymlfile_ref(configs) + if add_ref_yml: + if references is None: # No ref + references=[] + if add_ref_yml in references: + pass # else put a duplicate ref for multi rule file + else: + references.append(add_ref_yml) + rule = { "description": configs.get("description", ""), "enabled": True, - "false_positives": configs.get('falsepositives', "Unknown"), + "false_positives": falsepositives, "filters": [], "from": "now-360s", "immutable": False, @@ -1364,7 +1435,7 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): "meta": { "from": "1m" }, - "severity": configs.get("level", "medium"), + "severity": self.map_severity(configs.get("level", "medium")), "tags": new_tags, "to": "now", "type": self.rule_type, 
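Review bot: When a Sigma rule has no `id`, or when its `id` was already seen in `self.uuid_black_list`, `create_rule` silently substitutes a fresh `uuid4()`, so the generated rule id no longer matches the Sigma rule and differs on every run, which breaks anyone tracking rules by id in Elastic; at minimum print a warning naming the rule, e.g. `print("Rule '{}' has a missing or duplicate id, generated {}".format(rule_name, rule_uuid), file=sys.stderr)`. `rule_name` is now only used for that kind of message, and the `re.sub` over a uuid string is a leftover from when it was applied to the title. `create_rule` starts outside this hunk.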
@@ -1375,6 +1446,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) + self.rule_type = "query" + self.rule_threshold = {} return json.dumps(rule) class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): diff --git a/tools/sigma/backends/fireeye-helix.py b/tools/sigma/backends/fireeye-helix.py index edf999a21..fca445da9 100644 --- a/tools/sigma/backends/fireeye-helix.py +++ b/tools/sigma/backends/fireeye-helix.py @@ -125,14 +125,14 @@ class FireEyeHelixBackend(SingleTextQueryBackend): def generateNULLValueNode(self, node): # Don't generate null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.notNullExpression % (node.item) def generateNotNULLValueNode(self, node): # Don't generate not null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.nullExpression % (node.item) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 4ae813633..383134a40 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -68,6 +68,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'isAllStringValues', 'keywordField', 'postOpMapper', + 'isCaseSensitive', ]) _allFieldMappings = { 'edr': { @@ -81,7 +82,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogEDRFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -93,7 +95,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogEDRFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows/process_creation/": SigmaLCConfig( topLevelParams = { 
@@ -120,7 +123,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = "event/COMMAND_LINE", - postOpMapper = _mapProcessCreationOperations + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = [] ), "dns//": SigmaLCConfig( topLevelParams = { @@ -132,7 +136,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "linux//": SigmaLCConfig( topLevelParams = { @@ -150,7 +155,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = 'event/COMMAND_LINE', - postOpMapper = None + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] ), "unix//": SigmaLCConfig( topLevelParams = { @@ -168,7 +174,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = 'event/COMMAND_LINE', - postOpMapper = None + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] ), "netflow//": SigmaLCConfig( topLevelParams = { @@ -181,7 +188,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "/proxy/": SigmaLCConfig( topLevelParams = { 
@@ -197,7 +205,37 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] + ), + "macos/process_creation/": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is mac", + }, + fieldMappings = { + "CommandLine": "event/COMMAND_LINE", + "Commandline": "event/COMMAND_LINE", + "Image": "event/FILE_PATH", + "ParentImage": "event/PARENT/FILE_PATH", + "ParentCommandLine": "event/PARENT/COMMAND_LINE", + "User": "event/USER_NAME", + "OriginalFileName": "event/ORIGINAL_FILE_NAME", + # Custom field names coming from somewhere unknown. + "NewProcessName": "event/FILE_PATH", + "ProcessCommandLine": "event/COMMAND_LINE", + # Another one-off command line. + "Command": "event/COMMAND_LINE", + }, + isAllStringValues = False, + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = ['event/FILE_PATH'] ), }, "artifact": { @@ -210,7 +248,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogArtifactFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -221,7 +260,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogArtifactFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), } } 
@@ -272,7 +312,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) @@ -291,6 +331,9 @@ class LimaCharlieBackend(BaseBackend): # Call to fixup all operations after the fact. self._postOpMapper = postOpMapper + # Event paths that are case sensitive. + self._isCaseSensitiveFS = isCaseSensitive + # Call the original generation code. detectComponent = super().generate(sigmaparser) @@ -453,7 +496,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal @@ -471,7 +514,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index bd734bfa6..bc55a1ba1 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -1,6 +1,7 @@ # Output backends for sigmac # Copyright 2019 Jayden Zheng # Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by 
@@ -43,9 +44,16 @@ class SQLBackend(SingleTextQueryBackend): mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list mapLength = "(%s %s)" - def __init__(self, sigmaconfig, table): + options = SingleTextQueryBackend.options + ( + ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) - self.table = table + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] @@ -162,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend): group_by = "" if agg.aggfield: - select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - select = "{}(*) AS agg".format(agg.aggfunc_notrans) + select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 66832d576..963021815 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -20,6 +20,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): conditionDict = { "startswith": "begin with", "endswith": "end with", + "all": "contains all" } def __init__(self, *args, **kwargs): 
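Review bot: The `table` option is declared with default `False`, but `__init__` tests `"table" in options` and falls back to `"eventlog"` only when the key is absent; if the options machinery populates declared defaults (I cannot see it from here), `self.table` becomes `False` and the query text will contain `FROM False`. `self.table = options.get("table") or "eventlog"` covers both shapes. Because the table name is interpolated verbatim into the generated SQL, it is also worth restricting it to identifier characters (`re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ...)`) and rejecting anything else, so a stray value cannot turn into SQL text.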
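Review bot: Prefixing `*,` to the aggregation select produces `SELECT *, COUNT(*) AS agg ... GROUP BY field`, which most engines reject (PostgreSQL always, MySQL under ONLY_FULL_GROUP_BY) because non-aggregated columns are selected alongside a GROUP BY; the change only works on engines that tolerate bare columns in grouped queries, and nothing in the hunk says which one is targeted. If the intent is to keep the grouping field visible, select that field explicitly, e.g. `select = "{},{}({}) AS agg".format(group_by_field, agg.aggfunc_notrans, ...)`, or document the engine assumption in a comment above these two lines. The enclosing method starts and ends outside the hunk.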
@@ -78,14 +79,19 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): def mapFiledValue(self, field, value): condition = None + any_selector = "contains any" if "|" in field: field, *pipes = field.split("|") if len(pipes) == 1: - condition = pipes[0] + modifier = pipes[0] + if modifier in self.conditionDict: + condition = self.conditionDict[modifier] + if modifier == "all": + any_selector = "contains all" else: raise NotImplementedError("not implemented condition") if isinstance(value, list) and len(value) > 1: - condition = "contains any" + condition = any_selector value = ";".join(value) elif "*" in value: if value.startswith("*") and value.endswith("*"): diff --git a/tools/sigma/backends/uberagent.py b/tools/sigma/backends/uberagent.py index 569675091..682e91161 100644 --- a/tools/sigma/backends/uberagent.py +++ b/tools/sigma/backends/uberagent.py @@ -34,7 +34,8 @@ def convert_sigma_name_to_uberagent_tag(name): def convert_sigma_category_to_uberagent_event_type(category): categories = { "process_creation": "Process.Start", - "image_load": "Image.Load" + "image_load": "Image.Load", + "dns": "Dns.Query" } if category in categories: @@ -48,6 +49,14 @@ def is_sigma_category_supported(category): return convert_sigma_category_to_uberagent_event_type(category) is not None +class IgnoreTypedModifierException(Exception): + """ + IgnoreTypedModifierException + Helper class to ignore exceptions of type identifiers that are not yet supported. + """ + pass + + class IgnoreFieldException(Exception): """ IgnoreFieldException @@ -56,6 +65,13 @@ class IgnoreFieldException(Exception): pass +class IgnoreAggregationException(Exception): + """ + IgnoreAggregationException + Helper class to ignore exceptions of aggregation rules that are not yet supported. + """ + + class MalformedRuleException(Exception): """ MalformedRuleException 
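Review bot: After this change a modifier that is not in `conditionDict` (for example `contains`) leaves `condition` as `None` and falls through silently, whereas before the hunk the raw modifier was carried in `condition`; unless the code below the hunk maps `None` sensibly, such rules now generate an incomplete Sysmon condition without any error, unlike the `len(pipes) != 1` branch which raises. Make the unsupported case explicit: `else: raise NotImplementedError("unsupported modifier '{}'".format(modifier))`. The `if modifier == "all": any_selector = "contains all"` line duplicates what `conditionDict["all"]` already provides and could be dropped. `mapFiledValue` continues outside the hunk.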
@@ -79,6 +95,46 @@ class ActivityMonitoringRule: self.description = "" self.sigma_level = "" + # Specifies the properties that are being evaluated and send to the backend + # if an Activity Monitoring rule is matched. + self.generic_properties = { + "Process.": [ + "Process.Hash.MD5", + "Process.Hash.SHA1", + "Process.Hash.SHA256", + "Process.Hash.IMP" + ], + "Image.": [ + "Image.Name", + "Image.Path", + "Image.Hash.MD5", + "Image.Hash.SHA1", + "Image.Hash.SHA256", + "Image.Hash.IMP" + ], + "Net.": [ + "Net.Target.Ip", + "Net.Target.Name", + "Net.Target.Port", + "Net.Target.Protocol" + ], + "Reg.": [ + "Reg.Key.Path", + "Reg.Key.Path.New", + "Reg.Key.Path.Old" + "Reg.Key.Name", + "Reg.Parent.Key.Path", + "Reg.Value.Name", + "Reg.File.Name", + "Reg.Key.Sddl", + "Reg.Key.Hive", + ], + "Dns.": [ + "Dns.QueryRequest", + "Dns.QueryResponse" + ] + } + def set_query(self, query): """Sets the generated query.""" self.query = query @@ -148,6 +204,18 @@ class ActivityMonitoringRule: result += "RiskScore = {}\n".format(self.risk_score) result += "Query = {}\n".format(self.query) + + counter = 1 + for event_type_prefix in self.generic_properties: + if self.event_type.startswith(event_type_prefix): + for prop in self.generic_properties[event_type_prefix]: + # Generic properties are limited to 10. + if counter > 10: + break + + result += "GenericProperty{} = {}\n".format(counter, prop) + counter += 1 + return result @@ -190,6 +258,7 @@ class uberAgentBackend(SingleTextQueryBackend): active = True config_required = False rule = None + current_category = None # # SingleTextQueryBackend @@ -201,8 +270,8 @@ class uberAgentBackend(SingleTextQueryBackend): listExpression = "[%s]" listSeparator = ", " valueExpression = "\"%s\"" - nullExpression = "is null" - notNullExpression = "is not null" + nullExpression = "%s == ''" + notNullExpression = "%s != ''" mapExpression = "%s == %s" mapListsSpecialHandling = True mapListValueExpression = "%s in %s" 
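Review bot: In `generic_properties["Reg."]` the entry `"Reg.Key.Path.Old"` has no trailing comma, so Python concatenates it with the next literal and the list contains the bogus property `Reg.Key.Path.OldReg.Key.Name` while `Reg.Key.Name` is missing; the fix is `"Reg.Key.Path.Old",`. Since the list is emitted as `GenericProperty{N}` lines in the second hunk, the defect ends up in every generated registry rule. The table is also constant per class and could be a class attribute rather than rebuilt in each `ActivityMonitoringRule.__init__`.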
@@ -229,7 +298,31 @@ class uberAgentBackend(SingleTextQueryBackend): "command": "Process.CommandLine", "processname": "Process.Name", "user": "Process.User", - "username": "Process.User" + "username": "Process.User", + "company": "Process.Company" + } + + fieldMappingPerCategory = { + "process_creation": { + "sha1": "Process.Hash.SHA1", + "imphash": "Process.Hash.IMP", + "childimage": "Process.Path" + # Not yet supported. + # "signed": "Process.IsSigned" + }, + "image_load": { + "sha1": "Image.Hash.SHA1", + "imphash": "Image.Hash.IMP", + "childimage": "Image.Path" + # Not yet supported. + # "signed": "Image.IsSigned" + }, + "dns": { + "query": "Dns.QueryRequest", + # Not yet supported. + # "record_type": "Dns.QueryResponseType", + "answer": "Dns.QueryResponse" + } } # We ignore some fields that we don't support yet but we don't want them to @@ -240,19 +333,25 @@ class uberAgentBackend(SingleTextQueryBackend): "logonid", "integritylevel", "currentdirectory", - "company", "parentintegritylevel", - "sha1", "eventid", "parentuser", - "imphash" + "parent_domain", + "signed", + "parentofparentimage", + "record_type" ] rules = [] def fieldNameMapping(self, fieldname, value): - """Maps field names to uberAgent field names.""" key = fieldname.lower() + + if self.current_category is not None: + if self.current_category in self.fieldMappingPerCategory: + if key in self.fieldMappingPerCategory[self.current_category]: + return self.fieldMappingPerCategory[self.current_category][key] + if key not in self.fieldMapping: if key in self.ignoreFieldList: raise IgnoreFieldException() 
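Review bot: The hunk removes the docstring of `fieldNameMapping` while adding a second lookup table, leaving the precedence between `fieldMappingPerCategory` and `fieldMapping` undocumented. Restore it as `"""Map a Sigma field name to an uberAgent property, preferring the per-category table over the generic one."""`. `fieldNameMapping` continues outside the hunk.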
@@ -261,18 +360,26 @@ class uberAgentBackend(SingleTextQueryBackend): return self.fieldMapping[key] + def generateQuery(self, parsed): + if parsed.parsedAgg: + raise IgnoreAggregationException() + + return self.generateNode(parsed.parsedSearch) + def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" product, category, service, title, level, condition, description = get_parser_properties(sigmaparser) - if product not in ["windows"]: - return "" # Do not generate a rule if the given category is unsupported by now. if not is_sigma_category_supported(category): return "" - if category not in ["process_creation", "image_load"]: + + # We support windows rules and generic rules that don't have a specific product specifier - such as DNS. + if product not in ["windows", ""]: return "" + self.current_category = category + try: rule = ActivityMonitoringRule() @@ -287,6 +394,10 @@ class uberAgentBackend(SingleTextQueryBackend): rule.set_description(description) self.rules.append(rule) print("Generated rule <{}>.. [level: {}]".format(rule.name, level)) + except IgnoreTypedModifierException: + return "" + except IgnoreAggregationException: + return "" except IgnoreFieldException: return "" except MalformedRuleException: 
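Review bot: The new `except IgnoreTypedModifierException` and `except IgnoreAggregationException` branches return `""` without any output, and the next hunk replaces the former `NotImplementedError` messages with those exceptions, so rules using typed modifiers or aggregations now vanish from the generated ruleset with no trace in the run log. That silently shrinks detection coverage; print the skipped rule the same way successful rules are reported, e.g. `print("Skipped rule <{}>: unsupported modifier or aggregation".format(title))`, so operators can see what was not converted. `generate` begins in this hunk but its body continues outside it.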
@@ -313,16 +424,17 @@ class uberAgentBackend(SingleTextQueryBackend): count_low = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-low.conf", "low") count_medium = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-medium.conf", "medium") print("Generated {} activity monitoring rules..".format(len(self.rules))) - print("This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, count_high, count_medium, count_low)) + print( + "This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, + count_high, + count_medium, + count_low)) def generateTypedValueNode(self, node): - raise NotImplementedError("Default implementation for identifier {} not available.".format(node.identifier)) + raise IgnoreTypedModifierException() def generateMapItemTypedNode(self, fieldname, value): - try: - return self.typedValueExpression[type(value)] % (fieldname, str(value)) - except KeyError: - raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + raise IgnoreTypedModifierException() def generateMapItemListNode(self, key, value): return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")" @@ -331,6 +443,9 @@ class uberAgentBackend(SingleTextQueryBackend): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) + if value is None: + return self.nullExpression % (transformed_fieldname,) + has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value)) if "," in self.generateNode(value) and not has_wildcard: diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 5ec72b621..ca40dbc2e 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -15,6 +15,7 @@ # along with this program. If not, see . # Rule Filtering +import datetime class SigmaRuleFilter: """Filter for Sigma rules with conditions""" LEVELS = { 
@@ -26,11 +27,14 @@ class SigmaRuleFilter: STATES = ["experimental", "testing", "stable"] def __init__(self, expr): - self.minlevel = None - self.maxlevel = None - self.status = None - self.logsources = list() - self.tags = list() + self.minlevel = None + self.maxlevel = None + self.status = None + self.logsources = list() + self.notlogsources = list() + self.tags = list() + self.nottags = list() + self.inlastday = None for cond in [c.replace(" ", "") for c in expr.split(",")]: if cond.startswith("level<="): @@ -58,8 +62,18 @@ class SigmaRuleFilter: raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond)) elif cond.startswith("logsource="): self.logsources.append(cond[cond.index("=") + 1:]) + elif cond.startswith("logsource!="): + self.notlogsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("tag!="): + self.nottags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("inlastday="): + nbday = cond[cond.index("=") + 1:] + try: + self.inlastday = int(nbday) + except ValueError as e: + raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e else: raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond) @@ -101,6 +115,17 @@ class SigmaRuleFilter: if logsrc not in logsources: return False + # NOT Log Sources + if self.notlogsources: + try: + notlogsources = { value for key, value in yamldoc['logsource'].items() } + except (KeyError, AttributeError): # no log source set + return False # User wants status restriction, but it's not possible here + + for logsrc in self.notlogsources: + if logsrc in notlogsources: + return False + # Tags if self.tags: try: 
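Review bot: The `logsource!=` branch returns `False` when the rule has no `logsource` block, so a negative filter excludes exactly the rules that cannot contain the unwanted log source; the same inversion appears in the `tag!=` handling in the next hunk. For a negation the missing-key case should be treated as "nothing to exclude", e.g. `except (KeyError, AttributeError): notlogsources = set()`. The `# User wants status restriction` comment on that line is copied from the status filter and should name the log source.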
@@ -111,7 +136,37 @@ class SigmaRuleFilter:
 for tag in self.tags:
 if tag not in tags:
 return False
+ # NOT Tags
+ if self.nottags:
+ try:
+ nottags = [ tag.lower() for tag in yamldoc['tags']]
+ except (KeyError, AttributeError): # no tags set
+ return False
+ for tag in self.nottags:
+ if tag in nottags:
+ return False
+
+ # date in the last N days
+ if self.inlastday:
+ try:
+ date_str = yamldoc['date']
+ except KeyError: # missing date
+ return False # User wants date time restriction, but it's not possible here
+
+ try:
+ modified_str = yamldoc['modified']
+ except KeyError: # no update
+ modified_str = None
+ if modified_str:
+ date_str = modified_str
+
+ date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d')
+ today_objet = datetime.datetime.now()
+ delta = today_objet - date_object
+ if delta.days > self.inlastday:
+ return False
+
 # all tests passed
 return True
diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py
index 7de47cce7..b7cc9ccf1 100644
--- a/tools/sigma/parser/collection.py
+++ b/tools/sigma/parser/collection.py
@@ -28,7 +28,7 @@ class SigmaCollectionParser:
 * reset: resets global attributes from previous set_global statements
 * repeat: takes attributes from this YAML document, merges into previous rule YAML and regenerates the rule
 """
- def __init__(self, content, config=None, rulefilter=None):
+ def __init__(self, content, config=None, rulefilter=None, filename=None):
 if config is None:
 from sigma.configuration import SigmaConfiguration
 config = SigmaConfiguration()
@@ -36,6 +36,13 @@ class SigmaCollectionParser:
 globalyaml = dict()
 self.parsers = list()
 prevrule = None
+ if filename:
+ try:
+ globalyaml['yml_filename']=str(filename.name)
+ globalyaml['yml_path']=str(filename.parent)
+ except:
+ filename = None
+
 for yamldoc in self.yamls:
 action = None
 try:
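Review bot: `datetime.datetime.strptime(date_str, '%Y/%m/%d')` in the inlastday block is unguarded, so a rule whose `date` or `modified` value is not in yyyy/mm/dd form (or was loaded by YAML as a non-string) aborts the whole filter run with a ValueError or TypeError, while a missing date is quietly treated as "does not match"; handle both the same way with `except (TypeError, ValueError): return False` around the strptime call, or report it as a parse error if that is preferred. The `modified` lookup can be `modified_str = yamldoc.get('modified')`, which drops the try/except and reads like the rest of the method. `today_objet` is a typo for `today_object`, and because only `.days` is compared, a short comment `# day granularity: a rule dated exactly N days ago still passes` would make the boundary explicit.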
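Review bot: The bare `except:` around `filename.name` / `filename.parent` also swallows KeyboardInterrupt and SystemExit; the only failure it guards against is a `filename` argument without those attributes (a stream rather than a pathlib.Path), so narrow it to `except AttributeError:`. It is also worth a comment that `yml_path` records the directory of the operator's checkout in every rule's global attributes, where any backend that serialises rule metadata will emit it, e.g. `# NOTE: yml_path exposes the local directory layout to backends that emit rule attributes`. The __init__ docstring above the hunk should describe the new `filename` parameter as a path-like object whose `.name` and `.parent` are recorded, and that it is ignored when those attributes are missing.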
@@ -48,6 +55,9 @@ class SigmaCollectionParser:
 deep_update_dict(globalyaml, yamldoc)
 elif action == "reset":
 globalyaml = dict()
+ if filename:
+ globalyaml['yml_filename']=str(filename.name)
+ globalyaml['yml_path']=str(filename.parent)
 elif action == "repeat":
 if prevrule is None:
 raise SigmaCollectionParseError("action 'repeat' is only applicable after first valid Sigma rule")
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index a3994e615..5d50a3733 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -233,7 +233,7 @@ def main():
 f = sigmafile
 else:
 f = sigmafile.open(encoding='utf-8')
- parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
+ parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile)
 results = parser.generate(backend)
 newline_separator = '\0' if cmdargs.print0 else '\n'
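Review bot: The reset branch repeats the two `globalyaml[...] = str(filename...)` assignments from `__init__` without the guard, so the two copies can drift apart; compute the pair once in the existing try in `__init__` (`fileinfo = {'yml_filename': str(filename.name), 'yml_path': str(filename.parent)}`, initialised to `{}` before it), then use `globalyaml = dict(fileinfo)` here and `globalyaml.update(fileinfo)` in `__init__`. The sigmac.py hunk passes `sigmafile` on the stdin branch as well (`f = sigmafile`), where it presumably is not a pathlib.Path; that works only because the parser swallows the attribute error, so either pass `None` on that branch or note the dependency in a comment next to the call. main() begins and ends outside the hunk.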
@@ -243,23 +243,23 @@ def main():
 print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
 error = ERR_OPEN_SIGMA_RULE
 except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
 error = ERR_INVALID_YAML
 if not cmdargs.defer_abort:
 sys.exit(error)
 except (SigmaParseError, SigmaCollectionParseError) as e:
- print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
 error = ERR_SIGMA_PARSING
 if not cmdargs.defer_abort:
 sys.exit(error)
 except NotSupportedError as e:
- print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
+ print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
 error = ERR_NOT_SUPPORTED
 if not cmdargs.defer_abort:
 sys.exit(error)
 except BackendError as e:
- print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
 error = ERR_BACKEND
 if not cmdargs.defer_abort:
@@ -272,13 +272,13 @@ def main():
 if not cmdargs.defer_abort:
 sys.exit(error)
 except PartialMatchError as e:
- print("Partial field match error: %s" % str(e), file=sys.stderr)
+ print("Error: Partial field match error: %s" % str(e), file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
 error = ERR_PARTIAL_FIELD_MATCH
 if not cmdargs.defer_abort:
 sys.exit(error)
 except FullMatchError as e:
- print("Full field match error", file=sys.stderr)
+ print("Error: Full field match error", file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
 error = ERR_FULL_FIELD_MATCH
 if not cmdargs.defer_abort:
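Review bot: `except FullMatchError as e:` still binds `e`, yet the rewritten message `"Error: Full field match error"` is the only one in these hunks that does not print it, so the operator gets no hint which field or rule triggered the error; `print("Error: Full field match error: %s" % str(e), file=sys.stderr)` keeps it in line with the PartialMatchError branch just above. main() begins and ends outside the hunks.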
diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py
index b4bd82026..b30da675d 100644
--- a/tools/tests/test_backend_sql.py
+++ b/tools/tests/test_backend_sql.py
@@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase):
 # count
 detection = {"selection": {"fieldname": "test"}, "condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase):
 # min
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | min(fieldname2) > 5"}
- inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase):
 # max
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | max(fieldname2) > 5"}
- inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase):
 # avg
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | avg(fieldname2) > 5"}
- inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase):
 # sum
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) > 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase):
 # <
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) < 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase):
 # ==
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase):
 # group by
 detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) by fieldname3 == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase):
 # multiple conditions
 detection = {"selection": {"fieldname1": "test"}, "filter": { "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
 self.validate(detection, expected_result)
diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py
index ac7647739..294a59de2 100644
--- a/tools/tests/test_backend_sqlite.py
+++ b/tools/tests/test_backend_sqlite.py
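Review bot: The updated expectation pins `SELECT *,sum(fieldname2) AS agg ... GROUP BY fieldname3` for the generic SQL backend (the backend change itself is not in this chunk); projecting `*` next to an aggregate under GROUP BY is rejected by engines that enforce full GROUP BY semantics (PostgreSQL, MySQL with ONLY_FULL_GROUP_BY), so the test now documents output that only runs on lenient engines such as SQLite, where the sqlite variant below is appropriate. Add a comment above the `# group by` case, `# NOTE: 'SELECT *, agg ... GROUP BY' relies on bare-column semantics and fails under strict GROUP BY`, or limit the `*` projection to the non-grouped aggregations in the backend and adjust this expectation. The earlier hunks in test_backend_sql.py carry the same `SELECT *,` change but without GROUP BY, so they are not affected by this point.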
@@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase):
 # aggregation with fts
 detection = {"selection": ["test"], "condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
 detection = {"selection": ["test1", "test2"], "condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)
@@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase):
 # aggregation + group by + fts
 detection = {"selection": ["test1", "test2"], "condition": "selection | count() by fieldname > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
 self.table)
 expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
 self.validate(detection, expected_result)