chore: update the README file to include an additional project to the section Projects or Products that use or integrate Sigma rules
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
-O:
attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file.
ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex}
ruleType: It's used to set rule id in XML rule.
1. Generate rule for one YML file
a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
Output:
<Rules>
<Rule group="PH_SYS_RULE_THREAT_HUNTING" natural_id="PH_Rule_Windows_SIGMA_0" phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
<Name>Python Initiated Connection </Name>
<IncidentTitle>Python Initiated Connection</IncidentTitle>
<active>true</active>
<Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
<SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
<CustomerScope groupByEachCustomer="true">
<Include all="true"/>
<Exclude/>
</CustomerScope>
<IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
<ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
</IncidentDef>
<PatternClause window="300">
<SubPattern displayName="Filter" name="Filter">
<SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
<GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
<GroupEvtConstr> COUNT(*) >= 1 </GroupEvtConstr>
</SubPattern>
</PatternClause>
<TriggerEventDisplay>
<AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
</TriggerEventDisplay>
</Rule>
</Rules>
2. Generate rules for YML files under rules/windows
a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
Generate rules for YML files under rules/windows
3. Find files that is modified after some date.
a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
Output:
rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
rules/windows/wmi_event/TestFile.yml, No date
norbert791