Compare commits

...

304 Commits

Author SHA1 Message Date
Thomas Patzke d5885686fc Sigmatools release 0.12
* Value modifiers
* Config name cleanup
2019-08-01 23:45:07 +02:00
Thomas Patzke 805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke 31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
Florian Roth 2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth de74eb4eb7 Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
Florian Roth bf0179c0d5 Merge pull request #397 from neu5ron/patch-5
prevent EventID collision for dhcp
2019-07-17 09:17:05 +02:00
yugoslavskiy e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
Thomas Patzke 0ca15e5c5e Added test case for value modifiers 2019-07-16 23:14:55 +02:00
Thomas Patzke 8a3117d73e Nested list handling for chained value modifiers 2019-07-16 23:03:19 +02:00
Nate Guagenti e2050404bc prevent EventID collision for dhcp
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
Specifically, a lot with Microsoft-Windows-Security-SPP.
2019-07-16 15:30:52 -04:00
Thomas Patzke 6881967889 Further modifiers
* base64
* base64offset
2019-07-16 00:00:35 +02:00
Thomas Patzke 1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
Thomas Patzke b9ff280209 Cleanup of configuration names 2019-07-14 00:50:15 +02:00
Thomas Patzke b20b42b9c9 Added breaking changes file 2019-07-14 00:24:32 +02:00
Thomas Patzke 5489f870cc Merge pull request #393 from HacknowledgeCH/master
Explicit OR for list elements
2019-07-13 23:11:44 +02:00
Thomas Patzke 134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions
Fixes #395
2019-07-13 00:35:35 +02:00
christophetd 576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
Florian Roth 2b062a0de7 Merge pull request #389 from christophetd/patch-1
Include Github raw URLs in suspicious downloads detection rule
2019-07-05 16:54:09 +02:00
Christophe Tafani-Dereeper 5bc10a4855 Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth f7ba2b3976 fix: bug in sumologic backend with 'null' values 2019-07-02 22:31:10 +02:00
Florian Roth 0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
Florian Roth ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Thomas Patzke 337681cfce Value modifiers
* First transformation modifiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
Thomas Patzke 161965d14c Added version information to Winlogbeat configs 2019-06-30 22:44:12 +02:00
Thomas Patzke 66f7f5b516 Merge pull request #385 from herrBez/fix-beat-fieldnames
Modified winlogbeat config to adhere to winlogbeat 7 field names
2019-06-30 22:42:59 +02:00
Thomas Patzke 141c4f42f3 Merge pull request #383 from TareqAlKhatib/typos
fixed typos
2019-06-30 22:39:56 +02:00
herrBez 74021d53d8 Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
2019-06-30 12:13:21 +02:00
Tareq AlKhatib 15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Thomas Patzke f4c8745cde Merge branch 'juju4-devel-sumo' 2019-06-29 00:12:25 +02:00
Thomas Patzke 6fab5d7f23 Improved testing and removed dead&debug code 2019-06-29 00:09:53 +02:00
Thomas Patzke 377872c91e Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo 2019-06-28 23:39:15 +02:00
Thomas Patzke 1cb84d0592 Merge pull request #381 from vburov/patch-6
Added command that stops services.
2019-06-28 23:33:54 +02:00
Thomas Patzke a61ad9c9a6 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-06-28 23:32:37 +02:00
Thomas Patzke c09c1c1b6e Merge branch 'sacx-master' 2019-06-28 23:31:09 +02:00
Thomas Patzke 0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Vasiliy Burov 2f123f64a7 Added command that stops services. 2019-06-28 19:46:34 +03:00
Adrian Constantin Stanila feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook
Added timestamp filter query.
2019-06-27 08:54:59 +03:00
Florian Roth ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth 708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth 41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Thomas Patzke 0ea3a681df Merge pull request #378 from cclauss/patch-1
Use print() function in both Python 2 and Python 3
2019-06-26 15:15:49 +02:00
cclauss 2cbefb208b Use print() function in both Python 2 and Python 3
Legacy __print__ statements are syntax errors in Python 3 but the __print()__ function works as expected in both Python 2 and Python 3.

[flake8](http://flake8.pycqa.org) testing of https://github.com/Neo23x0/sigma on Python 3.7.1

$ __flake8 . --count --select=E9,F63,F72,F82 --show-source --statistics__
```
./contrib/sigma2sumologic.py:123:5: F821 undefined name 'parser_print_help'
    parser_print_help()
    ^
./contrib/sigma2sumologic.py:211:32: F821 undefined name 'r'
            f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
                               ^
./contrib/sigma2elastalert.py:165:32: E999 SyntaxError: invalid syntax
        print "Converting file " + file
                               ^
./tools/sigma/parser/collection.py:52:27: F821 undefined name 'SigmaCollectionParseError'
                    raise SigmaCollectionParseError("action 'repeat' is only applicable after first valid Sigma rule")
                          ^
1     E999 SyntaxError: invalid syntax
3     F821 undefined name 'parser_print_help'
4
```
__E901,E999,F821,F822,F823__ are the "_showstopper_" [flake8](http://flake8.pycqa.org) issues that can halt the runtime with a SyntaxError, NameError, etc. These 5 are different from most other flake8 issues which are merely "style violations" -- useful for readability but they do not affect runtime safety.
* F821: undefined name `name`
* F822: undefined name `name` in `__all__`
* F823: local variable name referenced before assignment
* E901: SyntaxError or IndentationError
* E999: SyntaxError -- failed to compile a file into an Abstract Syntax Tree
2019-06-26 14:44:09 +02:00
Florian Roth 39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
juju4 654a009c9e sumologic backend: remove TypeError 2019-06-22 16:49:46 -04:00
juju4 559d0f4ba8 sumologic backend: force as string 2019-06-22 16:43:50 -04:00
juju4 2df0e9765c sumologic backend: pycodestyle review - E501 2019-06-22 16:41:57 -04:00
juju4 49533a5909 sumologic backend: pycodestyle review 2019-06-22 16:39:13 -04:00
juju4 84de12635e self.debug option, fix multiple keyvalue escapings/cleanValue, inline index for now 2019-06-22 16:19:45 -04:00
juju4 059957138d pycodestyle review, openpyxl, error at query generation=continue 2019-06-22 16:18:17 -04:00
juju4 a11d800353 Merge branch 'master' into devel-sumo 2019-06-22 09:18:23 -04:00
Florian Roth 26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke 5aecb6a5af Merge branch 'mgreen27-master' 2019-06-20 00:02:57 +02:00
Thomas Patzke 0f8849a652 Rule fixes
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke 429c29ed5a Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke f4da0c5540 Added field SecurityID to Winlogbeat config 2019-06-19 23:35:50 +02:00
Thomas Patzke 960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke f271685f59 Merge pull request #372 from dvas0004/patch-2
Addition of KeyLength field
2019-06-19 23:28:31 +02:00
Thomas Patzke e4e8ebbf95 Merge pull request #368 from JayPowerUser/web-source-code-enumeration
Web Source Code Enumeration via .git
2019-06-19 23:27:37 +02:00
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke d14f5c3436 Merge pull request #371 from savvyspoon/issue285
CAR tagging
2019-06-19 23:21:43 +02:00
Thomas Patzke d82df83ef1 Merge pull request #369 from TareqAlKhatib/refactors
Refactors
2019-06-19 23:16:19 +02:00
Thomas Patzke 84c7320849 Merge pull request #370 from SherifEldeeb/patch-1
Add detection for recent Mimikatz versions
2019-06-16 12:50:42 +02:00
mgreen27 07e2ee474c sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00
mgreen27 1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo d7443d71a4 Create win_pass_the_hash_2.yml
alternative detection methods
2019-06-14 18:08:36 +03:00
David Vassallo fdce7ad9bf Addition of KeyLength field 2019-06-14 17:58:47 +03:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb 2d22a3fe02 Add detection for recent Mimikatz versions
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
2019-06-12 12:13:31 +03:00
Thomas Patzke a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib d61a971874 Minor refactors 2019-06-10 09:55:52 +03:00
Tareq AlKhatib 3bcfc53905 Corrected Typo 2019-06-10 09:54:37 +03:00
Tareq AlKhatib fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
James Ahearn eae7e3ab10 Web Source Code Enumeration via .git 2019-06-08 22:40:28 -04:00
Thomas Patzke 407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
yugoslavskiy 5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy 6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy 10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth 491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth 80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth 5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Florian Roth df35d70ab1 Merge pull request #361 from neu5ron/patch-4
update correct process name
2019-06-01 20:51:55 +02:00
Nate Guagenti 2163208e9c update correct process name
Incorrect process name. Accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke 8a0f706cca Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-05-30 23:24:37 +02:00
Thomas Patzke 1986bcb843 Sigma tools release 0.11 2019-05-30 22:56:38 +02:00
Thomas Patzke 4e96666c04 Merge pull request #336 from petermat/added_rule_T1156
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
Thomas Patzke 673973e523 Merge pull request #357 from agix/es_dsl_bug
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
Thomas Patzke fa0aaa7d2b Merge branch 'agix-elastalert_dsl_backend' 2019-05-30 22:38:41 +02:00
Thomas Patzke 67707b6c82 Added test for new elastalert-dsl backend 2019-05-30 22:38:12 +02:00
Thomas Patzke 8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER 89c1d7b63d Wrong fix, self.queries should be emptied after being copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER 748ac2e206 Don't combine multiple queries 2019-05-29 16:05:53 +02:00
Florian Roth 2cf402aa1f Merge pull request #360 from spellanser/patch-1
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:07:46 +02:00
Sarkis Nanyan 60bc5253cf win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Thomas Patzke 04d91573f3 Merge pull request #355 from agix/allow_empty_keyword
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke 2ecc55c13f Merge pull request #351 from ipninichuck/master
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Thomas Patzke f3edc39535 Merge pull request #346 from tuckner/master
Add Azure Log Analytics / Azure Sentinel to README list of integrations
2019-05-28 21:41:19 +02:00
Florian GAULTIER d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER 4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke 36ba9f78da Improved message if configuration is missing 2019-05-27 13:18:36 +02:00
Florian Roth 7c1e856095 Merge pull request #353 from lprat/master
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth 323a7313fd FP adjustments
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke 38f3966751 Changed backend list formatting to new method 2019-05-26 22:58:14 +02:00
Thomas Patzke eb9564557e Moved generic class discovery code into new tools module 2019-05-26 22:29:07 +02:00
Thomas Patzke 84690280c5 Improved behavior on missing configuration
Listing all configs usable with chosen backend
2019-05-24 22:41:47 +02:00
Thomas Patzke 241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth 7b63c92fc0 Rule: applying recommendation
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Florian Roth 253417a367 Merge pull request #350 from olafhartong/master
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 13:54:45 +02:00
ipninichuck 75ec169d5c added metadata field to the watcher alert
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Olaf Hartong b60cfbe244 Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth 346022cfe8 Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong 4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong 544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth 74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke 2d0c08cc8b Added wildcards to rule values
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
tuckner 7d10491bf2 Update README.md 2019-05-20 17:46:28 -05:00
tuckner 5867b5da74 Update README.md 2019-05-20 17:45:18 -05:00
Thomas Patzke 194afa739f Generate rule name for each condition
In backends kibana and xpack-watcher.

Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke af0bd1b082 Removed debug code from backend option handling
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke 97541ac267 Added -C shortcut for --backend-config 2019-05-21 00:15:01 +02:00
Thomas Patzke 7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
Thomas Patzke 4e63e925cf Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1 2019-05-20 23:43:49 +02:00
Thomas Patzke 11ed7e7ef8 Check for valid configuration/backend combinations 2019-05-20 01:00:33 +02:00
Thomas Patzke e271484eef Load configurations via new config management 2019-05-20 00:27:35 +02:00
Thomas Patzke 3d20e0bc98 Sigma configuration management with listing
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke 71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00
Thomas Patzke 36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00
lliknart f86342012a Update elasticsearch.py
From ElasticSearch 7.0, the URI to access to Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth 9e2345c491 Merge pull request #338 from yt0ng/development
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 21:35:52 +02:00
Florian Roth a6d2a5d79b fix: more general fixes of the var type issue 2019-05-15 21:25:53 +02:00
Florian Roth 9f1bbb0a0d fix: missing type check in WDATP backend 2019-05-15 21:20:20 +02:00
Florian Roth 694fa567b6 Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth 1c36bfde79 Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth d5f49c5777 Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth 508d1cdae0 Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown 13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown 275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
petermmm b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm 2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Florian Roth 5dfe39c05b Merge pull request #335 from Codehardt/master
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 14:06:11 +02:00
Codehardt 1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Thomas Patzke 1c2bc87946 Merge pull request #334 from Codehardt/master
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:19:56 +02:00
Codehardt 6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke 526468bec3 Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke f4d8dcaa1e Merge branch 'Karneades-patch-1' 2019-05-10 00:21:15 +02:00
Thomas Patzke 25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke 995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke a361664ed2 Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke 56f64ca47d Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
Thomas Patzke c50119b913 Merge branch 'P4T12ICK-feature/lnx-priv-esc-prep' 2019-05-10 00:08:48 +02:00
Thomas Patzke 46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
Thomas Patzke 595f22552d Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep 2019-05-10 00:05:06 +02:00
Thomas Patzke 27199fc231 Merge branch 'neu5ron-patch-3' 2019-05-10 00:02:33 +02:00
Thomas Patzke 15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke 666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke 14b10c232e Merge branch 'MadsRC-MadsRC-patch-1' 2019-05-09 23:58:14 +02:00
Thomas Patzke f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke 31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke e60fe1f46d Changed rule
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth 3dd76a9c5e Converted to generic process creation rule
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov 792095734d Update win_proc_wrong_parent.yml
Changes according to these documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
Florian Roth 378ba5b38f Transformed rule
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
2019-05-09 23:48:36 +02:00
Vasiliy Burov 8e6295e402 Windows processes with wrong parent
Detect scenarios in which a malicious program is disguised as a legitimate process
2019-05-09 23:48:36 +02:00
Thomas Patzke 1e2ef92104 Merge branch 'vburov-patch-2' 2019-05-09 23:10:52 +02:00
Thomas Patzke 121e21960e Rule changes
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke 9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke 763939a8ca Hide --shoot-yourself-in-the-foot 2019-04-25 23:42:13 +02:00
Thomas Patzke eb022f3908 Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Florian Roth 16bf5eef0f Merge pull request #327 from Codehardt/master
Added logsources for generic sigma rules to spark config, renamed spa…
2019-04-25 10:10:51 +02:00
Codehardt 17ae9ea91c Renamed spark config in setup.py 2019-04-25 09:56:29 +02:00
Codehardt 8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt 79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00
Thomas Patzke 6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00
Thomas Patzke c90d3e811e Formatted error code definitions 2019-04-23 00:53:52 +02:00
Thomas Patzke e9af99c147 Completed error codes 2019-04-23 00:52:31 +02:00
Thomas Patzke 4559aa4e00 Fixed es-qs backend check 2019-04-23 00:05:36 +02:00
Thomas Patzke d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
Thomas Patzke 87abd20c0f Removed deprecated PyYAML API from rule test 2019-04-22 23:21:08 +02:00
Thomas Patzke 34c426a95b Moved error codes to constants defined centrally 2019-04-22 23:15:35 +02:00
Thomas Patzke f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke 765fe9dcd9 Further improved Windows user creation rule
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Florian Roth d0950bd077 fix: yaml.load() issue
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
2019-04-21 20:30:31 +02:00
Karneades b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth 38d548868d Merge pull request #324 from Neo23x0/revert-322-feature/win_user_creation
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:20:48 +02:00
Florian Roth dd9648b31e Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth a85acdfd02 Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth 0713360443 Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke 49beb5d1a8 Integrated PR from @P4T12ICK in existing rule
PR #321
2019-04-21 00:28:40 +02:00
Thomas Patzke bdd184a24c Merge pull request #322 from P4T12ICK/feature/win_user_creation
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
Thomas Patzke 80f45349ed Modified rule
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
Florian Roth aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth 03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth 5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth d5fa51eab9 Merge pull request #305 from Karneades/patch-3
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth e32708154f Merge pull request #304 from Karneades/patch-2
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth 74dd008b10 FP note for HP software 2019-04-19 09:51:32 +02:00
Florian Roth 8a5ae01f0e Merge pull request #323 from Karneades/filterFix
Restrict filter in system exe anomaly rule
2019-04-19 09:17:16 +02:00
Karneades d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick 8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth f78413deab Merge pull request #309 from jmlynch/master
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth 4808f49e0d More exact path 2019-04-17 23:45:15 +02:00
Florian Roth 1a4a74b64b fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth 76780ccce2 Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth 7c5f985f6f Modifications 2019-04-17 23:30:49 +02:00
Florian Roth 4298abffb7 Modifications 2019-04-17 23:29:29 +02:00
Florian Roth 615a802a8e Modifications 2019-04-17 23:26:20 +02:00
Florian Roth 0a960ed3cd Merge pull request #319 from Sam0x90/master
Update win_susp_svchost rule
2019-04-17 23:22:08 +02:00
Sam0x90 0e8a46aaf7 Update win_susp_svchost rule
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
christophetd 4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
Florian Roth 17470d1545 Rule: extended parent list for legitimate svchost starts
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth 612a7642d2 Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth 65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth 1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades d872c52a43 Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Thomas Patzke 5194e8778c Fail on missing target selection 2019-04-14 23:50:07 +02:00
Florian Roth 1e262f5055 Merge pull request #303 from Karneades/patch-1
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
Florian Roth cb0a87e21e Merge pull request #316 from megan201296/patch-19
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
Florian Roth 08ec8597a5 Merge pull request #317 from megan201296/patch-20
Create apt_oceanlotus_registry.yml
2019-04-14 23:09:42 +02:00
Thomas Patzke 5463128ea0 Merge pull request #314 from Karneades/patch-4
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-14 23:02:42 +02:00
megan201296 74fce5f511 Create apt_oceanlotus_registry.yml
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00
megan201296 eb8a0636c5 Update win_mal_ursnif.yml
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to). However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still unique.
2019-04-14 11:51:13 -05:00
patrick 51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick 4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Florian Roth 6351c5a350 Sigma ATT&CK coverage by @jmallette 2019-04-11 18:27:52 +02:00
Florian Roth 038918d2c0 Merge pull request #311 from jmallette/master
ATT&CK Navigator Coverage Layer
2019-04-11 18:18:16 +02:00
Karneades 75d36165fc Remove non-generic falsepositives
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades 51e65be98b Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jon cd456a1d2b initial SIGMA ATTACK Navigator layer release 2019-04-09 22:49:28 -04:00
jmallette c775b7a033 Merge pull request #1 from Neo23x0/master
update fork
2019-04-09 22:43:32 -04:00
Jason Lynch 89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
juju4 152febcea2 sumologic: fixing non-pushed cleannode() 2019-04-07 13:04:15 -04:00
patrick ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades 97376c00de Fix condition 2019-04-04 22:33:32 +02:00
Karneades 766b8b8d18 Fix condition 2019-04-04 22:32:47 +02:00
Karneades 788e75ef1b Fix condition 2019-04-04 22:32:21 +02:00
Karneades 840eb2f519 Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades eb690d8902 Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades 1915561351 Remove too loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
sbousseaden c4b8f75940 Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC 41b4d800c5 Update net_susp_dns_txt_exec_strings.yml
Fixed my botched YAML syntax...
2019-04-04 08:35:37 +02:00
sbousseaden 22958c45a3 Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden b4ac9a432f Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden 353e457104 Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden d5818a417b Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden 9c5575d003 Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden edb98f2781 Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC d0d51b6601 Update net_susp_dns_txt_exec_strings.yml
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunk's "Network Resolution (DNS)" datamodel.
2019-04-03 20:31:31 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1
Remove backslashes in CommandLine for sticky key rule
2019-04-03 19:44:02 +02:00
Florian Roth b4b7d810fc Merge pull request #300 from yt0ng/development
Squirrel package manager, EmpireMonkey, WMI Spawning PowerShell
2019-04-03 19:20:46 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
christophetd d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
sbousseaden eda5298457 Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden 0756b00cdf Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden 9c1a5a5264 Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden 56b68a0266 Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden b941f6411f Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden 516c8f3ea1 Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden d62bc41bfb Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden 548145ce10 Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden e3f99c323b Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an d067087632 Update lnx_shell_susp_rev_shells.yml
added
 - 'bash -i >& /dev/udp/'
 - 'sh -I >$ /dev/udp/'
 - 'sh -i   >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth 5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth 453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke 0419ff215a Fixed quoting of single quotes in grep backend 2019-04-01 23:22:05 +02:00
Florian Roth d06a5431eb Changes 2019-04-01 14:03:54 +02:00
Florian Roth c7553dc8a1 Merge pull request #292 from yt0ng/development
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 14:02:10 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick 0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Nate Guagenti 60c4fed2e0 Create win_etw_trace_evasion.yml
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.

example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Vasiliy Burov f0c89239d3 Added some unusual paths. 2019-02-23 17:45:08 +03:00
168 changed files with 5434 additions and 513 deletions
+30
@@ -0,0 +1,30 @@
# Breaking Changes in Sigma
Improvement sometimes makes it inavoidable to break with the past. This file describes the planned and implemented
breaking changes since 2019. Monitor this file if you use Sigma in productive environments.
Columns:
* Date: The date the change was or will be implemented. Planned dates may be sunject of changes.
* Status may be one of:
* Planned: there's the idea, but work hasn't begun.
* Development: the change is currently developed.
* Implemented: the development is finished, but the change was not yet merged to the master.
* Merged: the change has been merged to the master branch. Breaking changes affecting only rules
skip this state.
* Released: the change has been released officially, this means:
* Code or configuration of Sigma tools was pushed as [PyPI release](https://pypi.org/project/sigmatools/)
* Sigma rules were merged to master.
* Issues: GitHub issues in the project repository for further details.
* Commit/Branch:
* a development branch for the states *Development* and *Implemented*.
* a commit reference to the merge commit for states from *Merged*.
* Release: [PyPI release](https://pypi.org/project/sigmatools/) that implements or will implement the change.
* Description: contains a short description of the change.
| Date | Status | Issues | Commit/Branch | Release | Description |
|------------|----------|---------------------|-----------------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2019-10-01 | Planned | - | - | - | Field name cleanup |
| 2019-08-01 | Released | - | config-cleanup | 0.12 | Configuration name cleanup |
| 2019-08-01 | Released | - | devel-modifiers | 0.12 | Pipe character must be escaped with backslash in field value names due to introduction of value modifiers |
| 2019-03-02 | Released | #136 #137 #139 #147 | 56a1ed1 | 0.9 | Introduction of [generic log sources](https://patzke.org/introducing-generic-log-sources-in-sigma.html) and *process_creation* as first generic log source. |
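Review bot: the Commit/Branch column is defined as "a commit reference to the merge commit for states from *Merged*", yet both 0.12 rows are marked Released and still carry branch names (`config-cleanup`, `devel-modifiers`); either replace them with the merge commit hashes or relax the column definition. Two typos in the intro: "inavoidable" should be "unavoidable", and "Planned dates may be sunject of changes" should read "Planned dates may be subject to change".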
+49 -46
@@ -19,65 +19,68 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -h
coverage run -a --include=$(COVSCOPE) tools/sigmac -l
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c winlogbeat tests/test-modifiers.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=critical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
test-merge:
tests/test-merge.sh
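Review bot: lines 600 and 603 are the same invocation (`-rvdI -t es-qs rules/`), once expected to succeed and once negated with `!`; if both survive this change the target can never pass, and the intent behind the negation (es-qs without a field mapping config fails unless `--shoot-yourself-in-the-foot` is given, per line 604) deserves a comment in the Makefile rather than an unexplained `!`. Line 629 runs the qradar backend with `tools/config/arcsight.yml` while line 630 runs it with `tools/config/qradar.yml`; unless line 629 is the line being dropped, it looks like a copy-paste slip. The negated reversed-order run at line 664 (`-c logstash-windows.yml -c generic/sysmon.yml`) silently encodes that the generic sysmon config must precede the backend config; a one-line comment would make that ordering rule visible to whoever next edits these tests.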
+1
@@ -187,6 +187,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
* [Logpoint](https://www.logpoint.com)
* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
* [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
* [Qualys](https://www.qualys.com/apps/threat-protection/)
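Review bot: the Azure Sentinel entry fits the list style; while touching this list, the QRadar link points at a German-locale marketplace page (`/de-de/`), which should be swapped for the locale-neutral product URL.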
+2 -2
@@ -162,12 +162,12 @@ for file in glob.glob(args.ruledir + "/*"):
output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
for entry in translate_func:
output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
print "Converting file " + file
print("Converting file " + file)
with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
f.write(output_elast_config)
except Exception as e:
if args.debug:
traceback.print_exc()
print "error " + str(file) + "----" + str(e)
print("error " + str(file) + "----" + str(e))
pass
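Review bot: the `pass` after the `print("error ...")` call is dead code and can go. Two small robustness points in the surrounding lines: `file.split("/")[-1]` should be `os.path.basename(file)` so the output name is correct on Windows paths, and since the `except Exception` swallows every failure, the script should remember that a file failed and exit non-zero at the end so a batch conversion cannot silently lose rules.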
+37 -23
@@ -25,11 +25,13 @@ Workflow:
3. Format
4. Get results and save to txt/xlsx files
Requirements:
$ pip install sumologic-sdk pyyaml pandas
$ pip install sumologic-sdk pyyaml pandas openpyxl
"""
import re
import os, sys, stat
import os
import sys
import stat
import glob
import subprocess
import argparse
@@ -64,6 +66,7 @@ args = parser.parse_args()
LIMIT = 100
delay = 5
def rule_element(file_content, elements):
"""
Function used to get specific element from yaml document and return content
@@ -75,19 +78,20 @@ def rule_element(file_content, elements):
"""
try:
logger.debug("file_content: %s" % file_content)
yaml.safe_load(file_content.replace("---",""))
except:
yaml.safe_load(file_content.replace("---", ""))
except TypeError:
raise Exception('Unsupported')
element_output = ""
for e in elements:
try:
element_output = yaml.safe_load(file_content.replace("---",""))[e]
except:
element_output = yaml.safe_load(file_content.replace("---", ""))[e]
except TypeError:
pass
if element_output is None:
return ""
return element_output
def get_rule_as_sumologic(file):
"""
Function used to get sumologic query output from rule file
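Review bot: narrowing the bare `except:` to `except TypeError:` drops the errors that actually occur here. `yaml.safe_load` raises `yaml.YAMLError` on malformed rule text, and `[...][e]` on a missing key raises `KeyError`, so both now propagate and abort the whole run instead of yielding 'Unsupported' or an empty element. Suggest `except (yaml.YAMLError, TypeError):` for the validation load and `except (KeyError, TypeError):` in the loop, and parse the document once into a local dict instead of re-running `safe_load` for every requested element.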
@@ -99,7 +103,7 @@ def get_rule_as_sumologic(file):
logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
cmd = [args.sigmac, file, "--target", "sumologic"]
logger.info('get_rule_as_sumologic cmd: %s' % cmd)
process = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
output, err = process.communicate()
# output is byte-string...
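Review bot: the `logger.error` at line 783 contains a `%s` placeholder but passes no argument, so the literal text `'%s'` is logged instead of the path; pass `args.sigmac` as the argument (and "coverter" should be "converter"). The `Popen(cmd, stdout=..., stderr=...)` spacing change itself is fine.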
@@ -133,7 +137,7 @@ if args.conf:
args.sigmac = cfg['sigmac']
try:
args.recursive = cfg['recursive']
except:
except TypeError:
args.recursive = False
if args.recursive:
globpath = args.ruledir + "/**/*.yml"
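Review bot: `cfg['recursive']` raises `KeyError`, not `TypeError`, when the key is absent from the config file, so with `except TypeError:` the `args.recursive = False` fallback is unreachable for the common case and the script aborts instead. `TypeError` only covers an empty config (where `cfg` is `None`); use `except (KeyError, TypeError):`, or simply `args.recursive = cfg.get('recursive', False)` once `cfg` is known to be a dict.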
@@ -145,10 +149,10 @@ if args.conf:
if args.outdir and not os.path.isdir(args.outdir):
os.mkdir(args.outdir, stat.S_IRWXU)
# recursive
for file in glob.iglob(globpath):
# non-recursive (above, not working...)
#for file in glob.iglob(args.ruledir + "/*.yml"):
# for file in glob.iglob(args.ruledir + "/*.yml"):
# recursive
for file in glob.iglob(globpath, recursive=True):
file_basename = os.path.basename(os.path.splitext(file)[0])
file_basenamepath = os.path.splitext(file)[0]
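Review bot: passing `recursive=True` is the actual fix, since `**` in `globpath` only descends into subdirectories with that flag; now that it works, the "non-recursive (above, not working...)" comment and the commented-out fallback loop are stale and should be removed rather than kept as a second copy.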
@@ -170,26 +174,34 @@ for file in glob.iglob(globpath):
# FIXME! want to add something in the middle for parsing for example...
logger.info(" Adding custom part to end query from: %s" % file_basenamepath + '.custom')
with open(file_basenamepath + '.custom', "rb") as f:
sumo_query += " " + f.read().decode('utf-8')
# FIXME ! manage pipe inside queries
if "| count" in sumo_query:
pos = sumo_query.find('| count')
sumo_query = sumo_query[:pos] + f.read().decode('utf-8') + sumo_query[pos:]
else:
sumo_query += " " + f.read().decode('utf-8')
elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
elif 'count ' not in sumo_query:
sumo_query += " | count _sourceCategory, hostname, _raw"
sumo_query += " | count _sourceCategory, hostname, _raw"
logger.info("Final sumo query: %s" % sumo_query)
logger.debug("Final sumo query: %s" % sumo_query)
except Exception as e:
if args.debug:
traceback.print_exc()
logger.exception("error generating sumo query " + str(file) + "----" + str(e))
pass
with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error-generation.txt'), "w") as f:
# f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
f.write(" ERROR for file: %s\n\Exception:\n %s" % (file, e))
continue
try:
# Run query
# https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours = 24)
fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours=24)
fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
timeZone = 'UTC'
byReceiptTime = True
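Review bot: the string `"\n\Exception:\n %s"` at line 837 contains `\E`, which is not a valid Python escape (a literal backslash is kept and newer interpreters warn); it should almost certainly be `"\n\nException:\n %s"`. In the `| count` branch at line 819 the `.custom` text is spliced in as `sumo_query[:pos] + custom + sumo_query[pos:]` with no separating whitespace, so a custom file that does not end in a space will glue onto `| count`; pad both sides with a space. The `pass` after `logger.exception(...)` is dead and can go.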
@@ -208,19 +220,21 @@ for file in glob.iglob(globpath):
traceback.print_exc()
logger.exception("error seaching sumo " + str(file) + "----" + str(e))
with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
# f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
pass
logger.info("Sumo search job status: %s" % status['state'])
logger.debug("Sumo search job status: %s" % status['state'])
try:
if status['state'] == 'DONE GATHERING RESULTS':
count = status['recordCount']
limit = count if count < LIMIT and count != 0 else LIMIT # compensate bad limit check
# compensate bad limit check
limit = count if count < LIMIT and count != 0 else LIMIT
r = sumo.search_job_records(sj, limit=limit)
logger.info("Sumo search results: %s" % r)
logger.debug("Sumo search results: %s" % r)
logger.info("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
logger.debug("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
f.write(sumo_query)
if r and r['records'] != []:
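Review bot: when the search job raises, the except branch writes the error file and then falls through (`pass`) to `status['state']` at line 858, where `status` may never have been assigned, so the failure turns into a `NameError` on the next line; replace `pass` with `continue`. Dropping `r` from the error message is the right call, since `r` is only bound after a successful search.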
@@ -236,7 +250,7 @@ for file in glob.iglob(globpath):
"timeframe: from %s to %s" % (fromTime, toTime),
"Sumo endpoint: %s" % args.endpoint,
"Sumo query: %s" % sumo_query
]}).to_excel(writer, 'comments')
]}).to_excel(writer, 'comments')
# and do whatever you want, email alert, report, ticket...
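Review bot: style only, `to_excel(writer, 'comments')` passes the sheet name positionally; `sheet_name='comments'` makes the call self-explanatory and is robust if the positional order of pandas' `to_excel` arguments ever changes.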
+2653
@@ -0,0 +1,2653 @@
{
"name": "SIGMA Rule Coverage",
"version": "2.1",
"domain": "mitre-enterprise",
"description": "Accurate to commit #: 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e",
"filters": {
"stages": [
"act"
],
"platforms": [
"windows",
"linux",
"mac"
]
},
"sorting": 0,
"viewMode": 0,
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1156",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1134",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1134",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1015",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_stickykey_like_backdoor.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1015",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "sysmon_stickykey_like_backdoor.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1087",
"tactic": "discovery",
"score": 5,
"color": "",
"comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1098",
"tactic": "credential-access",
"score": 3,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1098",
"tactic": "persistence",
"score": 3,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1182",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1182",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1103",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1103",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1155",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1155",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1017",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1138",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_sdbinst_shim_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1138",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "win_sdbinst_shim_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1010",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1123",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1131",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1119",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1020",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1197",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_process_creation_bitsadmin_download.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1197",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_process_creation_bitsadmin_download.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1139",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1009",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1067",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_susp_bcdedit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1217",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1176",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1110",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1088",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1088",
"tactic": "privilege-escalation",
"score": 3,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1191",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1191",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1042",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1146",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "lnx_shell_clear_cmd_history.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1115",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1116",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1059",
"tactic": "execution",
"score": 12,
"color": "",
"comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1043",
"tactic": "command-and-control",
"score": 1,
"color": "",
"comment": "sysmon_malware_backconnect_ports.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1092",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1223",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1223",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1109",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1109",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1122",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1122",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"score": 2,
"color": "",
"comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1196",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1196",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1136",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1003",
"tactic": "credential-access",
"score": 23,
"color": "",
"comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1081",
"tactic": "credential-access",
"score": 1,
"color": "",
"comment": "apt_bear_activity_gtr19.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1214",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1094",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1024",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1207",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1073",
"tactic": "defense-evasion",
"score": 9,
"color": "",
"comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1002",
"tactic": "exfiltration",
"score": 1,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1022",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1074",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1030",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1213",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1005",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1039",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1025",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1140",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1089",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1175",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "win_susp_mmc_source.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1172",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1189",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1157",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1157",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1173",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1114",
"tactic": "collection",
"score": 1,
"color": "",
"comment": "win_alert_hacktool_use.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1106",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1129",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1048",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1041",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1011",
"tactic": "exfiltration",
"score": 1,
"color": "",
"comment": "sysmon_ssp_added_lsa_config.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1052",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1190",
"tactic": "initial-access",
"score": 1,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1203",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1212",
"tactic": "credential-access",
"score": 3,
"color": "",
"comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1211",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1068",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "apt_hurricane_panda.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1210",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1133",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1181",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1181",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1008",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1107",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1222",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1006",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1044",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1044",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1083",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_turla_commands.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1187",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1144",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1061",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1148",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1200",
"tactic": "initial-access",
"score": 1,
"color": "",
"comment": "win_usb_device_plugged.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1158",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_attrib_hiding_files.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1158",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_attrib_hiding_files.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1147",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1143",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1062",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1054",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_disable_event_logging.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1066",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_sdelete.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1070",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1202",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_office_shell.yml\nwin_susp_outlook.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1056",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1056",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1141",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1130",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1118",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1118",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1208",
"tactic": "credential-access",
"score": 2,
"color": "",
"comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1215",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1142",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1161",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1149",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1171",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1177",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1177",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1159",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1160",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1160",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1168",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1168",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1162",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1037",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1037",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1185",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1036",
"tactic": "defense-evasion",
"score": 14,
"color": "",
"comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1031",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1112",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1170",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1170",
"tactic": "execution",
"score": 4,
"color": "",
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1104",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1188",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1026",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1079",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1096",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "powershell_ntfs_ads_access.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1128",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1046",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_vul_java_remote_debugging.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1126",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1135",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_turla_commands.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1040",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1040",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1050",
"tactic": "persistence",
"score": 7,
"color": "",
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1050",
"tactic": "privilege-escalation",
"score": 7,
"color": "",
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1027",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1137",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1075",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1097",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1174",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1201",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1034",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1034",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1120",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1069",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_net_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1013",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1013",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1086",
"tactic": "execution",
"score": 28,
"color": "",
"comment": "apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1145",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1057",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1186",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1093",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"score": 8,
"color": "",
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1055",
"tactic": "privilege-escalation",
"score": 8,
"color": "",
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1012",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_babyshark.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1163",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1164",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1108",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1108",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1060",
"tactic": "persistence",
"score": 2,
"color": "",
"comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1121",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1121",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1117",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_regsvr32_anomalies.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1117",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_susp_regsvr32_anomalies.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"score": 2,
"color": "",
"comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1076",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"score": 4,
"color": "",
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1105",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1021",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "win_netsh_port_fwd_3389.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1018",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1091",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1091",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1014",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1085",
"tactic": "defense-evasion",
"score": 11,
"color": "",
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1085",
"tactic": "execution",
"score": 11,
"color": "",
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1178",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "win_susp_add_sid_history.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1198",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1198",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1184",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "execution",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "persistence",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "privilege-escalation",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1029",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1113",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1180",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1064",
"tactic": "defense-evasion",
"score": 10,
"color": "",
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1064",
"tactic": "execution",
"score": 10,
"color": "",
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1063",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1101",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1167",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1035",
"tactic": "execution",
"score": 3,
"color": "",
"comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1058",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1058",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1166",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1166",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1051",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1023",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1218",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_mavinject_proc_inj.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1218",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_mavinject_proc_inj.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1216",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1216",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1045",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1153",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1151",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1151",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1193",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1192",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1194",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"score": 1,
"color": "",
"comment": "net_susp_dns_txt_exec_strings.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1032",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1165",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1165",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1169",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1206",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1195",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1019",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1082",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_commands_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1016",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1049",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1033",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_whoami.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1007",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1124",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1080",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1221",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1072",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1072",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1209",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1099",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_time_modification.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1154",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1154",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1127",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1127",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1199",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1111",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1065",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1204",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "defense-evasion",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "persistence",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "privilege-escalation",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "initial-access",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1125",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"score": 3,
"color": "",
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1102",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1100",
"tactic": "persistence",
"score": 6,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1100",
"tactic": "privilege-escalation",
"score": 6,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1077",
"tactic": "lateral-movement",
"score": 5,
"color": "",
"comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1047",
"tactic": "execution",
"score": 4,
"color": "",
"comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1084",
"tactic": "persistence",
"score": 3,
"color": "",
"comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1028",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1028",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1004",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1220",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1220",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
}
],
"gradient": {
"colors": [
"#ffffff",
"#66b1ff"
],
"minValue": 0,
"maxValue": 2
},
"legendItems": [],
"metadata": [],
"showTacticRowBackground": false,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": true
}
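Review bot: the `gradient` block sets `"maxValue": 2` while several technique entries carry scores far above it (`"score": 11` for T1085, `10` for T1064, `8` for T1053, `6` for T1078 and T1100), so every technique covered by two or more rules renders at the same saturation and the layer no longer distinguishes well-covered techniques from thinly covered ones. Raise `maxValue` to the highest score present, or derive it from the data when the layer is generated.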

+32
View File
@@ -0,0 +1,32 @@
---
action: global
title: Empire Monkey
description: Detects EmpireMonkey APT reported Activity
references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.t1086
- attack.execution
date: 2019/04/02
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- Very Unlikely
level: critical
---
logsource:
category: process_creation
product: windows
detection:
selection_cutil:
CommandLine:
- '*/i:%APPDATA%\logs.txt scrobj.dll'
Image:
- '*\cutil.exe'
selection_regsvr32:
CommandLine:
- '*/i:%APPDATA%\logs.txt scrobj.dll'
Description:
- Microsoft(C) Registerserver
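Review bot: the tag `attack.t1086` (PowerShell) does not describe what this rule detects; both selections key on `scrobj.dll` being passed via `/i:` to regsvr32 (`selection_regsvr32`, and `selection_cutil` for a renamed copy), which is the Regsvr32 technique, T1117, so the tag should be `attack.t1117` with `attack.execution` kept. Two smaller points: the `CommandLine` patterns match the literal, unexpanded `%APPDATA%` text, so a process whose command line was expanded by cmd.exe before execution would show the resolved path and not match (a second pattern ending in `*\logs.txt scrobj.dll` covers both), and the rule has no `status:` field, which the other new rules in this changeset carry.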
+27
View File
@@ -0,0 +1,27 @@
title: OceanLotus Registry Activity
status: experimental
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
tags:
- attack.t1112
author: megan201296
date: 2019/04/14
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
condition: selection
falsepositives:
- Unknown
level: critical
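Review bot: the description says the rule detects registry keys being created, but `EventID: 13` is Sysmon's value-set event; key creation is EventID 12. Either add 12 to `EventID` or reword the description to registry values being set (the `Model`, `Application` and `DefaultIcon` names in `TargetObject` read as values, so the latter is probably what is meant). Also add the tactic tag `attack.defense_evasion` next to `attack.t1112`, as the other rules in this set pair technique and tactic tags.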
+1
View File
@@ -12,6 +12,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
- car.2013-10-002
logsource:
category: process_creation
product: windows
+2 -1
View File
@@ -1,11 +1,12 @@
title: Ps.exe Renamed SysInternals Tool
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
- https://www.us-cert.gov/ncas/alerts/TA17-293A
tags:
- attack.defense_evasion
- attack.g0035
- attack.t1036
- car.2013-05-009
author: Florian Roth
date: 2017/10/22
logsource:
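Review bot: the rule keeps `date: 2017/10/22` with no `modified:` field even though both the description (`documentied` to `documented`) and the tag list (`car.2013-05-009`) change; the DHCP rule in this same changeset adds `modified: 2019/07/17` for a comparable edit, so add a `modified:` line here for consistency.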
@@ -0,0 +1,30 @@
title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
status: experimental
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
references:
- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
date: 2019/05/12
tags:
- attack.s0003
- attack.t1156
- attack.persistence
author: Peter Matkovski
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'
- '/etc/bashrc'
- '/etc/csh.cshrc'
- '/etc/csh.login'
condition: selection
falsepositives:
- Admin or User activity
level: medium
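Review bot: the selection matches auditd `type: 'PATH'` records for the listed file names, but PATH records are emitted for any audited syscall that touches the path, so unless the audit watch is restricted to writes (a `-p wa` style watch) every login shell that reads `/etc/profile` or `~/.bashrc` will fire this rule. State the required audit watch in a `logsource` `definition:` field, as the 4661 rule in this changeset does. Minor: the title starts with 'Detects', which belongs in `description`, and the single `references` entry is free text rather than a URL.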
+17 -14
View File
@@ -9,20 +9,23 @@ logsource:
product: linux
service: auditd
detection:
cmds:
- type: 'EXECVE'
a0: 'chmod'
a1: '777'
- type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
- type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
- type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of cmds
cmd1:
type: 'EXECVE'
a0: 'chmod'
a1: '777'
cmd2:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
cmd4:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of them
falsepositives:
- Admin activity
level: medium
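Review bot: each `a1` is an exact match on the second argv element, so the rule only fires when the mode or source path is the first argument to `chmod`/`cp`; an invocation with an option in front of it produces no hit. If that coverage matters, match the value across `a1`/`a2` or switch to a keyword list as the Clear Command History rule in this changeset does. The restructuring itself, from the list of maps under `cmds` to the named selections `cmd1` to `cmd4` with `condition: 1 of them`, keeps the OR semantics and lines up with the 'Explicit OR for list elements' change in this branch.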
@@ -0,0 +1,27 @@
title: Clear Command History
status: experimental
description: Clear command history in linux which is used for defense evasion.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- https://attack.mitre.org/techniques/T1146/
author: Patrick Bareiss
date: 2019/03/24
logsource:
product: linux
detection:
keywords:
- 'rm *bash_history'
- 'echo "" > *bash_history'
- 'cat /dev/null > *bash_history'
- 'ln -sf /dev/null *bash_history'
- 'truncate -s0 *bash_history'
# - 'unset HISTFILE' # prone to false positives
- 'export HISTFILESIZE=0'
- 'history -c'
condition: keywords
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1146
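Review bot: the `logsource` names only `product: linux` with no service or category, so the keywords are applied to whatever the backend maps linux to, yet several entries (`history -c`, `export HISTFILESIZE=0`, the `echo "" > *bash_history` redirection) are shell builtins or shell syntax that never appear as an EXECVE record in auditd and only show up in a shell-history or TTY-audit source. Add a `definition:` stating which source is expected, and consider `service: auditd` for the `rm`, `cat`, `ln` and `truncate` entries, as the bash-profile rule above does. The commented-out `unset HISTFILE` entry is fine to keep as documentation of a known-noisy pattern.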
+64
View File
@@ -0,0 +1,64 @@
title: Privilege Escalation Preparation
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
references:
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
author: Patrick Bareiss
date: 2019/04/05
tags:
- attack.privilege_escalation
- attack.t1068
level: medium
logsource:
product: linux
detection:
keywords:
# distribution type and kernel version
- 'cat /etc/issue'
- 'cat /etc/*-release'
- 'cat /proc/version'
- 'uname -a'
- 'uname -mrs'
- 'rpm -q kernel'
- 'dmesg | grep Linux'
- 'ls /boot | grep vmlinuz-'
# environment variables
- 'cat /etc/profile'
- 'cat /etc/bashrc'
- 'cat ~/.bash_profile'
- 'cat ~/.bashrc'
- 'cat ~/.bash_logout'
# applications and services as root
- 'ps -aux | grep root'
- 'ps -ef | grep root'
# scheduled tasks
- 'crontab -l'
- 'cat /etc/cron*'
- 'cat /etc/cron.allow'
- 'cat /etc/cron.deny'
- 'cat /etc/crontab'
# search for plain text user/passwords
- 'grep -i user *'
- 'grep -i pass *'
# networking
- 'ifconfig'
- 'cat /etc/network/interfaces'
- 'cat /etc/sysconfig/network'
- 'cat /etc/resolv.conf'
- 'cat /etc/networks'
- 'iptables -L'
- 'lsof -i'
- 'netstat -antup'
- 'netstat -antpx'
- 'netstat -tulpn'
- 'arp -e'
- 'route'
# sensitive files
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
timeframe: 30m
condition: keywords | count() by host > 6
falsepositives:
- Troubleshooting on Linux Machines
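Review bot: the keywords `'grep -i user *'` and `'grep -i pass *'` end in an unescaped `*`, which Sigma reads as a wildcard rather than the literal asterisk the command uses, so they match any command line beginning with `grep -i user `; to match the literal character write `\*`. The same wildcard reading applies to `'cat /etc/*-release'` and `'cat /etc/cron*'`, which is what is wanted there. Two more points: the pipelined entries (`'dmesg | grep Linux'`, `'ps -aux | grep root'`, `'ls /boot | grep vmlinuz-'`) are two processes each in an EXECVE-based source and only match in a shell-history or command-line log, so the rule should name its expected source in a `definition:`; and `condition: keywords | count() by host > 6` within `timeframe: 30m` is easily exceeded by one admin troubleshooting session, which the `falsepositives` entry should say explicitly.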
+40
View File
@@ -0,0 +1,40 @@
title: Suspicious Reverse Shell Command Line
status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
references:
- https://alamot.github.io/reverse_shells/
author: Florian Roth
date: 2019/04/02
logsource:
product: linux
detection:
keywords:
- 'BEGIN {s = "/inet/tcp/0/'
- 'bash -i >& /dev/tcp/'
- 'bash -i >& /dev/udp/'
- 'sh -i >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
- '&& while read line 0<&5; do'
- '/bin/bash -c exec 5<>/dev/tcp/'
- '/bin/bash -c exec 5<>/dev/udp/'
- 'nc -e /bin/sh '
- '/bin/sh | nc'
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- 'xterm -display 1'
condition: keywords
falsepositives:
- Unknown
level: high
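Review bot: the two entries `'sh -i >$ /dev/udp/'` and `'sh -i >$ /dev/tcp/'` look like a typo for the `>&` redirection used in the two `bash -i >& /dev/...` entries directly above them; `>$` is not a redirection any shell produces, so the `sh -i` variants are dead entries. Correct them to `'sh -i >& /dev/udp/'` and `'sh -i >& /dev/tcp/'`. Also `'nc -lvvp '` and `'xterm -display 1'` are generic enough to hit ordinary listeners and X display forwarding, so either drop them or list those cases under `falsepositives`, and `exected` in the description should be `executed`.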
+19
View File
@@ -0,0 +1,19 @@
title: Possible DNS Tunneling
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
references:
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
detection:
selection:
parent_domain: '*'
condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043
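Review bot: `condition: selection | count(dns_query) by parent_domain > 1000` has no `timeframe:`, so the threshold applies to an unbounded window and any popular domain crosses 1000 queries eventually; add a `timeframe:` (the privilege-escalation rule in this changeset uses `timeframe: 30m`) so the count is per window. Also the `logsource` here is `product: dns` while the next hunk uses `category: dns`, so the backend config will need both unless one is aligned to the other, and `parent_domain: '*'` as the only selection is a catch-all that is better written as a count over all events of the record types of interest.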
@@ -12,10 +12,11 @@ logsource:
category: dns
detection:
selection:
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
record_type: 'TXT'
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
condition: selection
falsepositives:
- Unknown
+20
View File
@@ -0,0 +1,20 @@
title: APT40 Dropbox Tool User Agent
status: experimental
description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
logsource:
category: proxy
detection:
selection:
UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
r-dns: 'api.dropbox.com'
condition: selection
fields:
- c-ip
- cs-uri
falsepositives:
- Old browsers
level: high
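Review bot: the rule lacks both `date:` and `tags:`, which every other new rule in this changeset carries; the Navigator layer above maps the `proxy_cobalt_*` rules to T1102 (Web Service) under command-and-control, so `attack.command_and_control` and `attack.t1102` would be the matching tags here. The `UserAgent` value is an unmodified Chrome 36 string, so the rule only has value because it is AND-ed with `r-dns: 'api.dropbox.com'`; say so in `description`, and turn the `references` entry (`Internal research from Florian Roth`) into something a reader can follow or mark it clearly as internal.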
+1
View File
@@ -22,6 +22,7 @@ detection:
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
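Review bot: the comment `# Payloads` on the new `MAAU` user agent line says nothing about which payload family uses it, whereas the neighbouring entries carry usable notes (the Googlebot line warns it is only for proxy logs, the next block names Metasploit); name the malware family or point to a reference so the entry can be re-validated later.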
+20
View File
@@ -0,0 +1,20 @@
title: Source Code Enumeration Detection by Keyword
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
references:
- 'https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html'
- 'https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1'
logsource:
category: webserver
detection:
keywords:
- '*.git/*'
condition: keywords
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- unknown
level: medium
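Review bot: the single keyword `'*.git/*'` matches any URL path containing `.git/`, including legitimate requests on hosts that serve or link to Git repositories over HTTP, so `falsepositives: unknown` undersells the noise; name that case, and consider anchoring on the specific files a repository dump fetches first (`.git/HEAD`, `.git/config`) to keep the rule precise. The rule also has no `status:`, `date:` or `tags:` fields, which the other new rules in this set carry; `attack.discovery` fits the enumeration it describes.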
@@ -0,0 +1,23 @@
title: Persistence and Execution at scale via GPO scheduled task
description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1106899890377052160
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\SYSVOL
RelativeTargetName: '*ScheduledTasks.xml'
Accesses: '*WriteData*'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
level: high
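Review bot: the key `description:` under `logsource` is not a Sigma logsource field; the 4661 rule in this changeset uses `definition:` for the same audit-policy requirement, so rename it here (the same applies to the ATSVC, SecretDump and named-pipe rules below). The `falsepositives` entry is a triage instruction rather than a false-positive source; move the 'monitor both local and remote changes' advice to `description` and list actual benign causes, such as administrators editing the GPO from a management workstation. The rule also lacks `status:` and `date:`, and `ususally` in the description should be `usually`.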
@@ -0,0 +1,25 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
tags:
- attack.credential_access
- attack.persistence
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
Value:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: critical
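Review bot: the two GUIDs under `Value` are DS-Replication-Get-Changes (`1131f6aa-...`) and DS-Replication-Get-Changes-All (`1131f6ad-...`), but a 5136 for an `ntSecurityDescriptor` change logs the whole descriptor and is emitted for both the removed and the added value, and the domain head already carries ACEs with these GUIDs for the domain controllers, so any ACL edit on that object matches regardless of what was changed. Restrict the selection to the 'Value Added' `OperationType` and note in `description` that the principal in the matching ACE still has to be compared against the previous value. Minor: `witin` in `falsepositives`, and the rule tags tactics only; `attack.t1003` is the technique the mimikatz rule in this changeset uses for credential dumping.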
@@ -0,0 +1,34 @@
title: AD Privileged Users or Groups Reconnaissance
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
- attack.discovery
- attack.t1087
status: experimental
author: Samir Bousseaden
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
- '*admin*'
condition: selection
falsepositives:
- if source account name is not an admin then its super suspicious
level: high
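Review bot: the RIDs 544, 551 and 555 in `ObjectName` belong to built-in local groups (the `S-1-5-32-` aliases), which SAM represents as aliases rather than groups; check whether 4661 reports them with `ObjectType: SAM_ALIAS`, in which case they never match the current `SAM_USER`/`SAM_GROUP` list and a third `ObjectType` entry is needed. As in the GPO rule, the `falsepositives` line ('if source account name is not an admin then its super suspicious') is triage guidance, not a benign cause; list the real noise sources (monitoring agents, help-desk tooling, periodic group audits) and keep the guidance in `description`. The rule also lacks `date:`.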
@@ -6,18 +6,20 @@ tags:
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
logsource:
product: windows
detection:
keywords:
- mimikatz
- mimilib
- <3 eo.oe
- eo.oe.kiwi
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
- mimidrv.sys
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
condition: keywords
falsepositives:
- Naughty administrators
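Review bot: the padded keywords (`"* mimikatz *"`, `"* sekurlsa::logonpasswords *"`) require whitespace on both sides of the token, so a module call at the very end of a logged command line, a file-name form such as `mimikatz.exe`, or a quoted argument no longer matches; the substring false positives go down, but so does coverage. Add end-of-string variants without the trailing space for the command-style entries and keep the bare form for the file names (`mimidrv.sys`, `mimilib`), and bump `modified:` since the match semantics changed.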
+25
View File
@@ -0,0 +1,25 @@
title: Remote Task Creation via ATSVC named pipe
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- car.2013-05-004
- car.2015-04-001
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: atsvc
Accesses: '*WriteData*'
condition: selection
falsepositives:
- pentesting
level: medium
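Review bot: as in the GPO rule, `description:` under `logsource` should be `definition:` (see the 4661 rule in this changeset). `RelativeTargetName: atsvc` and `ShareName: \\*\IPC$` are exact-value matches apart from the wildcard, so the backend must compare case-insensitively for `ATSVC`/`IPC$` spellings to match; the named-pipe rule below relies on the same assumption. `falsepositives: pentesting` is not a benign source; administrators scheduling tasks on remote hosts with `at.exe` are. The rule also lacks `status:` and `date:`.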
@@ -14,7 +14,7 @@ author: '@neu5ron'
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection:
EventID: 4719
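Review bot: this change looks wrong and should be reverted. EventID 4719 ('System audit policy was changed') is generated by the Policy Change > Audit Policy Change subcategory, whose setting is literally named 'Audit Audit Policy Change' (the doubled word is correct); 'Audit Authorization Policy Change' is the sibling subcategory that produces 4703, 4704, 4705 and 4670. The original `definition:` line was accurate, and with the new text an operator who enables only Authorization Policy Change auditing never receives the event this rule selects on.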
@@ -0,0 +1,21 @@
title: Possible Impacket SecretDump remote activity
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
RelativeTargetName: 'SYSTEM32\*.tmp'
condition: selection
falsepositives:
- pentesting
level: high
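Review bot: `RelativeTargetName: 'SYSTEM32\*.tmp'` contains the sequence `\*`, which under Sigma's backslash escaping rules denotes a literal asterisk rather than a backslash followed by a wildcard; to express the intended `SYSTEM32\<anything>.tmp` write `'SYSTEM32\\*.tmp'` (the `\\*\ADMIN$` share name should still match because the escaped backslash comes first). Also rename `description:` under `logsource` to `definition:` as in the 4661 rule, replace `falsepositives: pentesting` with genuine benign causes (remote administration tooling that stages temporary files under ADMIN$), and add `status:` and `date:`.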
@@ -0,0 +1,34 @@
title: First time seen remote named pipe
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1104489274387451904
tags:
- attack.lateral_movement
- attack.t1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
level: high
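Review bot: the title and description promise a first-seen baseline, but the logic is a static allowlist (`selection1 and not selection2`): nothing in the rule tracks what has been observed before, so it fires on every 5145 for an IPC$ pipe outside the ten listed names, every time. Either retitle it as an allowlist of common remote named pipes or implement the baselining in a backend-specific way outside Sigma. The same `description:`/`definition:` logsource issue as the other 5145 rules applies, `namped` in the description is a typo, and the `falsepositives` entry is a tuning instruction rather than a benign cause; the benign causes are whatever pipes get added to `selection2` during tuning.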
@@ -5,6 +5,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
logsource:
product: windows
service: system
@@ -7,6 +7,7 @@ author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA
tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
logsource:
product: windows
service: security
@@ -0,0 +1,32 @@
title: Pass the Hash Activity
status: production
description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
tags:
- attack.lateral_movement
- attack.t1075
logsource:
product: windows
service: security
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
selection:
- EventID: 4624
SecurityID: 'NULL SID'
LogonType: '3'
LogonProcessName: 'NtLmSsp'
KeyLength: '0'
- EventID: 4624
LogonType: '9'
LogonProcessName: 'seclogo'
filter:
AccountName: 'ANONYMOUS LOGON'
condition: selection and not filter
falsepositives:
- Administrator activity
- Penetration tests
level: medium
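Review bot: both the selection and the filter use field names that are ambiguous in 4624: the event carries a Security ID and Account Name in its Subject section and another pair in its New Logon section, so `SecurityID: 'NULL SID'` and `AccountName: 'ANONYMOUS LOGON'` depend on which one the backend field mapping picks. Use the unambiguous event-data names (`SubjectUserSid`, `TargetUserName`) or state the mapping in `definition:`. The selection is a list of two maps, which is an OR under the explicit-OR change in this branch; the `definition:` text should say that the second map (`LogonType: '9'` with `LogonProcessName: 'seclogo'`) fires on the host where the credential is injected rather than on the target, unlike the type 3 NTLM case. `status: production` is also out of step with the `experimental` status every other new rule in this changeset uses.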
@@ -7,6 +7,7 @@ tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
logsource:
product: windows
service: security
@@ -6,6 +6,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
logsource:
product: windows
service: system
@@ -0,0 +1,22 @@
title: Scanner PoC for CVE-2019-0708 RDP RCE vuln
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
references:
- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
- https://github.com/zerosum0x0/CVE-2019-0708
tags:
- attack.lateral_movement
- attack.t1210
- car.2013-07-002
author: Florian Roth (rule), Adam Bradbury (idea)
date: 2019/06/02
logsource:
product: windows
service: security
detection:
selection:
EventID: 4625
AccountName: AAAAAAA
condition: selection
falsepositives:
- Unlikely
level: critical
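Review bot: the rule has no `status:` field, unlike the other new rules in this diff; add `status: experimental`. The detection keys on the single hard-coded `AccountName: AAAAAAA` that the referenced scanner leaves in 4625 failures, so the description should state that it matches the unmodified PoC only; otherwise `level: critical` with `falsepositives: Unlikely` overstates what the rule covers.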
@@ -7,6 +7,7 @@ modified: 2019/01/29
tags:
- attack.lateral_movement
- attack.t1076
- car.2013-07-002
status: experimental
author: Thomas Patzke
logsource:
@@ -0,0 +1,21 @@
title: Potential RDP exploit CVE-2019-0708
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://github.com/zerosum0x0/CVE-2019-0708
tags:
- attack.initial_access
- car.2013-07-002
status: experimental
author: Lionel PRAT, Christophe BROCAS
logsource:
product: windows
service: system
detection:
selection:
EventID: 56
Source: TermDD
condition: selection
falsepositives:
- Bad connections or network interruptions
level: high
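Review bot: `date:` is missing, and the tags stop at the tactic (`attack.initial_access`) without a technique-level `attack.t*` entry, whereas the companion CVE-2019-0708 scanner rule above carries `attack.t1210`; add the matching technique. The description ("Detect suspicious error on protocol RDP") should say what the selection actually matches, i.e. a TermDD event 56 in the System log that can indicate an exploitation attempt.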
@@ -9,6 +9,7 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1076
- car.2013-07-002
logsource:
product: windows
service: security
@@ -6,19 +6,21 @@ references:
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
modified: 2019/07/17
tags:
- attack.defense_evasion
- attack.t1073
author: Dimitrios Slamaris
author: "Dimitrios Slamaris, @atc_project (fix)"
logsource:
product: windows
service: dhcp
service: system
detection:
selection:
EventID:
- 1031
- 1032
- 1034
Source: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
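Review bot: the added `Source: Microsoft-Windows-DHCP-Server` is the actual fix for the event-ID collision (1031/1032/1034 are reused by other providers writing to the same log), and the `service: dhcp` to `service: system` change should be called out in the commit message: any backend config that still maps a `dhcp` service for this rule is now unused, and only the `modified: 2019/07/17` bump hints that the logsource moved.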
@@ -7,12 +7,14 @@ author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Source: Microsoft-Windows-Eventlog
condition: selection
falsepositives:
- Unknown
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- EventID: 4661

@@ -0,0 +1,28 @@
title: Suspicious PsExec execution
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags:
- attack.lateral_movement
- attack.t1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- '*-stdin'
- '*-stdout'
- '*-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: 'PSEXESVC*'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
level: high
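Review bot: the second `description:` (the audit-policy prerequisite under `logsource`) should be `definition:`, which is the key the Event ID 4661 rule above uses for the same purpose; a second `description` reads like a duplicate top-level key. `status:` and `date:` are missing, and `selection2` is used as an exclusion, so naming it `filter` would match the `selection and not filter` convention used elsewhere in this diff.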
@@ -0,0 +1,30 @@
title: Suspicious access to sensitive file extensions
description: Detects known sensitive file extensions
author: Samir Bousseaden
tags:
- attack.collection
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 5145
RelativeTargetName:
- '*.pst'
- '*.ost'
- '*.msg'
- '*.nst'
- '*.oab'
- '*.edb'
- '*.nsf'
- '*.bak'
- '*.dmp'
- '*.kirbi'
- '*\ntds.dit'
- '*\groups.xml'
- '*.rdp'
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
level: high
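Review bot: `level: high` is hard to justify for `*.bak`, `*.dmp` and `*.rdp` over SMB, which backup jobs and help-desk staff touch constantly (the `falsepositives` entry admits as much); either move those to a separate lower-level rule or set this one to `medium`. As with the PsExec rule above, 5145 requires "Audit Detailed File Share" to be enabled, so a `definition:` stating that prerequisite belongs here too, along with `status:` and `date:`. The single-item `EventID:` list can be the scalar `EventID: 5145`.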
@@ -3,6 +3,7 @@ description: Some threat groups tend to delete the local 'Security' Eventlog usi
tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
author: Florian Roth
logsource:
product: windows
@@ -0,0 +1,22 @@
title: Remote Service Activity Detected via SVCCTL named pipe
description: Detects remote remote service activity via remote access to the svcctl named pipe
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
tags:
- attack.lateral_movement
- attack.persistence
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: svcctl
Accesses: '*WriteData*'
condition: selection
falsepositives:
- pentesting
level: medium
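Review bot: "Detects remote remote service activity" has a duplicated word, and the `description:` under `logsource` should be `definition:` as in the other rules. `status:` and `date:` are missing. `Accesses: '*WriteData*'` on the svcctl pipe is the right discriminator, but `falsepositives: pentesting` undersells it: legitimate remote service management (sc.exe against a remote host, management agents that install services) also writes to svcctl, so list those.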
@@ -0,0 +1,26 @@
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
status: experimental
tags:
- attack.persistence
- attack.t1136
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
condition: selection
fields:
- EventCode
- AccountName
- AccountDomain
falsepositives:
- Domain Controller Logs
- Local accounts managed by privileged account management tools
level: low
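Review bot: the `fields:` list names `EventCode`, but the rule selects on `EventID`; `EventCode` is the Splunk field name and does not exist in other backends, so use `EventID` there as well. The title "Detects local user creation" is a sentence rather than a noun phrase like the other titles in this diff ("Local User Creation"), and `date:` is missing.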
@@ -15,7 +15,7 @@ logsource:
detection:
selection:
EventID: 13
TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
condition: selection
falsepositives:
- Unknown
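Review bot: the pattern change is correct because Sysmon writes HKU paths as `HKU\<SID>\Software\...`, so the old `HKU\Software\...` prefix could never match and the rule was silently dead; bump `modified:` so users know the selection changed.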
@@ -11,7 +11,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
@@ -11,7 +11,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
@@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection:
EventID: 4103
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- System.Reflection.Assembly.Load
@@ -8,6 +8,7 @@ tags:
- attack.t1088
- attack.t1191
- attack.g0069
- car.2019-04-001
author: Nik Seetharaman
references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
@@ -0,0 +1,26 @@
title: Disable of ETW Trace
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
- https://abuse.io/lockergoga.txt
author: '@neu5ron, Florian Roth'
date: 2019/03/22
tags:
- attack.execution
- attack.t1070
- car.2016-04-002
level: high
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine: '* cl */Trace*'
selection_clear_2:
CommandLine: '* clear-log */Trace*'
selection_disable_1:
CommandLine: '* sl* /e:false*'
selection_disable_2:
CommandLine: '* set-log* /e:false*'
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
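Review bot: `attack.execution` does not fit; clearing or disabling a trace log is indicator removal (`attack.t1070` is already tagged), so the tactic should be `attack.defense_evasion`. There is no `falsepositives:` section and no `status:`; administrators do clear trace channels with `wevtutil cl`, so document that. The four `CommandLine` patterns are not tied to an `Image`, which keeps coverage for renamed copies of wevtutil, but say so in the description.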
@@ -0,0 +1,25 @@
title: Windows Kernel and 3rd-party drivers exploits. Token stealing
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.privilege_escalation
- attack.t1068
status: experimental
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
date: 2019/06/03
logsource:
category: process_creation
product: windows
detection:
selection:
ParentIntegrityLevel: Medium
IntegrityLevel: System
User: "NT AUTHORITY\\SYSTEM"
condition: selection
falsepositives:
- Unknown
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
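Review bot: `enrichment:` is not a Sigma specification key and `ParentIntegrityLevel` is not a native Sysmon event 1 field, so this rule only works after the linked enrichment steps have been applied; sigmac will emit a query on `ParentIntegrityLevel` that matches nothing on a plain Sysmon feed. State the dependency in the description so the rule is not deployed as-is and judged broken.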
@@ -20,7 +20,7 @@ logsource:
product: windows
detection:
selection:
ProcessCommandLine:
CommandLine:
- '*\AppData\Roaming\Oracle*\java*.exe *'
- '*cscript.exe *Retrive*.vbs *'
---
@@ -0,0 +1,18 @@
title: LockerGoga Ransomware
description: Detects a command that clears the WMI trace log which indicates LockaerGoga ransomware activity
references:
- https://abuse.io/lockergoga.txt
author: Florian Roth
date: 2019/03/22
tags:
- attack.execution
- attack.t1064
level: high
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '* cl Microsoft-Windows-WMI-Activity/Trace'
condition: selection
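Review bot: typo in the description, "LockaerGoga". The pattern `'* cl Microsoft-Windows-WMI-Activity/Trace'` is a strict subset of `'* cl */Trace*'` in the Disable of ETW Trace rule added in this same change, so both rules fire on the same event; if this one is kept for the malware-family context, cross-reference the generic rule and add `status:` and `falsepositives:`. `attack.t1064` (scripting) does not describe clearing a trace log; `attack.t1070` does.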
@@ -1,33 +0,0 @@
title: WannaCry Ransomware
description: Detects WannaCry Ransomware Activity
status: experimental
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*'
selection2:
Image:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe'
- '*\linuxnew.exe'
- '*\wannacry.exe'
condition: 1 of them
falsepositives:
- Unknown
level: critical
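Review bot: deleting this file is fine as a consolidation (the Sysmon variant is renamed to "WannaCry Ransomware" further down), but the deleted rule's `condition: 1 of them` fired on either the image names or the commands, so confirm the surviving rule's condition keeps both selections alive, and record the merge in the commit message; nothing in the hunks explains the removal.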
@@ -13,6 +13,7 @@ tags:
- attack.t1085
- attack.t1070
- attack.t1003
- car.2016-04-002
logsource:
category: process_creation
product: windows
@@ -1,6 +1,6 @@
title: WannaCry Ransomware via Sysmon
title: WannaCry Ransomware
status: experimental
description: Detects WannaCry ransomware activity via Sysmon
description: Detects WannaCry ransomware activity
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
@@ -14,6 +14,7 @@ detection:
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\@WanaDecryptor@*'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
@@ -23,7 +24,6 @@ detection:
- '*\wannacry.exe'
selection2:
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*'
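Review bot: the header shows this block shrinking from 7 to 6 lines, i.e. one of the four `CommandLine` indicators is removed, but the rendered view does not mark which. If it is `'*vssadmin delete shadows*'`, its coverage now lives in the new "Ransomware Deleting Shadow Volume Copies" rule in this same change and the commit message should say so; if it is one of the others, the removal needs a stated reason.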
@@ -20,11 +20,7 @@ detection:
- '*\reg.exe'
- '*\regsvr32.exe'
- '*\BITSADMIN*'
filter:
CommandLine:
- '*/HP/HP*'
- '*\HP\HP*'
condition: selection and not filter
condition: selection
fields:
- CommandLine
- ParentCommandLine
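Review bot: dropping the `*/HP/HP*` / `*\HP\HP*` filter and simplifying to `condition: selection` turns a suppressed false positive into a documented one (the next hunk adds "HP software" under `falsepositives`), which will raise alert volume wherever HP printer software is deployed. If the command-line substring exclusion was removed because it was too broad, say so in the commit; otherwise an `Image`- or `ParentImage`-based exclusion keeps the suppression without the breadth.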
@@ -32,6 +28,10 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1170
- car.2013-02-003
- car.2013-03-001
- car.2014-04-003
falsepositives:
- Printer software / driver installations
- HP software
level: high
@@ -0,0 +1,23 @@
title: Netsh
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
date: 2019/01/29
tags:
- attack.lateral_movement
- attack.command_and_control
- attack.t1090
status: experimental
author: Markus Neis
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*netsh firewall add*'
condition: selection
falsepositives:
- Legitimate administration
level: medium
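Review bot: `'*netsh firewall add*'` only matches the legacy `netsh firewall` context; the current syntax is `netsh advfirewall firewall add rule ...`, which this pattern misses because "advfirewall" sits between `netsh` and `firewall`. Add `'*netsh advfirewall firewall add rule*'` as a second entry. The title "Netsh" is too generic for a rule about inbound allow rules, and `attack.t1090` (connection proxy) does not describe what the description itself says the rule catches ("Allow Incoming Connections"); tag the firewall-modification technique instead.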
@@ -6,6 +6,7 @@ date: 2019/01/29
tags:
- attack.lateral_movement
- attack.t1021
- car.2013-07-002
status: experimental
author: Florian Roth
logsource:
@@ -9,6 +9,8 @@ tags:
- attack.defense_evasion
- attack.t1059
- attack.t1202
- car.2013-02-003
- car.2014-04-003
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
@@ -42,6 +44,7 @@ detection:
- '*\scriptrunner.exe'
- '*\mftrace.exe'
- '*\AppVLP.exe'
- '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
condition: selection
fields:
- CommandLine
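Review bot: `svchost.exe` is the most common process name on a Windows host, so adding it to this list on the strength of one sandbox report is a large widening; the hunk does not show which parent or condition scopes the selection, so confirm it is otherwise constrained and extend `falsepositives` accordingly before merging.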
@@ -0,0 +1,36 @@
title: MS Office Product Spawning Exe in User Dir
status: experimental
description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
references:
- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059
- attack.t1202
- FIN7
- car.2013-05-002
author: Jason Lynch
date: 2019/04/02
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
- '*\POWERPNT.exe'
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'
Image:
- 'C:\users\*.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- unknown
level: high
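Review bot: `- FIN7` is not a namespaced tag; the convention in this repo is `attack.g*` for groups (see `attack.g0069` elsewhere in this diff), so use FIN7's group identifier. A `sha256=...` entry is not a reference URL and will trip tooling that validates the list; move the sample hash into the description or a comment. The `ParentImage` list mixes `.EXE` and `.exe`; harmless on case-insensitive backends, but worth normalising.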
@@ -6,6 +6,7 @@ references:
tags:
- attack.execution
- attack.t1086
- car.2014-04-003
author: Markus Neis
date: 2018/08/25
logsource:
@@ -7,6 +7,7 @@ references:
tags:
- attack.t1086
- attack.execution
- car.2013-05-009
author: Tom Ueltschi (@c_APT_ure)
logsource:
category: process_creation
@@ -0,0 +1,36 @@
title: Windows Processes Suspicious Parent Directory
status: experimental
description: Detect suspicious parent processes of well-known Windows processes
author: 'vburov'
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\svchost.exe'
- '*\taskhost.exe'
- '*\lsm.exe'
- '*\lsass.exe'
- '*\services.exe'
- '*\lsaiso.exe'
- '*\csrss.exe'
- '*\wininit.exe'
- '*\winlogon.exe'
filter:
ParentImage:
- '*\System32\\*'
- '*\SysWOW64\\*'
condition: selection and not filter
falsepositives:
- Some security products seem to spawn these
level: low
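Review bot: this overlaps with the extended "started in a suspicious folder" rule further down (the same process list, with a complementary check: parent directory here, image directory there); cross-reference the two so they are maintained together. The trailing `\\*` in the filter means any depth below `System32`/`SysWOW64`, which is presumably intended; if only the directory itself is meant, say so in a comment.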
@@ -0,0 +1,22 @@
title: Ransomware Deleting Shadow Volume Copies
status: experimental
description: Detects a command that deletes all local shadow volume copies as often used by Ransomware
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth
date: 2019/06/01
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*vssadmin delete shadows*'
- '*wmic SHADOWCOPY DELETE*'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Adminsitrative scripts - e.g. to prepare image for golden image creation
level: critical
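Review bot: typo in `falsepositives`, "Adminsitrative". The `'*vssadmin delete shadows*'` indicator duplicates the one in the WannaCry rule, which this change appears to trim at the same time; a one-line cross-reference keeps maintainers from re-adding it there.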
@@ -0,0 +1,55 @@
title: Renamed Binary
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27
date: 2019/06/15
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
tags:
- attack.t1036
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- "cmd.exe"
- "powershell.exe"
- "powershell_ise.exe"
- "psexec.exe"
- "cscript.exe"
- "wscript.exe"
- "mshta.exe"
- "regsvr32.exe"
- "wmic.exe"
- "certutil.exe"
- "rundll32.exe"
- "cmstp.exe"
- "msiexec.exe"
- "7z.exe"
- "winrar.exe"
filter:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\powershell_ise.exe'
- '*\psexec.exe'
- '*\psexec64.exe'
- '*\cscript.exe'
- '*\wscript.exe'
- '*\mshta.exe'
- '*\regsvr32.exe'
- '*\wmic.exe'
- '*\certutil.exe'
- '*\rundll32.exe'
- '*\cmstp.exe'
- '*\msiexec.exe'
- '*\7z.exe'
- '*\winrar.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
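Review bot: the `selection`/`filter` pair is not pairwise: the filter passes any `Image` whose file name appears in the list regardless of which `OriginalFileName` matched, so a listed binary carrying another listed name is excluded even though it is renamed. Pairing each `OriginalFileName` value with its own `Image` filter, so the exclusion is evaluated per name, closes that gap; the `psexec.exe`/`psexec64.exe` entry shows the intent already.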
@@ -0,0 +1,32 @@
title: Execution of Renamed PaExec
status: experimental
description: Detects execution of renamed paexec via imphash and executable product string
references:
- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
tags:
- attack.defense_evasion
- attack.t1036
- FIN7
- car.2013-05-009
date: 2019/04/17
author: Jason Lynch
falsepositives:
- Unknown imphashes
level: medium
logsource:
category: process_creation
product: windows
detection:
selection1:
Product:
- '*PAExec*'
selection2:
Imphash:
- 11D40A7B7876288F919AB819CC2D9802
- 6444f8a34e99b8f7d9647de66aabe516
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
filter1:
Image: '*paexec*'
condition: (selection1 and selection2) and not filter1
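Review bot: the `Imphash` list mixes one upper-case value with lower-case ones; backends that compare hashes case-sensitively will miss one or the other, so normalise to a single case. `falsepositives:` and `level:` sit before `logsource:`, unlike the field order used elsewhere, `- FIN7` has the same non-namespaced-tag issue as the Office rule above, and the `sha256=` entry does not belong in `references`.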
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
NewProcessName: '*\fsutil.exe'
NewProcessName: '*\bcdedit.exe'
ProcessCommandLine:
- '*delete*'
- '*deletevalue*'
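Review bot: the rename to `bcdedit.exe` matches the `delete`/`deletevalue` verbs in the command-line patterns; note that `'*delete*'` already matches everything `'*deletevalue*'` matches, so the second pattern is redundant (harmless, but it suggests exact-match semantics were expected).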
@@ -12,6 +12,7 @@ tags:
- attack.discovery
- attack.t1087
- attack.t1082
- car.2016-03-001
logsource:
category: process_creation
product: windows
@@ -9,6 +9,7 @@ tags:
- attack.defense_evasion
- attack.t1073
- attack.t1085
- car.2013-10-002
logsource:
category: process_creation
product: windows
@@ -0,0 +1,31 @@
title: Suspicious Double Extension
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
- https://twitter.com/blackorbird/status/1140519090961825792
author: Florian Roth (rule), @blu3_team (idea)
date: 2019/06/26
tags:
- attack.initial_access
- attack.t1193
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*.doc.exe'
- '*.docx.exe'
- '*.xls.exe'
- '*.xlsx.exe'
- '*.ppt.exe'
- '*.pptx.exe'
- '*.rtf.exe'
- '*.pdf.exe'
- '*.txt.exe'
- '* .exe'
- '*______.exe'
condition: selection
falsepositives:
- Unknown
level: critical
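Review bot: `level: critical` with `falsepositives: Unknown` and no `status:` is a mismatch for a brand-new heuristic; mark it `experimental`. `'* .exe'` matches any image path with a space directly before `.exe`, which also catches carelessly named legitimate installers, and `'*______.exe'` only catches six or more underscores; both are acceptable if the description says the list is heuristic.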
@@ -15,7 +15,11 @@ detection:
selection:
Image: '*\GUP.exe'
filter:
Image: '*\updater\*'
Image:
- 'C:\Users\*\AppData\Local\Notepad++\updater\gup.exe'
- 'C:\Users\*\AppData\Roaming\Notepad++\updater\gup.exe'
- 'C:\Program Files\Notepad++\updater\gup.exe'
- 'C:\Program Files (x86)\Notepad++\updater\gup.exe'
condition: selection and not filter
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
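Review bot: the new user-profile entries contain `C:\Users\*\AppData`, but in Sigma `\*` is an escaped literal asterisk; backslash followed by a wildcard is written `\\*`, as other rules in this diff do (`'*\System32\\*'`). As written the two `C:\Users` filters look for a literal `*` and never match, so GUP under a user profile keeps alerting; the old `'*\updater\*'` had the same defect, which is presumably why it is being replaced. Use `C:\Users\\*\AppData\...`.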
@@ -6,6 +6,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1175
- car.2013-02-003
logsource:
category: process_creation
product: windows
@@ -24,6 +24,7 @@ detection:
- '* share'
- '* accounts*'
- '* use*'
- '* stop *'
condition: selection
fields:
- CommandLine
@@ -0,0 +1,22 @@
title: Empire PowerShell Launch Parameters
description: Detects suspicious powershell command line parameters used in Empire
status: experimental
references:
- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
author: Florian Roth
date: 2019/04/20
tags:
- attack.execution
- attack.t1086
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* -NoP -sta -NonI -W Hidden -Enc *'
- '* -noP -sta -w 1 -enc *'
condition: selection
level: critical
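Review bot: no `falsepositives:` section; even "Unlikely" is expected for a `critical` rule. The two launcher patterns are the exact strings in the pinned Empire commits, which is good for precision; note in the description that the rule matches Empire's default launcher parameters only.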
@@ -5,6 +5,7 @@ references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
modified: 2019/04/20
tags:
- attack.execution
- attack.t1086
@@ -18,12 +19,15 @@ detection:
- '* -enc JAB*'
- '* -encodedcommand JAB*'
- '* BA^J e-'
- '* -e SUVYI*'
- '* -e aWV4I*'
- '* -e SQBFAFgA*'
- '* -e aQBlAHgA*'
- '* -enc SUVYI*'
- '* -enc aWV4I*'
- '* -enc SQBFAFgA*'
- '* -enc aQBlAHgA*'
falsepositive1:
Image: '*\GRR\\*'
falsepositive2:
CommandLine: '* -ExecutionPolicy remotesigned *'
condition: selection and not 1 of falsepositive*
falsepositives:
- GRR powershell hacks
- PowerSponse Deployments
condition: selection and not falsepositive1
level: high
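Review bot: the eight new `-e`/`-enc` prefixes are the base64 encodings of `IEX `/`iex ` in ASCII (`SUVYI`/`aWV4I`) and `IEX`/`iex` in UTF-16LE (`SQBFAFgA`/`aQBlAHgA`); add that as a comment so maintainers can extend the list without re-deriving it. The new `falsepositive2` excludes on `-ExecutionPolicy remotesigned` appearing anywhere in the command line, which is a broad exclusion for a `high` rule; an `Image` or `ParentImage` path for the PowerSponse deployments would be a tighter fit if one is stable. Replacing `condition: selection and not falsepositive1` with `not 1 of falsepositive*` is the right generalisation.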
@@ -11,6 +11,7 @@ tags:
- attack.t1036
- attack.credential_access
- attack.t1003
- car.2013-05-009
logsource:
category: process_creation
product: windows
@@ -16,6 +16,8 @@ references:
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
author: Florian Roth
modified: 2018/12/11
tags:
- car.2013-07-001
logsource:
category: process_creation
product: windows
@@ -8,6 +8,8 @@ tags:
- attack.t1117
- attack.defense_evasion
- attack.execution
- car.2019-04-002
- car.2019-04-003
logsource:
category: process_creation
product: windows
@@ -13,11 +13,18 @@ logsource:
product: windows
detection:
selection:
CommandLine:
Image:
- '*:\RECYCLER\\*'
- '*:\SystemVolumeInformation\\*'
- '%windir%\Tasks\\*'
- '%systemroot%\debug\\*'
- 'C:\\Windows\\Tasks\\*'
- 'C:\\Windows\\debug\\*'
- 'C:\\Windows\\fonts\\*'
- 'C:\\Windows\\help\\*'
- 'C:\\Windows\\drivers\\*'
- 'C:\\Windows\\addins\\*'
- 'C:\\Windows\\cursors\\*'
- 'C:\\Windows\\system32\tasks\\*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
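Review bot: switching the field from `CommandLine` to `Image` is right, but `'%windir%\Tasks\\*'` and `'%systemroot%\debug\\*'` cannot match an `Image` value (the logged path is resolved, never an environment variable), so whichever of the two survives here is dead weight; `C:\\Windows\\Tasks\\*` and `C:\\Windows\\debug\\*` already cover them. The new entries also hard-code `C:\` while the `RECYCLER` entries use `*:\`, and `'C:\\Windows\\system32\tasks\\*'` mixes `\\` and `\` in one path; pick one escaping style (both spell the same path in Sigma, since `\\` is a literal backslash).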
@@ -21,6 +21,7 @@ tags:
- attack.privilege_escalation
- attack.t1053
- attack.s0111
- car.2013-08-001
falsepositives:
- Administrative activity
- Software installation
@@ -0,0 +1,55 @@
title: Squirrel Lolbin
status: experimental
description: Detects Possible Squirrel Packages Manager as Lolbin
references:
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
tags:
- attack.execution
author: Karneades / Markus Neis
falsepositives:
- 1Clipboard
- Beaker Browser
- Caret
- Collectie
- Discord
- Figma
- Flow
- Ghost
- GitHub Desktop
- GitKraken
- Hyper
- Insomnia
- JIBO
- Kap
- Kitematic
- Now Desktop
- Postman
- PostmanCanary
- Rambox
- Simplenote
- Skype
- Slack
- SourceTree
- Stride
- Svgsus
- WebTorrent
- WhatsApp
- WordPress.com
- atom
- gitkraken
- slack
- teams
level: high
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\update.exe' # Check if folder Name matches executed binary \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
CommandLine:
- '*--processStart*.exe*'
- '*createShortcut*.exe*'
condition: selection
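Review bot: `level: high` with thirty-odd known legitimate Electron apps in `falsepositives` is inconsistent; this is a hunting rule and should be `medium` or `low`. The folder-name check in the inline comment (a regex with a backreference) is not something Sigma can express, so either state in the description that analysts must do that check manually or drop the comment. `date:` is missing.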
@@ -16,7 +16,11 @@ detection:
ParentImage:
- '*\services.exe'
- '*\MsMpEng.exe'
condition: selection and not filter
- '*\Mrt.exe'
- '*\rpcnet.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
fields:
- CommandLine
- ParentCommandLine
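Review bot: `ParentImage: null` relies on the backend translating "field does not exist" correctly; confirm every target in this release handles `null` before depending on it. The new exclusion also means events where the parent was not resolved are never evaluated, which shrinks coverage rather than just removing noise; state why it is needed.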
@@ -14,8 +14,8 @@ detection:
ParentImage: '*\taskmgr.exe'
filter:
Image:
- resmon.exe
- mmc.exe
- '*\resmon.exe'
- '*\mmc.exe'
condition: selection and not filter
fields:
- Image
@@ -8,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1076
- car.2013-07-002
author: Florian Roth
date: 2018/03/17
modified: 2018/12/11
@@ -0,0 +1,24 @@
title: Suspicious Userinit Child Process
status: experimental
description: Detects the creation of a process from Windows task manager
references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\userinit.exe'
filter:
CommandLine:
- '*\explorer.exe*'
- '*\\netlogon\\*'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Administrative scripts
level: high
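Review bot: the description ("Detects the creation of a process from Windows task manager") is copied from the taskmgr rule and does not describe this one; it should say it detects unusual children of `userinit.exe`, which normally starts only `explorer.exe` and logon scripts from a `\netlogon\` share, which is exactly what the filter exempts.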
@@ -9,6 +9,7 @@ date: 2018/05/22
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
@@ -3,7 +3,7 @@ status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
- https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth
author: Florian Roth, Patrick Bareiss
date: 2017/11/27
tags:
- attack.defense_evasion
@@ -24,10 +24,17 @@ detection:
- '*\smss.exe'
- '*\csrss.exe'
- '*\conhost.exe'
- '*\wininit.exe'
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- '*\taskhost.exe'
filter:
Image:
- '*\System32\\*'
- '*\SysWow64\\*'
- 'C:\Windows\System32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\explorer.exe'
- 'C:\Windows\winsxs\*'
condition: selection and not filter
falsepositives:
- Exotic software
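Review bot: `'C:\Windows\winsxs\*'` ends in `\*`, which Sigma treats as an escaped literal asterisk, while the neighbouring entries correctly use `\\*` for backslash-plus-wildcard; as written the WinSxS exemption never matches. Use `'C:\Windows\winsxs\\*'`. The move from `'*\System32\\*'` to `'C:\Windows\System32\\*'` also assumes the system drive is `C:`; `'*:\Windows\System32\\*'` keeps the tightened intent without that assumption.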
@@ -0,0 +1,22 @@
title: Terminal Service Process Spawn
status: experimental
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth
date: 2019/05/22
tags:
- car.2013-07-002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine: '*\svchost.exe*termsvcs'
filter:
Image: '*\rdpclip.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
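Review bot: only a `car.*` tag; the sibling CVE-2019-0708 rules in this diff carry `attack.initial_access`/`attack.t1210`, so add ATT&CK tags here as well. `'*\svchost.exe*termsvcs'` requires the service group name to be the last token of the parent command line; on hosts where svchost appends `-s TermService` after `-k termsvcs` the pattern does not match, and `'*\svchost.exe*termsvcs*'` covers both forms.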
@@ -0,0 +1,26 @@
title: WMI Spawning Windows PowerShell
status: experimental
description: Detects WMI spawning PowerShell
references:
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis / @Karneades
date: 2019/04/03
tags:
- attack.execution
- attack.defense_evasion
- attack.t1064
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\wmiprvse.exe'
Image:
- '*\powershell.exe'
condition: selection
falsepositives:
- AppvClient
- CCM
level: high
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1191
- attack.g0069
- car.2019-04-001
author: Nik Seetharaman
references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
@@ -0,0 +1,25 @@
title: LSASS Memory Dump
status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
tags:
- attack.t1003
- attack.s0002
- attack.credential_access
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1fffff'
CallTrace:
- '*dbghelp.dll*'
- '*dbgcore.dll*'
condition: selection
falsepositives:
- unknown
level: high
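Review bot: `TargetImage: 'C:\windows\system32\lsass.exe'` hard-codes the system drive; `'*\lsass.exe'` is what other rules use and avoids missing hosts installed on another drive (the Mimikatz rule below has the same issue). `date:` is missing; `status: experimental` with `falsepositives: unknown` is appropriate for a CallTrace-based heuristic.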
@@ -1,12 +1,14 @@
title: Mimikatz Detection LSASS Access
status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
tags:
- attack.t1003
- attack.s0002
- attack.credential_access
- car.2019-04-004
logsource:
product: windows
service: sysmon
@@ -14,7 +16,9 @@ detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1410'
GrantedAccess:
- '0x1410'
- '0x1010'
condition: selection
falsepositives:
- unknown
@@ -8,6 +8,7 @@ tags:
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2019-04-004
logsource:
product: windows
service: sysmon
@@ -27,6 +27,7 @@ tags:
- attack.s0111
- attack.g0022
- attack.g0060
- car.2013-08-001
falsepositives:
- False positives are possible, depends on organisation and processes
level: high
@@ -9,6 +9,7 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1076
- car.2013-07-002
logsource:
product: windows
service: sysmon
@@ -0,0 +1,22 @@
title: RDP Sensitive Settings Changed
description: Detects changes to RDP terminal service sensitive settings
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
detection:
selection_reg:
EventID: 13
TargetObject:
- '*\services\TermService\Parameters\ServiceDll*'
- '*\Control\Terminal Server\fSingleSessionPerUser*'
- '*\Control\Terminal Server\fDenyTSConnections*'
condition: selection_reg
tags:
- attack.defense_evasion
falsepositives:
- unknown
level: high
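Review bot: `tags:` is placed after `detection:`, unlike every other rule here, and there is no `status:` or technique-level tag (`attack.t1112`, modify registry, fits a Sysmon event 13 rule). `fDenyTSConnections` and `fSingleSessionPerUser` are also flipped by Group Policy and by administrators enabling Remote Desktop, so `falsepositives: unknown` understates it; `level: high` is defensible for the `ServiceDll` change but not for the two flags, which argues for splitting them.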
