Sigma tools release 0.3.3

* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename

rules/apt/apt_chafer_mar18.yml

@@ -0,0 +1,53 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+date: 2018/03/23
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+    selection_process1:
+        EventID: 1 
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        EventID: 1
+        Image: '*\Windows\Temp\DB\*.exe'
+    selection_process3:
+        EventID: 1
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'

rules/windows/builtin/win_admin_rdp_login.yml

@@ -13,7 +13,6 @@ detection:
         EventID: 4624
         LogonType: 10
         AuthenticationPackageName: Negotiate
-        Severity: Information
         AccountName: 'Admin-*'
     condition: selection
 falsepositives: 

rules/windows/builtin/win_admin_share_access.yml

@@ -11,7 +11,7 @@ detection:
         EventID: 5140
         ShareName: Admin$
     filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
     condition: selection and not filter
 falsepositives: 
     - Legitimate administrative activity

rules/windows/builtin/win_disable_event_logging.yml

@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
     condition: selection
 falsepositives: 
     - Unknown

rules/windows/builtin/win_hack_smbexec.yml

@@ -0,0 +1,21 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+logsource:
+    product: windows
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical

rules/windows/builtin/win_net_ntlm_downgrade.yml

@@ -19,9 +19,9 @@ detection:
     selection1:
         EventID: 13
         TargetObject: 
-            - '*SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel'
-            - '*SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec'
-            - '*SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
         EventType: 'SetValue'
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
@@ -33,7 +33,7 @@ detection:
     selection2:
         EventID: 4657
         OperationType: 'Existing registry value modified'
-        ObjectName: '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
         ObjectValueName: 
             - 'LmCompatibilityLevel'
             - 'NtlmMinClientSec'

rules/windows/builtin/win_pass_the_hash.yml

@@ -12,12 +12,12 @@ detection:
     selection:
         - EventID: 4624
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
         - EventID: 4625
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
     filter:

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -14,50 +14,50 @@ detection:
     # CamMute
     selection_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
+        CommandLine: '*\CamMute.exe'
     filter_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
+        CommandLine: '*\Lenovo\Communication Utility\*'
 
     # Chrome Frame Helper
     selection_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
+        CommandLine: '*\chrome_frame_helper.exe'
     filter_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
+        CommandLine: '*\Google\Chrome\application\*'    
 
     # Microsoft Device Emulator
     selection_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
+        CommandLine: '*\dvcemumanager.exe'
     filter_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
+        CommandLine: '*\Microsoft Device Emulator\*'   
 
     # Windows Media Player Gadget
     selection_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
+        CommandLine: '*\Gadget.exe'
     filter_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
+        CommandLine: '*\Windows Media Player\*'
 
     # HTML Help Workshop
     selection_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
+        CommandLine: '*\hcc.exe'
     filter_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
+        CommandLine: '*\HTML Help Workshop\*'
 
     # Hotkey Command Module for Intel Graphics Contollers
     selection_hkcmd:
         EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
+        CommandLine: '*\hkcmd.exe'
     filter_hkcmd:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\System32\*'
             - '*\SysNative\*'
             - '*\SysWowo64\*'
@@ -65,10 +65,10 @@ detection:
     # McAfee component
     selection_mc:
         EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
+        CommandLine: '*\Mc.exe'
     filter_mc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'
@@ -76,10 +76,10 @@ detection:
     # MsMpEng - Microsoft Malware Protection Engine
     selection_msmpeng:
         EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
+        CommandLine: '*\MsMpEng.exe'
     filter_msmpeng:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Security Client\*'
             - '*\Windows Defender\*'
             - '*\AntiMalware\*'
@@ -87,26 +87,26 @@ detection:
     # Microsoft Security Center
     selection_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
+        CommandLine: '*\msseces.exe'
     filter_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
+        CommandLine: '*\Microsoft Security Center\*'
 
     # Microsoft Office 2003 OInfo
     selection_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
+        CommandLine: '*\OInfoP11.exe'
     filter_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
+        CommandLine: '*\Common Files\Microsoft Shared\*'      
 
     # OLE View
     selection_oleview:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_oleview:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   
@@ -115,10 +115,10 @@ detection:
     # RC
     selection_rc:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_rc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        EventLog: System
         EventID: 1033
     condition: selection
 falsepositives: 

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        - EventLog: System
           EventID: 
             - 1031
             - 1032

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -5,15 +5,20 @@ logsource:
     product: windows
     service: security
 detection:
-    selection:
+    selection1:
         EventID:
             - 529
             - 4625
-            - 4776
         UserName: not null
-        SourceWorkstation: not null
+        WorkstationName: not null
+    selection2:
+        EventID: 4776
+        UserName: not null
+        Workstation: not null
     timeframe: 24h 
-    condition: selection | count(UserName) by SourceWorkstation > 3
+    condition:
+        - selection1 | count(UserName) by WorkstationName > 3
+        - selection2 | count(UserName) by Workstation > 3
 falsepositives:
     - Terminal servers
     - Jump servers

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -2,7 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
 references:
     - https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
     product: windows
     service: security
@@ -10,10 +11,9 @@ detection:
     selection:
         EventID: 4769
         TicketOptions: '0x40810000'
-        TicketEncryption: '0x17'
+        TicketEncryptionType: '0x17'
     reduction:
         - ServiceName: '$*'
-        - Type: 'Success Audit'
     condition: selection and not reduction
 falsepositives:
     - Service accounts used on legacy systems (e.g. NetApp)

rules/windows/builtin/win_susp_samr_pwset.yml

@@ -6,11 +6,9 @@ logsource:
     service: security
 detection:
     samrpipe:
-            - EventLog: Security
               EventID: 5145
               RelativeTargetName: samr
     passwordchanged:
-            - EventLog: Security
               EventID: 4738
               PasswordLastSet: (any) 
     timeframe: 15s 

rules/windows/builtin/win_user_added_to_local_administrators.yml

@@ -10,7 +10,7 @@ detection:
         EventID: 4732
         GroupName: Administrators
     filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
     condition: selection and not filter
 falsepositives: 
     - Legitimate administrative activity

rules/windows/malware/win_mal_adwind.yml

@@ -40,7 +40,7 @@ logsource:
 detection:
     selection:
         EventID: 11
-        TargetFileName: 
+        TargetFilename: 
             - '*\AppData\Roaming\Oracle\bin\java*.exe'
             - '*\Retrive*.vbs'
 ---

rules/windows/sysmon/sysmon_mshta_spawn_shell.yml

@@ -22,7 +22,7 @@ detection:
             - '*\regsvr32.exe'
             - '*\BITSADMIN*'
     filter:
-        Commandline:
+        CommandLine:
             - '*/HP/HP*'
             - '*\HP\HP*'
     condition: selection and not filter

rules/windows/sysmon/sysmon_password_dumper_lsass.yml

@@ -7,7 +7,7 @@ logsource:
 detection:
     selection:
         EventID: 8
-        TargetProcess: 'C:\Windows\System32\lsass.exe'
+        TargetImage: 'C:\Windows\System32\lsass.exe'
         StartModule: null
     condition: selection
 falsepositives:

rules/windows/sysmon/sysmon_quarkspw_filedump.yml

@@ -13,7 +13,7 @@ detection:
     selection:
         # Sysmon: File Creation (ID 11)
         EventID: 11
-        TargetFileName: '*\AppData\Local\Temp\SAM-*.dmp*'
+        TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml

@@ -0,0 +1,23 @@
+title: Ping Hex IP
+description: Detects a ping command that uses a hex encoded IP address
+references:
+    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
+    - https://twitter.com/vysecurity/status/977198418354491392
+author: Florian Roth
+date: 2018/03/23
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine:
+            - '*\ping.exe 0x*'
+            - '*\ping 0x*'
+    condition: selection
+fields:
+    - ParentCommandLine
+falsepositives:
+    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+level: high
+

rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

@@ -22,7 +22,7 @@ detection:
     selection3:
         EventID: 1
         Image: '*\regsvr32.exe'
-        Commandline: 
+        CommandLine: 
             - '*/i:http* scrobj.dll'
             - '*/i:ftp* scrobj.dll'
     # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet

tools/config/helk.yml

@@ -28,3 +28,66 @@ logsources:
     service: powershell-classic
     index: logs-endpoint-winevent-powershell-*
 defaultindex: logs-*
+fieldmappings:
+    AccessMask: object_access_mask_requested
+    AccountName: service_account_name
+    AllowedToDelegateTo: user_attribute_allowed_todelegate
+    AttributeLDAPDisplayName: dsobject_attribute_name
+    AuditPolicyChanges: policy_changes
+    AuthenticationPackageName: logon_authentication_package
+    CallTrace: process_calltrace
+    CommandLine: command_line
+    ComputerName: host_name
+    CurrentDirectory: process_current_directory
+    DestinationHostname: dst_host
+    DestinationIp: dst_ip
+    DestinationIsIpv6: dst_isipv6
+    DestinationPort: dst_port_number
+    Details: registry_details
+    EngineVersion: powershell.engine.version
+    EventID: event_id
+    EventType: 
+        EventID=12: registry_event_type
+        EventID=13: registry_event_type
+        EventID=14: registry_event_type
+        EventID=19: wmi_event_type
+        EventID=20: wmi_event_type
+        EventID=21: wmi_event_type
+    FailureCode: ticket_failure_code
+    GrantedAccess: process_granted_access
+    GroupName: group_name
+    HiveName: hive_name
+    HostVersion: powershell.host.version
+    Image: process_path
+    ImageLoaded: image_loaded
+    LogonProcessName: logon_process_name
+    LogonType: logon_type
+    NewProcessName: process_path
+    ObjectClass: dsobject_class
+    ObjectName: object_name
+    ObjectType: object_type
+    ObjectValueName: object_value_name
+    OperationType: object_operation_type
+    ParentImage: process_parent_path
+    PipeName: pipe_name
+    ProcessName: process_path
+    RelativeTargetName: share_relative_target_name
+    ServiceFileName: service_image_path
+    ServiceName: service_name
+    ShareName: share_name
+    Source: source_name
+    SourceImage: process_path
+    StartModule: thread_startmodule
+    Status: logon_failure_status
+    SubjectUserName: user_name
+    TargetFilename: file_name
+    TargetImage: process_target_path
+    TargetObject: registry_target_object
+    TargetImage: target_process_path
+    TaskName: task_name
+    TicketEncryptionType: ticket_encryption_type
+    TicketOptions: ticket_options
+    User: user
+    UserName: user_name
+    Workstation: src_host
+    WorkstationName: src_host

tools/config/logpoint-windows-all.yml

@@ -24,7 +24,7 @@ fieldmappings:
     FailureCode: result_code
     GroupName: group_name
     KeyLength: key_length
-    LogonProcess: logon_process
+    LogonProcessName: logon_process
     LogonType: logon_type
     ServiceName: service
     SubjectAccountName:

tools/setup.py

@@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f:
 
 setup(
     name='sigmatools',
-    version='0.3.1',
+    version='0.3.3',
     description='Tools for the Generic Signature Format for SIEM Systems',
     long_description=long_description,
     url='https://github.com/Neo23x0/sigma',

tools/sigma/backends.py

@@ -105,7 +105,9 @@ class BaseBackend:
             before = self.generateBefore(parsed)
             if before is not None:
                 self.output.print(before, end="")
-            self.output.print(self.generateQuery(parsed))
+            query = self.generateQuery(parsed)
+            if query is not None:
+                self.output.print(query)
             after = self.generateAfter(parsed)
             if after is not None:
                 self.output.print(after, end="")
@@ -200,9 +202,12 @@ class QuoteCharMixin:
 class RulenameCommentMixin:
     """Prefixes each rule with the rule title."""
     prefix = "# "
+    options = (
+            ("rulecomment", False, "Prefix generated query with comment containing title", None),
+            )
 
     def generateBefore(self, parsed):
-        if "rulecomment" in self.options:
+        if self.rulecomment:
             try:
                 return "\n%s%s\n" % (self.prefix, parsed.sigmaParser.parsedyaml['title'])
             except KeyError:
@@ -299,7 +304,7 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend):
     identifier = "es-qs"
     active = True
 
-    reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:\\\\/]|&&|\\|\\|)")
+    reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:/]|\\\\(!>[*?])|&&|\\|\\|)")
     reClear = re.compile("[<>]")
     andToken = " AND "
     orToken = " OR "
@@ -622,7 +627,7 @@ class LogPointBackend(SingleTextQueryBackend):
     identifier = "logpoint"
     active = True
 
-    reEscape = re.compile('(["\\\\])')
+    reEscape = re.compile('("|\\\\(!>[*?]))')
     reClear = None
     andToken = " "
     orToken = " OR "
@@ -653,7 +658,7 @@ class SplunkBackend(SingleTextQueryBackend):
     active = True
     index_field = "index"
 
-    reEscape = re.compile('(["\\\\])')
+    reEscape = re.compile('("|\\\\(!>[*?]))')
     reClear = None
     andToken = " "
     orToken = " OR "
@@ -728,8 +733,15 @@ class FieldnameListBackend(BaseBackend):
     active = True
     output_class = SingleOutput
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields = set()
+
     def generateQuery(self, parsed):
-        return "\n".join(sorted(set(list(flatten(self.generateNode(parsed.parsedSearch))))))
+        fields = list(flatten(self.generateNode(parsed.parsedSearch)))
+        if parsed.parsedAgg:
+            fields += self.generateAggregation(parsed.parsedAgg)
+        self.fields.update(fields)
 
     def generateANDNode(self, node):
         return [self.generateNode(val) for val in node]
@@ -757,6 +769,23 @@ class FieldnameListBackend(BaseBackend):
     def generateValueNode(self, node):
         return []
 
+    def generateNULLValueNode(self, node):
+        return [node.item]
+
+    def generateNotNULLValueNode(self, node):
+        return [node.item]
+
+    def generateAggregation(self, agg):
+        fields = list()
+        if agg.groupfield is not None:
+            fields.append(agg.groupfield)
+        if agg.aggfield is not None:
+            fields.append(agg.aggfield)
+        return fields
+
+    def finalize(self):
+        self.output.print("\n".join(sorted(self.fields)))
+
 # Helpers
 def flatten(l):
   for i in l: