Compare commits

469 Commits

Author SHA1 Message Date
Thomas Patzke 1986bcb843 Sigma tools release 0.11 2019-05-30 22:56:38 +02:00
Thomas Patzke fa0aaa7d2b Merge branch 'agix-elastalert_dsl_backend' 2019-05-30 22:38:41 +02:00
Thomas Patzke 67707b6c82 Added test for new elastalert-dsl backend 2019-05-30 22:38:12 +02:00
Thomas Patzke 8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER 89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER 748ac2e206 Don't combine multiple queries 2019-05-29 16:05:53 +02:00
Florian Roth 2cf402aa1f Merge pull request #360 from spellanser/patch-1
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:07:46 +02:00
Sarkis Nanyan 60bc5253cf win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Thomas Patzke 04d91573f3 Merge pull request #355 from agix/allow_empty_keyword
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke 2ecc55c13f Merge pull request #351 from ipninichuck/master
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Thomas Patzke f3edc39535 Merge pull request #346 from tuckner/master
Add Azure Log Analytics / Azure Sentinel to README list of integrations
2019-05-28 21:41:19 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER 4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke 36ba9f78da Improved message if configuration is missing 2019-05-27 13:18:36 +02:00
Florian Roth 7c1e856095 Merge pull request #353 from lprat/master
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth 323a7313fd FP adjustments
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke 84690280c5 Improved behavior on missing configuration
Listing all configs usable with chosen backend
2019-05-24 22:41:47 +02:00
Thomas Patzke 241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth 7b63c92fc0 Rule: applying recommendation
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Florian Roth 253417a367 Merge pull request #350 from olafhartong/master
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 13:54:45 +02:00
ipninichuck 75ec169d5c added metadata field to the watcher alert
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Olaf Hartong b60cfbe244 Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth 346022cfe8 Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong 4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong 544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth 74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke 2d0c08cc8b Added wildcards to rule values
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
tuckner 7d10491bf2 Update README.md 2019-05-20 17:46:28 -05:00
tuckner 5867b5da74 Update README.md 2019-05-20 17:45:18 -05:00
Thomas Patzke 194afa739f Generate rule name for each condition
In backends kibana and xpack-watcher.

Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke af0bd1b082 Removed debug code from backend option handling
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke 97541ac267 Added -C shortcut for --backend-config 2019-05-21 00:15:01 +02:00
Thomas Patzke 7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
Thomas Patzke 4e63e925cf Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1 2019-05-20 23:43:49 +02:00
Thomas Patzke 11ed7e7ef8 Check for valid configuration/backend combinations 2019-05-20 01:00:33 +02:00
Thomas Patzke e271484eef Load configurations via new config management 2019-05-20 00:27:35 +02:00
Thomas Patzke 3d20e0bc98 Sigma configuration management with listing
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke 71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00
Thomas Patzke 36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00
lliknart f86342012a Update elasticsearch.py
From ElasticSearch 7.0, the URI to access to Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth 9e2345c491 Merge pull request #338 from yt0ng/development
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 21:35:52 +02:00
Florian Roth a6d2a5d79b fix: more general fixes of the var type issue 2019-05-15 21:25:53 +02:00
Florian Roth 9f1bbb0a0d fix: missing type check in WDATP backend 2019-05-15 21:20:20 +02:00
Florian Roth 694fa567b6 Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth 1c36bfde79 Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth d5f49c5777 Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth 508d1cdae0 Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown 13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown 275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Florian Roth 5dfe39c05b Merge pull request #335 from Codehardt/master
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 14:06:11 +02:00
Codehardt 1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Thomas Patzke 1c2bc87946 Merge pull request #334 from Codehardt/master
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:19:56 +02:00
Codehardt 6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke 526468bec3 Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke f4d8dcaa1e Merge branch 'Karneades-patch-1' 2019-05-10 00:21:15 +02:00
Thomas Patzke 25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke 995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke a361664ed2 Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke 56f64ca47d Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
Thomas Patzke c50119b913 Merge branch 'P4T12ICK-feature/lnx-priv-esc-prep' 2019-05-10 00:08:48 +02:00
Thomas Patzke 46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
Thomas Patzke 595f22552d Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep 2019-05-10 00:05:06 +02:00
Thomas Patzke 27199fc231 Merge branch 'neu5ron-patch-3' 2019-05-10 00:02:33 +02:00
Thomas Patzke 15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke 666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke 14b10c232e Merge branch 'MadsRC-MadsRC-patch-1' 2019-05-09 23:58:14 +02:00
Thomas Patzke f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke 31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke e60fe1f46d Changed rule
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth 3dd76a9c5e Converted to generic process creation rule
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov 792095734d Update win_proc_wrong_parent.yml
changes according to these documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
Florian Roth 378ba5b38f Transformed rule
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
2019-05-09 23:48:36 +02:00
Vasiliy Burov 8e6295e402 Windows processes with wrong parent
Detect scenarios when malicious program is disguised as legitimate process
2019-05-09 23:48:36 +02:00
Thomas Patzke 1e2ef92104 Merge branch 'vburov-patch-2' 2019-05-09 23:10:52 +02:00
Thomas Patzke 121e21960e Rule changes
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke 9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke 763939a8ca Hide --shoot-yourself-in-the-foot 2019-04-25 23:42:13 +02:00
Thomas Patzke eb022f3908 Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Florian Roth 16bf5eef0f Merge pull request #327 from Codehardt/master
Added logsources for generic sigma rules to spark config, renamed spa…
2019-04-25 10:10:51 +02:00
Codehardt 17ae9ea91c Renamed spark config in setup.py 2019-04-25 09:56:29 +02:00
Codehardt 8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt 79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00
Thomas Patzke 6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00
Thomas Patzke c90d3e811e Formatted error code definitions 2019-04-23 00:53:52 +02:00
Thomas Patzke e9af99c147 Completed error codes 2019-04-23 00:52:31 +02:00
Thomas Patzke 4559aa4e00 Fixed es-qs backend check 2019-04-23 00:05:36 +02:00
Thomas Patzke d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
Thomas Patzke 87abd20c0f Removed deprecated PyYAML API from rule test 2019-04-22 23:21:08 +02:00
Thomas Patzke 34c426a95b Moved error codes to constants defined centrally 2019-04-22 23:15:35 +02:00
Thomas Patzke f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke 765fe9dcd9 Further improved Windows user creation rule
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Florian Roth d0950bd077 fix: yaml.load() issue
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
2019-04-21 20:30:31 +02:00
Karneades b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth 38d548868d Merge pull request #324 from Neo23x0/revert-322-feature/win_user_creation
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:20:48 +02:00
Florian Roth dd9648b31e Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth a85acdfd02 Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth 0713360443 Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke 49beb5d1a8 Integrated PR from @P4T12ICK in existing rule
PR #321
2019-04-21 00:28:40 +02:00
Thomas Patzke bdd184a24c Merge pull request #322 from P4T12ICK/feature/win_user_creation
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
Thomas Patzke 80f45349ed Modified rule
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
Florian Roth aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth 03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth 5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth d5fa51eab9 Merge pull request #305 from Karneades/patch-3
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth e32708154f Merge pull request #304 from Karneades/patch-2
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth 74dd008b10 FP note for HP software 2019-04-19 09:51:32 +02:00
Florian Roth 8a5ae01f0e Merge pull request #323 from Karneades/filterFix
Restrict filter in system exe anomaly rule
2019-04-19 09:17:16 +02:00
Karneades d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick 8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth f78413deab Merge pull request #309 from jmlynch/master
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth 4808f49e0d More exact path 2019-04-17 23:45:15 +02:00
Florian Roth 1a4a74b64b fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth 76780ccce2 Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth 7c5f985f6f Modifications 2019-04-17 23:30:49 +02:00
Florian Roth 4298abffb7 Modifications 2019-04-17 23:29:29 +02:00
Florian Roth 615a802a8e Modifications 2019-04-17 23:26:20 +02:00
Florian Roth 0a960ed3cd Merge pull request #319 from Sam0x90/master
Update win_susp_svchost rule
2019-04-17 23:22:08 +02:00
Sam0x90 0e8a46aaf7 Update win_subp_svchost rule
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
christophetd 4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
Florian Roth 17470d1545 Rule: extended parent list for legitimate svchost starts
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth 612a7642d2 Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth 65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth 1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades d872c52a43 Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Thomas Patzke 5194e8778c Fail on missing target selection 2019-04-14 23:50:07 +02:00
Florian Roth 1e262f5055 Merge pull request #303 from Karneades/patch-1
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
Florian Roth cb0a87e21e Merge pull request #316 from megan201296/patch-19
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
Florian Roth 08ec8597a5 Merge pull request #317 from megan201296/patch-20
Create apt_oceanlotus_registry.yml
2019-04-14 23:09:42 +02:00
Thomas Patzke 5463128ea0 Merge pull request #314 from Karneades/patch-4
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-14 23:02:42 +02:00
megan201296 74fce5f511 Create apt_oceanlotus_registry.yml
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00
megan201296 eb8a0636c5 Update win_mal_ursnif.yml
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to). However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still unique.
2019-04-14 11:51:13 -05:00
patrick 51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick 4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Florian Roth 6351c5a350 Sigma ATT&CK coverage by @jmallette 2019-04-11 18:27:52 +02:00
Florian Roth 038918d2c0 Merge pull request #311 from jmallette/master
ATT&CK Navigator Coverage Layer
2019-04-11 18:18:16 +02:00
Karneades 75d36165fc Remove non-generic falsepositives
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades 51e65be98b Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jon cd456a1d2b initial SIGMA ATTACK Navigator layer release 2019-04-09 22:49:28 -04:00
jmallette c775b7a033 Merge pull request #1 from Neo23x0/master
update fork
2019-04-09 22:43:32 -04:00
Jason Lynch 89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
patrick ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades 97376c00de Fix condition 2019-04-04 22:33:32 +02:00
Karneades 766b8b8d18 Fix condition 2019-04-04 22:32:47 +02:00
Karneades 788e75ef1b Fix condition 2019-04-04 22:32:21 +02:00
Karneades 840eb2f519 Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades eb690d8902 Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades 1915561351 Remove too loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
sbousseaden c4b8f75940 Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC 41b4d800c5 Update net_susp_dns_txt_exec_strings.yml
Fixed my botched YAML syntax...
2019-04-04 08:35:37 +02:00
sbousseaden 22958c45a3 Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden b4ac9a432f Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden 353e457104 Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden d5818a417b Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden 9c5575d003 Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden edb98f2781 Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC d0d51b6601 Update net_susp_dns_txt_exec_strings.yml
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunk's "Network Resolution (DNS)" datamodel.
2019-04-03 20:31:31 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1
Remove backslashes in CommandLine for sticky key rule
2019-04-03 19:44:02 +02:00
Florian Roth b4b7d810fc Merge pull request #300 from yt0ng/development
Squirrel package manager, EmpireMonkey, WMI Spawning PowerShell
2019-04-03 19:20:46 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
christophetd d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
sbousseaden eda5298457 Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden 0756b00cdf Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden 9c1a5a5264 Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden 56b68a0266 Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden b941f6411f Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden 516c8f3ea1 Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden d62bc41bfb Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden 548145ce10 Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden e3f99c323b Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an d067087632 Update lnx_shell_susp_rev_shells.yml
added
  - 'bash -i >& /dev/udp/'
  - 'sh -I >$ /dev/udp/'
  - 'sh -i   >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth 5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth 453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke 0419ff215a Fixed quoting of single quotes in grep backend 2019-04-01 23:22:05 +02:00
Florian Roth d06a5431eb Changes 2019-04-01 14:03:54 +02:00
Florian Roth c7553dc8a1 Merge pull request #292 from yt0ng/development
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 14:02:10 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick 0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Nate Guagenti 60c4fed2e0 Create win_etw_trace_evasion.yml
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.

example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke 140a32d8c9 Sigma tools release 0.10 2019-03-16 01:02:48 +01:00
Thomas Patzke 2dda9a7b77 Moved Sysmon schema XML from contrib directory into module 2019-03-16 00:59:29 +01:00
Thomas Patzke be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke 8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
Thomas Patzke 5c4d8bc2ca Merge branch 'christophetd-backend-config-file' 2019-03-15 23:47:24 +01:00
Thomas Patzke 5e973a6321 Fixes and CI testing of --backend-config 2019-03-15 23:46:38 +01:00
Thomas Patzke 0864d05aa5 Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file 2019-03-15 23:35:11 +01:00
Thomas Patzke 9be6b8b1a5 Merge branch 'tuckner-master' 2019-03-15 23:27:40 +01:00
Thomas Patzke 3f7e08733a Added backend option 'sysmon' for ala backend 2019-03-15 23:26:15 +01:00
Thomas Patzke 8d1723e65c Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2019-03-15 23:06:08 +01:00
Thomas Patzke 5e3a25537e Merge pull request #283 from LiamSennitt/master
Added and fixed tags on APT rules
2019-03-15 23:00:25 +01:00
Florian Roth 4650271117 Merge pull request #284 from krakow2600/master
added missed service
2019-03-14 08:20:48 +01:00
yugoslavskiy 33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Liam Sennitt bb026e4692 fixed tag typo on rules 2019-03-13 10:25:41 +00:00
Liam Sennitt 0aaac1a48e add tags to crime fireball rule 2019-03-13 10:10:12 +00:00
Liam Sennitt 1e29c9c1ce add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00
Liam Sennitt 1f47dc1cdc add tags to apt turla commands rule 2019-03-13 10:06:34 +00:00
Liam Sennitt 96492834c5 add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00
Liam Sennitt aca36c88cc add tags to apt slingshot rule 2019-03-13 09:50:39 +00:00
Liam Sennitt aac632bb41 add tags on apt equationgroup dll_u load rule 2019-03-13 09:48:27 +00:00
Liam Sennitt 5ffc027f22 fix tags in apt carbonpaper turla rule 2019-03-13 09:43:18 +00:00
Liam Sennitt 25b680bfec fix and add tags to apt bear activity gtr19 rule 2019-03-13 09:40:28 +00:00
Liam Sennitt 3b193fb691 add tags to apt babyshark rule 2019-03-13 09:32:10 +00:00
Liam Sennitt aee0d1dd67 fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00
Liam Sennitt 5dc229b590 add tags to apt29 thinktanks rule 2019-03-13 09:22:41 +00:00
Florian Roth 95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth c4003ff410 Merge pull request #264 from darkquasar/master
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Florian Roth bd38cff042 Merge pull request #272 from LiamSennitt/master
fix tagging in turla png dropper service rule
2019-03-11 23:48:18 +01:00
Florian Roth 909c09f4ac Merge pull request #282 from krakow2600/master
updated detection logic
2019-03-11 23:47:53 +01:00
Yugoslavskiy Daniil 5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Florian Roth 8dd39a2653 Merge pull request #281 from TareqAlKhatib/oops
Migrated the last detections to process_creation
2019-03-09 19:40:25 +01:00
Tareq AlKhatib 783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib 7f4557d183 Enabled check for process_creation 2019-03-09 21:00:11 +03:00
Tareq AlKhatib 075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Tareq AlKhatib c3b079990a Properly end-anchored the regex 2019-03-09 19:23:50 +03:00
Florian Roth 361f2ffa5f Product Support - RANK VASA 2019-03-08 16:32:22 +01:00
Florian Roth fe9e50167f Rule: renamed bitsadmin rule 2019-03-08 16:25:16 +01:00
Florian Roth 49532438eb Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00
John Tuckner a1ba04aec8 modified process creation logic 2019-03-08 00:01:43 -06:00
Thomas Patzke 082ee586bf Merge branch 'christophetd-elastalert-alert-types' 2019-03-08 00:05:08 +01:00
Thomas Patzke 6d97c6d0bb Extended elastalert CI testing 2019-03-08 00:04:43 +01:00
Thomas Patzke a429f09cc1 Merge branch 'elastalert-alert-types' of https://github.com/christophetd/sigma into christophetd-elastalert-alert-types 2019-03-07 23:54:05 +01:00
Thomas Patzke 3c1948f089 Merge pull request #277 from megan201296/patch-18
Remove invalid link
2019-03-07 23:49:13 +01:00
Thomas Patzke c235944a0c Merge pull request #278 from krakow2600/master
fixed incorrect date format
2019-03-07 23:46:12 +01:00
tuckner c97f0f097b Merge branch 'master' of https://github.com/tuckner/sigma 2019-03-07 16:29:01 -06:00
tuckner e9ddd933f8 more fixes for process creation 2019-03-07 16:28:35 -06:00
Yugoslavskiy Daniil 475113b1c1 fixed incorrect date format 2019-03-07 22:52:11 +01:00
megan201296 c2a16591af Remove invalid link
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
2019-03-07 14:22:29 -06:00
John Tuckner 1182ee2de2 added ala to makefile 2019-03-07 10:43:22 -06:00
John Tuckner 5a64f572e3 update 2019-03-07 10:32:59 -06:00
Florian Roth a82ea0a022 Merge pull request #276 from krakow2600/master
ATC windows rules review
2019-03-06 17:16:32 +01:00
Florian Roth 83c0c71bc7 Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Florian Roth d7c25adfb6 Merge pull request #274 from TareqAlKhatib/multifile_yamls
Updated to use the new process_creation logsource
2019-03-06 17:06:04 +01:00
Yugoslavskiy Daniil cb7243de5d fixed wrong tags 2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil 8bec627ff1 fixed multiple tags issue 2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil 5154460726 changed service to product 2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil 05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy 725ab99e90 Merge pull request #1 from AverageS/master
Fix rules
2019-03-06 04:31:01 +01:00
John Tuckner 283bd278f4 added eventid to sysmon process creation 2019-03-05 20:58:23 -06:00
John Tuckner 971bd49071 accommodated process creation and slash escapes 2019-03-05 20:50:30 -06:00
Wydra Mateusz 534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk 6232362f04 Missing tags 2019-03-06 00:16:40 +01:00
mrblacyk 07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail 40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Tareq AlKhatib 879017818f More conversions to the new process_creation logsource 2019-03-05 09:46:53 +03:00
tuckner 2c0cc87ab8 Added schema file checking 2019-03-04 11:57:30 -06:00
tuckner cf186387af Added schema file checking 2019-03-04 11:53:51 -06:00
tuckner c5796d7853 Added Azure Log Analytics backend 2019-03-04 10:49:50 -06:00
tuckner 8179d182c4 added azure log analytics 2019-03-04 10:44:45 -06:00
Tareq AlKhatib b2952b9f78 Fixing failed CI build - take 2 2019-03-04 16:51:39 +03:00
Tareq AlKhatib c8be6e649b Fixing failed CI build 2019-03-04 16:44:30 +03:00
Tareq AlKhatib 45458121c6 Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00
Florian Roth ae1541242c New custom suspicious TLD in rule ".pw" 2019-03-03 10:58:12 +01:00
Thomas Patzke 17e9729ddd Merge pull request #273 from TareqAlKhatib/process_create
Process create
2019-03-02 21:57:59 +01:00
Tareq AlKhatib 58c61430a2 updated to use process_creation 2019-03-02 21:05:15 +03:00
Tareq AlKhatib be2ca8dc4d Added checks for Sysmon 1 or EID 4688 instead of process_creation 2019-03-02 20:51:49 +03:00
Florian Roth 33e490e4fa Titles in Examples 2019-03-02 12:23:44 +01:00
Florian Roth 7b3d67ae66 fix: bugfix in new proc creation rule 2019-03-02 11:28:13 +01:00
Florian Roth 9a3ceb8421 Sigmac Usage Examples 2019-03-02 10:58:02 +01:00
Liam Sennitt bef5f03015 fix tagging in turla png dropper service rule 2019-03-02 09:01:00 +00:00
Florian Roth 1a583c158d fixed typo as in pull request by @m0jtaba 2019-03-02 08:16:25 +01:00
Florian Roth 2188001f98 Extended filter list provided by @Ov3rflow 2019-03-02 08:13:29 +01:00
Florian Roth bd4e61acd8 Merge pull request #271 from vburov/patch-4
Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
Florian Roth f80cf52982 Expired happens too often
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
2019-03-02 07:20:59 +01:00
Thomas Patzke 99b15edf8a Sigma tools release 0.9 2019-03-02 00:47:03 +01:00
Thomas Patzke 56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke 7602309138 Increased indentation to 4
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Florian Roth 1aac9baaed Merge pull request #270 from LiamSennitt/master
fix bug in chafer activity rule #269
2019-03-01 17:13:04 +01:00
Vasiliy Burov 7bebedbac1 Update win_susp_failed_logon_reasons.yml
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
2019-03-01 18:18:39 +03:00
Florian Roth af6a1ff26a Extended rule, modified timestamp 2019-03-01 13:36:54 +01:00
Florian Roth f560e83886 Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth fc683ac7ee Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Liam Sennitt 2345cbf7bd fix bug in chafer activity rule #269 2019-03-01 10:23:02 +00:00
Thomas Patzke 690807c846 Sigma tools release 0.8 2019-02-28 09:08:22 +01:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar 155e273a1c adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth 8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke 58a32f35d9 Merge pull request #246 from james0d0a/master
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
2019-02-24 16:53:49 +01:00
Florian Roth f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Florian Roth e7f5cbc22a Rule: BabyShark activity 2019-02-24 14:04:44 +01:00
Florian Roth a60b53a7df fix: bugfix in BEAR activity rule 2019-02-24 14:04:44 +01:00
Florian Roth 8b7f0508a7 Merge pull request #262 from TareqAlKhatib/sysinternals
Added a detection path through process spawn
2019-02-24 09:19:00 +01:00
Tareq AlKhatib 7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Florian Roth bdf0dd8e21 Merge pull request #260 from TareqAlKhatib/malware_backconnect
Added private IP filter to reduce FPs
2019-02-23 22:47:14 +01:00
Tareq AlKhatib a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Vasiliy Burov f0c89239d3 Added some unusual paths. 2019-02-23 17:45:08 +03:00
christophetd 1a6faf385c Add HTTP POST alert type to the Elastalert backend 2019-02-23 14:12:14 +01:00
christophetd 3a7160d52b Accept backend options from a configuration file (closes #213) 2019-02-23 13:20:20 +01:00
Florian Roth f25416bd65 chore: workaround Travis Python 3.5 problems 2019-02-23 07:43:41 +01:00
Florian Roth afa18245bf Merge pull request #254 from darkquasar/master
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke c17f9d172f Merge pull request #248 from megan201296/patch-17
Create win_mal_ursnif.yml
2019-02-22 21:30:49 +01:00
Thomas Patzke 02239fa288 Changed registry root key
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
Thomas Patzke 18d012cc2e Merge pull request #255 from vburov/patch-1
Update win_susp_process_creations.yml
2019-02-22 21:15:52 +01:00
Thomas Patzke 5c63ef17d2 Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov bdf44be077 Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
darkquasar 87994ca46b adding MPreter as McAfee classifies it
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
Florian Roth d3b623e92a Rule: suspicious pipes extended
https://github.com/Neo23x0/sigma/issues/253
2019-02-21 13:26:48 +01:00
Florian Roth 343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth c8701ac6e9 Merge pull request #252 from keepwatch/patch-1
Fixing yara condition
2019-02-21 10:17:09 +01:00
Florian Roth 8ae37f5d64 BEAR activity - CrowdStrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:54:01 +01:00
Florian Roth 3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth 5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth c474bfcae5 Judgement Panda - Crowdstrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:20:52 +01:00
Keep Watcher 07dec06222 Fixing yara condition 2019-02-20 10:57:24 -05:00
Thomas Patzke 9ef314486e Grep backend escapes + 2019-02-19 14:49:06 +01:00
Florian Roth eeae74e245 Merge pull request #249 from TareqAlKhatib/duplicate_filters
Duplicate Detections
2019-02-18 21:58:39 +01:00
Tareq AlKhatib ae62acf3d2 Added a test for duplicate filters and a test for Source: Eventlog 2019-02-18 21:05:58 +03:00
Tareq AlKhatib 2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Florian Roth 08e00945aa doc: SANS webcast link in README 2019-02-16 09:51:02 +01:00
megan201296 34f9d17b26 Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Florian Roth 2e61233e31 Merge pull request #247 from TareqAlKhatib/duplicate_filters
Unnecessary 1/all of them
2019-02-13 20:30:53 +01:00
Tareq AlKhatib 97b28f4308 Added a test for unnecessary use of '1 of them' in condition 2019-02-13 21:27:27 +03:00
Tareq AlKhatib cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth 8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth 004497075d fix: spark source config bug 2019-02-12 23:27:38 +01:00
Florian Roth c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
james dickenson b16bb4bf9b Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml 2019-02-11 21:10:49 -08:00
Florian Roth be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth 74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke a5af134bfe Merge branch 'neu5ron-patch-2' 2019-02-10 00:16:55 +01:00
Thomas Patzke 01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke 6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke 14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master
new rule and updated false positive note
2019-02-09 23:57:39 +01:00
Thomas Patzke 01dfc23a26 Merge pull request #234 from juju4/devel-sumo
Sumologic support update
2019-02-09 23:54:23 +01:00
Thomas Patzke d9aceeb7eb Merge pull request #228 from keepwatch/ssp-regkey-detection
SSP added to LSA configuration
2019-02-09 23:44:55 +01:00
Thomas Patzke 5866d8eb71 Merge pull request #238 from sisecbe/patch-1
Adapt count function when aggfield not present
2019-02-09 23:38:20 +01:00
juju4 4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4 a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
Florian Roth aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth 05424883dd Added Info Graphic to README 2019-02-09 09:38:01 +01:00
Florian Roth efb223b147 Merge pull request #245 from kpolley/master
2nd method to call downloadString or downloadFile in Powershell
2019-02-09 09:35:19 +01:00
Florian Roth 7e732a2a89 Merge pull request #232 from TareqAlKhatib/duplicate_filters
Duplicate filters
2019-02-09 09:23:57 +01:00
Florian Roth d2743351e7 Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti 91862f284b Create win_susp_bcdedit
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than https://github.com/Neo23x0/sigma/blob/3288f6425b1a868c66f6f0a255956f8f041bc666/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to any one family (of malware) and also has different CLI options
2019-02-07 00:19:38 -05:00
Kyle Polley 423fdca32c Merge pull request #1 from Neo23x0/master
Get updates from head repo
2019-02-06 17:02:41 -08:00
Florian Roth adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Florian Roth 7192f149a3 Merge pull request #243 from keepwatch/broadening-suspicious-certutil
Added '/' prefix, -encode switch, better renamed certutil coverage
2019-02-06 16:58:27 +01:00
keepwatch e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown 2f66ba25f0 adjusted MITRE ATT&CK tag 2019-02-06 11:27:51 +01:00
Unknown a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown 4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown 54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1 04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown 22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown 353f66dd7c CobaltStrike Malleable (OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1 150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1 21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron 35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron 65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch bad80ffa78 Update sysmon_ssp_added_lsa_config.yml
Syntax fix
2019-02-05 16:28:06 -05:00
Florian Roth cc8a89b679 Merge pull request #239 from neu5ron/master
update helk config
2019-02-05 20:01:28 +01:00
neu5ron 046510f021 updated HELK Destination IP name 2019-02-05 13:11:06 -05:00
sisecbe 5d94b9f0bc Changed stats to eventstats
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
Florian Roth 5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth 32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth 8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
sisecbe 2f5eb08b41 Adapt count function when aggfield not present
When no field is present, use "count"; when a field is present, use "dc(field)". As described in the Sigma specifications.
Splunk throws errors when using "count()" with empty fields. Use "count" instead.
2019-02-05 15:44:05 +01:00
Florian Roth a276d3083d DHCP log source in sigmac configs 2019-02-05 14:35:23 +01:00
Florian Roth dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth 5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
juju4 98a18fd4a2 add sigma2sumologic.py as test/example script 2019-02-03 12:54:03 -05:00
juju4 7d159fb980 sumologic backend: review with inspiration from arcsight 2019-02-03 12:53:58 -05:00
Thomas Patzke 3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke 9c44bb04a7 Added mail address to CI fail notification 2019-02-02 23:52:54 +01:00
Thomas Patzke 9403128aef Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-02-02 23:52:06 +01:00
Thomas Patzke 6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Florian Roth 37e13c9f41 Notify me 2019-02-02 08:56:00 +01:00
Thomas Patzke 8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Thomas Patzke 6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke 6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth 27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth 6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth 086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Florian Roth c9ec469180 style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
Thomas Patzke 516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Tareq AlKhatib cd2af196e3 Corrected path to rules 2019-01-25 12:25:51 +03:00
Tareq AlKhatib 96220e776f Added a test to check for duplicate filters in rules 2019-01-25 12:22:28 +03:00
Tareq AlKhatib 7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Thomas Patzke 3c7f46a6cd Added rule test to CI testing 2019-01-23 23:31:36 +01:00
Thomas Patzke 9ce7d18712 Merge pull request #231 from TareqAlKhatib/rule_testing_framework
Rule testing framework
2019-01-23 23:16:46 +01:00
Tareq AlKhatib ecffe28933 Correct MITRE tag 2019-01-22 21:26:07 +03:00
Tareq AlKhatib e3d61047bb Added two tests. One for MITRE and another for file extension. 2019-01-22 21:25:13 +03:00
Florian Roth 90e8eba530 rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00
Florian Roth cc6e0baef1 rule: extended certutil rule to include verifyctl and allows renamed certutil
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
Florian Roth b1ea976f66 fix: fixed bug in ntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Florian Roth 8c4b21f063 Rule: Apache threading errors 2019-01-22 08:49:10 +01:00
keepwatch f99df33b01 SSP added to LSA configuration 2019-01-18 14:05:21 -05:00
Thomas Patzke 3eaf83cf5a Improved configurations
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
Thomas Patzke 96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Thomas Patzke ba64f485ac Added generic Windows audit log configuration 2019-01-16 22:41:42 +01:00
Thomas Patzke 4bc4c94a91 sigma2genericsigma: preserve dict order 2019-01-16 22:37:32 +01:00
Florian Roth 5645c75576 Rule: updated relevant AV signatures - exploiting
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth f759e8b07c Rule: Suspicious Program Location Process Starts 2019-01-15 15:40:51 +01:00
Thomas Patzke 7622b17415 Moved test rule to final location/naming scheme 2019-01-14 23:58:25 +01:00
Thomas Patzke 2fd88c837d Added generic sigma rule support to WDATP backend
* Process creation rules
2019-01-14 23:54:05 +01:00
Thomas Patzke 4e83bfeb16 Fixed merge bugs 2019-01-14 22:54:26 +01:00
Thomas Patzke a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Thomas Patzke 8336b47530 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-01-14 22:12:37 +01:00
Thomas Patzke 5cba0b9946 Merge pull request #223 from m0jtaba/master
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
Thomas Patzke ed1ee80f2d Merge pull request #221 from adrienverge/fix/yamllint
Fix yamllint config
2019-01-13 23:55:14 +01:00
Thomas Patzke 7634128143 Generate list of converted file in conversion to generic rules 2019-01-13 23:53:11 +01:00
Thomas Patzke e585858128 Optimization in conversion to generic rules
* only create necessary output files in directory output mode
* delete empty detections and empty detection sections
* Merge equal documents
* Merge reduced collections into one YAML document in common case
2019-01-13 23:45:11 +01:00
Mo Amiri aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Adrien Vergé 44f18db80d Fix YAML errors reported by yamllint
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
2019-01-10 09:51:39 +01:00
Adrien Vergé b5531be4bf Really run yamllint (it wasn't checking any rule)
Fix the yamllint config in `.yamllint` to "extend" the default rule.
Previously, it didn't extend anything and only disabled a rule, which
means no rules at all were checked.

Also disable some rules in this file, because they report many errors in
the Sigma code base.

In the future, I suggest fixing these errors and re-enabling standard
rules like `trailing-spaces` or `indentation`.

Fixes #220.
2019-01-10 09:51:33 +01:00
Thomas Patzke 9f56b9e99b Output all YAML documents if one changed
Some Sigma rule collections contain YAML documents that reduce to almost
nothing because they only contain EventID definitions. Previous behavior
would filter the part with the remaining selection.
2019-01-08 23:27:16 +01:00
Thomas Patzke bf9a567afd Fixed issues in converter 2019-01-06 23:57:09 +01:00
Thomas Patzke faeaf1dfef Added first version of generic sigma rules conversion tool 2019-01-06 23:46:23 +01:00
Thomas Patzke 42ed8acec9 Improved test coverage
* Adding tests
* Removal of coverage measurement for debugging code
2018-11-04 23:28:40 +01:00
Thomas Patzke 418f8d10a3 Wrap conditions generated by mappings into sub-expression 2018-11-04 23:00:04 +01:00
Thomas Patzke 0e4842962b Added tests 2018-11-04 22:16:20 +01:00
Thomas Patzke 44ff9d154e Increased test coverage for mapping corner cases 2018-10-16 14:53:12 +02:00
Thomas Patzke 265ce115a0 Fixed conditional field mapping usage in mapping chains 2018-10-16 13:57:51 +02:00
Thomas Patzke a61b3d352a Added test cases
* Generic log sources
* Splunk index queries
2018-10-15 15:24:18 +02:00
Thomas Patzke e28bc35cad Apply field mappings in generation of log source condition 2018-10-06 23:38:35 +02:00
Thomas Patzke 2fbf17ff34 Addition and resolution of field mapping chains explicitly checks for list 2018-09-13 16:22:29 +02:00
Thomas Patzke 41a8ef2fd9 Implemented resolve_fieldname in FieldMappingChain 2018-09-13 14:56:31 +02:00
Thomas Patzke 2330306db1 Added merged field mapping and log sources dict to config chain 2018-09-13 14:55:05 +02:00
Thomas Patzke ba76f04fe6 Merging of raw configurations in configuration chains 2018-09-13 13:49:36 +02:00
Thomas Patzke d81946df39 Stacked configurations
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration

Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
Thomas Patzke 210f7ac044 Rewrote logsource definition merging to set generator 2018-09-12 22:29:51 +02:00
Thomas Patzke 1d7722c1cb Added configuration and field mapping chains
Missing: field name mapping of log source conditions.
2018-08-27 00:17:27 +02:00
Thomas Patzke 320bb9f8c4 Added rewrite config to generic sysmon configuration 2018-08-14 21:34:54 +02:00
Thomas Patzke 430972231f Added generic sysmon configuration with process_execution config 2018-08-14 21:34:54 +02:00
Thomas Patzke 2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke e0b3f91b2a Removed empty line 2018-08-08 23:15:13 +02:00
304 changed files with 8439 additions and 2784 deletions
+8 -1
@@ -1,7 +1,7 @@
language: python
dist: xenial
python:
- 3.5
# - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- 3.6
- 3.7
sudo: true
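Review bot: Commenting out `- 3.5` in the `python:` matrix silently drops all CI coverage for that interpreter; the inline comment records why, but the deactivation should be tied to a tracking issue so the version is either re-enabled or officially dropped rather than staying commented out indefinitely.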
@@ -15,3 +15,10 @@ install:
script:
- make test
- make test-backend-es-qs
notifications:
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always
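Review bot: The `recipients:` list in the new `notifications:` block hard-codes two personal addresses in a public repository. Travis can store the `email.recipients` value encrypted (`travis encrypt ... --add notifications.email.recipients`), which keeps the addresses out of the tracked config and limits harvesting. `on_success: change` with `on_failure: always` is a sensible pairing that keeps notification noise low.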
+8
@@ -1,4 +1,12 @@
---
# https://yamllint.readthedocs.io/en/latest/configuration.html
extends: default
rules:
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: disable
line-length: disable
new-line-at-end-of-file: disable
trailing-spaces: disable
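Review bot: `extends: default` is the change that makes the linter actually check anything, but with `comments`, `comments-indentation`, `document-start`, `indentation`, `line-length`, `new-line-at-end-of-file` and `trailing-spaces` all disabled, what remains is essentially the structural rules (duplicate keys, colon spacing, brackets). That is a real improvement over checking nothing, but the intent to re-enable the disabled rules later lives only in the commit message; a short comment next to the `rules:` block saying these disables are temporary would keep it visible to future contributors.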
+46 -33
@@ -1,7 +1,7 @@
.PHONY: test test-yaml test-sigmac
.PHONY: test test-rules test-sigmac
TMPOUT = $(shell tempfile||mktemp)
COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
test: clearcov test-yaml test-sigmac test-merge build finish
test: clearcov test-rules test-sigmac test-merge build finish
clearcov:
rm -f .coverage
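Review bot: The `test-yaml` to `test-rules` rename is applied consistently to both the `.PHONY` declaration and the `test:` prerequisite list, so nothing inside the Makefile is left pointing at the old name; anything outside it that still runs `make test-yaml` will now fail with "No rule to make target", which is worth a line in the changelog.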
@@ -10,35 +10,47 @@ finish:
coverage report --fail-under=90
rm -f $(TMPOUT)
test-yaml:
test-rules:
yamllint rules
tests/test_rules.py
test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac
coverage run -a --include=$(COVSCOPE) tools/sigmac -h
coverage run -a --include=$(COVSCOPE) tools/sigmac -l
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/elk-winlogbeat.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/elk-winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/elk-winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/elk-winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/elk-winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows-all-index.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows-all.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/elk-winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'level=critical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t es-qs rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t splunk rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
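Review bot: In the new `test-rules:` target, `tests/test_rules.py` is executed directly, so the recipe depends on the file's executable bit and shebang surviving every checkout; invoking it as `python3 tests/test_rules.py` (or under `coverage run` like the other steps) removes that dependency. The inverted expectations also deserve a comment: `! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/` now requires a config-less conversion of the whole rule set to fail, with the `--shoot-yourself-in-the-foot` invocation as the only config-less run that must succeed, and nothing in the recipe says why; a one-line comment stating that the generic rules need a configuration would save the next reader a debugging session. The `-t qradar` line correctly switches from `tools/config/arcsight.yml` to `tools/config/qradar.yml`.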
@@ -48,22 +60,23 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/elk-winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/elk-winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/elk-winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/not_existing.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_yaml.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/elk-winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
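Review bot: the negated invocations that end in `win_susp_failed_logons_single_source.yml` (without options), `-o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml`, and the three `-c not_existing` / `-c tests/invalid_yaml.yml` / `-c tests/invalid_config.yml` lines drop the `> /dev/null` redirect that every other `coverage run` line in this block carries; since these commands are expected to fail, any partial query output they emit before aborting lands in the make log. Add `> /dev/null` for consistency, and add a short comment saying what the repeated `-O foobar` option is meant to exercise, since the test's intent is not visible from the command alone.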
+94 -4
@@ -24,6 +24,12 @@ This repository contains:
[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
## SANS Webcast on MITRE ATT&CK and Sigma
The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
# Use Cases
* Describe your detection method in Sigma to make it sharable
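Review bot: in the added SANS webcast paragraph, "(SANS account required; registration is free)" is tacked on after the sentence's full stop; either move it inside the sentence or make it a sentence of its own, and give the bare link on the following line some surrounding text or a list marker so it renders consistently with the YouTube link block above it.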
@@ -61,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
1. Download or clone the respository
2. Check the `./rules` sub directory for an overview on the rule base
3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
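Review bot: the replacement step 4 mixes path bases: `./sigmac` assumes the `./tools` working directory that step 3 establishes, while `-c tools/config/generic/sysmon.yml` and `./rules/windows/process_creation/win_susp_whoami.yml` are relative to the repository root, so the command fails with a missing-file error from either directory. Use one base, e.g. `./sigmac -t splunk -c config/generic/sysmon.yml ../rules/windows/process_creation/win_susp_whoami.yml`, which matches steps 3 and 5, and fix "respository" in step 1 while editing this list.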
@@ -90,7 +96,87 @@ Sigmac converts sigma rules into queries or inputs of the supported targets list
Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.
![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
### Usage
```
usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
[inputs [inputs ...]]
Convert Sigma rules into SIEM signatures.
positional arguments:
inputs Sigma input files ('-' for stdin)
optional arguments:
-h, --help show this help message and exit
--recurse, -r Use directory as input (recurse into subdirectories is
not implemented yet)
--filter FILTER, -f FILTER
Define comma-separated filters that must match (AND-
linked) to rule to be processed. Valid filters:
level<=x, level>=x, level=x, status=y, logsource=z,
tag=t. x is one of: low, medium, high, critical. y is
one of: experimental, testing, stable. z is a word
appearing in an arbitrary log source attribute. t is a
tag that must appear in the rules tag list, case-
insensitive matching. Multiple log source
specifications are AND linked.
--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
Configurations with field name and index mapping for
target environment. Multiple configurations are merged
into one. Last config is authorative in case of
conflicts.
--output OUTPUT, -o OUTPUT
Output file or filename prefix if multiple files are
generated
--backend-option BACKEND_OPTION, -O BACKEND_OPTION
Options and switches that are passed to the backend
--defer-abort, -d Don't abort on parse or conversion errors, proceed
with next rule. The exit code from the last error is
returned
--ignore-backend-errors, -I
Only return error codes for parse errors and ignore
errors for rules that cause backend errors. Useful,
when you want to get as much queries as possible.
--verbose, -v Be verbose
--debug, -D Debugging output
```
### Examples
#### Single Rule Translation
Translate a single rule
```
tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
```
#### Rule Set Translation
Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
```
tools/sigmac -I -t splunk -r rules/windows/sysmon/
```
#### Rule Set Translation with Custom Config
Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
```
tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
```
#### Generic Rule Set Translation
Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
```
tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
```
#### Generic Rule Set Translation with Custom Config
Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
```
tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
```
(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)
### Supported Targets
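Review bot: the last example ("Generic Rule Set Translation with Custom Config") passes `-c ~/my-splunk-mapping.yml` before `-c tools/config/generic/windows-audit.yml`, yet the usage text in the same hunk states that the last config is authoritative in case of conflicts, and the Makefile test at the top of this diff orders the configs generic first, environment-specific last (`-c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml`). Swap the two `-c` options so the user's mapping wins, and mention the custom mapping in that example's description, which currently names only the windows-audit config. Wording in the same hunk: "authorative" should be "authoritative", "you custom field and source mappings" should be "your custom field and source mappings", and "as much queries as possible" should be "as many queries as possible".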
@@ -101,6 +187,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
* [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
* [Logpoint](https://www.logpoint.com)
* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
* [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
* [Qualys](https://www.qualys.com/apps/threat-protection/)
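Review bot: the new `Azure Sentinel / Azure Log Analytics` entry has no counterpart in the `--target` choices of the usage output added earlier in this diff (`{arcsight,es-qs,es-dsl,...,wdatp}`), so a reader cannot tell which `-t` value produces it; either regenerate the usage block from the current `sigmac --help` output or name the backend identifier next to the entry.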
@@ -180,7 +267,7 @@ These tools are not part of the main toolchain and maintained separately by thei
* Integration into Threat Intel Exchanges
* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
# Projects that use Sigma
# Projects or Products that use Sigma
* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
@@ -188,6 +275,7 @@ These tools are not part of the main toolchain and maintained separately by thei
* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
# Licenses
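Review bot: the added `RANK VASA` entry is the only one in this list without a ` - description` suffix, and it links to a press release rather than to the product or integration; add a short note on how it uses Sigma, following the format of the `ypsilon`, `uncoder.io` and `SPARK` entries above it.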
@@ -201,4 +289,6 @@ The content of this repository is released under the following licenses:
This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
# Info Graphic
![sigmac_info_graphic](./images/sigma_infographic_lq.png)
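Review bot: the unchanged context line in this hunk reads "have been drived from blog posts"; since the commit already edits this paragraph's neighbourhood, correct it to "derived" in the same change. The new `# Info Graphic` section consists of an image only; a one-line caption stating what the graphic summarises would help readers whose viewer does not render images.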
+247
@@ -0,0 +1,247 @@
#!/usr/bin/python
# Copyright 2018 juju4
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Project: sigma2sumologic.py
Date: 11 Jan 2019
Author: juju4
Version: 1.0
Description: This script executes sumologic search queries from Sigma SIEM rules.
Workflow:
1. Convert rules with sigmac
2. Enrich: add ignore+local custom rules, priority
3. Format
4. Get results and save to txt/xlsx files
Requirements:
$ pip install sumologic-sdk pyyaml pandas
"""
import re
import os, sys, stat
import glob
import subprocess
import argparse
import yaml
import traceback
import logging
from sumologic import SumoLogic
import time
import datetime
import json
import pandas
logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger(__name__)
formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
handler = logging.FileHandler('sigma2sumo.log')
handler.setFormatter(formatter)
logger.addHandler(handler)
parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
args = parser.parse_args()
LIMIT = 100
delay = 5
def rule_element(file_content, elements):
"""
Function used to get specific element from yaml document and return content
:type file_content: str
:type elements: list
:param file_content:
:param elements: list of elements of the yaml document to get "title", "description"
:return: the value of the key in the yaml document
"""
try:
logger.debug("file_content: %s" % file_content)
yaml.safe_load(file_content.replace("---",""))
except:
raise Exception('Unsupported')
element_output = ""
for e in elements:
try:
element_output = yaml.safe_load(file_content.replace("---",""))[e]
except:
pass
if element_output is None:
return ""
return element_output
def get_rule_as_sumologic(file):
"""
Function used to get sumologic query output from rule file
:type file: str
:param file: rule filename
:return: string query
"""
if not os.path.exists(args.sigmac):
logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
cmd = [args.sigmac, file, "--target", "sumologic"]
logger.info('get_rule_as_sumologic cmd: %s' % cmd)
process = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
output, err = process.communicate()
# output is byte-string...
output = output.decode("utf-8")
err = err.decode("utf-8")
logger.info('get_rule_as_sumologic output: %s' % output)
logger.info('get_rule_as_sumologic stderr: %s' % err)
if err or "unsupported" in err:
logger.error('Unsupported output at this time')
raise Exception('Unsupported output at this time')
output = output.split("\n")
# Remove empty string from \n
output = [a for a in output if a]
# Handle case of multiple queries returned
if len(output) > 1:
return " OR ".join(output)
return "".join(output)
if args.help:
parser_print_help()
if args.conf:
with open(args.conf, 'r') as ymlfile:
cfg = yaml.load(ymlfile)
args.accessid = cfg['accessid']
args.accesskey = cfg['accesskey']
args.endpoint = cfg['endpoint']
args.ruledir = cfg['ruledir']
args.outdir = cfg['outdir']
args.sigmac = cfg['sigmac']
try:
args.recursive = cfg['recursive']
except:
args.recursive = False
if args.recursive:
globpath = args.ruledir + "/**/*.yml"
else:
globpath = args.ruledir + "/*.yml"
logger.debug("args: %s" % args)
logger.debug("globpath: %s" % globpath)
if args.outdir and not os.path.isdir(args.outdir):
os.mkdir(args.outdir, stat.S_IRWXU)
# recursive
for file in glob.iglob(globpath):
# non-recursive (above, not working...)
#for file in glob.iglob(args.ruledir + "/*.yml"):
file_basename = os.path.basename(os.path.splitext(file)[0])
file_basenamepath = os.path.splitext(file)[0]
file_ext = os.path.splitext(file)[1]
try:
if file_ext != '.yml':
continue
logger.info("Processing %s ..." % file_basename)
with open(file, "rb") as f:
file_content = f.read()
logger.info("Rule file: %s" % file)
sumo_query = get_rule_as_sumologic(file)
logger.info(" Checking if custom query file: %s" % file_basenamepath + '.custom')
if os.path.isfile(file_basenamepath + '.custom'):
# FIXME! want to add something in the middle for parsing for example...
logger.info(" Adding custom part to end query from: %s" % file_basenamepath + '.custom')
with open(file_basenamepath + '.custom', "rb") as f:
sumo_query += " " + f.read().decode('utf-8')
elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
elif 'count ' not in sumo_query:
sumo_query += " | count _sourceCategory, hostname, _raw"
logger.info("Final sumo query: %s" % sumo_query)
except Exception as e:
if args.debug:
traceback.print_exc()
logger.exception("error generating sumo query " + str(file) + "----" + str(e))
pass
try:
# Run query
# https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours = 24)
fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
timeZone = 'UTC'
byReceiptTime = True
sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
status = sumo.search_job_status(sj)
while status['state'] != 'DONE GATHERING RESULTS':
if status['state'] == 'CANCELLED':
break
time.sleep(delay)
status = sumo.search_job_status(sj)
except Exception as e:
if args.debug:
traceback.print_exc()
logger.exception("error seaching sumo " + str(file) + "----" + str(e))
with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
pass
logger.info("Sumo search job status: %s" % status['state'])
try:
if status['state'] == 'DONE GATHERING RESULTS':
count = status['recordCount']
limit = count if count < LIMIT and count != 0 else LIMIT # compensate bad limit check
r = sumo.search_job_records(sj, limit=limit)
logger.info("Sumo search results: %s" % r)
logger.info("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
f.write(sumo_query)
if r and r['records'] != []:
logger.info("Saving results")
# as json text file
with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
f.write(json.dumps(r, indent=4, sort_keys=True))
# as excel file
df = pandas.io.json.json_normalize(r['records'])
with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
df.to_excel(writer, 'data')
pandas.DataFrame({'References': [
"timeframe: from %s to %s" % (fromTime, toTime),
"Sumo endpoint: %s" % args.endpoint,
"Sumo query: %s" % sumo_query
]}).to_excel(writer, 'comments')
# and do whatever you want, email alert, report, ticket...
except Exception as e:
if args.debug:
traceback.print_exc()
logger.exception("error saving results " + str(file) + "----" + str(e))
pass
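Review bot: the script cannot start as written: `if args.help:` raises `AttributeError` because argparse does not place `help` in the parsed namespace (the `-h` action exits during parsing), and `parser_print_help()` is not defined (the method is `parser.print_help()`); the whole two-line block can be deleted. Further problems in the same file: `logger.debug("args: %s" % args)` writes the Sumo access ID and access key into `sigma2sumo.log`, which `basicConfig(level=logging.DEBUG)` enables by default, so redact the credentials or drop that line; `yaml.load(ymlfile)` on the config file should be `yaml.safe_load`, as `rule_element` already uses; in the `except` branch of the search block `json.dumps(r, ...)` references `r`, which is only assigned later by `search_job_records`, so the error handler itself raises `NameError` on the first rule and writes a stale result on later ones; after a failed `search_job` the code falls through to `status['state']` with `status` unbound; `logger.error("Cannot find sigmac rule coverter at '%s', ...")` supplies no argument for `%s` and the function then proceeds to `Popen` with the missing path anyway; `if err or "unsupported" in err` treats any stderr output, including warnings, as unsupported, so the `or err` part defeats the keyword check (testing `process.returncode` would be more robust); `--realerttime` is declared `type=str` with an integer default and is never used; `rule_element` is never called and parses the YAML once per requested element; and `file_content` is read from the rule file but never used.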
+2653
@@ -0,0 +1,2653 @@
{
"name": "SIGMA Rule Coverage",
"version": "2.1",
"domain": "mitre-enterprise",
"description": "Accurate to commit #: 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e",
"filters": {
"stages": [
"act"
],
"platforms": [
"windows",
"linux",
"mac"
]
},
"sorting": 0,
"viewMode": 0,
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1156",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1134",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1134",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1015",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_stickykey_like_backdoor.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1015",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "sysmon_stickykey_like_backdoor.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1087",
"tactic": "discovery",
"score": 5,
"color": "",
"comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1098",
"tactic": "credential-access",
"score": 3,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1098",
"tactic": "persistence",
"score": 3,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1182",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1182",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1103",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1103",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1155",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1155",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1017",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1138",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_sdbinst_shim_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1138",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "win_sdbinst_shim_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1010",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1123",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1131",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1119",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1020",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1197",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_process_creation_bitsadmin_download.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1197",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_process_creation_bitsadmin_download.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1139",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1009",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1067",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_susp_bcdedit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1217",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1176",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1110",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1088",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1088",
"tactic": "privilege-escalation",
"score": 3,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1191",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1191",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1042",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1146",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "lnx_shell_clear_cmd_history.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1115",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1116",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1059",
"tactic": "execution",
"score": 12,
"color": "",
"comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1043",
"tactic": "command-and-control",
"score": 1,
"color": "",
"comment": "sysmon_malware_backconnect_ports.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1092",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1223",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1223",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1109",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1109",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1122",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1122",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"score": 2,
"color": "",
"comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1196",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1196",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1136",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1003",
"tactic": "credential-access",
"score": 23,
"color": "",
"comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1081",
"tactic": "credential-access",
"score": 1,
"color": "",
"comment": "apt_bear_activity_gtr19.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1214",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1094",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1024",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1207",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1038",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1073",
"tactic": "defense-evasion",
"score": 9,
"color": "",
"comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1002",
"tactic": "exfiltration",
"score": 1,
"color": "",
"comment": "apt_judgement_panda_gtr19.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1022",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1074",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1030",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1213",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1005",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1039",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1025",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1140",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1089",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1175",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "win_susp_mmc_source.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1172",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1189",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1157",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1157",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1173",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1114",
"tactic": "collection",
"score": 1,
"color": "",
"comment": "win_alert_hacktool_use.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1106",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1129",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1048",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1041",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1011",
"tactic": "exfiltration",
"score": 1,
"color": "",
"comment": "sysmon_ssp_added_lsa_config.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1052",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1190",
"tactic": "initial-access",
"score": 1,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1203",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1212",
"tactic": "credential-access",
"score": 3,
"color": "",
"comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1211",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1068",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "apt_hurricane_panda.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1210",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1133",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1181",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1181",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1008",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1107",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1222",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1006",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1044",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1044",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1083",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_turla_commands.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1187",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1144",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1061",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1148",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1200",
"tactic": "initial-access",
"score": 1,
"color": "",
"comment": "win_usb_device_plugged.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1158",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_attrib_hiding_files.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1158",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "win_attrib_hiding_files.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1147",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1143",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1179",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1062",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1183",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "sysmon_win_reg_persistence.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1054",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_disable_event_logging.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1066",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_sdelete.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1070",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1202",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_office_shell.yml\nwin_susp_outlook.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1056",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1056",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1141",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1130",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1118",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1118",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1208",
"tactic": "credential-access",
"score": 2,
"color": "",
"comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1215",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1142",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1161",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1149",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1171",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1177",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1177",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1159",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1160",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1160",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1152",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1168",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1168",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1162",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1037",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1037",
"tactic": "persistence",
"score": 1,
"color": "",
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1185",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1036",
"tactic": "defense-evasion",
"score": 14,
"color": "",
"comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1031",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1112",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1170",
"tactic": "defense-evasion",
"score": 4,
"color": "",
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1170",
"tactic": "execution",
"score": 4,
"color": "",
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1104",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1188",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1026",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1079",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1096",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "powershell_ntfs_ads_access.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1128",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1046",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_vul_java_remote_debugging.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1126",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1135",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_turla_commands.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1040",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1040",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1050",
"tactic": "persistence",
"score": 7,
"color": "",
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1050",
"tactic": "privilege-escalation",
"score": 7,
"color": "",
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1027",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1137",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1075",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1097",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1174",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1201",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1034",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1034",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1120",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1069",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_net_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1150",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1205",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1013",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1013",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1086",
"tactic": "execution",
"score": 28,
"color": "",
"comment": "apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1145",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1057",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1186",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1093",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"score": 8,
"color": "",
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1055",
"tactic": "privilege-escalation",
"score": 8,
"color": "",
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1012",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "apt_babyshark.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1163",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1164",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1108",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1108",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1060",
"tactic": "persistence",
"score": 2,
"color": "",
"comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1121",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1121",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_possible_applocker_bypass.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1117",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_regsvr32_anomalies.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1117",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_susp_regsvr32_anomalies.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"score": 2,
"color": "",
"comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1076",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"score": 4,
"color": "",
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1105",
"tactic": "lateral-movement",
"score": 4,
"color": "",
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1021",
"tactic": "lateral-movement",
"score": 1,
"color": "",
"comment": "win_netsh_port_fwd_3389.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1018",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1091",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1091",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1014",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1085",
"tactic": "defense-evasion",
"score": 11,
"color": "",
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1085",
"tactic": "execution",
"score": 11,
"color": "",
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1178",
"tactic": "privilege-escalation",
"score": 1,
"color": "",
"comment": "win_susp_add_sid_history.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1198",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1198",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1184",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "execution",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "persistence",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1053",
"tactic": "privilege-escalation",
"score": 8,
"color": "",
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1029",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1113",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1180",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1064",
"tactic": "defense-evasion",
"score": 10,
"color": "",
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1064",
"tactic": "execution",
"score": 10,
"color": "",
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1063",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1101",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1167",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1035",
"tactic": "execution",
"score": 3,
"color": "",
"comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1058",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1058",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1166",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1166",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1051",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1023",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1218",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_mavinject_proc_inj.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1218",
"tactic": "execution",
"score": 1,
"color": "",
"comment": "win_mavinject_proc_inj.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1216",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1216",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1045",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1153",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1151",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1151",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1193",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1192",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1194",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"score": 1,
"color": "",
"comment": "net_susp_dns_txt_exec_strings.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1032",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1165",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1165",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1169",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1206",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1195",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1019",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1082",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_commands_recon_activity.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1016",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1049",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1033",
"tactic": "discovery",
"score": 1,
"color": "",
"comment": "win_susp_whoami.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1007",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1124",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1080",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1221",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1072",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1072",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1209",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1099",
"tactic": "defense-evasion",
"score": 1,
"color": "",
"comment": "win_susp_time_modification.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1154",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1154",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1127",
"tactic": "defense-evasion",
"score": 2,
"color": "",
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1127",
"tactic": "execution",
"score": 2,
"color": "",
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1199",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1111",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1065",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1204",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "defense-evasion",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "persistence",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "privilege-escalation",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1078",
"tactic": "initial-access",
"score": 6,
"color": "",
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1125",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"score": 3,
"color": "",
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1102",
"tactic": "defense-evasion",
"score": 3,
"color": "",
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1100",
"tactic": "persistence",
"score": 6,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1100",
"tactic": "privilege-escalation",
"score": 6,
"color": "",
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1077",
"tactic": "lateral-movement",
"score": 5,
"color": "",
"comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1047",
"tactic": "execution",
"score": 4,
"color": "",
"comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1084",
"tactic": "persistence",
"score": 3,
"color": "",
"comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1028",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1028",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1004",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1220",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
{
"techniqueID": "T1220",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
}
],
"gradient": {
"colors": [
"#ffffff",
"#66b1ff"
],
"minValue": 0,
"maxValue": 2
},
"legendItems": [],
"metadata": [],
"showTacticRowBackground": false,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": true
}
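Review bot: "gradient.maxValue" is 2 while several techniques in this layer carry higher scores (T1078 and T1100 have 6, T1077 has 5, T1047 has 4), so every technique with three or more rules renders in the same saturated colour and the heatmap cannot distinguish one rule from six. Set maxValue to the highest score in the layer, or generate it from the data when the layer is built.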
+9 -21
View File
@@ -1,32 +1,20 @@
---
action: global
title: APT29
description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
logsource:
product: windows
tags:
- attack.execution
- attack.g0016
- attack.t1086
author: Florian Roth
date: 2018/12/04
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*-noni -ep bypass $*'
condition: selection
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*-noni -ep bypass $*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*-noni -ep bypass $*'
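Review bot: collapsing the rule to "category: process_creation" drops the requirement note that lived on the removed security-log document ('Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'); the 4688 side of the process_creation mapping only yields a ProcessCommandLine value when that policy and command-line logging are enabled, and nothing in the rule says so any more. Keep the requirement in the description, or document it once with the process_creation log source configuration.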
+9 -14
View File
@@ -5,33 +5,28 @@ description: 'This method detects malicious services mentioned in APT29 report b
references:
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
tags:
- attack.command_and_control
- attack.persistence
- attack.g0016
- attack.t1172
- attack.t1050
logsource:
product: windows
service: system
detection:
service:
service_install:
EventID: 7045
ServiceName: 'Google Update'
timeframe: 5m
condition: service | near process
condition: service_install | near process
falsepositives:
- Unknown
level: high
---
# Windows Audit Log
logsource:
category: process_creation
product: windows
detection:
process:
EventID: 4688
NewProcessName:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
# Sysmon
detection:
process:
EventID: 1
Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
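Review bot: both path lists write 'C:\Program Files(x86)\Google\...' without the space that the real 'Program Files (x86)' directory has. If the missing space is intentional, because the FireEye report describes a lookalike directory, say so in a YAML comment next to the values, otherwise the next contributor will "fix" the path and the rule will silently start matching the legitimate Google updater instead of the implant. If it is not intentional, the selection never matches at all.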
+28
View File
@@ -0,0 +1,28 @@
title: Baby Shark Activity
status: experimental
description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
tags:
- attack.execution
- attack.t1059
- attack.t1086
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1170
logsource:
category: process_creation
product: windows
author: Florian Roth
date: 2019/02/24
detection:
selection:
CommandLine:
- reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
- powershell.exe mshta.exe http*
- cmd.exe /c taskkill /im cmd.exe
condition: selection
falsepositives:
- unknown
level: high
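Review bot: the first and third CommandLine values carry no wildcard, so they only match a command line that is exactly 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"' or 'cmd.exe /c taskkill /im cmd.exe'; a full path to reg.exe or cmd.exe, quoting, or any extra argument defeats the match, while the second value already uses a trailing '*'. Decide whether exact matching is intended and, if not, add leading and trailing wildcards as the other process_creation rules in this set do.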
+24
View File
@@ -0,0 +1,24 @@
title: Judgement Panda Exfil Activity
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
tags:
- attack.credential_access
- attack.t1081
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: '*\xcopy.exe'
CommandLine: '* /S /E /C /Q /H \\*'
selection2:
Image: '*\adexplorer.exe'
CommandLine: '* -snapshot "" c:\users\\*'
condition: selection1 or selection2
falsepositives:
- unknown
level: critical
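Review bot: the title 'Judgement Panda Exfil Activity' is reused verbatim by another new rule in this change set (the one tagged attack.g0010 that lists the ldifde and 7za commands), while this description says 'Detects Russian group activity'; in CrowdStrike's naming scheme 'Panda' denotes China-nexus actors, so either the title or the description here is a copy-paste leftover. Give this rule a distinct title that matches its description, and check that the attack.t1081 / attack.t1003 tags belong to this rule rather than the other one.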
+1 -1
View File
@@ -3,7 +3,7 @@ description: 'This method detects a service install of malicious services mentio
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
tags:
- attack.command_and_control
- attack.persistence
- attack.g0010
- attack.t1050
logsource:
+23 -5
View File
@@ -5,8 +5,14 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.s0111
- attack.defense_evasion
- attack.t1112
date: 2018/03/23
modified: 2019/03/01
author: Florian Roth, Markus Neis
detection:
condition: 1 of them
@@ -24,6 +30,16 @@ detection:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
product: windows
service: security
detection:
selection_service:
EventID: 4698
TaskName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
product: windows
service: sysmon
@@ -39,17 +55,19 @@ detection:
TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
EventType: 'SetValue'
Details: 'DWORD (0x00000001)'
---
logsource:
category: process_creation
product: windows
detection:
selection_process1:
EventID: 1
CommandLine:
- '*\Service.exe i'
- '*\Service.exe u'
- '*\microsoft\Taskbar\autoit3.exe'
- 'C:\wsc.exe*'
selection_process2:
EventID: 1
Image: '*\Windows\Temp\DB\*.exe'
Image: '*\Windows\Temp\DB\\*.exe'
selection_process3:
EventID: 1
CommandLine: '*\nslookup.exe -q=TXT*'
ParentImage: '*\Autoit*'
ParentImage: '*\Autoit*'
+1 -2
View File
@@ -8,11 +8,10 @@ tags:
- attack.g0045
- attack.t1064
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\cscript.exe'
CommandLine: '*.vbs /shell *'
condition: selection
+6 -25
View File
@@ -1,5 +1,3 @@
---
action: global
title: CrackMapExecWin
description: Detects CrackMapExecWin Activity as Described by NCSC
status: experimental
@@ -8,31 +6,14 @@ references:
tags:
- attack.g0035
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- None
level: critical
---
# Windows Audit Log
logsource:
category: process_creation
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
- '*\crackmapexec.exe'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
selection:
Image:
- '*\crackmapexec.exe'
condition: selection
falsepositives:
- None
level: critical
+1 -3
View File
@@ -10,15 +10,13 @@ tags:
author: Florian Roth
date: 2018/01/31
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image: 'C:\Windows\SysWOW64\cmd.exe'
CommandLine: '*\Windows\Caches\NavShExt.dll *'
selection2:
EventID: 1
CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: 1 of them
falsepositives:
+32
View File
@@ -0,0 +1,32 @@
---
action: global
title: Empire Monkey
description: Detects EmpireMonkey APT reported Activity
references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.t1086
- attack.execution
date: 2019/04/02
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- Very Unlikely
level: critical
---
logsource:
category: process_creation
product: windows
detection:
selection_cutil:
CommandLine:
- '*/i:%APPDATA%\logs.txt scrobj.dll'
Image:
- '*\cutil.exe'
selection_regsvr32:
CommandLine:
- '*/i:%APPDATA%\logs.txt scrobj.dll'
Description:
- Microsoft(C) Registerserver
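Review bot: the Description value 'Microsoft(C) Registerserver' in selection_regsvr32 should be checked against the FileDescription that regsvr32.exe actually carries, which I recall as 'Microsoft(C) Register Server' with a space; if the space is missing here, that selection never fires and only selection_cutil remains. Also, 'action: global' followed by a single '---' document is more structure than a one-logsource rule needs; a plain single-document rule like the Baby Shark file in this set would do.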
+11 -30
View File
@@ -1,6 +1,5 @@
---
action: global
title: Equation Group DLL_U Load
author: Florian Roth
description: Detects a specific tool and export used by EquationGroup
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
@@ -10,36 +9,18 @@ tags:
- attack.execution
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2018/03/10
modified: 2018/12/11
- attack.defense_evasion
- attack.t1085
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
CommandLine: '* -export dll_u *'
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
EventID: 1
CommandLine: '* -export dll_u *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
Image: '*\rundll32.exe'
ProcessCommandLine: '*,dll_u'
selection2:
EventID: 4688
ProcessCommandLine: '* -export dll_u *'
-1
View File
@@ -68,7 +68,6 @@ detection:
- 'chmod 755 /usr/vmsys/bin/pipe'
- 'chmod -R 755 /usr/vmsys'
- 'chmod 755 $opbin/*tunnel'
- '< /dev/console | uudecode && uncompress'
- 'chmod 700 sendmail'
- 'chmod 0700 sendmail'
- '/usr/bin/wget http*sendmail;chmod +x sendmail;'
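Review bot: no rationale is recorded for dropping the '< /dev/console | uudecode && uncompress' keyword; if it was removed for false positives, leave a YAML comment saying so (the Clear Command History rule in this set does exactly that for 'unset HISTFILE') so the entry is not re-added by someone working from the original indicator list.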
+8 -27
View File
@@ -1,6 +1,5 @@
---
action: global
title: Hurricane Panda Activity
author: Florian Roth
status: experimental
description: Detects Hurricane Panda Activity
references:
@@ -9,34 +8,16 @@ tags:
- attack.privilege_escalation
- attack.g0009
- attack.t1068
author: Florian Roth
date: 2018/02/25
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
condition: selection
falsepositives:
- Unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
+33
View File
@@ -0,0 +1,33 @@
title: Judgement Panda Exfil Activity
description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
tags:
- attack.lateral_movement
- attack.g0010
- attack.credential_access
- attack.t1098
- attack.exfiltration
- attack.t1002
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '*\ldifde.exe -f -n *'
- '*\7za.exe a 1.7z *'
- '* eprod.ldf'
- '*\aaaa\procdump64.exe*'
- '*\aaaa\netsess.exe*'
- '*\aaaa\7za.exe*'
- '*copy .\1.7z \\*'
- '*copy \\client\c$\aaaa\*'
selection2:
Image: C:\Users\Public\7za.exe
condition: selection1 or selection2
falsepositives:
- unknown
level: critical
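Review bot: the last CommandLine value '*copy \\client\c$\aaaa\*' looks wrong under Sigma's escaping rules, which this same change set applies elsewhere: a trailing '\*' is an escaped literal asterisk, not a backslash followed by a wildcard (compare the '\*' to '\\*' corrections in the Chafer, Sofacy and Turla hunks), and '\\' before a normal character is a single plain backslash rather than a UNC prefix. As written the value requires the command line to end in a literal '\aaaa\*'. If a trailing wildcard is intended it needs '\\*', and the UNC prefix needs to be verified against how the backend in use renders '\\client'.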
+27
View File
@@ -0,0 +1,27 @@
title: OceanLotus Registry Activity
status: experimental
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
tags:
- attack.t1112
author: megan201296
date: 2019/04/14
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
condition: selection
falsepositives:
- Unknown
level: critical
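Review bot: tags carries attack.t1112 without its tactic tag; the Chafer hunk in this change set adds attack.defense_evasion together with attack.t1112, and the rest of the set pairs technique and tactic the same way. Add attack.defense_evasion so the rule is counted in the right tactic row.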
+20 -12
View File
@@ -1,3 +1,5 @@
---
action: global
title: Pandemic Registry Key
status: experimental
description: Detects Pandemic Windows Implant
@@ -8,19 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1105
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
TargetObject:
- '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
selection2:
EventID: 1
Command: 'loaddll -a *'
condition: 1 of them
fields:
- EventID
@@ -32,4 +22,22 @@ fields:
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
TargetObject:
- '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
---
logsource:
category: process_creation
product: windows
detection:
selection2:
Command: 'loaddll -a *'
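Review bot: 'Command' in selection2 is not a process_creation field name; every other process_creation rule in this change set uses 'CommandLine' (Sofacy, Turla, Hurricane Panda), so an unmapped name is emitted verbatim and matches nothing in Sysmon or 4688 data. Rename it to CommandLine. Secondary point: selection1's TargetObject values are anchored to the '\REGISTRY\MACHINE\' prefix with no leading wildcard, whereas the OceanLotus registry rule in this set uses a leading '*\SOFTWARE\'; Sysmon builds that log the hive as 'HKLM\...' would not match the anchored form.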
+8 -12
View File
@@ -1,29 +1,25 @@
---
action: global
title: Defrag Deactivation
author: Florian Roth
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
author: Florian Roth
date: 2018/03/10
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
- attack.t1053
- attack.s0111
detection:
condition: selection
condition: 1 of them
falsepositives:
- Unknown
level: medium
---
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
selection1:
CommandLine:
- '*schtasks* /delete *Defrag\ScheduledDefrag*'
---
@@ -32,6 +28,6 @@ logsource:
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
selection2:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
+12 -26
View File
@@ -1,6 +1,5 @@
---
action: global
title: Sofacy Trojan Loader Activity
author: Florian Roth
status: experimental
description: Detects Trojan loader acitivty as used by APT28
references:
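Review bot: 'acitivty' in the description is a typo for 'activity'.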
@@ -9,32 +8,19 @@ references:
- https://twitter.com/ClearskySec/status/960924755355369472
tags:
- attack.g0007
author: Florian Roth
date: 2018/03/01
modified: 2018/12/11
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1085
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
condition: selection
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'rundll32.exe %APPDATA%\*.dat",*'
- 'rundll32.exe %APPDATA%\*.dll",#1'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'rundll32.exe %APPDATA%\*.dat",*'
- 'rundll32.exe %APPDATA%\*.dll",#1'
+6 -21
View File
@@ -1,6 +1,5 @@
---
action: global
title: Sofacy Zebrocy
author: Florian Roth
description: Detects Sofacy's Zebrocy malware execution
references:
- https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
@@ -8,27 +7,13 @@ tags:
- attack.execution
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2018/03/10
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
condition: selection
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
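Review bot: attack.g0020 on a Sofacy rule looks wrong: the same id tags the Equation Group DLL_U rule in this change set, while the Sofacy Trojan Loader rule uses attack.g0007, which is the ATT&CK group id for APT28/Sofacy. Change the tag to attack.g0007.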
+1 -2
View File
@@ -9,11 +9,10 @@ tags:
author: Florian Roth
date: 2017/10/22
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: 'ps.exe -accepteula'
condition: selection
falsepositives:
+7 -24
View File
@@ -1,34 +1,17 @@
action: global
title: TropicTrooper Campaign November 2018
author: "@41thexplorer, Windows Defender ATP"
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: "@41thexplorer, Windows Defender ATP"
date: 2018/11/30
modified: 2018/12/11
tags:
- attack.execution
- attack.t1085
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
condition: selection
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
level: high
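Review bot: the rule has no 'falsepositives' section (the hunk covers the whole file and none appears), unlike the rest of this set; the long 'abCCC...' marker is specific enough that '- Unknown' would do, but the field should be present so the rule passes the same metadata checks as the others. Also check that 'author' is not left twice after the reorder; it appears at two positions in the hunk.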
+11 -9
View File
@@ -6,35 +6,37 @@ description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
tags:
- attack.lateral_movement
- attack.g0010
- attack.execution
- attack.t1059
- attack.lateral_movement
- attack.t1077
- attack.discovery
- attack.t1083
- attack.t1135
author: Markus Neis
date: 2017/11/07
logsource:
product: windows
service: sysmon
category: process_creation
product: windows
falsepositives:
- Unknown
---
detection:
selection:
EventID: 1
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\*.doc* /s'
- 'dir %TEMP%\*.exe'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
level: critical
---
detection:
netCommand1:
EventID: 1
CommandLine: 'net view /DOMAIN'
netCommand2:
EventID: 1
CommandLine: 'net session'
netCommand3:
EventID: 1
CommandLine: 'net share'
timeframe: 1m
condition: netCommand1 | near netCommand2 and netCommand3
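Review bot: 'level: critical' sits inside the first detection document, after its condition, rather than in the global header, so the second document (the 'near' correlation over net view / net session / net share) carries no level unless the header lines outside this hunk already set one. Move the level up next to 'falsepositives' in the global section so both documents inherit it.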
+3 -3
View File
@@ -5,9 +5,9 @@ references:
author: Florian Roth
date: 2018/11/23
tags:
- attack.command_and_control
- attack.g0016
- attack.t1172
- attack.persistence
- attack.g0010
- attack.t1050
logsource:
product: windows
service: system
+5 -16
View File
@@ -1,3 +1,4 @@
---
action: global
title: Unidentified Attacker November 2018
status: stable
@@ -11,26 +12,14 @@ tags:
- attack.execution
- attack.t1085
detection:
condition: selection
condition: 1 of them
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
category: process_creation
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
selection1:
CommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
@@ -38,7 +27,7 @@ logsource:
product: windows
service: sysmon
detection:
selection:
selection2:
EventID: 11
TargetFilename:
- '*ds7002.lnk*'
+5 -2
View File
@@ -5,12 +5,15 @@ references:
- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
tags:
- attack.g0001
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1085
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Command:
- 'rundll32.exe *,zxFunction*'
- 'rundll32.exe *,RemoteDiskXXXXX'
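Review bot: 'Command' is not a process_creation field; the other process_creation rules in this change set use 'CommandLine', so after the switch from the sysmon log source this selection would query a field the mapping does not know and never match. Rename it to CommandLine (the Pandemic Registry Key rule has the same 'Command: loaddll -a *' issue).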
+6 -2
View File
@@ -6,12 +6,16 @@ date: 2017/06/03
references:
- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
tags:
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1085
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*\rundll32.exe *,InstallArcherSvc'
condition: selection
fields:
@@ -0,0 +1,27 @@
title: Clear Command History
status: experimental
description: Clear command history in linux which is used for defense evasion.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- https://attack.mitre.org/techniques/T1146/
author: Patrick Bareiss
date: 2019/03/24
logsource:
product: linux
detection:
keywords:
- 'rm *bash_history'
- 'echo "" > *bash_history'
- 'cat /dev/null > *bash_history'
- 'ln -sf /dev/null *bash_history'
- 'truncate -s0 *bash_history'
# - 'unset HISTFILE' # prone to false positives
- 'export HISTFILESIZE=0'
- 'history -c'
condition: keywords
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1146
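Review bot: 'history -c', 'export HISTFILESIZE=0' and the commented-out 'unset HISTFILE' are shell builtins that create no process, and 'echo "" > *bash_history' is a builtin plus a redirection, so none of them show up in process-execution logs such as auditd execve records; only the 'rm', 'cat', 'ln' and 'truncate' entries do. With 'logsource: product: linux' naming no service, state which log the keywords are expected in (forwarded shell history or a shell-level audit), otherwise half the list can never fire.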
+64
View File
@@ -0,0 +1,64 @@
title: Privilege Escalation Preparation
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
references:
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
author: Patrick Bareiss
date: 2019/04/05
tags:
- attack.privilege_escalation
- attack.t1068
level: medium
logsource:
product: linux
detection:
keywords:
# distribution type and kernel version
- 'cat /etc/issue'
- 'cat /etc/*-release'
- 'cat /proc/version'
- 'uname -a'
- 'uname -mrs'
- 'rpm -q kernel'
- 'dmesg | grep Linux'
- 'ls /boot | grep vmlinuz-'
# environment variables
- 'cat /etc/profile'
- 'cat /etc/bashrc'
- 'cat ~/.bash_profile'
- 'cat ~/.bashrc'
- 'cat ~/.bash_logout'
# applications and services as root
- 'ps -aux | grep root'
- 'ps -ef | grep root'
# scheduled tasks
- 'crontab -l'
- 'cat /etc/cron*'
- 'cat /etc/cron.allow'
- 'cat /etc/cron.deny'
- 'cat /etc/crontab'
# search for plain text user/passwords
- 'grep -i user *'
- 'grep -i pass *'
# networking
- 'ifconfig'
- 'cat /etc/network/interfaces'
- 'cat /etc/sysconfig/network'
- 'cat /etc/resolv.conf'
- 'cat /etc/networks'
- 'iptables -L'
- 'lsof -i'
- 'netstat -antup'
- 'netstat -antpx'
- 'netstat -tulpn'
- 'arp -e'
- 'route'
# sensitive files
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
timeframe: 30m
condition: keywords | count() by host > 6
falsepositives:
- Troubleshooting on Linux Machines
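Review bot: 'count() by host > 6' counts matching events, not distinct keywords, so seven repetitions of a single benign command on one host within 30 minutes (a cron job running 'route' or 'ifconfig', a monitor reading /etc/resolv.conf) satisfy it; the description's intent, several different enumeration steps on one host, needs a distinct-value count, which 'count()' with an empty argument does not express. Also note that '*' is a Sigma wildcard, so 'grep -i user *' and 'grep -i pass *' match any grep for those words regardless of the file argument.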
+27 -18
View File
@@ -6,6 +6,8 @@ references:
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
logsource:
product: linux
detection:
@@ -15,30 +17,37 @@ detection:
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
- 'import pty; pty.spawn'
- '-m http.server' # Python 3
- 'import pty; pty.spawn*'
- 'socat exec:*'
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
# Malware
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
- 'chmod 777 2020'
- '">>/etc/rc.local;'
- 'wget -c *;chmod 777'
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
- '*>>/etc/rc.local'
# Metasploit framework exploit codes
- 'base64 -d /tmp/'
- ' | base64 -d'
- '/bin/chmod u+s'
- 'chmod +s /tmp/'
- 'chmod u+s /tmp/'
- '/tmp/haxhax'
- '/tmp/ns_sploit'
- 'nc -l -p '
- 'cp /bin/ksh '
- 'cp /bin/sh '
- ' /tmp/*.b64 '
- '/tmp/ysocereal.jar'
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- 'nc -l -p *'
- 'cp /bin/ksh *'
- 'cp /bin/sh *'
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
condition: keywords
falsepositives:
- Unknown
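Review bot: '*/tmp/x *' is the least specific keyword in the list (any command line containing '/tmp/x ' matches) and 'chmod 777 2020*' is close behind; if they stay, record the expected noise under 'falsepositives' instead of '- Unknown' so tuning is documented. The added wildcards also change semantics on backends that treat keywords as phrases, which is worth a one-line comment at the top of the keyword block.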
+40
View File
@@ -0,0 +1,40 @@
title: Suspicious Reverse Shell Command Line
status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
references:
- https://alamot.github.io/reverse_shells/
author: Florian Roth
date: 2019/04/02
logsource:
product: linux
detection:
keywords:
- 'BEGIN {s = "/inet/tcp/0/'
- 'bash -i >& /dev/tcp/'
- 'bash -i >& /dev/udp/'
- 'sh -i >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
- '&& while read line 0<&5; do'
- '/bin/bash -c exec 5<>/dev/tcp/'
- '/bin/bash -c exec 5<>/dev/udp/'
- 'nc -e /bin/sh '
- '/bin/sh | nc'
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- 'xterm -display 1'
condition: keywords
falsepositives:
- Unknown
level: high
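Review bot: the two 'sh -i >$ /dev/tcp/' and 'sh -i >$ /dev/udp/' entries differ from the 'bash -i >&' entries directly above them only by '>$' in place of '>&'; '>$' is not a redirection operator, so if this is a typo those two keywords never match. Also, 'nc -lvvp ' is a listener, the receiving end rather than the reverse-shell command line itself, so expect hits from administrators' own netcat use and list that under falsepositives.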
+19
View File
@@ -0,0 +1,19 @@
title: Possible DNS Tunneling
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
references:
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
detection:
selection:
parent_domain: '*'
condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043
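Review bot: the aggregation 'count(dns_query) by parent_domain > 1000' has no 'timeframe', while the Privilege Escalation Preparation rule in this set pairs its count with 'timeframe: 30m'; without a window the 1000 threshold applies to whatever period the backend happens to query, so sensitivity differs per deployment. Add a timeframe. The fields 'parent_domain' and 'dns_query' also need entries in the dns field mapping; the other dns rule in this set uses 'answer' and 'record_type', so the mapping should be checked for both naming sets.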
@@ -12,10 +12,11 @@ logsource:
category: dns
detection:
selection:
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
record_type: 'TXT'
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
condition: selection
falsepositives:
- Unknown
+20
View File
@@ -0,0 +1,20 @@
title: Chafer Malware URL Pattern
status: experimental
description: Detects HTTP requests used by Chafer malware
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth
date: 2019/01/31
logsource:
category: proxy
detection:
selection:
c-uri-query: '*/asp.asp?ui=*'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
falsepositives:
- Unknown
level: critical
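Review bot: the three proxy rules in this change set name the URL field three different ways: 'c-uri-query' here, and 'URL' (with 'Host' and 'HttpMethod') in the two CobaltStrike profile rules; one field mapping cannot serve all three, so align them on the taxonomy names. Also confirm whether c-uri-query is meant to hold the path as well as the query string; if it only holds the part after '?', a value beginning with '*/asp.asp?' cannot match it and the full-URL field is the right one.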
+19
View File
@@ -0,0 +1,19 @@
title: CobaltStrike Malleable (OCSP) Profile
status: experimental
description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
tags:
- attack.t1102
logsource:
category: proxy
detection:
selection:
URL: '*/oscp/*'
Host: 'ocsp.verisign.com'
condition: selection
falsepositives:
- Unknown
level: high
@@ -0,0 +1,21 @@
title: CobaltStrike Malleable OneDrive browsing traffic profile
status: experimental
description: Detects Malleable OneDrive Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
author: Markus Neis
tags:
- attack.t1102
logsource:
category: proxy
detection:
selection:
HttpMethod: 'GET'
URL: '*?manifest=wac'
Host: 'onedrive.live.com'
filter:
URL: 'http*://onedrive.live.com/*'
condition: selection and not filter
falsepositives:
- Unknown
level: high
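Review bot: the description "Detects Malleable OneDrive Profile" does not say what the logic keys on. `Host: 'onedrive.live.com'` in the selection combined with `filter: URL: 'http*://onedrive.live.com/*'` makes this a Host-header/URL mismatch check (a request claiming the OneDrive host while the proxied URL points elsewhere); spell that out so an analyst knows what a hit means. `?` in `'*?manifest=wac'` is a single-character wildcard (use `\?` for the literal), and the rule is missing a `date:` field.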
@@ -56,7 +56,6 @@ detection:
- '*.mooo.com'
- '*.dns-dns.com'
- '*.strangled.net'
- '*.ddns.info'
- '*.adultdns.net'
- '*.craftx.biz'
- '*.ddns01.com'
@@ -53,14 +53,12 @@ detection:
- '*.vip'
- '*.party'
- '*.tech'
- '*.tech'
- '*.xyz'
- '*.date'
- '*.faith'
- '*.zip'
- '*.cricket'
- '*.space'
- '*.top'
# McAfee report
- '*.info'
- '*.vn'
@@ -94,11 +92,12 @@ detection:
- '*.trade'
- '*.accountant'
# Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- '*.click'
- '*.cf'
- '*.gq'
- '*.ml'
- '*.ga'
# Custom
- '*.pw'
condition: selection
fields:
- ClientIP
@@ -39,6 +39,8 @@ detection:
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
condition: selection
fields:
- ClientIP
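Review bot: the two new entries cite goo.gl short links (`https://goo.gl/GthvTw`, `https://goo.gl/s2WU6o`) as their source; expand them to the original report URLs so a reviewer can verify the user-agent strings without following a redirector that may stop resolving.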
@@ -0,0 +1,26 @@
title: Bitsadmin to Uncommon TLD
status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth
date: 2019/03/07
logsource:
category: proxy
detection:
selection:
UserAgent:
- 'Microsoft BITS/*'
falsepositives:
r-dns:
- '*.com'
- '*.net'
- '*.org'
condition: selection and not falsepositives
fields:
- ClientIP
- URL
- UserAgent
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
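Review bot: the two reference URLs (`- https://twitter.com/jhencinski/...`, `- https://isc.sans.edu/...`) follow `description:` directly with no `references:` key, which is not valid YAML (a sequence after a scalar mapping value) and will stop the rule from loading; add the `references:` line. Separately, the detection block defines a search identifier named `falsepositives:` (the `r-dns` TLD exclusion) next to the rule-level `falsepositives:` list; it works, but a name such as `filter` with `condition: selection and not filter` avoids the confusion.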
@@ -22,6 +22,7 @@ detection:
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
@@ -33,6 +34,7 @@ detection:
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Exploits
- '*wordpress hash grabber*'
@@ -21,6 +21,7 @@ detection:
- 'Mozila/*' # single 'l'
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
falsepositives:
UserAgent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
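Review bot: `'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'` is written without wildcards and therefore relies on exact-match semantics: a real Firefox 60 user agent continues with `Gecko/20100101 Firefox/60.0`, and the truncated string is what distinguishes the beacon. On a backend that treats values as substrings, or if someone later appends a `*`, this entry matches every Firefox 60 client on Windows 10. A comment stating that the exact match is intentional would prevent that regression; the same applies to the `Win32; x32` variant added in the previous hunk.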
@@ -0,0 +1,16 @@
title: Apache Threading Error
status: experimental
description: Detects an issue in apache logs that reports threading related errors
author: Florian Roth
date: 2019/01/22
references:
- https://github.com/hannob/apache-uaf/blob/master/README.md
logsource:
product: apache
detection:
keywords:
- '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
condition: keywords
falsepositives:
- https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
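Review bot: `falsepositives:` contains a bare URL (`https://bz.apache.org/bugzilla/show_bug.cgi?id=46185`) instead of a description of the benign cause; move the link under `references:` and describe the false positive in words (the assertion is a known Apache bug that can fire without any attack). `logsource: product: apache` also has no `service:` (error log versus access log), which the field mapping will need to target the right source.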
@@ -0,0 +1,23 @@
title: Persistence and Execution at scale via GPO scheduled task
description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1106899890377052160
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\SYSVOL
RelativeTargetName: '*ScheduledTasks.xml'
Accesses: '*WriteData*'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
level: high
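Review bot: the `description:` key nested under `logsource:` should be `definition:`, which is what the other rules in this change set use for audit-policy requirements (`definition: 'Requirements: ...'`); `description` is not a logsource attribute and will be silently ignored. Also missing are `status:` and `date:`; the `falsepositives` entry ("if the source IP is not localhost then it's super suspicious...") is triage guidance rather than a benign cause; and "ususally" in the description is a typo.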
@@ -0,0 +1,25 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
tags:
- attack.credential_access
- attack.persistence
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
Value:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: critical
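Review bot: the two GUIDs under `Value:` would be far easier to review with an inline comment naming the extended right each one represents, as the status-code hunk later in this change set does; `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` is DS-Replication-Get-Changes and `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` is DS-Replication-Get-Changes-All. The description is a single run-on sentence, "witin" in the false-positive note is a typo, and `attack.t1003` belongs in `tags` alongside the tactics since credential dumping is the purpose of the ACL change.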
@@ -0,0 +1,34 @@
title: AD Privileged Users or Groups Reconnaissance
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
- attack.discovery
- attack.t1087
status: experimental
author: Samir Bousseaden
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
- '*admin*'
condition: selection
falsepositives:
- if source account name is not an admin then its super suspicious
level: high
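Review bot: `- '*admin*'` under `ObjectName` is a substring match that fires on any SAM object whose name contains "admin" (service accounts, help-desk groups and the like), unlike the RID-suffix entries, which target specific well-known accounts and groups; either drop it or document it as the noisy entry. The rule has no `date:` field, and the false-positive line ("if source account name is not an admin then its super suspicious") describes triage rather than a benign cause, as in the sibling rules by the same author.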
@@ -5,6 +5,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1078
- car.2016-04-005
status: experimental
author: juju4
logsource:
@@ -18,6 +19,6 @@ detection:
AuthenticationPackageName: Negotiate
AccountName: 'Admin-*'
condition: selection
falsepositives:
falsepositives:
- Legitimate administrative activity
level: low
@@ -8,6 +8,7 @@ author: '@neu5ron'
tags:
- attack.t1098
- attack.credential_access
- attack.persistence
logsource:
product: windows
service: security
@@ -4,6 +4,9 @@ references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
author: '@neu5ron'
tags:
- attack.defense_evasion
- attack.t1089
logsource:
product: windows
service: security
@@ -10,14 +10,14 @@ logsource:
product: windows
detection:
keywords:
- mimikatz
- mimilib
- <3 eo.oe
- eo.oe.kiwi
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
- mimidrv.sys
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
condition: keywords
falsepositives:
- Naughty administrators
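Review bot: padding every keyword with spaces (`"* privilege::debug *"`) requires the term to be surrounded by spaces on both sides, which misses the quoted form that appears in command lines (`"privilege::debug"`, where a quote rather than a space follows the term) and any term that ends the logged line (`mimidrv.sys` as the last token). If the goal was to cut substring false positives, handle word boundaries in the backend or pad only on the side where the neighbouring character is known.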
@@ -0,0 +1,23 @@
title: Remote Task Creation via ATSVC named pipe
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: atsvc
Accesses: '*WriteData*'
condition: selection
falsepositives:
- pentesting
level: medium
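Review bot: as in the GPO scheduled-task rule, `description:` under `logsource:` should be `definition:`, and `status:` and `date:` are missing. `RelativeTargetName: atsvc` as an exact match is correct for this pipe; note that the first-time-seen named-pipe rule in this change set explicitly excludes `atsvc`, so this rule is the only coverage for that pipe and the two should reference each other in their descriptions.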
@@ -14,7 +14,7 @@ author: '@neu5ron'
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection:
EventID: 4719
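Review bot: this "typo fix" changes the requirement to the wrong audit subcategory. Event 4719 (System audit policy was changed) is generated by the Policy Change subcategory "Audit Audit Policy Change"; the doubled "Audit" is Microsoft's actual subcategory name, not a typo. "Audit Authorization Policy Change" is a different subcategory (user-right and token changes such as 4703/4704/4705) and will not produce 4719. Revert to the original `definition:` line.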
@@ -1,21 +0,0 @@
title: Eventlog Cleared Experimental
status: experimental
description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution
author: Florian Roth
date: 2017/06/27
references:
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
tags:
- attack.defense_evasion
- attack.t1070
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Source: Eventlog
condition: selection
falsepositives:
- unknown
level: high
@@ -1,52 +0,0 @@
---
action: global
title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
detection:
condition: selection
falsepositives:
- unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
@@ -11,6 +11,7 @@ tags:
- attack.t1035
logsource:
product: windows
service: system
detection:
service_installation:
EventID: 7045
@@ -0,0 +1,21 @@
title: Possible Impacket SecretDump remote activity
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
RelativeTargetName: 'SYSTEM32\*.tmp'
condition: selection
falsepositives:
- pentesting
level: high
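Review bot: `RelativeTargetName: 'SYSTEM32\*.tmp'` does not do what it looks like: in Sigma `\*` is an escaped literal asterisk, so this matches the literal string `SYSTEM32*.tmp` and never a real path. Write it as `'SYSTEM32\\*.tmp'` (escaped backslash followed by a wildcard), the same correction the NTLM registry hunk in this change set applies to `SYSTEM\\*ControlSet*`. Also, `description:` under `logsource:` should be `definition:`, and `status:`/`date:` are missing.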
@@ -0,0 +1,34 @@
title: First time seen remote named pipe
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1104489274387451904
tags:
- attack.lateral_movement
- attack.t1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
level: high
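Review bot: the title "First time seen remote named pipe" promises baselining, but the logic `selection1 and not selection2` is a static allow-list of ten pipes, so every remote access to any other pipe alerts on every occurrence, not only the first. Either describe it as an allow-list rule or move the first-seen logic to the backend. The list also omits pipes that are routinely reached over IPC$ in a normal domain (for example `spoolss` and `eventlog`), so expect a tuning phase; `selection2` repeats `EventID` and `ShareName` from `selection1` and could be reduced to `RelativeTargetName` alone. "namped" in the description is a typo.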
@@ -1,3 +1,5 @@
---
action: global
title: Malicious Service Install
description: This method detects well-known keywords of malicious services in the Windows System Eventlog
author: Florian Roth
@@ -9,10 +11,9 @@ logsource:
product: windows
service: system
detection:
selection:
selection1:
EventID:
- 7045
- 4697
keywords:
- 'WCE SERVICE'
- 'WCESERVICE'
@@ -20,7 +21,14 @@ detection:
quarkspwdump:
EventID: 16
HiveName: '*\AppData\Local\Temp\SAM*.dmp'
condition: ( selection and keywords ) or quarkspwdump
condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
falsepositives:
- Unlikely
level: high
---
logsource:
product: windows
service: security
detection:
selection2:
EventID: 4697
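Review bot: after this refactor the System-log branch is lost. With `action: global`, the first document is a template merged into the documents that follow it and does not emit a rule by itself; the only following document is the `service: security` one, so `selection1` (EventID 7045), `quarkspwdump` (EventID 16 with `HiveName`) and the `service: system` logsource are all merged into a Security-log rule where those events never occur, and `condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump` quietly degrades to the 4697 branch. Keep only the shared fields (title, keywords, condition, falsepositives, level) in the global document and add a second `---` document carrying `logsource: service: system` with `selection1` and `quarkspwdump`, the layout the other multi-document rules in this change set use (global header, then one document per logsource).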
@@ -1,112 +0,0 @@
action: global
title: Quick Execution of a Series of Suspicious Commands
description: Detects multiple suspicious process in a limited timeframe
status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
modified: 2012/12/11
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- arp.exe
- at.exe
- attrib.exe
- cscript.exe
- dsquery.exe
- hostname.exe
- ipconfig.exe
- mimikatz.exe
- nbstat.exe
- net.exe
- netsh.exe
- nslookup.exe
- ping.exe
- quser.exe
- qwinsta.exe
- reg.exe
- runas.exe
- sc.exe
- schtasks.exe
- ssh.exe
- systeminfo.exe
- taskkill.exe
- telnet.exe
- tracert.exe
- wscript.exe
- xcopy.exe
# others
- pscp.exe
- copy.exe
- robocopy.exe
- certutil.exe
- vssadmin.exe
- powershell.exe
- wevtutil.exe
- psexec.exe
- bcedit.exe
- wbadmin.exe
- icacls.exe
- diskpart.exe
timeframe: 5m
condition: selection | count() by MachineName > 5
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- arp.exe
- at.exe
- attrib.exe
- cscript.exe
- dsquery.exe
- hostname.exe
- ipconfig.exe
- mimikatz.exe
- nbstat.exe
- net.exe
- netsh.exe
- nslookup.exe
- ping.exe
- quser.exe
- qwinsta.exe
- reg.exe
- runas.exe
- sc.exe
- schtasks.exe
- ssh.exe
- systeminfo.exe
- taskkill.exe
- telnet.exe
- tracert.exe
- wscript.exe
- xcopy.exe
# others
- pscp.exe
- copy.exe
- robocopy.exe
- certutil.exe
- vssadmin.exe
- powershell.exe
- wevtutil.exe
- psexec.exe
- bcedit.exe
- wbadmin.exe
- icacls.exe
- diskpart.exe
timeframe: 5m
condition: selection | count() by MachineName > 5
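Review bot: if this file is being migrated to a `process_creation` rule rather than dropped, carry two fixes with it: `bcedit.exe` should be `bcdedit.exe`, and `modified: 2012/12/11` predates the rule's own reference (CAR-2013-04-002) and is presumably 2018/12/11, the `modified` date on the other juju4 rules in this change set.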
@@ -22,9 +22,9 @@ detection:
selection1:
EventID: 13
TargetObject:
- '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
- '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
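Review bot: correct fix, and worth a one-line comment in the rule explaining why: in Sigma `\*` is an escaped literal asterisk, so the old `'*SYSTEM\*ControlSet*\...'` could only match a literal `*` and never `SYSTEM\CurrentControlSet` or `SYSTEM\ControlSet001`; `\\*` is an escaped backslash followed by a real wildcard. The rest of the rule set should be grepped for `\*` inside path patterns; the new Impacket rule in this same change set (`'SYSTEM32\*.tmp'`) has the identical defect.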
@@ -34,7 +34,7 @@ logsource:
detection:
selection2:
EventID: 4657
ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
@@ -1,146 +0,0 @@
title: Executable used by PlugX in Uncommon Location
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
- 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
- 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
author: Florian Roth
date: 2017/06/12
tags:
- attack.s0013
logsource:
product: windows
service: security
detection:
# CamMute
selection_cammute:
EventID: 4688
CommandLine: '*\CamMute.exe'
filter_cammute:
EventID: 4688
CommandLine: '*\Lenovo\Communication Utility\*'
# Chrome Frame Helper
selection_chrome_frame:
EventID: 4688
CommandLine: '*\chrome_frame_helper.exe'
filter_chrome_frame:
EventID: 4688
CommandLine: '*\Google\Chrome\application\*'
# Microsoft Device Emulator
selection_devemu:
EventID: 4688
CommandLine: '*\dvcemumanager.exe'
filter_devemu:
EventID: 4688
CommandLine: '*\Microsoft Device Emulator\*'
# Windows Media Player Gadget
selection_gadget:
EventID: 4688
CommandLine: '*\Gadget.exe'
filter_gadget:
EventID: 4688
CommandLine: '*\Windows Media Player\*'
# HTML Help Workshop
selection_hcc:
EventID: 4688
CommandLine: '*\hcc.exe'
filter_hcc:
EventID: 4688
CommandLine: '*\HTML Help Workshop\*'
# Hotkey Command Module for Intel Graphics Contollers
selection_hkcmd:
EventID: 4688
CommandLine: '*\hkcmd.exe'
filter_hkcmd:
EventID: 4688
CommandLine:
- '*\System32\*'
- '*\SysNative\*'
- '*\SysWowo64\*'
# McAfee component
selection_mc:
EventID: 4688
CommandLine: '*\Mc.exe'
filter_mc:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
# MsMpEng - Microsoft Malware Protection Engine
selection_msmpeng:
EventID: 4688
CommandLine: '*\MsMpEng.exe'
filter_msmpeng:
EventID: 4688
CommandLine:
- '*\Microsoft Security Client\*'
- '*\Windows Defender\*'
- '*\AntiMalware\*'
# Microsoft Security Center
selection_msseces:
EventID: 4688
CommandLine: '*\msseces.exe'
filter_msseces:
EventID: 4688
CommandLine: '*\Microsoft Security Center\*'
# Microsoft Office 2003 OInfo
selection_oinfo:
EventID: 4688
CommandLine: '*\OInfoP11.exe'
filter_oinfo:
EventID: 4688
CommandLine: '*\Common Files\Microsoft Shared\*'
# OLE View
selection_oleview:
EventID: 4688
CommandLine: '*\OleView.exe'
filter_oleview:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
# RC
selection_rc:
EventID: 4688
CommandLine: '*\rc.exe'
filter_rc:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Microsoft.NET\*'
condition: ( selection_cammute and not filter_cammute ) or
( selection_chrome_frame and not filter_chrome_frame ) or
( selection_devemu and not filter_devemu ) or
( selection_gadget and not filter_gadget ) or
( selection_hcc and not filter_hcc ) or
( selection_hkcmd and not filter_hkcmd ) or
( selection_mc and not filter_mc ) or
( selection_msmpeng and not filter_msmpeng ) or
( selection_msseces and not filter_msseces ) or
( selection_oinfo and not filter_oinfo ) or
( selection_oleview and not filter_oleview ) or
( selection_rc and not filter_rc )
falsepositives:
- Unknown
level: high
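Review bot: if this rule is re-created under `process_creation`, fix `'*\SysWowo64\*'` (typo for `SysWOW64`) and the `\*` endings in the filter lists (`'*\Windows Media Player\*'`, `'*\HTML Help Workshop\*'` and the others), which in Sigma escape the asterisk to a literal instead of a trailing wildcard, so none of those filters currently exclude anything; "Contollers" in the hkcmd comment is also a typo.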
@@ -1,44 +0,0 @@
action: global
title: PowerShell Base64 Encoded Shellcode
description: Detects Base64 encoded Shellcode
status: experimental
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
author: Florian Roth
date: 2018/11/17
tags:
- attack.defense_evasion
- attack.t1036
detection:
condition: selection1 and selection2
falsepositives:
- Unknown
level: critical
---
# Windows Audit Log
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
ProcessCommandLine: '*AAAAYInlM*'
selection2:
ProcessCommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*AAAAYInlM*'
selection2:
CommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
@@ -0,0 +1,25 @@
title: RDP Login from localhost
description: RDP login with localhost source address may be a tunnelled login
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/28
modified: 2019/01/29
tags:
- attack.lateral_movement
- attack.t1076
status: experimental
author: Thomas Patzke
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 10
SourceNetworkAddress:
- "::1"
- "127.0.0.1"
condition: selection
falsepositives:
- Unknown
level: high
@@ -0,0 +1,20 @@
title: Potential RDP exploit CVE-2019-0708
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://github.com/zerosum0x0/CVE-2019-0708
tags:
- attack.initial_access
status: experimental
author: Lionel PRAT, Christophe BROCAS
logsource:
product: windows
service: system
detection:
selection:
EventID: 56
Source: TermDD
condition: selection
falsepositives:
- Bad connections or network interruptions
level: high
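Review bot: Event 56 from TermDD ("The Terminal Server security layer detected an error in the protocol stream") is raised for any malformed or aborted RDP negotiation, so this fires on vulnerability scanners and flaky clients as readily as on an exploitation attempt; the description should say the rule flags anomalous RDP sessions rather than the CVE specifically. `tags` carries only a tactic (`attack.initial_access`); add the technique, e.g. `attack.t1190` (Exploit Public-Facing Application), and a `date:` field, for consistency with the rest of the set.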
@@ -0,0 +1,31 @@
title: RDP over Reverse SSH Tunnel WFP
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1076
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestinationAddress:
- '127.*'
- '::1'
destinationRDP:
DestinationPort: 3389
SourceAddress:
- '127.*'
- '::1'
condition: selection and ( sourceRDP or destinationRDP )
falsepositives:
- unknown
level: high
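Review bot: the description says "svchost hosting RDP termsvcs", but the selection never checks the process: `selection` is only `EventID: 5156` plus the port/loopback pairs, so any loopback traffic on 3389 matches. Either add an `Application:` constraint (5156 carries the process path) or reword the description. Because 5156 depends on "Audit Filtering Platform Connection", which is very high volume and off by default, add a `definition:` under `logsource` stating that prerequisite, as the other Security-log rules in this change set do.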
@@ -1,57 +0,0 @@
action: global
title: Suspicious Commandline Escape
description: Detects suspicious process that use escape characters
status: experimental
references:
- https://twitter.com/vysecurity/status/885545634958385153
- https://twitter.com/Hexacorn/status/885553465417756673
- https://twitter.com/Hexacorn/status/885570278637678592
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
modified: 2018/12/11
tags:
- attack.defense_evasion
- attack.t1140
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
@@ -1,73 +0,0 @@
---
action: global
title: Reconnaissance Activity with Net Command
status: experimental
description: 'Detects a set of commands often used in recon stages by different attack groups'
references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
date: 2018/08/22
modified: 2018/12/11
tags:
- attack.discovery
- attack.t1073
- attack.t1012
detection:
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'tasklist'
- 'net time'
- 'systeminfo'
- 'whoami'
- 'nbtstat'
- 'net start'
- '*\net1 start'
- 'qprocess'
- 'nslookup'
- 'hostname.exe'
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'tasklist'
- 'net time'
- 'systeminfo'
- 'whoami'
- 'nbtstat'
- 'net start'
- '*\net1 start'
- 'qprocess'
- 'nslookup'
- 'hostname.exe'
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'
@@ -9,6 +9,7 @@ date: 2017/05/15
author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
logsource:
product: windows
service: system
@@ -6,13 +6,16 @@ references:
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
tags:
- attack.defense_evasion
- attack.t1073
author: Dimitrios Slamaris
logsource:
product: windows
service: system
service: dhcp
detection:
selection:
EventID:
EventID:
- 1031
- 1032
- 1034
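Review bot: switching the logsource from `service: system` to `service: dhcp` only works if every shipped backend configuration defines a `dhcp` service mapping; otherwise sigmac has no index or channel to target and a rule that converted before now drops out. Verify the mapping exists in the configs, and confirm which channel actually carries events 1031/1032/1034 in the targeted environments, before merging; otherwise keep `system` and constrain on the provider.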
@@ -6,6 +6,9 @@ references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- https://twitter.com/gentilkiwi/status/861641945944391680
tags:
- attack.defense_evasion
- attack.t1073
author: Florian Roth
logsource:
product: windows
@@ -7,6 +7,7 @@ author: Thomas Patzke
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1098
logsource:
product: windows
service: security
@@ -1,7 +1,8 @@
title: Eventlog Cleared
description: One of the Windows Eventlogs has been cleared
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth
tags:
- attack.defense_evasion
@@ -12,6 +13,7 @@ logsource:
detection:
selection:
EventID: 104
Source: Microsoft-Windows-Eventlog
condition: selection
falsepositives:
- Unknown
@@ -1,6 +1,9 @@
title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
author: Florian Roth
modified: 2019/03/01
references:
- https://twitter.com/SBousseaden/status/1101431884540710913
tags:
- attack.persistence
- attack.privilege_escalation
@@ -14,11 +17,12 @@ detection:
- 4625
- 4776
Status:
- '0xC0000072'
- '0xC000006F'
- '0xC0000070'
- '0xC0000413'
- '0xC000018C'
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
condition: selection
falsepositives:
- User using a disabled account
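Review bot: annotating each status code is a good pattern; the new entry `0xC000015B` (logon type not granted) is, however, considerably noisier than the others, since it is produced whenever a user lacking the right for that logon type (for example a user not permitted to log on through Remote Desktop Services) attempts it, which is routine misconfiguration rather than account tampering. Extend `falsepositives` beyond "User using a disabled account" to cover that case, or move `0xC000015B` to a separate lower-level rule.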
@@ -0,0 +1,39 @@
title: MSHTA Suspicious Execution 01
status: experimental
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
date: 22/02/2019
modified: 22/02/2019
author: Diego Perez (@darkquassar)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
tags:
- attack.defense_evasion
- attack.t1140
logsource:
category: process_creation
product: windows
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
detection:
selection1:
CommandLine:
- '*mshta vbscript:CreateObject("Wscript.Shell")*'
- '*mshta vbscript:Execute("Execute*'
- '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
selection2:
Image:
- 'C:\Windows\system32\mshta.exe'
CommandLine:
- '*.jpg*'
- '*.png*'
- '*.lnk*'
# - '*.chm*' # could be prone to false positives
- '*.xls*'
- '*.doc*'
- '*.zip*'
condition:
selection1 or selection2
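Review bot: `date: 22/02/2019` and `modified: 22/02/2019` use DD/MM/YYYY while every other rule in this change set uses YYYY/MM/DD; normalise so date-based tooling sorts correctly. `Image: - 'C:\Windows\system32\mshta.exe'` is an exact path, so 32-bit `C:\Windows\SysWOW64\mshta.exe` and non-default system drives are missed; `'*\mshta.exe'` is the form used elsewhere. Placing `falsepositives`/`level` before `detection` is legal YAML but breaks the layout of the other rules, and `condition:` split across two lines (`condition:` then `selection1 or selection2`) is easy to misread; put it on one line.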
@@ -1,34 +0,0 @@
---
action: global
title: MsiExec Web Install
status: experimental
description: Detects suspicious msiexec proess starts with web addreses as parameter
references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth
date: 2018/02/09
modified: 2012/12/11
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* msiexec*:\/\/*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* msiexec*:\/\/*'
@@ -7,8 +7,8 @@ references:
author: Florian Roth
date: 2018/06/08
tags:
- attack.credential_access
- attack.t1208
- attack.lateral_movement
- attack.t1075
logsource:
product: windows
service: ntlm
@@ -1,43 +0,0 @@
---
action: global
title: Suspicious Encoded PowerShell Command Line
description: Detects suspicious powershell process starts with base64 encoded commands
status: experimental
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth
date: 2018/09/03
detection:
selection:
CommandLine:
# Command starts with '$' symbol
- '* -e JAB*'
- '* -enc JAB*'
- '* -encodedcommand JAB*'
# Google Rapid Response
falsepositive1:
Image: '*\GRR\*'
# PowerSponse deployments
falsepositive2:
CommandLine: '* -ExecutionPolicy remotesigned *'
condition: selection and not 1 of falsepositive*
falsepositives:
- GRR powershell hacks
- PowerSponse Deployments
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -1,49 +0,0 @@
action: global
title: Suspicious Use of Procdump
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2018/10/30
tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003
detection:
condition: selection and selection1 and selection2
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
selection1:
ProcessCommandLine:
- "* -ma *"
selection2:
ProcessCommandLine:
- '* lsass.exe*'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
selection1:
CommandLine:
- "* -ma *"
selection2:
CommandLine:
- '* lsass.exe*'
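Review bot: another full deletion (`-49 +0`) with no visible destination; the field names here already live under the right logsource documents, so the rule ports cleanly if it is being moved. One thing to tighten on the way: `selection`, `selection1` and `selection2` each hold a single field on the same event, so `condition: selection and selection1 and selection2` can collapse into one selection map with `EventID`, `ProcessCommandLine|contains: ' -ma '` and `lsass.exe` together.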
@@ -1,136 +0,0 @@
---
action: global
title: Suspicious Process Creation
description: Detects suspicious process starts on Windows systems based on keywords
status: experimental
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://twitter.com/subTee/status/872244674609676288
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
author: Florian Roth
modified: 2012/12/11
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\*'
- 'attrib +S +H +R *\AppData\*'
- 'schtasks* /create *\AppData\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\*'
- '*\Regasm *\AppData\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\*'
- 'attrib +S +H +R *\AppData\*'
- 'schtasks* /create *\AppData\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\*'
- '*\Regasm *\AppData\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
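Review bot: before this 136-line rule is re-created elsewhere, fix `'net localgroup adminstrators * /add'` in both the Sysmon and the 4688 list: the group is `administrators`, so the misspelled pattern cannot match the real command. The header carries `modified: 2012/12/11` but no `date:` at all. The 58 keywords are duplicated verbatim only because the two logsources use different field names (`CommandLine` versus `ProcessCommandLine`); a field mapping in the backend configuration would let the list live once in the global section.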
@@ -1,39 +0,0 @@
---
action: global
title: PowerShell Script Run in AppData
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth
date: 2019/01/09
logsource:
product: windows
service: sysmon
detection:
condition: selection
falsepositives:
- Administrative scripts
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* /c powershell*\AppData\Local\*'
- '* /c powershell*\AppData\Roaming\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* /c powershell*\AppData\Local\*'
- '* /c powershell*\AppData\Roaming\*'
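Review bot: the deleted rule's global section carries its own `logsource: product: windows / service: sysmon` directly before `detection:`, which each sub-document then overrides; if the rule is recreated, drop it from the global part so the 4688 branch is not presented as Sysmon-based. The patterns `'* /c powershell*\AppData\Local\*'` and `'* /c powershell*\AppData\Roaming\*'` also only catch invocations through `cmd /c`; a direct `powershell.exe ...\AppData\...` start is missed, which the description ("invokes PowerShell with reference to an AppData folder") does not say.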
+28
@@ -0,0 +1,28 @@
title: Suspicious PsExec execution
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags:
- attack.lateral_movement
- attack.t1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- '*-stdin'
- '*-stdout'
- '*-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: 'PSEXESVC*'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
level: high
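Review bot: the new rule puts the audit-policy requirement under `description:` inside `logsource:`, while every other rule in this diff uses `definition:` for that (for example `definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, ...'`); switch to `definition:` so tooling that reads the field finds it. The file also lacks the `date:` and `status:` fields the rest of the set carries, and `falsepositives: - nothing observed so far` would read better as a statement of what was tested (which PsExec versions, which environments).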
@@ -0,0 +1,30 @@
title: Suspicious access to sensitive file extensions
description: Detects known sensitive file extensions
author: Samir Bousseaden
tags:
- attack.collection
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 5145
RelativeTargetName:
- '*.pst'
- '*.ost'
- '*.msg'
- '*.nst'
- '*.oab'
- '*.edb'
- '*.nsf'
- '*.bak'
- '*.dmp'
- '*.kirbi'
- '*\ntds.dit'
- '*\groups.xml'
- '*.rdp'
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
level: high
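Review bot: `description: Detects known sensitive file extensions` leaves out what the rule actually watches, which is SMB share access (`EventID: 5145`) to files with those extensions; say so, and add the `definition:` line with the `Audit Detailed File Share` requirement that the PsExec rule above already carries, because 5145 is not logged by default. With no `ShareName` restriction and entries like `*.bak`, `*.dmp` and `*.rdp`, `level: high` will fire on every backup job and support session; either scope the list (`*\ntds.dit`, `*.kirbi` and `*\groups.xml` are the high-confidence entries) or lower the level. `EventID:` does not need to be a one-element list. Missing `date:`, `status:` and `references:`.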
@@ -1,32 +0,0 @@
action: global
title: Suspicious RASdial Activity
description: Detects suspicious process related to rasdial.exe
status: experimental
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
detection:
selection:
CommandLine:
- 'rasdial'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
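Review bot: in the deleted RASdial rule `CommandLine: - 'rasdial'` has no wildcards, so under Sigma's matching it only hits a command line that is exactly `rasdial`, and the field sits in the global section although the 4688 document's field is `ProcessCommandLine`; if the rule is recreated, use `'*rasdial*'` under each logsource document. No `date:` either.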
@@ -1,38 +0,0 @@
action: global
title: Suspicious Process Start Locations
description: Detects suspicious process run from unusual locations
status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4
tags:
- attack.defense_evasion
- attack.t1036
detection:
selection:
CommandLine:
- "*:\\RECYCLER\\*"
- "*:\\SystemVolumeInformation\\*"
- "%windir%\\Tasks\\*"
- "%systemroot%\\debug\\*"
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
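Review bot: two of the four deleted patterns can never match as written and should not be carried over unchanged: `"%windir%\\Tasks\\*"` and `"%systemroot%\\debug\\*"` contain environment variables that the shell expands before the process is created, so the logged command line holds `C:\Windows\...`; and `"*:\\SystemVolumeInformation\\*"` lacks the spaces in the real folder name `System Volume Information`. `CommandLine` is also the wrong field for a start-location check; the image path (`Image` for Sysmon, `NewProcessName` for 4688) is what the location should be tested against.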
+1 -1
@@ -9,7 +9,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1116
- attack.t1066
- attack.s0195
logsource:
product: windows
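Review bot: `attack.t1116` and `attack.t1066` differ by one digit and the rendering drops the `+`/`-` marker, so the commit message should state which one is the correction; T1116 is Code Signing and T1066 is Indicator Removal from Tools, and only the latter fits a rule tagged `attack.t1107` (File Deletion) and `attack.s0195` (SDelete). A `modified:` bump belongs in the same change.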
@@ -1,49 +0,0 @@
---
action: global
title: Suspicious Svchost Processes
description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
author: Florian Roth, @c_APT_ure
date: 2018/10/26
status: experimental
references:
- https://twitter.com/Moti_B/status/1002280132143394816
- https://twitter.com/Moti_B/status/1002280287840153601
falsepositives:
- Renamed %SystemRoot%s
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\svchost.exe'
filter1:
ParentImage:
- '*\services.exe'
- '*\MsMpEng.exe'
filter2:
CommandLine: '* -k *'
filter3:
Image: 'C:\Windows\S*' # \* is a reserved expression
condition: selection and not ( filter1 or filter2 or filter3 )
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\svchost.exe'
# Deactivated as long as some backends do not fully support the 'null' expression
# filter2:
# ProcessCommandLine:
# - null # Missing KB3004375 and Group Policy setting
# - '* -k *'
filter3:
NewProcessName: 'C:\Windows\S*' # \* is a reserved expression
condition: selection and not filter3
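Review bot: the deleted rule's Security-log document never checks the parent process: `filter1` (`ParentImage` services.exe / MsMpEng.exe) exists only in the Sysmon branch, `filter2` is commented out, and `condition: selection and not filter3` reduces the 4688 branch to "svchost.exe outside `C:\Windows\S*`", a fraction of what the description promises ("parent process that is not services.exe, command line missing -k parameter"). If the rule is recreated, add a `ParentProcessName` filter for 4688 (the field is present on Windows 10 / Server 2016 and later) and record the gap for older hosts in the description or `falsepositives`.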
@@ -0,0 +1,29 @@
title: Unauthorized System Time Modification
status: experimental
description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
author: '@neu5ron'
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
date: 2019/02/05
tags:
- attack.defense_evasion
- attack.t1099
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
selection:
EventID: 4616
filter1:
ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
filter2:
ProcessName: 'C:\Windows\System32\VBoxService.exe'
filter3:
ProcessName: 'C:\Windows\System32\svchost.exe'
SubjectUserSid: 'S-1-5-19'
condition: selection and not ( filter1 or filter2 or filter3 )
falsepositives:
- HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: high
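Review bot: `filter1` and `filter2` pin absolute install paths (`C:\Program Files\VMware\VMware Tools\vmtoolsd.exe`, `C:\Windows\System32\VBoxService.exe`), so a non-default drive or install directory makes the rule fire on every guest time sync; `*\vmtoolsd.exe` would cover that at the cost of being spoofable by a renamed binary, a trade-off worth stating in `falsepositives`. `filter3` (svchost.exe running as `S-1-5-19`, LOCAL SERVICE) is the Windows Time service case and deserves a comment saying so. The first reference, `Private Cuckoo Sandbox (... NDA as well)`, is not something a reader can follow; keep it as a note in the description or drop it from `references:`.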
-36
@@ -1,36 +0,0 @@
---
action: global
title: Whoami Execution
status: experimental
description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'
references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2018/05/22
tags:
- attack.discovery
- attack.t1033
detection:
condition: selection
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: 'whoami'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\whoami.exe'
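Review bot: the two branches of the deleted rule do not agree: the Sysmon document matches `CommandLine: 'whoami'` exactly (no wildcard), so `whoami /all` or `whoami.exe` does not match, while the Security document matches `NewProcessName: '*\whoami.exe'` regardless of arguments. If recreated, key both branches on the image name. Typo in the description: `exloitation`.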
@@ -0,0 +1,22 @@
title: Remote Service Activity Detected via SVCCTL named pipe
description: Detects remote remote service activity via remote access to the svcctl named pipe
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
tags:
- attack.lateral_movement
- attack.persistence
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: svcctl
Accesses: '*WriteData*'
condition: selection
falsepositives:
- pentesting
level: medium
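Review bot: `description: Detects remote remote service activity` has a doubled word. As in the PsExec rule, the audit requirement sits under `description:` inside `logsource:` instead of `definition:`. The tags give tactics only (`attack.lateral_movement`, `attack.persistence`) with no technique ID, while the adjacent PsExec rule uses `attack.t1077`; T1035 (Service Execution) is the technique that remote `svcctl` access corresponds to. No `date:` or `status:`.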
@@ -5,6 +5,9 @@ references:
- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
status: experimental
author: Florian Roth
tags:
- attack.initial_access
- attack.t1200
logsource:
product: windows
service: driver-framework
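Review bot: the added `attack.initial_access` / `attack.t1200` pair fits a USB-device rule (T1200 is Hardware Additions), but the change lands without a `modified:` date; add one in the same hunk, as the Antivirus rule later in this diff does for its tag and signature update.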
@@ -4,6 +4,7 @@ status: stable
author: Florian Roth
tags:
- attack.privilege_escalation
- attack.t1078
logsource:
product: windows
service: security
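Review bot: `attack.t1078` (Valid Accounts) is the right technique for a privilege-escalation rule on Security logs; because this rule is `status: stable`, record the tag addition with a `modified:` line so consumers can see the rule's metadata changed.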
@@ -0,0 +1,26 @@
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
status: experimental
tags:
- attack.persistence
- attack.t1136
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
condition: selection
fields:
- EventCode
- AccountName
- AccountDomain
falsepositives:
- Domain Controller Logs
- Local accounts managed by privileged account management tools
level: low
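Review bot: `title: Detects local user creation` is phrased as a description; the other rules use noun-phrase titles (`Suspicious PsExec execution`, `Whoami Execution`), so `Local User Creation` fits the set. The `fields:` list names `EventCode`, `AccountName` and `AccountDomain`, which are Splunk-style names, while the detection itself uses `EventID`; `fields:` should use the same Sigma field names as `detection:` so the backend mapping applies to both. The description's "shouldn't happen in an Active Directory environment" needs "on member servers", since 4720 is also logged on domain controllers for domain accounts, which the `falsepositives` entry `Domain Controller Logs` already acknowledges. No `date:`.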
@@ -1,36 +0,0 @@
---
action: global
title: WMI Persistence - Script Event Consumer
status: experimental
description: Detects WMI script event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018/03/07
tags:
- attack.execution
- attack.persistence
- attack.t1047
detection:
selection:
Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
ParentImage: 'C:\Windows\System32\svchost.exe'
condition: selection
falsepositives:
- Legitimate event consumers
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
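Review bot: the deleted rule's global `selection` uses `Image` and `ParentImage`, which are Sysmon fields; Security 4688 carries `NewProcessName` / `ParentProcessName` instead, so the `service: security` document of this rule could never match as written. If it is recreated, put per-logsource field names under each document, as the Procdump rule in this diff does, and replace the hard-coded `C:\WINDOWS\system32\wbem\scrcons.exe` with `*\wbem\scrcons.exe`.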
+3
@@ -1,6 +1,7 @@
title: Antivirus Exploitation Framework Detection
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
date: 2018/09/09
modified: 2019/01/16
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
@@ -15,10 +16,12 @@ detection:
selection:
Signature:
- "*MeteTool*"
- "*MPreter*"
- "*Meterpreter*"
- "*Metasploit*"
- "*PowerSploit*"
- "*CobaltSrike*"
- "*Swrort*"
condition: selection
fields:
- FileName
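Review bot: `"*CobaltSrike*"` is missing the `t`; if that spelling reproduces a vendor signature name from the referenced cheat sheet, add a comment saying so, otherwise the entry matches nothing and `"*CobaltStrike*"` is wanted. Because the `+`/`-` markers are not rendered, the two added signatures among `"*MeteTool*"` through `"*Swrort*"` cannot be identified here; the commit message should name them.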

Some files were not shown because too many files have changed in this diff.