-O options:
attackMapFile: used to set subFunction in the XML rule. It is a map between subFunction and tags.attack in the YML file.
ruleIndex: used to set the rule id in the XML rule. The rule id format is PH_Rule_{ruleType}_SIGMA_{ruleIndex}.
ruleType: used to set the rule id in the XML rule (see the format above).
1. Generate rule for one YML file
a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
Output:
<Rules>
<Rule group="PH_SYS_RULE_THREAT_HUNTING" natural_id="PH_Rule_Windows_SIGMA_0" phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
<Name>Python Initiated Connection </Name>
<IncidentTitle>Python Initiated Connection</IncidentTitle>
<active>true</active>
<Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
<SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
<CustomerScope groupByEachCustomer="true">
<Include all="true"/>
<Exclude/>
</CustomerScope>
<IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
<ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
</IncidentDef>
<PatternClause window="300">
<SubPattern displayName="Filter" name="Filter">
<SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
<GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
<GroupEvtConstr> COUNT(*) >= 1 </GroupEvtConstr>
</SubPattern>
</PatternClause>
<TriggerEventDisplay>
<AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
</TriggerEventDisplay>
</Rule>
</Rules>
2. Generate rules for YML files under rules/windows
a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
Generate rules for YML files under rules/windows
3. Find files that were modified after a given date.
a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
Output:
rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
rules/windows/wmi_event/TestFile.yml, No date
##YmlAttributeName,FortiSIEMAttributeName,FortiSIEMAttributeType
##need to define a new inter attribute for it
DestinationIsIpv6,isIpv6
Initiated,isInitialed
AllowedToDelegateTo,isAllowedToDelegateTo
##not found in WinOSWmiParser.xml
TargetDetails,details
Account_Name,user
Computer_Name,computer
Originating_Computer,srcName
FileHash,hashCode
FilePath,filePath
Fqbn,hostName
RuleId,ruleId,int
RuleName,ruleName
CallTrace,procPath
IntegrityLevel,integrityLevel
ParentIntegrityLevel,procTrustLevel,int
Company,company
ParentProcessGuid,procOwner
LogonGuid,uuid
ParentUser,userGrp
Hashes,hashCode
Imphash,hashIMP
OriginalFilename,srcFileName
OriginalFileName,srcFileName
ParentProcess,parentProcName
Product,product
sha1,hashSHA1
DestPort,destIpPort,int
Destination,destIpAddr,ip
destination.port,destIpPort,int
HostApplication,appName
TargetName,targetName
TargetProcessAddress,destMACAddr
Service,serviceName
Source,eventSource
ImagePath,procPath
Path,procPath
Payload,dataPayload
Properties,propName
QueryName,queryId
QueryResults,actionResult
QueryStatus,status
LogonProcessName,procName
ServicePrincipalNames,principal
HostVersion,version
FailureCode,errorNoInt,int
EngineVersion,version
DeviceClassName,deviceType
DeviceDescription,description
Status,status
AccessList,srcIpAddrList
AccessMask,fileAccess
AttributeLDAPDisplayName,propName
ContextInfo,lineContent
AttributeValue,propValue
GroupSid,groupID
AuditPolicyChanges,actionName
CallingProcessName,procName
GrantedAccess,accessKeyId
KeyLength,msgLen
keywords,msg
Keywords,msg
LayerRTID,permissionLevelID
Level,permissionLevelType
LDAPDisplayName,propName
Value,propValue
ObjectClass,osObjType
ObjectServer,serverName
ObjectValueName,osObjValue
PipeName,vpnTunnelName
PrivilegeList,privName
RelativeTargetName,targetName
SAMAccountName,accountName
ScriptBlockText,script
ShareName,fileName
SidHistory,essId
Signed,authResult
StartFunction,funName
StartModule,module
TicketEncryptionType,encryptAlgo
TicketOptions,paraName
IpAddress,srcIpAddr,ip
HiveName,procName
##found in WinOSWmiParser.xml
ComputerName,computer
CurrentDirectory,dirName
Description,description
FileVersion,fileVersion
GroupName,targetUserGrp
LogonId,winLogonId
NewName,newObjValue
ProcessName,procName
QNAME,destName
TargetFilename,fileName
User,user
Image,procName
ParentImage,parentProcName
CommandLine,command
TaskName,task
ServiceName,winSrvcName
TargetObject,regKeyPath
EventType,osObjAction
EventID,eventType
EventCode,eventType
Details,details
ParentCommandLine,parentCommand
Message,msg
HostName,hostName
FileName,fileName
TargetImage,targetProcName
Accesses,osObjAccessType
AccountName,user
DestinationIp,destIpAddr,ip
DestinationPort,destIpPort,int
DestinationHostname,destName
DestinationAddress,destIpAddr,ip
ObjectType,osObjType
ObjectName,osObjName
SourceImage,procName
SourceAddress,srcIpAddr,ip
SourcePort,srcIpPort,int
SourceNetworkAddress,srcIpAddr,ip
SourceWorkstation,srcName
TargetUserName,targetUser
UserName,user
SubjectDomainName,targetDomain
SubjectLogonId,winLogonId
SubjectUserName,user
SubjectUserSid,userId
Workstation,computer
WorkstationName,computer
ServiceFileName,serviceFileName
Signature,signatureName
ImageLoaded,loadedProcName
LogonType,winLogonType,int
AuthenticationPackage,procName
AuthenticationPackageName,procName
Device,deviceIdentification
PolicyName,policyName
TargetProcessId,targetProcId
TargetUser,targetUser
NewValue,newObjValue
SubjectAccountName,user
ClientAddress,srcIpAddr,ip
ProcessID,procId
TargetFileName,fileName
AccountDomain,domain
Computer,computer
DomainName,targetDomain
#network
dst_ip,destIpAddr,ip
src_ip,srcIpAddr,ip
dst_port,destIpPort,int
src_port,srcIpPort,int
dns_query,uriQuery
uri_query,uriQuery
parent_domain,domain
record_type,type
query,queryId
action,activityName
operation,opName
c-useragent,httpUserAgent
c-uri,httpEndUri
endpoint,targetName
service,serviceName
path,procPath
name,procName
cipher,password
request_type,type
answer,actionResult
resp_mime_types,type
message_size,msgLen,int
question_length,size,int
cs-method,httpMethod
sc-status,status
method,httpMethod
referer,httpReferrer
useragent,httpUserAgent
clientip,srcIpAddr,ip
MachineName,hostName