From 5d37c0ee1e4bacbf9c25a3f1a531c3f52d7e65d5 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 22 Oct 2020 10:22:00 +0200
Subject: [PATCH 1/7] Added some modifications to firewall disabling
---
 rules/linux/lnx_security_tools_disabling.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a49..05f6564d 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -2,11 +2,11 @@ title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno
 date: 2020/06/17
 references:
- - https://attack.mitre.org/techniques/T1089/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 logsource:
 product: linux
 detection:
@@ -16,6 +16,8 @@ detection:
 - 'chkconfig off iptables'
 - 'service ip6tables stop'
 - 'chkconfig off ip6tables'
+ - 'systemctl stop firewalld'
+ - 'systemctl disable firewalld'
 - CarbonBlack|contains:
 - 'service cbdaemon stop'
 - 'chkconfig off cbdaemon'
@@ -31,4 +33,6 @@ falsepositives:
 - Legitimate administration activities
 level: medium
 tags:
- - attack.defense_evasion
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
From e31c8f96e94e49b8a1b1e906794d73eb69cb1770 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Wed, 28 Oct 2020 09:56:01 +0100
Subject: [PATCH 2/7] added the category
---
 rules/linux/lnx_security_tools_disabling.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 05f6564d..c90168d7 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
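Review bot: The two firewalld keywords added in the `@@ -16,6 +16,8 @@` hunk only match the literal spellings `systemctl stop firewalld` and `systemctl disable firewalld`, so `systemctl mask firewalld` (which also keeps the unit from ever starting) is not detected, and `systemctl disable --now firewalld` would only be caught once the later refactor moves to `contains|all`. Distribution-native front ends are also absent: `ufw disable` on Ubuntu-family hosts is as common as stopping firewalld on RHEL-family ones. Consider adding `- 'systemctl mask firewalld'` and `- 'ufw disable'` to the same list. The enclosing `keywords:` block starts outside this hunk.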
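Review bot: The tags hunk adds `attack.t1089` next to `attack.t1562.004`, but T1089 was revoked in ATT&CK in favour of the T1562 sub-techniques, so the legacy tag is redundant with the new one and the same commit already drops the `attack.mitre.org/techniques/T1089/` reference. Unless the repository's tag tests still require the retired ID, keep only `- attack.t1562.004` so the rule's metadata and its references agree.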
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 logsource:
+ category: process_creation
 product: linux
 detection:
 keywords:
From 0c0c1725fa1359e0c78901b81516465c1ef2e294 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 29 Oct 2020 09:34:47 +0100
Subject: [PATCH 3/7] refactor detections
---
 rules/linux/lnx_security_tools_disabling.yml | 97 ++++++++++++++++----
 1 file changed, 78 insertions(+), 19 deletions(-)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index c90168d7..609c095d 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -11,25 +11,84 @@ logsource:
 category: process_creation
 product: linux
 detection:
- keywords:
- - Command|contains:
- - 'service iptables stop'
- - 'chkconfig off iptables'
- - 'service ip6tables stop'
- - 'chkconfig off ip6tables'
- - 'systemctl stop firewalld'
- - 'systemctl disable firewalld'
- - CarbonBlack|contains:
- - 'service cbdaemon stop'
- - 'chkconfig off cbdaemon'
- - 'systemctl stop cbdaemon'
- - 'systemctl disable cbdaemon'
- - SELinux:
- - 'setenforce 0'
- - Crowdstrike|contains:
- - 'systemctl stop falcon-sensor.service'
- - 'systemctl disable falcon-sensor.service'
- condition: keywords
+ iptables_1:
+ ProcessName|endswith:
+ - 'service'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_2:
+ ProcessName|endswith:
+ - 'service'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ iptables_3:
+ ProcessName|endswith:
+ - 'chkconfig'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_4:
+ ProcessName|endswith:
+ - 'chkconfig'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ firewall_1:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'stop'
+ firewall_2:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'disable'
+ carbonblack_1:
+ ProcessName|endswith:
+ - 'service'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_2:
+ ProcessName|endswith:
+ - 'chkconfig'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'off'
+ carbonblack_3:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_4:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'disable'
+ selinux:
+ ProcessName|endswith:
+ - 'setenforce'
+ CommandLine|contains:
+ - '0'
+ crowdstrike_1:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'stop'
+ - 'falcon-sensor.service'
+ crowdstrike_2:
+ ProcessName|endswith:
+ - 'systemctl'
+ CommandLine|contains|all:
+ - 'disable'
+ - 'falcon-sensor.service'
+ condition: 1 of them
 falsepositives:
 - Legitimate administration activities
 level: medium
From 7c5067ade43023e86e19c8b213adfcb3bea7f412 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Fri, 6 Nov 2020 10:25:59 +0100
Subject: [PATCH 4/7] Making it a global rule
---
 rules/linux/lnx_security_tools_disabling.yml | 28 +++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 609c095d..a6a5fe01 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -1,3 +1,4 @@
+action: global
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
@@ -7,6 +8,14 @@ date: 2020/06/17
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
+---
 logsource:
 category: process_creation
 product: linux
@@ -89,10 +98,15 @@ detection:
 - 'disable'
 - 'falcon-sensor.service'
 condition: 1 of them
-falsepositives:
- - Legitimate administration activities
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.004
- - attack.t1089
+---
+logsource:
+ product: linux
+ service: syslog
+detection:
+ keywords:
+ - '*stopping iptables*'
+ - '*stopping ip6tables*'
+ - '*stopping firewalld*'
+ - '*stopping cbdaemon*'
+ - '*stopping falcon-sensor*'
+ condition: keywords
From c17e8574df9c0dd2082bfbce6608965dc9db497b Mon Sep 17 00:00:00 2001
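Review bot: In the refactor hunk, `iptables_3` and `iptables_4` pair `ProcessName|endswith: chkconfig` with `CommandLine|contains|all` on `'iptables'`/`'ip6tables'` and `'stop'`, but chkconfig's verb is `off`, not `stop` — the keyword list this hunk removes had `chkconfig off iptables`, and `carbonblack_2` in the same hunk correctly uses `'off'` — so those two selections can never fire and the chkconfig path for iptables is silently lost. Change the second term to `- 'off'` in both `iptables_3` and `iptables_4`. The `selinux` selection also deserves a comment such as `# setenforce 0 == permissive; setenforce Permissive is the equivalent spelling` so the next editor knows why `'0'` alone is thin.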
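Review bot: The new syslog document in the `@@ -89,10 +98,15 @@` hunk only has lowercase `*stopping …*` keywords, while the systemd unit messages that end up in syslog are `Stopping …`/`Stopped …` with a capital S, so whether this branch matches at all depends on the backend's case handling for keyword searches — worth adding the capitalised forms or confirming the target backends fold case. The syslog branch is also strictly narrower than the process_creation one: `systemctl disable`, `chkconfig off`, `systemctl mask` and `setenforce 0` produce no "stopping" line, so a comment like `# syslog only sees service stops; disable/mask and setenforce are covered by the process_creation section` would document the asymmetry for maintainers.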
From: yugoslavskiy
Date: Fri, 6 Nov 2020 20:56:08 +0100
Subject: [PATCH 5/7] change the syntax a bit and removed `.service` suffix as it is
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[redundant](https://www.freedesktop.org/software/systemd/man/systemctl.html]: ``` Unit commands listed above take either a single unit name (designated as UNIT), or multiple unit specifications (designated as PATTERN…). In the first case, the unit name with or without a suffix must be given. If the suffix is not specified (unit name is "abbreviated"), systemctl will append a suitable suffix, ".service" by default, and a type-specific suffix in case of commands which operate only on specific unit types. For example, # systemctl start sshd and # systemctl start sshd.service are equivalent ```
---
 rules/linux/lnx_security_tools_disabling.yml | 49 +++++++------------
 1 file changed, 17 insertions(+), 32 deletions(-)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index a6a5fe01..72643ae3 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -3,10 +3,9 @@ title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal, Alejandro Ortuno
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 falsepositives:
 - Legitimate administration activities
@@ -21,82 +20,68 @@ logsource:
 product: linux
 detection:
 iptables_1:
- ProcessName|endswith:
- - 'service'
+ ProcessName|endswith: '/service'
 CommandLine|contains|all:
 - 'iptables'
 - 'stop'
 iptables_2:
- ProcessName|endswith:
- - 'service'
+ ProcessName|endswith: '/service'
 CommandLine|contains|all:
 - 'ip6tables'
 - 'stop'
 iptables_3:
- ProcessName|endswith:
- - 'chkconfig'
+ ProcessName|endswith: '/chkconfig'
 CommandLine|contains|all:
 - 'iptables'
 - 'stop'
 iptables_4:
- ProcessName|endswith:
- - 'chkconfig'
+ ProcessName|endswith: '/chkconfig'
 CommandLine|contains|all:
 - 'ip6tables'
 - 'stop'
 firewall_1:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'firewalld'
 - 'stop'
 firewall_2:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'firewalld'
 - 'disable'
 carbonblack_1:
- ProcessName|endswith:
- - 'service'
+ ProcessName|endswith: '/service'
 CommandLine|contains|all:
 - 'cbdaemon'
 - 'stop'
 carbonblack_2:
- ProcessName|endswith:
- - 'chkconfig'
+ ProcessName|endswith: '/chkconfig'
 CommandLine|contains|all:
 - 'cbdaemon'
 - 'off'
 carbonblack_3:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'cbdaemon'
 - 'stop'
 carbonblack_4:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'cbdaemon'
 - 'disable'
 selinux:
- ProcessName|endswith:
- - 'setenforce'
- CommandLine|contains:
- - '0'
+ ProcessName|endswith: '/setenforce'
+ CommandLine|contains: '0'
 crowdstrike_1:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'stop'
- - 'falcon-sensor.service'
+ - 'falcon-sensor'
 crowdstrike_2:
- ProcessName|endswith:
- - 'systemctl'
+ ProcessName|endswith: '/systemctl'
 CommandLine|contains|all:
 - 'disable'
- - 'falcon-sensor.service'
+ - 'falcon-sensor'
 condition: 1 of them
 ---
 logsource:
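Review bot: The rewritten `selinux` selection still matches only `setenforce 0`; `setenforce Permissive` (setenforce accepts the word case-insensitively) puts the policy in the same permissive state and is missed, which is a gap a tester following the referenced T1562.004 atomic would hit. Changing the scalar back to a list, `CommandLine|contains:` with `- '0'` and `- 'permissive'`, closes it, subject to how the target backend handles case in `contains`. Separately, every `ProcessName|endswith` value now starts with `/`, so it only matches a path-qualified process name; if the Linux process_creation source in the field mapping reports the bare executable name, none of these selections will fire — worth confirming against the backend field mapping before the rule leaves `experimental`.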
From a0a5bfe2043ff4eae380c0ff0732c71dff3f0516 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 Nov 2020 22:57:01 +0100
Subject: [PATCH 6/7] Removed ES query tests
---
 .github/workflows/sigma-test.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 8703e1bf..d451debb 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -23,18 +23,9 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install -r tools/requirements.txt -r tools/requirements-devel.txt
- wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- sudo apt install -y apt-transport-https
- echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list
- sudo apt update
- sudo apt install -y elasticsearch
- sudo systemctl start elasticsearch
 - name: Test Sigma Tools and Rules
 run: |
 make test
- - name: Test Generated Elasticsearch Query Strings
- run: |
- make test-backend-es-qs
 - name: Test SQL(ite) Backend
 run: |
 make test-backend-sql
From cfcda8d25fd191efa28d611f94d7a45829e81786 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Fri, 20 Nov 2020 09:29:09 +0100
Subject: [PATCH 7/7] Trigger new test execution
---
 rules/linux/lnx_security_tools_disabling.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 72643ae3..8f812b38 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -87,7 +87,7 @@ detection:
 logsource:
 product: linux
 service: syslog
-detection:
+detection:
 keywords:
 - '*stopping iptables*'
 - '*stopping ip6tables*'
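Review bot: Removing the `Test Generated Elasticsearch Query Strings` step drops the only CI check that the es-qs backend still produces valid queries for the rule set, and neither the commit message nor the workflow records why. The step sat next to an Elasticsearch apt install, so it presumably validated generated queries against a live node; if that install is what became unreliable, a lighter check that only exercises sigmac's es-qs output (no cluster) could be kept, or the es-qs target folded into the existing `make test` step. At minimum add a comment in the workflow, e.g. `# es-qs backend test removed: required a live Elasticsearch install in CI`, so the missing coverage is visible rather than silently forgotten.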