valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

conflict

Browse Source
This commit is contained in:
vunx2 2020-02-28 16:50:30 +07:00
commit 139600009b
628 changed files with 12088 additions and 3398 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -91,3 +91,6 @@ ENV/
# vi(m)
*.swp
settings.json
# VisualStudio
.vs/

25
.travis.yml
View File

@ -1,9 +1,9 @@
language: python
dist: xenial
python:
# - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- 3.6
- 3.7
# - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- 3.6
- 3.7
sudo: true
services:
- elasticsearch
@ -11,14 +11,15 @@ cache: pip
before_install:
- curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
install:
- pip install -r tools/requirements-devel.txt
- pip install -r tools/requirements-devel.txt
- pip install -r tests/requirements-test.txt
script:
- make test
- make test-backend-es-qs
- make test
- make test-backend-es-qs
notifications:
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always

142
CHANGELOG.md Normal file
View File

@ -0,0 +1,142 @@
# Release Notes
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## 0.16.0 - 2020-02-25
### Added
* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilitied for es-dsl backend.
* Azure log analytics rule backend (ala-rule)
* SQL backend
* Splunk Zeek sourcetype mapping config
* sigma2attack script
* Carbon Black backend and configuration
* ArcSight ESM backend
* Elasticsearch detection rule backend
### Changed
* Kibana object id is now Sigma rule id if available. Else
the old naming scheme is used.
* sigma2misp: replacement of deprecated method usage.
* Various configuration updates
* Extended ArcSight mapping
### Fixed
* Fixed aggregation queries for Elastalert backend
* Fixed aggregation queries for es-dsl backend
* Backend and configuration lists are sorted.
* Escaping in ala backend
## 0.15.0 - 2019-12-06
### Added
* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI
### Changed
* Type errors are now ignored with -I
### Fixed
* Removed wrong mapping of CommandLine field mapping in THOR config
## 0.14 - 2019-11-10
### Added
* sigma-similarity tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed.
* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
* Value modifiers:
* startswith
* endswith
### Changed
* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in es-qs backend
* Graylog backend now based on es-qs backend
### Fixed
* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic
process creation log source configuration.
## 0.13 - 2019-10-21
### Added
* Index mappings for Sumologic
* Malicious cmdlets in wdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in xpack-watcher backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
* utf16
* utf16le
* wide
* utf16be
### Changed
* Improved --backend-config help text
### Fixed
* Backend errors in ala
* Slash escaping within es-dsl wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in es-dsl backend
## 0.12.1 - 2019-08-05
### Fixed
* Missing build dependency
## 0.12 - 2019-08-01
### Added
* Usage of "Channel" field in ELK Windows configuration
* Fields to mappings
* xpack-watcher actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers
* Regular expression support
### Changed
* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error
### Fixed
* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions

38
CHANGELOG.md.j2 Normal file
View File

@ -0,0 +1,38 @@
## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})
### Added
{% for item in added %}
* {{ item | indent(2) }}
{% endfor %}
### Changed
{% for item in changed %}
* {{ item | indent(2) }}
{% endfor %}
### Deprecated
{% for item in deprecated %}
* {{ item | indent(2) }}
{% endfor %}
### Removed
{% for item in removed %}
* {{ item | indent(2) }}
{% endfor %}
### Fixed
{% for item in fixed %}
* {{ item | indent(2) }}
{% endfor %}
### Security
{% for item in security %}
* {{ item | indent(2) }}
{% endfor %}

13
LICENSE.Detection.Rules.md Normal file
View File

@ -0,0 +1,13 @@
# Detection Rule License (DRL) 1.0
Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License
THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.

19
Makefile
View File

@ -1,7 +1,7 @@
.PHONY: test test-rules test-sigmac
.PHONY: test test-rules test-sigmac test-sigma2attack
TMPOUT = $(shell tempfile||mktemp)
COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
test: clearcov test-rules test-sigmac test-merge build finish
COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish
clearcov:
rm -f .coverage
@ -13,6 +13,7 @@ finish:
test-rules:
yamllint rules
tests/test_rules.py
tools/sigma-uuid -Ver rules/
test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac
@ -34,14 +35,20 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@ -49,6 +56,7 @@ test-sigmac:
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
@ -89,8 +97,11 @@ test-merge:
test-backend-es-qs:
tests/test-backend-es-qs.py
test-sigma2attack:
coverage run -a --include=$(COVSCOPE) tools/sigma2attack
build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
cd tools && python3 setup.py bdist_wheel
cd tools && python3 setup.py bdist_wheel sdist
upload-test: build
twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/*

2
Pipfile
View File

@ -12,6 +12,8 @@ elasticsearch = "*"
elasticsearch-async = "*"
pymisp = "*"
PyYAML = ">=3.11"
progressbar2 = "*"
colorama = "*"
[requires]
python_version = "3.6"

325
Pipfile.lock generated
View File

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "5e571aa1a1b4f78e71563cc30e3f457c8359c36888c76b6ed68376dadce445bb"
"sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
},
"pipfile-spec": 6,
"requires": {
@ -18,30 +18,20 @@
"default": {
"aiohttp": {
"hashes": [
"sha256:00d198585474299c9c3b4f1d5de1a576cc230d562abc5e4a0e81d71a20a6ca55",
"sha256:0155af66de8c21b8dba4992aaeeabf55503caefae00067a3b1139f86d0ec50ed",
"sha256:09654a9eca62d1bd6d64aa44db2498f60a5c1e0ac4750953fdd79d5c88955e10",
"sha256:199f1d106e2b44b6dacdf6f9245493c7d716b01d0b7fbe1959318ba4dc64d1f5",
"sha256:296f30dedc9f4b9e7a301e5cc963012264112d78a1d3094cd83ef148fdf33ca1",
"sha256:368ed312550bd663ce84dc4b032a962fcb3c7cae099dbbd48663afc305e3b939",
"sha256:40d7ea570b88db017c51392349cf99b7aefaaddd19d2c78368aeb0bddde9d390",
"sha256:629102a193162e37102c50713e2e31dc9a2fe7ac5e481da83e5bb3c0cee700aa",
"sha256:6d5ec9b8948c3d957e75ea14d41e9330e1ac3fed24ec53766c780f82805140dc",
"sha256:87331d1d6810214085a50749160196391a712a13336cd02ce1c3ea3d05bcf8d5",
"sha256:9a02a04bbe581c8605ac423ba3a74999ec9d8bce7ae37977a3d38680f5780b6d",
"sha256:9c4c83f4fa1938377da32bc2d59379025ceeee8e24b89f72fcbccd8ca22dc9bf",
"sha256:9cddaff94c0135ee627213ac6ca6d05724bfe6e7a356e5e09ec57bd3249510f6",
"sha256:a25237abf327530d9561ef751eef9511ab56fd9431023ca6f4803f1994104d72",
"sha256:a5cbd7157b0e383738b8e29d6e556fde8726823dae0e348952a61742b21aeb12",
"sha256:a97a516e02b726e089cffcde2eea0d3258450389bbac48cbe89e0f0b6e7b0366",
"sha256:acc89b29b5f4e2332d65cd1b7d10c609a75b88ef8925d487a611ca788432dfa4",
"sha256:b05bd85cc99b06740aad3629c2585bda7b83bd86e080b44ba47faf905fdf1300",
"sha256:c2bec436a2b5dafe5eaeb297c03711074d46b6eb236d002c13c42f25c4a8ce9d",
"sha256:cc619d974c8c11fe84527e4b5e1c07238799a8c29ea1c1285149170524ba9303",
"sha256:d4392defd4648badaa42b3e101080ae3313e8f4787cb517efd3f5b8157eaefd6",
"sha256:e1c3c582ee11af7f63a34a46f0448fca58e59889396ffdae1f482085061a2889"
"sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e",
"sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326",
"sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a",
"sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654",
"sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a",
"sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4",
"sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17",
"sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec",
"sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd",
"sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48",
"sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59",
"sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965"
],
"version": "==3.5.4"
"version": "==3.6.2"
},
"async-timeout": {
"hashes": [
@ -52,17 +42,17 @@
},
"attrs": {
"hashes": [
"sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79",
"sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399"
"sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
"sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
],
"version": "==19.1.0"
"version": "==19.3.0"
},
"certifi": {
"hashes": [
"sha256:046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939",
"sha256:945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"
"sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
"sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
],
"version": "==2019.6.16"
"version": "==2019.11.28"
},
"chardet": {
"hashes": [
@ -71,58 +61,65 @@
],
"version": "==3.0.4"
},
"coverage": {
"colorama": {
"hashes": [
"sha256:08907593569fe59baca0bf152c43f3863201efb6113ecb38ce7e97ce339805a6",
"sha256:0be0f1ed45fc0c185cfd4ecc19a1d6532d72f86a2bac9de7e24541febad72650",
"sha256:141f08ed3c4b1847015e2cd62ec06d35e67a3ac185c26f7635f4406b90afa9c5",
"sha256:19e4df788a0581238e9390c85a7a09af39c7b539b29f25c89209e6c3e371270d",
"sha256:23cc09ed395b03424d1ae30dcc292615c1372bfba7141eb85e11e50efaa6b351",
"sha256:245388cda02af78276b479f299bbf3783ef0a6a6273037d7c60dc73b8d8d7755",
"sha256:331cb5115673a20fb131dadd22f5bcaf7677ef758741312bee4937d71a14b2ef",
"sha256:386e2e4090f0bc5df274e720105c342263423e77ee8826002dcffe0c9533dbca",
"sha256:3a794ce50daee01c74a494919d5ebdc23d58873747fa0e288318728533a3e1ca",
"sha256:60851187677b24c6085248f0a0b9b98d49cba7ecc7ec60ba6b9d2e5574ac1ee9",
"sha256:63a9a5fc43b58735f65ed63d2cf43508f462dc49857da70b8980ad78d41d52fc",
"sha256:6b62544bb68106e3f00b21c8930e83e584fdca005d4fffd29bb39fb3ffa03cb5",
"sha256:6ba744056423ef8d450cf627289166da65903885272055fb4b5e113137cfa14f",
"sha256:7494b0b0274c5072bddbfd5b4a6c6f18fbbe1ab1d22a41e99cd2d00c8f96ecfe",
"sha256:826f32b9547c8091679ff292a82aca9c7b9650f9fda3e2ca6bf2ac905b7ce888",
"sha256:93715dffbcd0678057f947f496484e906bf9509f5c1c38fc9ba3922893cda5f5",
"sha256:9a334d6c83dfeadae576b4d633a71620d40d1c379129d587faa42ee3e2a85cce",
"sha256:af7ed8a8aa6957aac47b4268631fa1df984643f07ef00acd374e456364b373f5",
"sha256:bf0a7aed7f5521c7ca67febd57db473af4762b9622254291fbcbb8cd0ba5e33e",
"sha256:bf1ef9eb901113a9805287e090452c05547578eaab1b62e4ad456fcc049a9b7e",
"sha256:c0afd27bc0e307a1ffc04ca5ec010a290e49e3afbe841c5cafc5c5a80ecd81c9",
"sha256:dd579709a87092c6dbee09d1b7cfa81831040705ffa12a1b248935274aee0437",
"sha256:df6712284b2e44a065097846488f66840445eb987eb81b3cc6e4149e7b6982e1",
"sha256:e07d9f1a23e9e93ab5c62902833bf3e4b1f65502927379148b6622686223125c",
"sha256:e2ede7c1d45e65e209d6093b762e98e8318ddeff95317d07a27a2140b80cfd24",
"sha256:e4ef9c164eb55123c62411f5936b5c2e521b12356037b6e1c2617cef45523d47",
"sha256:eca2b7343524e7ba246cab8ff00cab47a2d6d54ada3b02772e908a45675722e2",
"sha256:eee64c616adeff7db37cc37da4180a3a5b6177f5c46b187894e633f088fb5b28",
"sha256:ef824cad1f980d27f26166f86856efe11eff9912c4fed97d3804820d43fa550c",
"sha256:efc89291bd5a08855829a3c522df16d856455297cf35ae827a37edac45f466a7",
"sha256:fa964bae817babece5aa2e8c1af841bebb6d0b9add8e637548809d040443fee0",
"sha256:ff37757e068ae606659c28c3bd0d923f9d29a85de79bf25b2b34b148473b5025"
"sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
"sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
],
"index": "pypi",
"version": "==4.5.4"
"version": "==0.4.3"
},
"coverage": {
"hashes": [
"sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
"sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
"sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
"sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
"sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
"sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
"sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
"sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
"sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
"sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
"sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
"sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
"sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
"sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
"sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
"sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
"sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
"sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
"sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
"sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
"sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
"sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
"sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
"sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
"sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
"sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
"sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
"sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
"sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
"sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
"sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
],
"index": "pypi",
"version": "==5.0.3"
},
"deprecated": {
"hashes": [
"sha256:a515c4cf75061552e0284d123c3066fbbe398952c87333a92b8fc3dd8e4f9cc1",
"sha256:b07b414c8aac88f60c1d837d21def7e83ba711052e03b3cbaff27972567a8f8d"
"sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
"sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
],
"version": "==1.2.6"
"version": "==1.2.7"
},
"elasticsearch": {
"hashes": [
"sha256:cbc73831c63fa2824538df76fcb2c4be007b43dbd9e7788ae70ea6d24109925b",
"sha256:d1b176b87a7fb75dca82978c82a4023e8b21cbc98f4018cb51190fb0b8b43764"
"sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
"sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
],
"index": "pypi",
"version": "==7.0.2"
"version": "==7.5.1"
},
"elasticsearch-async": {
"hashes": [
@ -146,93 +143,102 @@
"markers": "python_version < '3.7'",
"version": "==1.1.0"
},
"importlib-metadata": {
"hashes": [
"sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
"sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
],
"markers": "python_version < '3.8'",
"version": "==1.5.0"
},
"jsonschema": {
"hashes": [
"sha256:5f9c0a719ca2ce14c5de2fd350a64fd2d13e8539db29836a86adc990bb1a068f",
"sha256:8d4a2b7b6c2237e0199c8ea1a6d3e05bf118e289ae2b9d7ba444182a2959560d"
"sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
"sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
],
"version": "==3.0.2"
"version": "==3.2.0"
},
"multidict": {
"hashes": [
"sha256:024b8129695a952ebd93373e45b5d341dbb87c17ce49637b34000093f243dd4f",
"sha256:041e9442b11409be5e4fc8b6a97e4bcead758ab1e11768d1e69160bdde18acc3",
"sha256:045b4dd0e5f6121e6f314d81759abd2c257db4634260abcfe0d3f7083c4908ef",
"sha256:047c0a04e382ef8bd74b0de01407e8d8632d7d1b4db6f2561106af812a68741b",
"sha256:068167c2d7bbeebd359665ac4fff756be5ffac9cda02375b5c5a7c4777038e73",
"sha256:148ff60e0fffa2f5fad2eb25aae7bef23d8f3b8bdaf947a65cdbe84a978092bc",
"sha256:1d1c77013a259971a72ddaa83b9f42c80a93ff12df6a4723be99d858fa30bee3",
"sha256:1d48bc124a6b7a55006d97917f695effa9725d05abe8ee78fd60d6588b8344cd",
"sha256:31dfa2fc323097f8ad7acd41aa38d7c614dd1960ac6681745b6da124093dc351",
"sha256:34f82db7f80c49f38b032c5abb605c458bac997a6c3142e0d6c130be6fb2b941",
"sha256:3d5dd8e5998fb4ace04789d1d008e2bb532de501218519d70bb672c4c5a2fc5d",
"sha256:4a6ae52bd3ee41ee0f3acf4c60ceb3f44e0e3bc52ab7da1c2b2aa6703363a3d1",
"sha256:4b02a3b2a2f01d0490dd39321c74273fed0568568ea0e7ea23e02bd1fb10a10b",
"sha256:4b843f8e1dd6a3195679d9838eb4670222e8b8d01bc36c9894d6c3538316fa0a",
"sha256:5de53a28f40ef3c4fd57aeab6b590c2c663de87a5af76136ced519923d3efbb3",
"sha256:61b2b33ede821b94fa99ce0b09c9ece049c7067a33b279f343adfe35108a4ea7",
"sha256:6a3a9b0f45fd75dc05d8e93dc21b18fc1670135ec9544d1ad4acbcf6b86781d0",
"sha256:76ad8e4c69dadbb31bad17c16baee61c0d1a4a73bed2590b741b2e1a46d3edd0",
"sha256:7ba19b777dc00194d1b473180d4ca89a054dd18de27d0ee2e42a103ec9b7d014",
"sha256:7c1b7eab7a49aa96f3db1f716f0113a8a2e93c7375dd3d5d21c4941f1405c9c5",
"sha256:7fc0eee3046041387cbace9314926aa48b681202f8897f8bff3809967a049036",
"sha256:8ccd1c5fff1aa1427100ce188557fc31f1e0a383ad8ec42c559aabd4ff08802d",
"sha256:8e08dd76de80539d613654915a2f5196dbccc67448df291e69a88712ea21e24a",
"sha256:c18498c50c59263841862ea0501da9f2b3659c00db54abfbf823a80787fde8ce",
"sha256:c49db89d602c24928e68c0d510f4fcf8989d77defd01c973d6cbe27e684833b1",
"sha256:ce20044d0317649ddbb4e54dab3c1bcc7483c78c27d3f58ab3d0c7e6bc60d26a",
"sha256:d1071414dd06ca2eafa90c85a079169bfeb0e5f57fd0b45d44c092546fcd6fd9",
"sha256:d3be11ac43ab1a3e979dac80843b42226d5d3cccd3986f2e03152720a4297cd7",
"sha256:db603a1c235d110c860d5f39988ebc8218ee028f07a7cbc056ba6424372ca31b"
"sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
"sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
"sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
"sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
"sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
"sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
"sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
"sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
"sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
"sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
"sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
"sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
"sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
"sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
"sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
"sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
"sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
],
"version": "==4.5.2"
"version": "==4.7.4"
},
"pathspec": {
"hashes": [
"sha256:54a5eab895d89f342b52ba2bffe70930ef9f8d96e398cccf530d21fa0516a873"
"sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
"sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
],
"version": "==0.5.9"
"version": "==0.7.0"
},
"progressbar2": {
"hashes": [
"sha256:7538d02045a1fd3aa2b2834bfda463da8755bd3ff050edc6c5ddff3bc616215f",
"sha256:eb774d1e0d03ea4730f381c13c2c6ae7abb5ddfb14d8321d7a58a61aa708f0d0"
],
"index": "pypi",
"version": "==3.47.0"
},
"pymisp": {
"hashes": [
"sha256:5bff5e7705d2697fd6e7110d1f316688d6106795cba4d453eec8c78c18b0e9f7",
"sha256:85d319e0e1d4e53a901501ad74679f3802201b5e12df2da443aaae1d2443e3b1",
"sha256:a2fe66bada1186abc6237dc151473e307619685b8168aaeb31b6112528638d9e"
"sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
"sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
],
"index": "pypi",
"version": "==2.4.112"
"version": "==2.4.120"
},
"pyrsistent": {
"hashes": [
"sha256:34b47fa169d6006b32e99d4b3c4031f155e6e68ebcc107d6454852e8e0ee6533"
"sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
],
"version": "==0.15.4"
"version": "==0.15.7"
},
"python-dateutil": {
"hashes": [
"sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
"sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
"version": "==2.8.0"
"version": "==2.8.1"
},
"python-utils": {
"hashes": [
"sha256:34aaf26b39b0b86628008f2ae0ac001b30e7986a8d303b61e1357dfcdad4f6d3",
"sha256:e25f840564554eaded56eaa395bca507b0b9e9f0ae5ecb13a8cb785305c56d25"
],
"version": "==2.3.0"
},
"pyyaml": {
"hashes": [
"sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9",
"sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4",
"sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8",
"sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696",
"sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34",
"sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9",
"sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73",
"sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299",
"sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b",
"sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae",
"sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681",
"sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41",
"sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8"
"sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
"sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
"sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
"sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
"sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
"sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
"sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
"sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
"sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
"sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
"sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
],
"index": "pypi",
"version": "==5.1.2"
"version": "==5.3"
},
"requests": {
"hashes": [
@ -243,26 +249,26 @@
},
"six": {
"hashes": [
"sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
"sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
"sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
"sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
],
"version": "==1.12.0"
"version": "==1.14.0"
},
"typing-extensions": {
"hashes": [
"sha256:2ed632b30bb54fc3941c382decfd0ee4148f5c591651c9272473fea2c6397d95",
"sha256:b1edbbf0652660e32ae780ac9433f4231e7339c7f9a8057d0f042fcbcea49b87",
"sha256:d8179012ec2c620d3791ca6fe2bf7979d979acdbef1fca0bc56b37411db682ed"
"sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
"sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
"sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
],
"markers": "python_version < '3.7'",
"version": "==3.7.4"
"version": "==3.7.4.1"
},
"urllib3": {
"hashes": [
"sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1",
"sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232"
"sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
"sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
],
"version": "==1.25.3"
"version": "==1.25.8"
},
"wrapt": {
"hashes": [
@ -272,27 +278,40 @@
},
"yamllint": {
"hashes": [
"sha256:9a4fec2d40804979de5f54453fd1551bc1f8b59a7ad4a26fd7f26aeca34a83af",
"sha256:f97cd763fe7b588444a94cc44fd3764b832a613b5250baa2bfe8b84c91e4c330"
"sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
"sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
],
"index": "pypi",
"version": "==1.16.0"
"version": "==1.20.0"
},
"yarl": {
"hashes": [
"sha256:024ecdc12bc02b321bc66b41327f930d1c2c543fa9a561b39861da9388ba7aa9",
"sha256:2f3010703295fbe1aec51023740871e64bb9664c789cba5a6bdf404e93f7568f",
"sha256:3890ab952d508523ef4881457c4099056546593fa05e93da84c7250516e632eb",
"sha256:3e2724eb9af5dc41648e5bb304fcf4891adc33258c6e14e2a7414ea32541e320",
"sha256:5badb97dd0abf26623a9982cd448ff12cb39b8e4c94032ccdedf22ce01a64842",
"sha256:73f447d11b530d860ca1e6b582f947688286ad16ca42256413083d13f260b7a0",
"sha256:7ab825726f2940c16d92aaec7d204cfc34ac26c0040da727cf8ba87255a33829",
"sha256:b25de84a8c20540531526dfbb0e2d2b648c13fd5dd126728c496d7c3fea33310",
"sha256:c6e341f5a6562af74ba55205dbd56d248daf1b5748ec48a0200ba227bb9e33f4",
"sha256:c9bb7c249c4432cd47e75af3864bc02d26c9594f49c82e2a28624417f0ae63b8",
"sha256:e060906c0c585565c718d1c3841747b61c5439af2211e185f6739a9412dfbde1"
"sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
"sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
"sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
"sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
"sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
"sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
"sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
"sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
"sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
"sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
"sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
"sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
"sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
"sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
"sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
"sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
"sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
],
"version": "==1.3.0"
"version": "==1.4.2"
},
"zipp": {
"hashes": [
"sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
"sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
],
"version": "==2.1.0"
}
},
"develop": {}

21
README.md
View File

@ -1,21 +0,0 @@
1. Sửa host và API Token trong code:
* Đường dẫn: *sigma/tools/sigma/backends/carbonblack.py* - line 145.
> url = host CarbonBlack
> X-Auth-Token = API Token từ profile admin
2. Chạy lệnh gọi chuyển rules lên watchlist qua API:
**cd /sigma/tools**
**python3 sigmac -t carbonblack -c carbonblack -r <rule directory>**
Example:
python3 sigmac -t carbonblack -c carbonblack -r /sigmaRules_tuned

2
_config.yml
View File

@ -1 +1 @@
theme: jekyll-theme-hacker
theme: jekyll-theme-minimal

32
contrib/filter-uuid-patch Executable file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env python3
# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
# comments etc.) of sigma-uuid script.
#
# Usually used as follows:
# 1. Add UUIDs to rules:
# tools/sigma-uuid -er rules
# 2. Generate and filter patch
# git diff | contrib/filter-uuid-patch > rule-uuid.diff
# 3. Reset to previous state
# git reset --hard
# 4. Apply filtered patch
# patch -p1 < rule-uuid.diff
#
# This tool requires an installed unidiff package.
from unidiff import PatchSet
from sys import argv, stdin
try:
with open(argv[1], "r") as f:
patch = PatchSet(f.readlines())
except IndexError:
patch = PatchSet(stdin.readlines())
for patched_file in patch:
for h in reversed(range(len(patched_file))):
hunk = patched_file[h]
if not any([ line.is_added and line.value.startswith("id: ") for line in hunk ]):
del patched_file[h]
print(str(patch))

BIN
images/sigma2attack.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 344 KiB

42
rules-unsupported/net_dns_high_subdomain_rate.yml Normal file
View File

@ -0,0 +1,42 @@
title: High DNS subdomain requests rate per domain
id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
dns_question_name:
query: "*"
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
timeframe: 15m
condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
# for each host in timeframe
# for each dns_question_etld_plus_one
# if number of dns_question_name > 200
# dns_question_etld_plus_one is not in default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental

37
rules-unsupported/net_dns_large_domain_name.yml Normal file
View File

@ -0,0 +1,37 @@
title: Large domain name request
id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
description: Detects large DNS domain names
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
query_length: "> 70" # IS MORE THAN 70 bytes
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
condition: selection and not default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental

23
rules-unsupported/net_possible_dns_rebinding.yml Normal file
View File

@ -0,0 +1,23 @@
title: Possible DNS Rebinding
id: ec5b8711-b550-4879-9660-568aaae2c3ea
status: experimental
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: dns
detection:
selection:
answer: '*'
filter1:
ttl: '>0'
filter2:
ttl: '<10'
timeframe: 30s
condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium

48
rules-unsupported/sysmon_process_reimaging.yml Normal file
View File

@ -0,0 +1,48 @@
action: global
title: Defense evasion via process reimaging
id: 7fa4f550-850e-4117-b543-428c86ebb849
description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFileName
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
# Rule logic is currently not supported by SIGMA.
# Sysmon v.10.0 or newer is required for proper detection.
status: experimental
author: Alexey Balandin, oscd.community
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
tags:
- attack.defense_evasion
date: 2019/10/25
detection:
condition: all of them
falsepositives:
- unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection1:
category: process_creation
fields:
- Image
- OriginalFileName
- ParentProcessGuid
new_fields:
- ImageFileName
---
logsource:
product: windows
service: sysmon
detection:
selection2:
EventID: 11
fields:
- ProcessGuid
- TargetFileName

34
rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml Normal file
View File

@ -0,0 +1,34 @@
title: Dumping ntds.dit remotely via DCSync
id: 51238c62-2b29-4539-ad75-e94575368a12
description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/24
modified: 2019/11/13
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4624
ComputerName: '%DomainControllersNamesList%'
selection2:
IpAddress: '%DomainControllersIpsList%'
selection3:
EventID: 4662
ComputerName: '%DomainControllersNamesList%'
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental

30
rules-unsupported/win_dumping_ntdsdit_via_netsync.yml Normal file
View File

@ -0,0 +1,30 @@
title: Dumping ntds.dit remotely via NetSync
id: 757b2a11-73e7-411a-bd46-141d906e0167
description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4624
ComputerName: '%DomainControllersNamesList%'
selection2:
IpAddress: '%DomainControllersIpsList%'
selection3:
EventID: 5145
ComputerName: '%DomainControllersNamesList%'
ShareName|contains: '\IPC$'
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
RelativeTargetName: 'netlogon'
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental

3
rules/application/app_python_sql_exceptions.yml
View File

@ -1,6 +1,8 @@
title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
description: Generic rule for SQL exceptions in Python according to PEP 249
author: Thomas Patzke
date: 2017/08/12
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
logsource:
@ -17,4 +19,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium

2
rules/application/app_sqlinjection_errors.yml
View File

@ -1,7 +1,9 @@
title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
references:
- http://www.sqlinjection.net/errors
logsource:

5
rules/application/appframework_django_exceptions.yml
View File

@ -1,6 +1,8 @@
title: Django framework exceptions
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/05
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@ -28,4 +30,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium

5
rules/application/appframework_ruby_on_rails_exceptions.yml
View File

@ -1,6 +1,8 @@
title: Ruby on Rails framework exceptions
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
@ -21,4 +23,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium

5
rules/application/appframework_spring_exceptions.yml
View File

@ -1,6 +1,8 @@
title: Spring framework exceptions
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
logsource:
@ -20,4 +22,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium

33
rules/apt/apt_silence_downloader_v3.yml Normal file
View File

@ -0,0 +1,33 @@
title: Silence.Downloader V3
id: 170901d1-de11-4de7-bccb-8fa13678d857
status: experimental
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/22
tags:
- attack.persistence
- attack.g0091
logsource:
category: process_creation
product: windows
detection:
selection_recon:
Image|endswith:
- '\tasklist.exe'
- '\qwinsta.exe'
- '\ipconfig.exe'
- '\hostname.exe'
CommandLine|contains: '>>'
CommandLine|endswith: 'temps.dat'
selection_persistence:
CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
condition: selection_recon | near selection_persistence # requires both
fields:
- ComputerName
- User
- Image
- CommandLine
falsepositives:
- Unknown
level: high

34
rules/apt/apt_silence_eda.yml Normal file
View File

@ -0,0 +1,34 @@
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: experimental
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/20
tags:
- attack.g0091
- attack.s0363
logsource:
product: windows
service: powershell
detection:
empire:
ScriptBlockText|contains|all: # better to randomise the order
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
ScriptBlockText|contains|all: # better to randomise the order
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical

19
rules/apt/apt_sofacy_zebrocy.yml
View File

@ -1,19 +0,0 @@
title: Sofacy Zebrocy
author: Florian Roth
description: Detects Sofacy's Zebrocy malware execution
references:
- https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
tags:
- attack.execution
- attack.g0020
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
condition: selection
falsepositives:
- Unknown
level: critical

24
rules/cloud/aws_cloudtrail_disable_logging.yml Normal file
View File

@ -0,0 +1,24 @@
title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects disabling, deleting and updating of a Trail
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
level: medium
falsepositives:
- Valid change in a Trail
tags:
- attack.t1089

21
rules/cloud/aws_config_disable_recording.yml Normal file
View File

@ -0,0 +1,21 @@
title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects AWS Config Service disabling
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- attack.t1089

24
rules/cloud/aws_ec2_download_userdata.yml Normal file
View File

@ -0,0 +1,24 @@
title: AWS EC2 Download Userdata
id: 26ff4080-194e-47e7-9889-ef7602efed0c
status: experimental
author: faloker
date: 2020/02/11
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_requesttype:
- requestParameters.attribute: userData
selection_eventname:
- eventName: DescribeInstanceAttribute
timeframe: 30m
condition: all of them | count() > 10
level: medium
falsepositives:
- Assets management software like device42
tags:
- attack.t1020

23
rules/cloud/aws_ec2_startup_script_change.yml Normal file
View File

@ -0,0 +1,23 @@
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: experimental
author: faloker
date: 2020/02/12
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_userdata:
- requestParameters.userData: "*"
selection_eventname:
- eventName: ModifyInstanceAttribute
condition: all of them
level: high
falsepositives:
- Valid changes to the startup script
tags:
- attack.t1064

21
rules/cloud/aws_guardduty_disruption.yml Normal file
View File

@ -0,0 +1,21 @@
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: experimental
author: faloker
date: 2020/02/11
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: guardduty.amazonaws.com
selection_eventName:
- eventName: CreateIPSet
condition: all of them
level: high
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
- attack.t1089

29
rules/cloud/aws_iam_backdoor_users_keys.yml Normal file
View File

@ -0,0 +1,29 @@
title: AWS IAM Backdoor Users Keys
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: experimental
author: faloker
date: 2020/02/12
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: CreateAccessKey
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName
- errorCode
- errorMessage
level: medium
falsepositives:
- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
- AWS API keys legitimate exchange workflows
tags:
- attack.t1098

23
rules/cloud/aws_rds_change_master_password.yml Normal file
View File

@ -0,0 +1,23 @@
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: experimental
author: faloker
date: 2020/02/12
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_modified_values:
- responseElements.pendingModifiedValues.masterUserPassword: "*"
selection_eventname:
- eventName: ModifyDBInstance
condition: all of them
level: medium
falsepositives:
- Benign changes to a db instance
tags:
- attack.t1020

23
rules/cloud/aws_rds_public_db_restore.yml Normal file
View File

@ -0,0 +1,23 @@
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: experimental
author: faloker
date: 2020/02/12
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_ispublic:
- responseElements.publiclyAccessible: "true"
selection_eventname:
- eventName: RestoreDBInstanceFromDBSnapshot
condition: all of them
level: high
falsepositives:
- unknown
tags:
- attack.t1020

21
rules/cloud/aws_root_account_usage.yml Normal file
View File

@ -0,0 +1,21 @@
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects AWS root account usage
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
logsource:
service: cloudtrail
detection:
selection_usertype:
- userIdentity.type: Root
selection_eventtype:
- eventType: AwsServiceEvent
condition: selection_usertype AND NOT selection_eventtype
level: medium
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
tags:
- attack.t1078

109
rules/compliance/cleartext_protocols.yml
View File

@ -1,109 +0,0 @@
action: global
title: Cleartext Protocol Usage
description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
---
logsource:
product: netflow
detection:
selection:
destination.port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 1433
- 11211
- 3306
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
condition: selection
---
logsource:
product: firewall
detection:
selection1:
destination.port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 3306
- 1433
- 11211
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
selection2:
action:
- forward
- accept
- 2
condition: selection1 AND selection2

107
rules/compliance/default_credentials_usage.yml
View File

@ -1,107 +0,0 @@
title: Default Credentials Usage
description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
status: stable
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
date: 2019/03/26
logsource:
product: qualys
detection:
selection:
host.scan.vuln:
- 10693
- 11507
- 11633
- 11804
- 11821
- 11847
- 11867
- 11931
- 11935
- 11950
- 12541
- 12558
- 12559
- 12560
- 12562
- 12563
- 12565
- 12587
- 12590
- 12599
- 12702
- 12705
- 12706
- 12907
- 12928
- 12929
- 13053
- 13178
- 13200
- 13218
- 13241
- 13253
- 13274
- 13296
- 13301
- 13327
- 13373
- 13374
- 13409
- 13530
- 13532
- 20065
- 20073
- 20081
- 27202
- 27358
- 38702
- 38719
- 42045
- 42417
- 43029
- 43220
- 43221
- 43222
- 43223
- 43225
- 43246
- 43431
- 43484
- 86857
- 87098
- 87106
condition: selection
falsepositives:
- unknown
level: medium
tags:
- CSC4
- CSC4.2
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7

51
rules/compliance/group_modification_logging.yml
View File

@ -1,51 +0,0 @@
title: Group Modification Logging
description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a Member is added to a Security Group. Event ID 4729 indicates a Member is removed from a Security enabled-group. Event ID 4730 indicates aSecurity Group is deleted. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
author: Alexandr Yampolskyi, SOC Prime
status: stable
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
date: 2019/03/26
logsource:
product: windows
service: security
detection:
selection:
EventID: 178
condition: selection
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7

29
rules/compliance/host_without_firewall.yml
View File

@ -1,29 +0,0 @@
title: Host Without Firewall
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
date: 2019/03/19
status: stable
level: low
logsource:
product: Qualys
detection:
selection:
event.category: Security Policy
host.scan.vuln_name: Firewall Product Not Detected*
condition: selection
tags:
- CSC9
- CSC9.4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 DE.AE-1
- ISO 27002-2013 A.9.1.2
- ISO 27002-2013 A.13.2.1
- ISO 27002-2013 A.13.2.2
- ISO 27002-2013 A.14.1.2
- PCI DSS 3.2 1.4

44
rules/compliance/workstation_was_locked.yml
View File

@ -1,44 +0,0 @@
title: Locked Workstation
description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
author: Alexandr Yampolskyi, SOC Prime
status: stable
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
date: 2019/03/26
logsource:
product: windows
service: security
detection:
selection:
EventID: 4800
condition: selection
falsepositives:
- unknown
level: low
tags:
- CSC16
- CSC16.11
- ISO27002-2013 A.9.1.1
- ISO27002-2013 A.9.2.1
- ISO27002-2013 A.9.2.2
- ISO27002-2013 A.9.2.3
- ISO27002-2013 A.9.2.4
- ISO27002-2013 A.9.2.5
- ISO27002-2013 A.9.2.6
- ISO27002-2013 A.9.3.1
- ISO27002-2013 A.9.4.1
- ISO27002-2013 A.9.4.3
- ISO27002-2013 A.11.2.8
- PCI DSS 3.1 7.1
- PCI DSS 3.1 7.2
- PCI DSS 3.1 7.3
- PCI DSS 3.1 8.7
- PCI DSS 3.1 8.8
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.PT-3

25
rules/generic/generic_brute_force.yml Normal file
View File

@ -0,0 +1,25 @@
title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
tags:
- attack.t1110
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
status: experimental
logsource:
category: authentication
detection:
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
fields:
- src_ip
- dst_ip
- user
falsepositives:
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
level: medium

5
rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
View File

@ -1,4 +1,5 @@
title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: experimental
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
references:
@ -17,7 +18,7 @@ detection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'

34
rules/linux/auditd/lnx_auditd_auditing_config_change.yml Normal file
View File

@ -0,0 +1,34 @@
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
description: Detect changes in auditd configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high

24
rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml Normal file
View File

@ -0,0 +1,24 @@
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
tags:
- attack.defense_evasion
- attack.t1055
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
level: high

33
rules/linux/auditd/lnx_auditd_logging_config_change.yml Normal file
View File

@ -0,0 +1,33 @@
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
description: Detect changes of syslog daemons configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/syslog-ng/syslog-ng.conf
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high

24
rules/linux/auditd/lnx_auditd_masquerading_crond.yml Normal file
View File

@ -0,0 +1,24 @@
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: experimental
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
observation. Several different variations of this technique have been observed.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
logsource:
product: linux
service: auditd
detection:
selection:
type: 'execve'
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
a3: '*/crond'
condition: selection
level: medium
tags:
- attack.defense_evasion
- attack.t1036

9
rules/linux/auditd/lnx_auditd_susp_cmds.yml
View File

@ -1,8 +1,9 @@
title: Detects Suspicious Commands on Linux systems
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: experimental
description: Detects relevant commands often related to malware or hacking activity
references:
- 'Internal Research - mostly derived from exploit code including code in MSF'
- Internal Research - mostly derived from exploit code including code in MSF
date: 2017/12/12
author: Florian Roth
logsource:
@ -17,7 +18,7 @@ detection:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
@ -28,4 +29,4 @@ detection:
condition: 1 of them
falsepositives:
- Admin activity
level: medium
level: medium

3
rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
View File

@ -1,8 +1,9 @@
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: experimental
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
- 'Internal Research'
- Internal Research
date: 2018/01/23
author: Florian Roth
logsource:

26
rules/linux/auditd/lnx_auditd_user_discovery.yml Normal file
View File

@ -0,0 +1,26 @@
title: System Owner or User Discovery
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: experimental
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
the adversary fully infects the target and/or attempts specific actions.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0:
- 'users'
- 'w'
- 'who'
condition: selection
falsepositives:
- Admin activity
level: low
tags:
- attack.discovery
- attack.t1033

25
rules/linux/auditd/lnx_auditd_web_rce.yml Normal file
View File

@ -0,0 +1,25 @@
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: experimental
description: Detects posible command execution by web application/web shell
tags:
- attack.persistence
- attack.t1100
references:
- personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
key: 'detect_execve_www'
condition: selection
falsepositives:
- Admin activity
- Crazy web applications
level: critical

32
rules/linux/auditd/lnx_data_compressed.yml Normal file
View File

@ -0,0 +1,32 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
level: low
tags:
- attack.exfiltration
- attack.t1002

32
rules/linux/auditd/lnx_network_sniffing.yml Normal file
View File

@ -0,0 +1,32 @@
title: Network Sniffing
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: experimental
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
level: low
tags:
- attack.credential_access
- attack.discovery
- attack.t1040

2
rules/apt/apt_equationgroup_lnx.yml → rules/linux/lnx_apt_equationgroup_lnx.yml
View File

@ -1,4 +1,5 @@
title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
- https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
@ -7,6 +8,7 @@ tags:
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2017/04/09
logsource:
product: linux
detection:

3
rules/linux/lnx_buffer_overflows.yml
View File

@ -1,5 +1,8 @@
title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
description: Detects buffer overflow attempts in Unix system log files
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
logsource:

23
rules/linux/lnx_chattr_immutable_removal.yml Normal file
View File

@ -0,0 +1,23 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
description: Detects removing immutable file attribute
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
level: medium
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml

3
rules/linux/lnx_clamav.yml
View File

@ -1,5 +1,8 @@
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
description: Detects relevant ClamAV messages
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
logsource:

25
rules/linux/lnx_dd_delete_file.yml Normal file
View File

@ -0,0 +1,25 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
date: 2019/10/23
description: Detects overwriting (effectively wiping/deleting) the file
author: Jakob Weinzettl, oscd.community
tags:
- attack.impact
- attack.t1485
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'dd'
a1|contains:
- 'if=/dev/null'
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
level: low
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml

24
rules/linux/lnx_file_or_folder_permissions.yml Normal file
View File

@ -0,0 +1,24 @@
title: File or Folder Permissions Change
description: Detects
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains:
- 'chmod'
- 'chown'
condition: selection
falsepositives:
- User interracting with files permissions (normal/daily behaviour)
level: low
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml

27
rules/linux/lnx_pers_systemd_reload.yml Normal file
View File

@ -0,0 +1,27 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
description: Detects a reload or a start of a service
status: experimental
tags:
- attack.persistence
- attack.t1501
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'systemctl'
a1|contains:
- 'daemon-reload'
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
level: low
references:
- https://attack.mitre.org/techniques/T1501/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml

6
rules/linux/lnx_shell_clear_cmd_history.yml
View File

@ -1,9 +1,11 @@
title: Clear Command History
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: experimental
description: Clear command history in linux which is used for defense evasion.
description: Clear command history in linux which is used for defense evasion.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- https://attack.mitre.org/techniques/T1146/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
author: Patrick Bareiss
date: 2019/03/24
logsource:
@ -18,6 +20,8 @@ detection:
# - 'unset HISTFILE' # prone to false positives
- 'export HISTFILESIZE=0'
- 'history -c'
- 'history -w'
- 'shred *bash_history'
condition: keywords
falsepositives:
- Unknown

8
rules/linux/lnx_shell_priv_esc_prep.yml
View File

@ -1,4 +1,5 @@
title: Privilege Escalation Preparation
title: Privilege Escalation Preparation
id: 444ade84-c362-4260-b1f3-e45e20e1a905
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
references:
@ -58,6 +59,11 @@ detection:
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
# sticky bits
- 'find / -perm -u=s'
- 'find / -perm -g=s'
- 'find / -perm -4000'
- 'find / -perm -2000'
timeframe: 30m
condition: keywords | count() by host > 6
falsepositives:

1
rules/linux/lnx_shell_susp_commands.yml
View File

@ -1,4 +1,5 @@
title: Suspicious Activity in Shell Commands
id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
description: Detects suspicious shell commands used in various exploit codes (see references)
references:
- http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html

12
rules/linux/lnx_shell_susp_log_entries.yml
View File

@ -1,16 +1,16 @@
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
description: Detects suspicious log entries in Linux log files
author: Florian Roth
date: 2017/03/25
logsource:
product: linux
detection:
keywords:
# Generic suspicious log lines
- 'entered promiscuous mode'
# OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
- 'Deactivating service'
- 'Oversized packet received from'
- 'imuxsock begins to drop messages'
- entered promiscuous mode
- Deactivating service
- Oversized packet received from
- imuxsock begins to drop messages
condition: keywords
falsepositives:
- Unknown

1
rules/linux/lnx_shell_susp_rev_shells.yml
View File

@ -1,4 +1,5 @@
title: Suspicious Reverse Shell Command Line
id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
references:

3
rules/linux/lnx_shellshock.yml
View File

@ -1,5 +1,8 @@
title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
description: Detects shellshock expressions in log files
date: 2017/03/14
author: Florian Roth
references:
- http://rubular.com/r/zxBfjWfFYs
logsource:

1
rules/linux/lnx_ssh_cve_2018_15473.yml
View File

@ -1,4 +1,5 @@
title: SSHD Error Message CVE-2018-15473
id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
description: Detects exploitation attempt using public exploit code for CVE-2018-15473
references:
- https://github.com/Rhynorater/CVE-2018-15473-Exploit

33
rules/linux/lnx_sudo_cve_2019_14287.yml Normal file
View File

@ -0,0 +1,33 @@
action: global
title: Sudo Privilege Escalation CVE-2019-14287
id: f74107df-b6c6-4e80-bf00-4170b658162b
status: experimental
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
references:
- https://www.openwall.com/lists/oss-security/2019/10/14/1
- https://access.redhat.com/security/cve/cve-2019-14287
- https://twitter.com/matthieugarin/status/1183970598210412546
author: Florian Roth
date: 2019/10/15
modified: 2019/10/20
tags:
- attack.privilege_escalation
- attack.t1068
- attack.t1169
logsource:
product: linux
falsepositives:
- Unlikely
level: critical
---
detection:
selection_keywords:
- '* -u#*'
condition: selection_keywords
---
detection:
selection_user:
USER:
- '#-*'
- '#*4294967295'
condition: selection_user

12
rules/linux/lnx_susp_failed_logons_single_source.yml
View File

@ -1,18 +1,20 @@
title: Multiple Failed Logins with Different Accounts from Single Source System
title: Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
author: Florian Roth
date: 2017/02/16
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux
service: auth
detection:
selection:
pam_message: "authentication failure"
pam_message: authentication failure
pam_user: '*'
pam_rhost: '*'
timeframe: 24h
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
- Workstations with frequently changing users
level: medium

1
rules/linux/lnx_susp_jexboss.yml
View File

@ -1,4 +1,5 @@
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
description: Detects suspicious command sequence that JexBoss
references:
- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A

3
rules/linux/lnx_susp_named.yml
View File

@ -1,6 +1,7 @@
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: experimental
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
author: Florian Roth

3
rules/linux/lnx_susp_ssh.yml
View File

@ -1,5 +1,6 @@
title: Suspicious SSHD Error
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml

4
rules/linux/lnx_susp_vsftp.yml
View File

@ -1,5 +1,6 @@
title: Suspicious VSFTPD Error Messages
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/dagwieers/vsftpd/
author: Florian Roth
@ -30,4 +31,3 @@ detection:
falsepositives:
- Unknown
level: medium

8
rules/linux/modsecurity/modsec_mulitple_blocks.yml
View File

@ -1,5 +1,8 @@
title: Multiple Modsecurity Blocks
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
date: 2017/02/28
author: Florian Roth
logsource:
product: linux
service: modsecurity
@ -8,10 +11,9 @@ detection:
- 'mod_security: Access denied'
- 'ModSecurity: Access denied'
- 'mod_security-message: Access denied'
timeframe: 120m
timeframe: 120m
condition: selection | count() > 6
falsepositives:
- Vulnerability scanners
- Frequent attacks if system faces Internet
level: medium

31
rules/network/cisco/aaa/cisco_cli_clear_logs.yml Normal file
View File

@ -0,0 +1,31 @@
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
description: Clear command history in network OS which is used for defense evasion.
references:
- https://attack.mitre.org/techniques/T1146/
- https://attack.mitre.org/techniques/T1070/
author: Austin Clark
date: 2019/08/12
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1070
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'clear logging'
- 'clear archive'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
level: high

39
rules/network/cisco/aaa/cisco_cli_collect_data.yml Normal file
View File

@ -0,0 +1,39 @@
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: experimental
description: Collect pertinent data from the configuration files
references:
- https://attack.mitre.org/techniques/T1087/
- https://attack.mitre.org/techniques/T1003/
- https://attack.mitre.org/techniques/T1081/
- https://attack.mitre.org/techniques/T1005/
author: Austin Clark
date: 2019/08/11
tags:
- attack.discovery
- attack.credential_access
- attack.collection
- attack.t1087
- attack.t1003
- attack.t1081
- attack.t1005
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'show running-config'
- 'show startup-config'
- 'show archive config'
- 'more'
condition: keywords
falsepositives:
- Commonly run by administrators.
level: low

33
rules/network/cisco/aaa/cisco_cli_crypto_actions.yml Normal file
View File

@ -0,0 +1,33 @@
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: experimental
description: Show when private keys are being exported from the device, or when new certificates are installed.
references:
- https://attack.mitre.org/techniques/T1145/
- https://attack.mitre.org/techniques/T1130/
author: Austin Clark
date: 2019/08/12
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1130
- attack.t1145
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates.
level: high

29
rules/network/cisco/aaa/cisco_cli_disable_logging.yml Normal file
View File

@ -0,0 +1,29 @@
title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: experimental
description: Turn off logging locally or remote
references:
- https://attack.mitre.org/techniques/T1089
author: Austin Clark
date: 2019/08/11
tags:
- attack.defense_evasion
- attack.t1089
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'no logging'
- 'no aaa new-model'
condition: keywords
falsepositives:
- Unknown
level: high

46
rules/network/cisco/aaa/cisco_cli_discovery.yml Normal file
View File

@ -0,0 +1,46 @@
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: experimental
description: Find information about network devices that are not stored in config files.
references:
- https://attack.mitre.org/tactics/TA0007/
author: Austin Clark
date: 2019/08/12
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'dir'
- 'show processes'
- 'show arp'
- 'show cdp'
- 'show version'
- 'show ip route'
- 'show ip interface'
- 'show ip sockets'
- 'show users'
- 'show ssh'
- 'show clock'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low

28
rules/network/cisco/aaa/cisco_cli_dos.yml Normal file
View File

@ -0,0 +1,28 @@
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: experimental
description: Detect a system being shutdown or put into different boot mode
references:
- https://attack.mitre.org/techniques/T1499/
- https://attack.mitre.org/techniques/T1495/
author: Austin Clark
date: 2019/08/15
tags:
- attack.impact
- attack.t1499
- attack.t1495
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'shutdown'
- 'config-register 0x2100'
- 'config-register 0x2142'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands, though rarely.
level: medium

31
rules/network/cisco/aaa/cisco_cli_file_deletion.yml Normal file
View File

@ -0,0 +1,31 @@
title: Cisco Show Commands Input
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: experimental
description: See what files are being deleted from flash file systems
references:
- https://attack.mitre.org/techniques/T1107/
- https://attack.mitre.org/techniques/T1488/
- https://attack.mitre.org/techniques/T1487/
author: Austin Clark
date: 2019/08/12
tags:
- attack.defense_evasion
- attack.impact
- attack.t1107
- attack.t1488
- attack.t1487
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'erase'
- 'delete'
- 'format'
condition: keywords
falsepositives:
- Will be used sometimes by admins to clean up local flash space.
level: medium

29
rules/network/cisco/aaa/cisco_cli_input_capture.yml Normal file
View File

@ -0,0 +1,29 @@
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
description: See what commands are being input into the device by other people, full credentials can be in the history
references:
- https://attack.mitre.org/techniques/T1056/
- https://attack.mitre.org/techniques/T1139/
author: Austin Clark
date: 2019/08/11
tags:
- attack.collection
- attack.credential_access
- attack.t1139
- attack.t1056
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'show history'
- 'show history all'
- 'show logging'
condition: keywords
falsepositives:
- Not commonly run by administrators, especially if remote logging is configured.
level: medium

27
rules/network/cisco/aaa/cisco_cli_local_accounts.yml Normal file
View File

@ -0,0 +1,27 @@
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: experimental
description: Find local accounts being created or modified as well as remote authentication configurations
references:
- https://attack.mitre.org/techniques/T1098/
- https://attack.mitre.org/techniques/T1136/
author: Austin Clark
date: 2019/08/12
tags:
- attack.persistence
- attack.t1136
- attack.t1098
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'username'
- 'aaa'
condition: keywords
falsepositives:
- When remote authentication is in place, this should not change often.
level: high

38
rules/network/cisco/aaa/cisco_cli_modify_config.yml Normal file
View File

@ -0,0 +1,38 @@
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: experimental
description: Modifications to a config that will serve an adversary's impacts or persistence
references:
- https://attack.mitre.org/techniques/T1100/
- https://attack.mitre.org/techniques/T1168/
- https://attack.mitre.org/techniques/T1493/
author: Austin Clark
date: 2019/08/12
tags:
- attack.persistence
- attack.privilege_escalation
- attack.impact
- attack.t1493
- attack.t1100
- attack.t1168
- attack.t1490
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'ip http server'
- 'ip https server'
- 'kron policy-list'
- 'kron occurrence'
- 'policy-list'
- 'access-list'
- 'ip access-group'
- 'archive maximum'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
level: medium

39
rules/network/cisco/aaa/cisco_cli_moving_data.yml Normal file
View File

@ -0,0 +1,39 @@
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: experimental
description: Various protocols maybe used to put data on the device for exfil or infil
references:
- https://attack.mitre.org/techniques/T1074/
- https://attack.mitre.org/techniques/T1105/
- https://attack.mitre.org/techniques/T1498/
- https://attack.mitre.org/techniques/T1002/
author: Austin Clark
date: 2019/08/12
tags:
- attack.collection
- attack.lateral_movement
- attack.command_and_control
- attack.exfiltration
- attack.impact
- attack.t1074
- attack.t1105
- attack.t1492
- attack.t1002
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'tftp'
- 'rcp'
- 'puts'
- 'copy'
- 'configure replace'
- 'archive tar'
condition: keywords
falsepositives:
- Generally used to copy configs or IOS images.
level: low

27
rules/network/cisco/aaa/cisco_cli_net_sniff.yml Normal file
View File

@ -0,0 +1,27 @@
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: experimental
description: Show when a monitor or a span/rspan is setup or modified
references:
- https://attack.mitre.org/techniques/T1040
author: Austin Clark
date: 2019/08/11
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'monitor capture point'
- 'set span'
- 'set rspan'
condition: keywords
falsepositives:
- Admins may setup new or modify old spans, or use a monitor for troubleshooting.
level: medium

6
rules/apt/apt_equationgroup_c2.yml → rules/network/net_apt_equationgroup_c2.yml
View File

@ -1,12 +1,14 @@
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
- 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
- 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
tags:
- attack.command_and_control
- attack.g0020
author: Florian Roth
date: 2017/04/15
logsource:
category: firewall
detection:

9
rules/network/net_dns_c2_detection.yml
View File

@ -1,13 +1,15 @@
title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
which can be an indicator that DNS is used to transfer data.
references:
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
category: dns
detection:
selection:
parent_domain: '*'
@ -16,4 +18,5 @@ falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043
- attack.t1048
- attack.exfiltration

29
rules/network/net_high_dns_bytes_out.yml Normal file
View File

@ -0,0 +1,29 @@
action: global
title: High DNS Bytes Out
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
description: High DNS queries bytes amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | sum(question_length) by src_ip > 300000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | sum(message_size) by src_ip > 300000

29
rules/network/net_high_dns_requests_rate.yml Normal file
View File

@ -0,0 +1,29 @@
action: global
title: High DNS Requests Rate
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
description: High DNS requests amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | count() by src_ip > 1000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | count() by src_ip > 1000

19
rules/network/net_high_null_records_requests_rate.yml Normal file
View File

@ -0,0 +1,19 @@
title: High NULL Records Requests Rate
id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "NULL"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
level: medium

19
rules/network/net_high_txt_records_requests_rate.yml Normal file
View File

@ -0,0 +1,19 @@
title: High TXT Records Requests Rate
id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "TXT"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
level: medium

1
rules/network/net_mal_dns_cobaltstrike.yml
View File

@ -1,4 +1,5 @@
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: experimental
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:

3
rules/network/net_susp_dns_b64_queries.yml
View File

@ -1,4 +1,5 @@
title: Suspicious DNS Query with B64 Encoded String
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
references:

5
rules/network/net_susp_dns_txt_exec_strings.yml
View File

@ -1,6 +1,7 @@
title: DNS TXT Answer with possible execution strings
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: experimental
description: Detects strings used in command execution in DNS TXT Answer
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1

2
rules/network/net_susp_network_scan.yml
View File

@ -1,6 +1,8 @@
title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
logsource:
category: firewall
detection:

1
rules/network/net_susp_telegram_api.yml
View File

@ -1,4 +1,5 @@
title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
status: experimental
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
references:

23
rules/network/zeek_susp_kerberos_rc4.yml Normal file
View File

@ -0,0 +1,23 @@
title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: experimental
date: 2020/02/12
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
- https://adsecurity.org/?p=3458
tags:
- attack.credential_access
- attack.t1208
logsource:
product: zeek
service: kerberos
detection:
selection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
service: '$*'
condition: selection and not computer_acct
falsepositives:
- normal enterprise SPN requests activity
level: medium

41
rules/proxy/proxy_apt40.yml
View File

@ -1,20 +1,21 @@
title: APT40 Dropbox Tool User Agent
status: experimental
description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
logsource:
category: proxy
detection:
selection:
UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
r-dns: 'api.dropbox.com'
condition: selection
fields:
- c-ip
- cs-uri
falsepositives:
- Old browsers
level: high
title: APT40 Dropbox Tool User Agent
id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
status: experimental
description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
date: 2019/11/12
logsource:
category: proxy
detection:
selection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
r-dns: 'api.dropbox.com'
condition: selection
fields:
- c-ip
- c-uri
falsepositives:
- Old browsers
level: high

7
rules/proxy/proxy_chafer_malware.yml
View File

@ -1,4 +1,5 @@
title: Chafer Malware URL Pattern
id: fb502828-2db0-438e-93e6-801c7548686d
status: experimental
description: Detects HTTP requests used by Chafer malware
references:
@ -9,12 +10,12 @@ logsource:
category: proxy
detection:
selection:
c-uri-query: '*/asp.asp?ui=*'
c-uri: '*/asp.asp?ui=*'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical

56
rules/proxy/proxy_cobalt_amazon.yml
View File

@ -1,27 +1,29 @@
title: CobaltStrike Malleable Amazon browsing traffic profile
status: experimental
description: Detects Malleable Amazon Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
tags:
- attack.t1102
logsource:
category: proxy
detection:
selection1:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'GET'
URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
Host: 'www.amazon.com'
Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'POST'
URL: '/N4215/adj/amzn.us.sr.aps'
Host: 'www.amazon.com'
condition: selection1 or selection2
falsepositives:
- Unknown
level: high
title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: experimental
description: Detects Malleable Amazon Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:
category: proxy
detection:
selection1:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
condition: selection1 or selection2
falsepositives:
- Unknown
level: high

Some files were not shown because too many files have changed in this diff Show More