Merge branch 'master' of https://github.com/redsand/sigma into HAWK_Backend
276961e8bb
@ -8,12 +8,11 @@ author: Bhabesh Raj
|
||||
date: 2021/02/01
|
||||
modified: 2021/09/14
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
|
||||
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-3156
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.t1068
|
||||
- cve.2021.3156
|
||||
logsource:
|
||||
product: linux
|
||||
service: auditd
|
||||
|
@ -11,12 +11,11 @@ author: Bhabesh Raj
|
||||
date: 2021/02/01
|
||||
modified: 2021/09/14
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
|
||||
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-3156
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.t1068
|
||||
- cve.2021.3156
|
||||
logsource:
|
||||
product: linux
|
||||
service: auditd
|
||||
|
@ -16,6 +16,7 @@ tags:
|
||||
- attack.t1068
|
||||
- attack.t1169 # an old one
|
||||
- attack.t1548.003
|
||||
- cve.2019.14287
|
||||
detection:
|
||||
selection_keywords:
|
||||
- '* -u#*'
|
||||
|
@ -19,6 +19,7 @@ tags:
|
||||
- attack.t1068
|
||||
- attack.t1169 # an old one
|
||||
- attack.t1548.003
|
||||
- cve.2019.14287
|
||||
detection:
|
||||
selection_user:
|
||||
USER:
|
||||
|
@ -13,10 +13,12 @@ references:
|
||||
- https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
|
||||
- https://old.zeek.org/zeekweek2019/slides/bzar.pdf
|
||||
- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1678
|
||||
|
||||
tags:
|
||||
- attack.execution
|
||||
- cve.2021.1678
|
||||
- cve.2021.1675
|
||||
- cve.2021.34527
|
||||
logsource:
|
||||
product: zeek
|
||||
service: dce_rpc
|
||||
|
@ -3,8 +3,6 @@ id: f0500377-bc70-425d-ac8c-e956cd906871
|
||||
status: experimental
|
||||
description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
|
||||
references:
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-20090
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-20091
|
||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||
- https://www.tenable.com/security/research/tra-2021-13
|
||||
- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
|
||||
@ -17,6 +15,8 @@ level: critical
|
||||
tags:
|
||||
- attack.initial_access
|
||||
- attack.t1190
|
||||
- cve.2021.20090
|
||||
- cve.2021.20091
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
|
@ -6,10 +6,8 @@ author: Florian Roth
|
||||
date: 2018/07/22
|
||||
modified: 2021/08/09
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
|
||||
- https://twitter.com/pyn3rd/status/1020620932967223296
|
||||
- https://github.com/LandGrey/CVE-2018-2894
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2018-2894
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -28,3 +26,4 @@ tags:
|
||||
- attack.initial_access
|
||||
- attack.persistence
|
||||
- attack.t1505.003
|
||||
- cve.2018.2894
|
||||
|
@ -6,11 +6,9 @@ author: Florian Roth
|
||||
date: 2020/11/02
|
||||
modified: 2020/11/04
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
|
||||
- https://isc.sans.edu/diary/26734
|
||||
- https://twitter.com/jas502n/status/1321416053050667009?s=20
|
||||
- https://twitter.com/sudo_sudoka/status/1323951871078223874
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2020-14882
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -29,3 +27,4 @@ tags:
|
||||
- attack.t1100 # an old one
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2020.14882
|
||||
|
@ -5,10 +5,8 @@ description: Detects exploitation attempts on Cisco ASA FTD systems exploiting C
|
||||
author: Florian Roth
|
||||
date: 2021/01/07
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
|
||||
- https://twitter.com/aboul3la/status/1286012324722155525
|
||||
- https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-3452
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -35,3 +33,4 @@ tags:
|
||||
- attack.t1100 # an old one
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2020.3452
|
@ -7,7 +7,6 @@ date: 2021/01/20
|
||||
references:
|
||||
- https://twitter.com/pyn3rd/status/1351696768065409026
|
||||
- https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-2109
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -27,3 +26,4 @@ level: critical
|
||||
tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2021.2109
|
@ -5,10 +5,8 @@ description: Detects the exploitation of the VMware View Planner vulnerability d
|
||||
author: Bhabesh Raj
|
||||
date: 2020/03/10
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
|
||||
- https://twitter.com/wugeej/status/1369476795255320580
|
||||
- https://paper.seebug.org/1495/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21978
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -28,3 +26,4 @@ level: high
|
||||
tags:
|
||||
- attack.initial_access
|
||||
- attack.t1190
|
||||
- cve.2021.21978
|
||||
|
@ -5,9 +5,7 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i
|
||||
author: Florian Roth
|
||||
date: 2021/05/22
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
|
||||
- https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-21978
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -23,3 +21,5 @@ level: high
|
||||
tags:
|
||||
- attack.initial_access
|
||||
- attack.t1190
|
||||
- cve.2021.21978
|
||||
- cve.2021.26814
|
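Review bot: The added tag `- cve.2021.21978` does not belong to this rule: the hunk header shows the rule describes the Wazuh RCE, and the only CVE named in the mitre and PoC references is CVE-2021-26814, while 2021-21978 is the VMware View Planner CVE from the preceding rule in this commit. The reference list of the same file (first hunk of this section) likewise carries `https://nvd.nist.gov/vuln/detail/cve-2021-21978`, which looks like a copy-paste from that rule. Drop the `cve.2021.21978` tag, keep `- cve.2021.26814`, and point the NVD reference at `https://nvd.nist.gov/vuln/detail/cve-2021-26814` so the rule's metadata matches the vulnerability it actually detects.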
@ -6,9 +6,7 @@ author: Bhabesh Raj
|
||||
date: 2021/01/25
|
||||
references:
|
||||
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-28188
|
||||
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2020-28188
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
@ -35,3 +33,4 @@ level: critical
|
||||
tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2020.28188
|
@ -8,11 +8,11 @@ references:
|
||||
- https://github.com/hhlxf/PrintNightmare
|
||||
- https://github.com/afwu/PrintNightmare
|
||||
- https://twitter.com/fuzzyf10w/status/1410202370835898371
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
date: 2021/06/30
|
||||
modified: 2021/07/08
|
||||
tags:
|
||||
- attack.execution
|
||||
- cve.2021.1675
|
||||
logsource:
|
||||
product: windows
|
||||
service: printservice-admin
|
||||
|
@ -6,10 +6,10 @@ status: experimental
|
||||
level: critical
|
||||
references:
|
||||
- https://twitter.com/MalwareJake/status/1410421967463731200
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
date: 2021/07/01
|
||||
tags:
|
||||
- attack.execution
|
||||
- cve.2021.1675
|
||||
logsource:
|
||||
product: windows
|
||||
service: printservice-operational
|
||||
|
@ -6,11 +6,11 @@ status: experimental
|
||||
level: critical
|
||||
references:
|
||||
- https://twitter.com/INIT_3/status/1410662463641731075
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
|
||||
date: 2021/07/02
|
||||
tags:
|
||||
- attack.execution
|
||||
- cve.2021.1675
|
||||
- cve.2021.34527
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
|
@ -34,4 +34,4 @@ detection:
|
||||
- ' ls '
|
||||
description_selection:
|
||||
Description: 'Rsync for cloud storage'
|
||||
condition: command_selection and ( description_selection or exec_selection )
|
||||
condition: command_selection and ( description_selection or exec_selection )
|
@ -5,12 +5,12 @@ author: Florian Roth
|
||||
date: 2021/05/05
|
||||
references:
|
||||
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-21551
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- cve.2021.21551
|
||||
detection:
|
||||
selection_image:
|
||||
ImageLoaded|contains: '\DBUtil_2_3.Sys'
|
||||
|
@ -5,7 +5,6 @@ description: Detect DLL deletions from Spooler Service driver folder
|
||||
references:
|
||||
- https://github.com/hhlxf/PrintNightmare
|
||||
- https://github.com/cube0x0/CVE-2021-1675
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
author: Bhabesh Raj
|
||||
date: 2021/07/01
|
||||
modified: 2021/08/24
|
||||
@ -14,6 +13,7 @@ tags:
|
||||
- attack.defense_evasion
|
||||
- attack.privilege_escalation
|
||||
- attack.t1574
|
||||
- cve.2021.1675
|
||||
logsource:
|
||||
category: file_delete
|
||||
product: windows
|
||||
|
@ -8,12 +8,12 @@ modified: 2021/09/09
|
||||
references:
|
||||
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
|
||||
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-33771
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-31979
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1566
|
||||
- attack.t1203
|
||||
- cve.2021.33771
|
||||
- cve.2021.31979
|
||||
# - threat_group.Sourgum
|
||||
logsource:
|
||||
product: windows
|
||||
|
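--- /dev/null
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -0,0 +1,33 @@
+title: Suspicious VHD Image Download From Browser
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+status: experimental
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
+references:
+- https://redcanary.com/blog/intelligence-insights-october-2021/
+- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2021/10/25
+tags:
+- attack.resource_development
+- attack.t1587.001
+logsource:
+category: file_event
+product: windows
+definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename> <!--vhd files for ZLoader and lazarus malware vectors -->"
+detection:
+selection:
+- Image|endswith:
+- chrome.exe
+- firefox.exe
+- microsoftedge.exe
+- microsoftedgecp.exe
+- msedge.exe
+- iexplorer.exe
+- brave.exe
+- opera.exe
+- TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+condition: selection
+falsepositives:
+- Legitimate user creation
+level: medium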
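Review bot: `selection` is written as a YAML list of two maps (`- Image|endswith:` and `- TargetFilename|contains: '.vhd'`), and Sigma ORs the items of a list-valued selection, so if the two `- ` entries are siblings as the rendering suggests (indentation is lost in this view) the rule fires on every file event from the listed browsers, not only on `.vhd` writes; drop the leading `- ` on both keys so `selection:` is a single map holding `Image|endswith:` and `TargetFilename|contains: '.vhd'`, which ANDs them. `iexplorer.exe` is not the Internet Explorer binary name (`iexplore.exe`), so that list entry never matches. The falsepositives entry `Legitimate user creation` does not describe this rule's behaviour and reads like a copy-paste; something like `- Legitimate VHD downloads by users` fits better. The tags `attack.resource_development` / `attack.t1587.001` describe adversary capability development rather than a payload arriving via browser download, so the tactic mapping may be worth revisiting.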
@ -7,13 +7,12 @@ author: Bhabesh Raj
|
||||
status: experimental
|
||||
level: critical
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
|
||||
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-26858
|
||||
date: 2021/03/03
|
||||
tags:
|
||||
- attack.t1203
|
||||
- attack.execution
|
||||
- cve.2021.26858
|
||||
logsource:
|
||||
category: file_event
|
||||
product: windows
|
||||
|
@ -0,0 +1,25 @@
|
||||
title: PowerShell Writing Startup Shortcuts
|
||||
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
|
||||
description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
|
||||
status: experimental
|
||||
references:
|
||||
- https://redcanary.com/blog/intelligence-insights-october-2021/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
|
||||
tags:
|
||||
- attack.registry_run_keys_/_startup_folder
|
||||
- attack.t1547.001
|
||||
date: 2021/10/24
|
||||
author: Christopher Peacock '@securepeacock', SCYTHE
|
||||
level: high
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\powershell.exe'
|
||||
TargetFilename|contains: '\start menu\programs\startup\'
|
||||
TargetFilename|endswith: '.lnk'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
- Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
|
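Review bot: `- attack.registry_run_keys_/_startup_folder` is not a valid Sigma ATT&CK tag; the convention is a tactic tag plus the technique id, so this should be `- attack.persistence` alongside the existing `- attack.t1547.001`. `Image|endswith: '\powershell.exe'` covers Windows PowerShell only; a sibling `'\pwsh.exe'` entry would catch the same shortcut writes from PowerShell 7 without widening the rule. The second falsepositives entry also has spelling slips (`recomended`, `anomolies`, `inidicative`) that should be corrected before the rule is merged.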
@ -8,12 +8,12 @@ references:
|
||||
- https://github.com/hhlxf/PrintNightmare
|
||||
- https://github.com/afwu/PrintNightmare
|
||||
- https://github.com/cube0x0/CVE-2021-1675
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
date: 2021/06/29
|
||||
modified: 2021/07/01
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.privilege_escalation
|
||||
- cve.2021.1675
|
||||
logsource:
|
||||
category: file_event
|
||||
product: windows
|
||||
|
@ -9,13 +9,13 @@ references:
|
||||
- https://github.com/FireFart/hivenightmare/
|
||||
- https://github.com/WiredPulse/Invoke-HiveNightmare
|
||||
- https://twitter.com/cube0x0/status/1418920190759378944
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-36934
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1552.001
|
||||
- cve.2021.36934
|
||||
detection:
|
||||
selection:
|
||||
- TargetFilename|contains:
|
||||
|
@ -4,8 +4,6 @@ status: experimental
|
||||
description: Detect DLL Load from Spooler Service backup folder
|
||||
references:
|
||||
- https://github.com/hhlxf/PrintNightmare
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
|
||||
author: FPT.EagleEye, Thomas Patzke (improvements)
|
||||
date: 2021/06/29
|
||||
modified: 2021/08/24
|
||||
@ -14,6 +12,8 @@ tags:
|
||||
- attack.defense_evasion
|
||||
- attack.privilege_escalation
|
||||
- attack.t1574
|
||||
- cve.2021.1675
|
||||
- cve.2021.34527
|
||||
logsource:
|
||||
category: image_load
|
||||
product: windows
|
||||
|
@ -27,10 +27,11 @@ fields:
|
||||
logsource:
|
||||
category: pipe_created
|
||||
product: windows
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
sysmon_pipecreated:
|
||||
PipeName: '\PSEXESVC'
|
||||
condition: sysmon_pipecreated
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: low
|
||||
level: low
|
||||
|
@ -11,7 +11,7 @@ author: Markus Neis
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
PipeName:
|
||||
@ -25,4 +25,3 @@ detection:
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
|
||||
|
@ -16,6 +16,7 @@ tags:
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
PipeName|contains:
|
||||
|
@ -10,7 +10,7 @@ author: Florian Roth
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
PipeName|contains:
|
||||
|
@ -16,7 +16,7 @@ tags:
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection_MSSE:
|
||||
PipeName|contains|all:
|
||||
|
@ -15,7 +15,7 @@ tags:
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
- PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
|
||||
|
@ -9,7 +9,7 @@ author: Florian Roth, blueteam0ps
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
PipeName:
|
||||
|
@ -12,7 +12,7 @@ tags:
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
PipeName|startswith:
|
||||
|
@ -15,7 +15,7 @@ tags:
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection_malleable_profiles:
|
||||
- PipeName|startswith:
|
||||
|
@ -9,7 +9,7 @@ author: Florian Roth
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular'
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\scrcons.exe'
|
||||
|
@ -0,0 +1,30 @@
|
||||
title: AzureHound PowerShell Commands
|
||||
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
|
||||
status: experimental
|
||||
description:
|
||||
references:
|
||||
- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
|
||||
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
|
||||
author: Austin Songer (@austinsonger)
|
||||
date: 2021/10/23
|
||||
logsource:
|
||||
product: windows
|
||||
category: ps_script
|
||||
definition: Script Block Logging must be enable
|
||||
detection:
|
||||
selection:
|
||||
ScriptBlockText|contains:
|
||||
- "Invoke-AzureHound"
|
||||
condition: selection
|
||||
tags:
|
||||
- attack.discovery
|
||||
- attack.t1482
|
||||
- attack.t1087
|
||||
- attack.t1087.001
|
||||
- attack.t1087.002
|
||||
- attack.t1069.001
|
||||
- attack.t1069.002
|
||||
- attack.t1069
|
||||
falsepositives:
|
||||
- Penetration testing
|
||||
level: high
|
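Review bot: `description:` is left empty, so the rule ships with no explanation of what it detects; from the detection block a fitting line is `description: Detects execution of the AzureHound collector via PowerShell script block logging (Invoke-AzureHound)`. `definition: Script Block Logging must be enable` should read `must be enabled`. Given the rule matches a single literal `Invoke-AzureHound`, a short note in the description that renamed or obfuscated copies of the collector will not match would set expectations for the `level: high` setting.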
@ -6,13 +6,12 @@ author: Bhabesh Raj
|
||||
status: experimental
|
||||
level: critical
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
|
||||
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-26857
|
||||
date: 2021/03/03
|
||||
tags:
|
||||
- attack.t1203
|
||||
- attack.execution
|
||||
- cve.2021.26857
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
|
@ -14,6 +14,7 @@ tags:
|
||||
- attack.t1059.003
|
||||
- attack.t1059 # an old one
|
||||
- attack.t1574
|
||||
- cve.2019.1378
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
|
@ -4,8 +4,6 @@ status: experimental
|
||||
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
|
||||
references:
|
||||
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-10189
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
|
||||
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
|
||||
author: Florian Roth
|
||||
date: 2020/03/25
|
||||
@ -18,6 +16,7 @@ tags:
|
||||
- attack.t1059.003
|
||||
- attack.t1059 # an old one
|
||||
- attack.s0190
|
||||
- cve.2020.10189
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
|
@ -4,7 +4,7 @@ status: stable
|
||||
description: Shadow Copies deletion using operating systems utilities
|
||||
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
|
||||
date: 2019/10/22
|
||||
modified: 2021/06/02
|
||||
modified: 2021/10/24
|
||||
references:
|
||||
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
|
||||
- https://blog.talosintelligence.com/2017/05/wannacry.html
|
||||
@ -13,6 +13,7 @@ references:
|
||||
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
|
||||
- https://github.com/Neo23x0/Raccine#the-process
|
||||
- https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
|
||||
- https://redcanary.com/blog/intelligence-insights-october-2021/
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.impact
|
||||
@ -38,6 +39,12 @@ detection:
|
||||
- delete
|
||||
- catalog
|
||||
- quiet # will match -quiet or /quiet
|
||||
selection3:
|
||||
Image|endswith: '\vssadmin.exe'
|
||||
CommandLine|contains|all:
|
||||
- resize
|
||||
- shadowstorage
|
||||
- unbounded
|
||||
condition: 1 of selection*
|
||||
fields:
|
||||
- CommandLine
|
||||
|
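Review bot: The added `selection3` identifies vssadmin solely by `Image|endswith: '\vssadmin.exe'`, so a copy of the binary under another name produces no match even though the `resize`/`shadowstorage`/`unbounded` command line is the actual indicator; consider a second selection that keys the same command line on `OriginalFileName: 'VSSADMIN.EXE'` so the match holds when the image name differs. The sibling selections are outside this hunk and may rely on the image name in the same way, which is worth checking in the same pass. The `condition: 1 of selection*` already picks up any new `selection*` block, so no condition change is needed.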
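--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rclone_execution.yml
@@ -0,0 +1,63 @@
+title: Rclone Execution via Command Line or PowerShell
+id: e37db05d-d1f9-49c8-b464-cee1a4b11638
+related:
+- id: a0d63692-a531-4912-ad39-4393325b2a9c
+type: obsoletes
+- id: cb7286ba-f207-44ab-b9e6-760d82b84253
+type: obsoletes
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+status: experimental
+date: 2021/05/10
+modified: 2021/10/24
+author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+logsource:
+product: windows
+category: process_creation
+detection:
+detect_by_option:
+CommandLine|contains|all:
+- '--config '
+- '--no-check-certificate '
+- ' copy '
+exec_selection:
+Image|endswith: '\rclone.exe'
+ParentImage|endswith:
+- '\PowerShell.exe'
+- '\cmd.exe'
+command_selection:
+CommandLine|contains:
+- 'pass'
+- 'user'
+- 'copy'
+- 'sync'
+- 'config'
+- 'lsd'
+- 'remote'
+- 'ls'
+- 'mega'
+- 'pcloud'
+- 'ftp'
+- 'ignore-existing'
+- 'auto-confirm'
+- 'transfers'
+- 'multi-thread-streams'
+- 'no-check-certificate '
+description_selection:
+Description: 'Rsync for cloud storage'
+condition: detect_by_option or command_selection and ( description_selection or exec_selection )
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+tags:
+- attack.exfiltration
+- attack.t1567.002
+falsepositives:
+- Legitimate RClone use
+level: high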
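Review bot: The condition mixes `or` and `and` without grouping the whole right-hand side; Sigma binds `and` tighter than `or`, so it evaluates as intended, but a reader has to know the precedence rule to see that `detect_by_option` alone is sufficient, and `condition: detect_by_option or (command_selection and (description_selection or exec_selection))` states it explicitly. `command_selection` contains very short substrings such as `'ls'`, `'user'` and `'pass'` that occur in many unrelated command lines; they are only safe because the condition ANDs them with `description_selection` or `exec_selection`, which is worth a one-line comment next to the list so a later edit does not loosen the condition. `exec_selection` lists `'\PowerShell.exe'` and `'\cmd.exe'` as parents but not `'\pwsh.exe'`, so rclone launched from PowerShell 7 falls back to the weaker description match only.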
@ -6,13 +6,13 @@ author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- https://nvd.nist.gov/vuln/detail/cve-2021-35211
logsource:
category: process_creation
product: windows
tags:
- attack.persistence
- attack.t1136.001
- cve.2021.35211
# - threat_group.DEV-0322
detection:
selection1:
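Review bot: The hunk runs from `date: 2021/07/14` straight into `references:`, so this rule appears to carry no `modified:` field, and the NVD reference and `cve.2021.35211` tag added here leave no trace in the rule metadata that rule-pack builders use to pick up changes; add `modified:` with the date of this change directly after `date:`. The commented-out `# - threat_group.DEV-0322` is harmless as a comment, but it would be rejected by the tightened tag regex in the updated `test_optional_tags` if anyone uncomments it, so either drop it or keep it deliberately commented. The `detection:` block continues past the end of the hunk.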
@ -6,12 +6,12 @@ author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- https://nvd.nist.gov/vuln/detail/cve-2021-35211
logsource:
category: process_creation
product: windows
tags:
- attack.credential_access
- cve.2021.35211
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
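Review bot: `date: 2021/07/14` is followed immediately by `references:` in this hunk, so there is no `modified:` field to record that the NVD reference and the `cve.2021.35211` tag were added to this rule; add `modified:` with the date of this change after `date:` so consumers tracking rule revisions see the update. The `selection:` block continues past the hunk's last line.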
@ -8,12 +8,12 @@ modified: 2021/09/09
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
- https://nvd.nist.gov/vuln/detail/cve-2021-33771
- https://nvd.nist.gov/vuln/detail/cve-2021-31979
tags:
- attack.credential_access
- attack.t1566
- attack.t1203
- cve.2021.33771
- cve.2021.31979
# - threat_group.Sourgum
logsource:
product: windows
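Review bot: `modified: 2021/09/09` shows up in the hunk header as unchanged context while two NVD references and the `cve.2021.33771` / `cve.2021.31979` tags are added below it; Sigma rules bump `modified:` on every edit so rule-pack builders and converters can detect the revision, so update it to the date of this commit. The `# - threat_group.Sourgum` line is fine as a comment, but note that the new `test_optional_tags` regex would reject it if it were ever uncommented. The `logsource:` block continues past the end of the hunk.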
@ -4,11 +4,11 @@ status: experimental
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
author: Florian Roth
date: 2020/07/01
tags:
- attack.privilege_escalation
- cve.2021.1675
logsource:
category: registry_event
product: windows
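Review bot: `date: 2020/07/01` is a year before CVE-2021-1675 was assigned, yet this hunk tags the rule `cve.2021.1675` and links its NVD entry, and the referenced tweet ID appears to date from mid-2021 as well; the year is most likely a typo and should read `date: 2021/07/01`. There is also no `modified:` field between `date:` and `tags:`, so the new reference and tag are not recorded anywhere in the metadata; add `modified:` with the date of this change. Left as-is, anyone sorting or filtering rule packs by these fields will place a detection for a 2021 CVE a full year before the vulnerability was public. The `logsource:` block continues past the hunk.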
@ -6,11 +6,11 @@ references:
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: Markus Neis, @markus_neis, Florian Roth
tags:
- attack.execution
- cve.2021.1675
- cve.2021.34527
date: 2021/07/04
modified: 2021/07/28
logsource:
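Review bot: `modified: 2021/07/28` is left untouched while the two NVD references and the `cve.2021.1675` / `cve.2021.34527` tags are new in this hunk; bump `modified:` to the date of this change so the revision is tracked the same way as any other rule edit. The `logsource:` block starts on the hunk's last line and continues beyond it.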
@ -75,20 +75,13 @@ class TestRules(unittest.TestCase):
def test_optional_tags(self):
files_with_incorrect_tags = []
tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}")
for file in self.yield_next_rule_file_path(self.path_to_rules):
tags = self.get_rule_part(file_path=file, part_name="tags")
if tags:
for tag in tags:
if tag.startswith("attack."):
continue
elif tag.startswith("car."):
continue
elif tag.startswith("cve."):
print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
files_with_incorrect_tags.append(file)
else:
print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
if tags_pattern.match(tag) == None:
print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag))
files_with_incorrect_tags.append(file)
self.assertEqual(files_with_incorrect_tags, [], Fore.RED +
@ -191,31 +184,33 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_detections, [], Fore.RED +
"There are rules using '1/all of them' style conditions but only have one condition")
def test_duplicate_titles(self):
def test_duplicate_detections(self):
def compare_detections(detection1:dict, detection2:dict) -> bool:
# detections not the same length can't be the same
# detections not the same count can't be the same
if len(detection1) != len(detection2):
return False
return False
for named_condition in detection1:
#don't check timeframes
if named_condition == "timeframe":
continue
# condition clause must be the same too
if named_condition == "condition":
if detection1["condition"] != detection2["condition"]:
return False
else:
continue
# Named condition must exist in both rule files
if named_condition not in detection2:
return False
#can not be the same if len is not equal
if len(detection1[named_condition]) != len(detection2[named_condition]):
return False
for condition in detection1[named_condition]:
if type(condition) != str:
@ -223,10 +218,9 @@ class TestRules(unittest.TestCase):
if condition not in detection2[named_condition]:
return False
condition_value1 = detection1[named_condition][condition]
condition_value2 = detection2[named_condition][condition]
if condition_value1 != condition_value2:
return False
@ -238,7 +232,8 @@ class TestRules(unittest.TestCase):
for file in self.yield_next_rule_file_path(self.path_to_rules):
detection = self.get_rule_part(file_path = file, part_name = "detection")
logsource = self.get_rule_part(file_path = file, part_name = "logsource")
detection.update(logsource)
detection["logsource"] = {}
detection["logsource"].update(logsource)
yaml = self.get_rule_yaml(file_path = file)
is_multipart_yaml_file = len(yaml) != 1
@ -450,7 +445,7 @@ class TestRules(unittest.TestCase):
"There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)")
# Upgrade Detection Rule License 1.1
def test_author(self):
def test_optional_author(self):
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
author_str = self.get_rule_part(file_path=file, part_name="author")
@ -459,9 +454,6 @@ class TestRules(unittest.TestCase):
if not isinstance(author_str, str):
print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file))
faulty_rules.append(file)
else:
print(Fore.YELLOW + "Rule {} has no 'author' field".format(file))
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with malformed 'author' fields. (has to be a string even if it contains many author)")