Merge branch 'SigmaHQ:master' into master

This commit is contained in:
Austin Songer 2021-07-06 16:52:12 -05:00 committed by GitHub
commit 35fa401f38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
58 changed files with 291 additions and 136 deletions


@ -0,0 +1,29 @@
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
author: Sittikorn S
date: 2021/06/28
references:
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
tags:
- attack.defense_evasion
- attack.t1562
logsource:
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
condition: selection
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
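Review bot: `status: stable` on a rule first added in this commit is premature; the other brand-new rule in this merge (Renamed Powershell) starts as `status: experimental`, and this one has had no field-level tuning yet. The selection also omits the SecurityHub calls that actually disable the service, which fit the `attack.t1562` tag better than finding edits — `DisableSecurityHub`, `BatchDisableStandards` and `DisableImportFindingsForProduct` from the referenced CLI docs — so consider adding them; note too that `UpdateFindings` is documented by AWS as deprecated in favour of `BatchUpdateFindings`, which is worth a `# deprecated API, kept for older trails` comment. `BatchUpdateFindings` is routinely invoked by automated integrations and custom actions, so add `- Automated SecurityHub integrations updating finding workflow status` to falsepositives or exclude those roles via `userIdentity.arn`.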


@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
product: linux
@ -21,4 +21,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- attack.t1574.006
- attack.t1574.006


@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
logsource:
product: linux
service: auditd


@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
product: linux
service: auditd


@ -1,12 +1,12 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
product: linux
service: auditd
@ -24,8 +24,8 @@ detection:
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration
- attack.t1560.001
- attack.t1560.001


@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
product: linux
service: auditd
@ -24,7 +24,7 @@ detection:
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access


@ -1,11 +1,11 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: experimental
description: Detects removing immutable file attribute
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -16,8 +16,8 @@ detection:
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002


@ -1,11 +1,11 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) the file
description: Detects overwriting (effectively wiping/deleting) of a file.
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
logsource:
product: linux
service: auditd
@ -18,10 +18,10 @@ detection:
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
- Appending null bytes to files.
- Legitimate overwrite of files.
level: low
tags:
- attack.impact
- attack.t1485
- attack.t1485


@ -1,11 +1,11 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
description: Detects file and folder permission changes
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -17,8 +17,8 @@ detection:
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour)
- User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002


@ -1,12 +1,12 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
product: linux
service: auditd
@ -19,9 +19,9 @@ detection:
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
- Installation of legitimate service.
- Legitimate reconfiguration of service.
level: low
tags:
- attack.persistence
- attack.t1543.002
- attack.t1543.002


@ -13,7 +13,7 @@ author: Patrick Bareiss
date: 2019/03/24
modified: 2020/07/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
- https://attack.mitre.org/techniques/T1070/003/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
logsource:


@ -1,9 +1,13 @@
title: Malicious Service Installations
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2021/05/27
modified: 2021/07/06
references:
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
tags:
- attack.persistence
- attack.privilege_escalation
@ -18,13 +22,17 @@ logsource:
service: system
detection:
selection:
EventID: 7045
EventID:
- 4697
- 7045
malsvc_paexec:
ServiceFileName|contains: '\PAExec'
malsvc_wannacry:
ServiceName: 'mssecsvc2.0'
malsvc_persistence:
ServiceFileName|contains: 'net user'
malsvc_apt29:
ServiceName: 'javamtsup'
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
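Review bot: Adding `4697` to `EventID` has no effect under the unchanged `service: system` logsource — 4697 (service installed) is written to the Security log, whereas 7045 lives in the System log, so a backend bound to the System channel will never see the new ID. Either drop 4697 or split the rule into two logsource documents using the same `---` multi-document form this merge adopts for the Windows Defender rule, with `service: security` for 4697 and `service: system` for 7045. The two events also expose different field names, so confirm that `ServiceName`/`ServiceFileName` resolve for 4697 in the backend field mappings before relying on the `malsvc_*` selections there. The rule's `logsource` header and tag list begin outside this hunk.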


@ -9,7 +9,7 @@ tags:
- attack.t1021.002
references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
- https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
logsource:
product: windows
service: security
@ -23,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: high
level: high


@ -1,6 +1,6 @@
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
description:
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
author: Florian Roth, KevTheHermit, fuzzyf10w
status: experimental
level: medium
@ -9,6 +9,7 @@ references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
date: 2021/06/30
modified: 2021/07/05
logsource:
product: windows
service: smbclient-security
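Review bot: The new `description` ("Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service") names the vulnerability but not what the rule observes, while the title is about a rejected SMB guest logon; a reader cannot tell how the two relate. Suggest `description: Detects a rejected SMB guest logon from a remote IP, an artefact of the public PrintNightmare (CVE-2021-1675) exploits, which load the payload DLL from an anonymous SMB share.` — the share mechanism is inferred from the linked PoC repositories rather than from this hunk, so adjust it to what those tools actually do. The remote-code-execution variant was subsequently tracked as CVE-2021-34527, so consider listing both identifiers.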


@ -1,8 +1,9 @@
title: Valid Users Failing to Authenticate From Single Source Using Kerberos
id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4771'
Failure_Code: '0x18'
filter:
Account_Name: '*$'
EventID: 4771
Status: '0x18'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems
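Review bot: `count(TargetUserName) by IpAddress > 10` over `timeframe: 24h` will fire on any host where many distinct users authenticate from one address — terminal servers, jump hosts, VDI pools, or a NAT/proxy in front of the DCs — yet the falsepositives list names only scanners and misconfigured systems. Add `- Terminal servers, jump hosts or NAT gateways where many users authenticate from a single IP` and state that `filter_computer` only removes machine accounts. The same applies to the two sibling Kerberos rules (disabled and invalid users) changed in this commit.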


@ -1,8 +1,9 @@
title: Disabled Users Failing To Authenticate From Source Using Kerberos
id: 4b6fe998-b69c-46d8-901b-13677c9fb663
description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4768'
Result_Code: '0x12'
filter:
Account_Name: '*$'
EventID: 4768
Status: '0x12'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems


@ -1,8 +1,9 @@
title: Invalid Users Failing To Authenticate From Source Using Kerberos
id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4768'
Result_Code: '0x6'
filter:
Account_Name: '*$'
EventID: 4768
Status: '0x6'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems


@ -1,14 +1,14 @@
title: Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: experimental
description: Detects renaming of file while deletion with SDelete tool
description: Detects renaming of file while deletion with SDelete tool.
author: Thomas Patzke
date: 2017/06/14
modified: 2020/08/2
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
tags:
- attack.impact
- attack.defense_evasion
@ -33,5 +33,5 @@ detection:
- '.ZZZ'
condition: selection
falsepositives:
- Legitime usage of SDelete
- Legitimate usage of SDelete
level: medium


@ -1,6 +1,6 @@
title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file.
description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
status: experimental
date: 2020/05/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
@ -18,5 +18,5 @@ detection:
TargetFilename|endswith: '.pfx'
condition: selection
falsepositives:
- unknown
level: medium
- System administrators managing certififcates.
level: medium
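Review bot: The newly added false-positive entry contains a typo: `- System administrators managing certififcates.` should read `- System administrators managing certificates.`. The repeated `level: medium` at the end of the hunk appears to be only a trailing-newline change and needs no action.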


@ -9,7 +9,7 @@ tags:
- attack.collection
- attack.t1056.002
references:
- https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
logsource:
@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- other legitimate processes loading those DLLs in your environment.
level: medium
level: medium


@ -8,7 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1220
references:
- https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
logsource:
@ -23,4 +23,4 @@ detection:
condition: selection
falsepositives:
- Apparently, wmic os get lastboottuptime loads vbscript.dll
level: high
level: high


@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
modified: 2021/06/07
modified: 2021/07/05
author: Ján Trenčanský, frack113
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@ -44,3 +44,12 @@ detection:
TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
Details: 'DWORD (0x00000001)'
condition: tamper_registry
---
logsource:
product: windows
category: system
detection:
selection3:
EventID: 7036
Message: 'The Windows Defender Antivirus Service service entered the stopped state'
condition: selection3
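Review bot: The appended document declares `category: system`, but `system` is a Windows log channel, not a Sigma category — the other rule in this merge that reads the System log uses `service: system`, and a backend will not map `category: system` to that channel, so `selection3` never matches. Change it to `service: system`. The `Message` string matches only the English event text and a specific service display name, which differs across Defender builds, so add `# English-only text; display name varies by build — verify against local 7036 events` above it; if your collector exposes 7036's service-name parameter as a separate field, matching on that is more robust.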


@ -0,0 +1,26 @@
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
date: 2021/07/05
author: Bhabesh Raj
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
status: stable
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
falsepositives:
- Administrator actions
level: critical
logsource:
product: windows
service: windefend
detection:
selection:
EventID:
- 5013
Value|endswith:
- '\Windows Defender\DisableAntiSpyware = 0x1()'
- '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
condition: selection
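Review bot: `status: stable` on a rule first added in this commit is premature: the `Value|endswith` strings (`... = 0x1()` and `... = (Current)`) are taken from a single blog post and their exact formatting should be confirmed against real 5013 events before the rule is marked stable — the other new rule in this merge starts as `experimental`. A short comment on the selection would aid triage, e.g. `# 5013 = tamper protection blocked a change to the listed setting`, since `level: critical` with `Administrator actions` as the only false positive gives an analyst little to go on. `EventID:` holds a single-item list; `EventID: 5013` reads cleaner and matches the sibling rules.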


@ -1,11 +1,11 @@
title: Data Compressed - Powershell
title: Data Compressed - PowerShell
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
logsource:
product: windows
service: powershell
@ -19,7 +19,7 @@ detection:
- 'Compress-Archive'
condition: selection
falsepositives:
- highly likely if archive ops are done via PS
- Highly likely if archive operations are done via PowerShell.
level: low
tags:
- attack.exfiltration


@ -0,0 +1,26 @@
title: Renamed Powershell
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
description: Detects renamed powershell
status: experimental
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020/06/29
modified: 2021/07/04
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
HostName: "ConsoleHost"
filter:
HostApplication|startswith:
- "powershell"
condition: selection and not filter
falsepositives:
- unknown
level: low
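Review bot: `attack.t1086` is the retired technique ID; the convention used elsewhere in this merge is to keep it annotated `# an old one` and add the current one, so add `- attack.t1059.001` and change the existing line to `- attack.t1086 # an old one`. The `filter` excludes only `HostApplication` values that start with `powershell`; if your event 400 records carry a full path (`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`) those legitimate launches fall through as false positives, and `pwsh` is not excluded at all — consider `HostApplication|contains:` with `powershell` and `pwsh`, after checking what your telemetry actually contains. `falsepositives: unknown` should then be revised to reflect whichever case remains.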


@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
logsource:
product: windows
service: powershell


@ -7,8 +7,10 @@ references:
- https://www.joesandbox.com/analysis/443736/0/html
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
author: Florian Roth
date: 2021/07/03
modified: 2021/07/05
tags:
- attack.execution
- attack.g0115
@ -23,11 +25,20 @@ detection:
- 'del /q /f c:\kworking\agent.crt'
- 'Kaseya VSA Agent Hot-fix'
- '\AppData\Local\Temp\MsMpEng.exe'
- 'rmdir /s /q %SystemDrive%\inetpub\logs'
- 'del /s /q /f %SystemDrive%\\*.log'
- 'c:\kworking1\agent.exe'
- 'c:\kworking1\agent.crt'
selection2:
Image:
- 'C:\Windows\MsMpEng.exe'
- 'C:\Windows\cert.exe'
- 'C:\kworking\agent.exe'
- 'C:\kworking1\agent.exe'
selection3:
CommandLine|contains|all:
- 'del /s /q /f'
- 'WebPages\Errors\webErrorLog.txt'
condition: selection1 and selection2
falsepositives:
- Unknown
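Review bot: `selection3` (the `del /s /q /f` + `WebPages\Errors\webErrorLog.txt` pair) is defined but never referenced — `condition: selection1 and selection2` is unchanged, so the new indicator is dead and the repository's rule checks will likely reject an unused selection. If any of the three groups should fire on its own, use `condition: 1 of selection*`; if selection3 is meant as an additional conjunct, name it explicitly. Note that the existing condition already requires a process to match both a command-line string and an image path, which is stricter than a typical IOC list; confirm that is intended. The start of `selection1`'s list lies outside this hunk.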


@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
tags:
- attack.impact


@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
logsource:
category: process_creation
product: windows


@ -1,12 +1,12 @@
title: Data Compressed - rar.exe
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2020/08/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
category: process_creation
@ -25,7 +25,7 @@ fields:
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if rar is default archiver in the monitored environment
- Highly likely if rar is a default archiver in the monitored environment.
level: low
tags:
- attack.exfiltration # an old one


@ -1,9 +1,9 @@
title: Domain Trust Discovery
id: 77815820-246c-47b8-9741-e0def3f57308
status: experimental
description: Detects a discovery of domain trusts
description: Detects a discovery of domain trusts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
@ -23,5 +23,5 @@ detection:
CommandLine|contains: 'domain_trusts'
condition: selection
falsepositives:
- Administration of systems
- Administration of systems.
level: medium


@ -1,15 +1,16 @@
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: experimental
description: Detects a file or folder permissions modifications
description: Detects a file or folder's permissions being modified.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
- attack.t1222 # an old one
logsource:
category: process_creation
product: windows
@ -28,5 +29,5 @@ fields:
- User
- CommandLine
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
- Users interacting with the files on their own (unlikely unless privileged users).
level: medium


@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
date: 2019/10/24
modified: 2019/11/11


@ -1,10 +1,10 @@
title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
@ -26,6 +26,6 @@ fields:
- ParentCommandLine
- CommandLine
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
- Legitimate usage of scripts.
level: low
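Review bot: The reworded description, `via Program Compatibility Assistant (pcalua.exe or forfiles.exe)`, now reads as though both binaries belong to the Program Compatibility Assistant; only pcalua.exe does, forfiles.exe is an unrelated command-line utility. Suggest `description: Detects indirect command execution via the Program Compatibility Assistant (pcalua.exe) or via forfiles.exe.` so the two LOLBins are not conflated.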


@ -1,10 +1,10 @@
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
description: Detect an interactive AT job, which may be used as a form of privilege escalation
description: Detect an interactive AT job, which may be used as a form of privilege escalation.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
date: 2019/10/24
modified: 2019/11/11


@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2020/09/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
category: process_creation
product: windows
@ -46,7 +46,7 @@ detection:
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)
condition: (selection_1 and not filter_1) or (selection_2 and not filter_2)
fields:
- Image
- CommandLine


@ -8,7 +8,7 @@ modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
tags:
- attack.credential_access
- attack.t1003.001


@ -1,13 +1,13 @@
title: Mshta JavaScript Execution
id: 67f113fa-e23d-4271-befa-30113b3e08b1
description: Identifies suspicious mshta.exe commands
description: Identifies suspicious mshta.exe commands.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2020/09/01
references:
- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
tags:
- attack.defense_evasion
- attack.t1170 # an old one


@ -4,7 +4,7 @@ status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11


@ -1,11 +1,11 @@
title: Net.exe User Account Creation
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
status: experimental
description: Identifies creation of local users via the net.exe command
description: Identifies creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018/10/30
modified: 2020/09/01
tags:
@ -29,6 +29,6 @@ fields:
- User
- CommandLine
falsepositives:
- Legit user creation
- Better use event ids for user creation rather than command line rules
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium


@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: windows


@ -1,7 +1,7 @@
title: New Service Creation
id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
status: experimental
description: Detects creation of a new service
description: Detects creation of a new service.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
@ -11,7 +11,7 @@ tags:
- attack.t1050 # an old one
- attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
logsource:
category: process_creation
product: windows
@ -25,5 +25,5 @@ detection:
CommandLine|contains: 'new-service'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reason
- Legitimate administrator or user creates a service for legitimate reasons.
level: low


@ -1,12 +1,12 @@
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
description: Detects audio capture via PowerShell Cmdlet
description: Detects audio capture via PowerShell Cmdlet.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
@ -16,7 +16,7 @@ detection:
CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium
logsource:
category: process_creation


@ -4,6 +4,7 @@ status: experimental
description: Detect
author: Florian Roth
date: 2021/06/18
modified: 2021/07/06
references:
- https://github.com/mvelazc0/PurpleSharp
logsource:
@ -15,7 +16,7 @@ detection:
- xyz123456.exe
- PurpleSharp
selection2:
OriginalFilename:
OriginalFileName:
- 'PurpleSharp.exe'
condition: selection1 or selection2
falsepositives:
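Review bot: The rule's `description` field is still just the single word `Detect` (the context line at the top of the hunk), which leaves the rule effectively undocumented even though `modified` is bumped here. From the reference and the selection values it presumably covers PurpleSharp activity, so something like `description: Detects the execution of the PurpleSharp adversary simulation tool via its default binary name or OriginalFileName` would do, adjusted to whatever field selection1 actually matches on (that field name is outside the hunk). The `OriginalFileName` spelling is the correct Sysmon field name, and the same rename is applied to the PAExec rule further down.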


@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
logsource:
category: process_creation
product: windows


@ -1,12 +1,12 @@
title: Service Execution
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: experimental
description: Detects manual service execution (start) via system utilities
description: Detects manual service execution (start) via system utilities.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
logsource:
category: process_creation
product: windows
@ -18,7 +18,7 @@ detection:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
- Legitimate administrator or user executes a service for legitimate reasons.
level: low
tags:
- attack.execution


@ -1,12 +1,12 @@
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
description: Detect attacker collecting audio via SoundRecorder application.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
- attack.collection
@ -20,5 +20,5 @@ detection:
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium


@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
tags:
- attack.persistence
- attack.t1547.001
@ -35,6 +35,6 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
level: medium


@ -1,9 +1,9 @@
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, Daniil Yugoslavskiy, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
date: 2019/09/26
modified: 2019/11/11
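Review bot: The rewritten description still reads `Might be used by ransomwares during the attack`; ransomware is a mass noun, so `Might be used by ransomware during an attack (seen with NotPetya and others).` reads better. The same phrase is introduced in the Fsutil Suspicious Invocation description below and could take the same wording. Since the reference now points at T1070.001, the tags section (outside the hunk) is worth checking for a matching `attack.t1070.001` entry.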


@ -1,13 +1,13 @@
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2019/11/11
level: high
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags:
- attack.defense_evasion


@ -6,6 +6,7 @@ references:
- https://www.poweradmin.com/paexec/
author: Florian Roth
date: 2021/05/22
modified: 2021/07/06
logsource:
category: process_creation
product: windows
@ -13,7 +14,7 @@ detection:
selection1:
Description: 'PAExec Application'
selection2:
OriginalFilename: 'PAExec.exe'
OriginalFileName: 'PAExec.exe'
filter:
Image|endswith:
- '\PAexec.exe'


@ -1,9 +1,9 @@
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
description: Detects service path modification to powershell/cmd
description: Detects service path modification to PowerShell or cmd.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
tags:
- attack.persistence
- attack.privilege_escalation


@ -11,6 +11,7 @@ tags:
- attack.defense_evasion
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020/10/14
modified: 2021/07/06
logsource:
category: process_creation
product: windows
@ -18,9 +19,9 @@ detection:
selection:
ParentImage|endswith: '\vsjitdebugger.exe'
reduction1:
ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
Image|endswith: '\vsimmersiveactivatehelper*.exe'
reduction2:
ChildImage|endswith: '\devenv.exe'
Image|endswith: '\devenv.exe'
condition: selection and not (reduction1 or reduction2)
falsepositives:
- the process spawned by vsjitdebugger.exe is uncommon.


@ -1,13 +1,13 @@
title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
logsource:
category: process_creation
product: windows
@ -18,8 +18,8 @@ detection:
- Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- msxsl.exe is not installed by default so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
- attack.defense_evasion


@ -0,0 +1,31 @@
title: Printnightmare Mimimkatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: experimental
description: Detects static QMS 810 driver name used by Mimikatz
references:
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
author: Markus Neis, @markus_neis, Florian Roth
tags:
- attack.execution
- cve.2021-1675
- cve.2021-34527
date: 2021/07/04
modified: 2021/07/05
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|startswith:
-'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
selection_alt:
TargetObject|contains|all:
- 'legitprinter'
- '\Control\Print\Environments\Windows'
condition: selection or selection_alt
falsepositives:
- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
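Review bot: The first `TargetObject|startswith` value is written as `-'HKLM\System\...\QMS 810\'` with no space after the list dash, so it is not a valid YAML sequence entry and the rule will fail to load or parse the value incorrectly; it should read `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'`. The title also misspells the tool name and should be `title: Printnightmare Mimikatz Driver Name`. Both selections only cover the `Windows x64` printer environment key, which is worth stating in the description if that scope is intentional so analysts know the rule does not cover other environments.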


@ -1171,7 +1171,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
for parsed in sigmaparser.condparsed:
#Static data
rule_object = {
"name": rulename + "_" + str(rule_number),
"name": rulename,
"description": description,
"index": index,
"priority": self.convertLevel(level),
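Review bot: Dropping the `_<rule_number>` suffix means every `rule_object` built inside the `for parsed in sigmaparser.condparsed:` loop now carries the same `"name"`; if `rulename` is computed once outside the loop (its assignment is not in the hunk), a Sigma rule with several conditions will emit ElastAlert rules with colliding names and the last one written may silently replace the others. If the intent is to rely on the collision counter in MultiRuleOutputMixin's rule-name helper (also touched in this commit), that helper must be called per iteration for this to hold; otherwise keep a per-condition disambiguator. `rule_number` may now be unused in this scope; if so, remove its assignment as well. The enclosing method starts outside the hunk.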


@ -23,5 +23,5 @@ class GraylogQuerystringBackend(ElasticsearchQuerystringBackend):
active = True
config_required = False
reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|&&|\\|\\|)")
reEscape = re.compile("([\s+\\-!(){}\\[\\]^\"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|&&|\\|\\|)")
listSeparator = " "
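Review bot: The new `reEscape` pattern puts `\s` inside a regular (non-raw) string literal, which Python treats as an invalid escape sequence (a DeprecationWarning, and a SyntaxWarning in newer releases); it still reaches the regex engine as `\s` today, but the rest of the pattern doubles its backslashes, so for consistency write `\\s` or convert the whole literal to a raw string. Whitespace escaping presumably matters because `listSeparator` is a single space, so a one-line comment such as `# escape whitespace too: list values are joined with listSeparator (a space)` would record the reason for the change.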


@ -68,9 +68,16 @@ class MultiRuleOutputMixin:
"""
try:
rulename = sigmaparser.parsedyaml["id"]
yaml_id = sigmaparser.parsedyaml["id"]
except KeyError:
rulename = sigmaparser.parsedyaml["title"].replace(" ", "-").replace("(", "").replace(")", "")
yaml_id = "00000000-0000-0000-0000-000000000000"
try:
yaml_title = sigmaparser.parsedyaml["title"]
except KeyError:
yaml_title = "No Title"
yaml_title = yaml_title.replace(" ", "-").replace("(", "").replace(")", "")
rulename = "%s-%s" % (yaml_id, yaml_title)
if rulename in self.rulenames: # add counter if name collides
cnt = 2
while "%s-%d" % (rulename, cnt) in self.rulenames: