From 88270fcf2d8484434411df793c802094c4102a10 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 15 Feb 2017 23:53:08 +0100 Subject: [PATCH] Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. --- .../lnx_susp_failed_logons_single_source.yml | 6 +- rules/network/net_susp_network_scan.yml | 4 +- ...le_suspicious_resp_codes_single_source.yml | 16 ++-- rules/web/web_webshell_keyword.yml | 6 +- .../builtin/win_alert_mimikatz_keywords.yml | 12 +-- .../windows/builtin/win_av_relevant_match.yml | 2 +- .../builtin/win_susp_eventlog_cleared.yml | 8 +- .../builtin/win_susp_failed_logon_reasons.yml | 20 ++--- .../win_susp_failed_logons_single_source.yml | 14 ++-- .../win_susp_kerberos_manipulation.yml | 74 +++++++++---------- rules/windows/builtin/win_susp_lsass_dump.yml | 10 +-- .../windows/builtin/win_susp_rc4_kerberos.yml | 10 +-- .../sysmon_mimikatz_inmemory_detection.yml | 26 +++---- .../sysmon/sysmon_password_dumper_lsass.yml | 8 +- .../sysmon/sysmon_susp_driver_load.yml | 6 +- .../windows/sysmon/sysmon_susp_mmc_source.yml | 10 +-- .../sysmon_vul_java_remote_debugging.yml | 8 +- .../sysmon/sysmon_webshell_detection.yml | 18 ++--- .../windows/sysmon/sysmon_webshell_spawn.yml | 20 ++--- 19 files changed, 139 insertions(+), 139 deletions(-) diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml index ceeec27a..081c78a6 100644 --- a/rules/linux/lnx_susp_failed_logons_single_source.yml +++ b/rules/linux/lnx_susp_failed_logons_single_source.yml 
@@ -2,9 +2,9 @@ title: Multiple Failed Logins with Different Accounts from Single Source System description: Detects suspicious failed logins with different user accounts from a single source system detection: selection: - - log: auth - pam_user: not null - pam_rhost: not null + log: auth + pam_user: not null + pam_rhost: not null timeframe: last 24h condition: selection | count(pam_user) by pam_rhost > 3 falsepositives: diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index 284d08cf..df3271ef 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -2,8 +2,8 @@ title: Network Scans description: Detects many failed connection attempts to different ports or hosts detection: selection: - - log: network - action: denied + log: network + action: denied timeframe: last 24h condition: - selection | count(dst_port) > 10 by src_ip diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml index a5a61759..82d5e02d 100644 --- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml +++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml @@ -2,14 +2,14 @@ title: Multiple suspicious Response Codes caused by Single Client description: Detects possible exploitation activity or bugs in a web application detection: selection: - - log: - - access.log - - error.log - response: - - 400 - - 401 - - 403 - - 500 + log: + - access.log + - error.log + response: + - 400 + - 401 + - 403 + - 500 condition: selection | count() by clientip > 10 falsepositives: - Unstable application diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index acfa3ee6..7617fe33 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml 
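Review bot: The new `selection` map in lnx_susp_failed_logons_single_source.yml carries no term that limits it to failed logins — `log: auth` plus `pam_user: not null` and `pam_rhost: not null` also matches successful PAM logins, so `count(pam_user) by pam_rhost > 3` can fire on a host that legitimately logs several users in, contrary to the rule title. Unless the `auth` log source is known to contain only failures, add a failure constraint, e.g. `keywords: - 'authentication failure'` (the phrase pam_unix writes on a failed password) and `condition: selection and keywords | count(pam_user) by pam_rhost > 3`. `not null` is also an unquoted scalar whose meaning depends on the converter treating it as a keyword rather than the literal text; a short comment stating the intended semantics would help maintainers.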
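Review bot: The aggregation in net_susp_network_scan.yml is written as `count(dst_port) > 10 by src_ip`, while the sibling rules in this commit use the `count(field) by group > N` order (`count(pam_user) by pam_rhost > 3`, `count() by clientip > 10`); one of the two orders is presumably not what the converter parses, so the three rules should agree. The `condition:` here is also a YAML list (`- selection | ...`) rather than the scalar every other rule uses, and its remaining entries lie outside the hunk, so it is worth confirming that a list-valued condition is supported. If several aggregations are intended, a comment stating whether they are ORed would make the intent explicit.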
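Review bot: The count-based condition in web_multiple_suspicious_resp_codes_single_source.yml, `selection | count() by clientip > 10`, has no `timeframe:`, whereas the other counting rules in this commit (lnx and net_susp_network_scan) set `timeframe: last 24h`; without one the threshold is evaluated over whatever window the backend defaults to, which is likely either the whole index or unbounded. Add `timeframe: last 24h` (or whatever window the 10-response threshold was calibrated for) between `selection:` and `condition:`. The list values under `log:` and `response:` are correctly kept as lists, since OR is the intended linkage there.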
@@ -2,9 +2,9 @@ title: Webshell Detection by Keyword description: Detects webshells that use GET requests by keyword sarches in URL strings detection: selection: - - log: - - access.log - - error.log + log: + - access.log + - error.log keywords: - '=whoami' - '=net%20user' diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 551e87d9..ac482e86 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -2,11 +2,11 @@ title: Mimikatz Usage description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) detection: selection: - - EventLog: - - Security - - System - - Application - - Microsoft-Windows-Sysmon/Operational + EventLog: + - Security + - System + - Application + - Microsoft-Windows-Sysmon/Operational keywords: - mimikatz - mimilib @@ -19,5 +19,5 @@ detection: condition: selection and 1 of keywords falsepositives: - Naughty administrators - - Penetraion test + - Penetration test level: 100 diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index fd305a79..29d959b3 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -2,7 +2,7 @@ title: Relevant Anti-Virus Event description: This detection method points out highly relevant Antivirus events detection: selection: - - EventLog: Application + EventLog: Application keywords: - HTool - Hacktool diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index fcd4576b..e75b9111 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml 
@@ -2,10 +2,10 @@ title: Eventlog Cleared description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities detection: selection: - - EventLog: Security - EventID: - - 517 - - 1102 + EventLog: Security + EventID: + - 517 + - 1102 condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index f5abef83..80b02606 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -2,16 +2,16 @@ title: Account Tampering - Suspicious Failed Logon Reasons description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. detection: selection: - - EventLog: Security - EventID: - - 4625 - - 4776 - Status: - - 0xC0000072 - - 0xC000006F - - 0xC0000070 - - 0xC0000413 - - 0xC000018C + EventLog: Security + EventID: + - 4625 + - 4776 + Status: + - 0xC0000072 + - 0xC000006F + - 0xC0000070 + - 0xC0000413 + - 0xC000018C condition: selection falsepositives: - User using a disabled account diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index dfa68c97..0b4f19a7 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml 
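Review bot: The two EventID values in win_susp_eventlog_cleared.yml are left without any explanation of why both are listed; a comment such as `# 517: pre-Vista ID, 1102: Vista+ "The audit log was cleared"` would stop a later reviewer from dropping one as a duplicate. Note also that the selection is restricted to `EventLog: Security`, which matches the description, but clearing of other logs is reported in the System log (Event ID 104 from the Eventlog provider) and would not be seen by this rule — if that is a deliberate scoping decision, say so in the description; if not, a second selection on the System log would close the gap.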
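Review bot: win_susp_failed_logon_reasons.yml now ANDs `EventID` in {4625, 4776} with `Status` in the listed codes, but the two events do not report those codes in the same field: in my recollection 4625 carries the generic 0xC000006E in Status and the detailed reason (0xC0000072, 0xC000006F, 0xC0000070, 0xC0000413) in SubStatus, and 4776 calls its field Error Code rather than Status. As written the rule may therefore match only the 0xC000018C case on 4625 and nothing on 4776 unless the field-mapping layer aliases these names; please verify against real events. If the mismatch is real, split into two selections (one per event with its own field name) and OR them in the condition, and annotate each status code with its meaning, e.g. `- 0xC0000072 # account disabled`.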
@@ -2,13 +2,13 @@ title: Multiple Failed Logins with Different Accounts from Single Source System description: Detects suspicious failed logins with different user accounts from a single source system detection: selection: - - EventLog: Security - EventID: - - 529 - - 4625 - - 4776 - UserName: not null - SourceWorkstation: not null + EventLog: Security + EventID: + - 529 + - 4625 + - 4776 + UserName: not null + SourceWorkstation: not null timeframe: last 24h condition: selection | count(UserName) by SourceWorkstation > 3 falsepositives: diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index 6b7e6a45..0e250618 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml @@ -2,43 +2,43 @@ title: Kerberos Manipulation description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages detection: selection: - - EventLog: Security - EventID: - - 675 - - 4768 - - 4769 - - 4771 - FailureCode: - - '0x9' - - '0xA' - - '0xB' - - '0xF' - - '0x10' - - '0x11' - - '0x13' - - '0x14' - - '0x1A' - - '0x1F' - - '0x21' - - '0x22' - - '0x23' - - '0x24' - - '0x26' - - '0x27' - - '0x28' - - '0x29' - - '0x2C' - - '0x2D' - - '0x2E' - - '0x2F' - - '0x31' - - '0x32' - - '0x3E' - - '0x3F' - - '0x40' - - '0x41' - - '0x43' - - '0x44' + EventLog: Security + EventID: + - 675 + - 4768 + - 4769 + - 4771 + FailureCode: + - '0x9' + - '0xA' + - '0xB' + - '0xF' + - '0x10' + - '0x11' + - '0x13' + - '0x14' + - '0x1A' + - '0x1F' + - '0x21' + - '0x22' + - '0x23' + - '0x24' + - '0x26' + - '0x27' + - '0x28' + - '0x29' + - '0x2C' + - '0x2D' + - '0x2E' + - '0x2F' + - '0x31' + - '0x32' + - '0x3E' + - '0x3F' + - '0x40' + - '0x41' + - '0x43' + - '0x44' condition: selection falsepositives: - Faulty legacy applications 
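Review bot: The thirty `FailureCode` values in win_susp_kerberos_manipulation.yml are listed bare, so a reader cannot tell which are "rare" by design and which common codes (e.g. the pre-authentication and bad-password failures) were intentionally left out. Add a trailing comment with the RFC 4120 error name to each entry, e.g. `- '0x9'   # KDC_ERR_NULL_KEY`, and a one-line comment above the list naming the codes deliberately excluded and why. This is documentation only; the map conversion itself is correct since `EventLog`, `EventID` and `FailureCode` must all hold on one event.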
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index 8ce0b9c0..ebb7f32a 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -4,11 +4,11 @@ status: experimental reference: https://twitter.com/jackcr/status/807385668833968128 detection: selection: - - EventLog: Security - EventID: 4656 - ProcessName: 'C:\Windows\System32\lsass.exe' - AccessMask: '0x705' - ObjectType: 'SAM_DOMAIN' + EventLog: Security + EventID: 4656 + ProcessName: 'C:\Windows\System32\lsass.exe' + AccessMask: '0x705' + ObjectType: 'SAM_DOMAIN' condition: selection falsepositives: - Unkown diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 42a2b484..94b7fd88 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -4,10 +4,10 @@ reference: https://adsecurity.org/?p=3458 description: Detects logons using RC4 encryption type detection: selection: - - EventLog: Security - EventID: 4769 - TicketOptions: '0x40810000' - TicketEncryption: '0x17' + EventLog: Security + EventID: 4769 + TicketOptions: '0x40810000' + TicketEncryption: '0x17' reduction: - ServiceName: '$*' - Type: 'Success Audit' @@ -15,4 +15,4 @@ detection: falsepositives: - Service accounts used on legacy systems (e.g. NetApp) - Windows Domains with DFL 2003 and legacy systems -level: 40 \ No newline at end of file +level: 40 diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 092e6c5e..c05876a4 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml 
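Review bot: The selection in win_susp_lsass_dump.yml depends on Security event 4656 for `SAM_DOMAIN` objects with `AccessMask: '0x705'`, which is only emitted when the corresponding object-access auditing is enabled; nothing in the rule records that prerequisite, so a deployment without it silently never fires. Add a comment next to `EventID: 4656` naming the audit setting required (the referenced tweet is the only hint), and note that `0x705` is a specific access-mask combination whose meaning should be spelled out, e.g. `AccessMask: '0x705' # TODO: document the individual access rights this mask encodes`.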
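Review bot: In win_susp_rc4_kerberos.yml the `reduction:` block is still a list of one-element maps (`- ServiceName: '$*'`, `- Type: 'Success Audit'`), which under the semantics this commit describes are ORed — so every Success Audit event would be excluded regardless of service name, and the rule would effectively only see failure audits. If the intent is to exclude only service-account tickets, collapse it into one map, `reduction:` / `  ServiceName: '$*'` / `  Type: 'Success Audit'`, as was done for `selection`. The wildcard `'$*'` also looks inverted for computer accounts, whose names end in `$` (`'*$'`); the `condition:` that applies `reduction` lies outside the hunk, so this is worth checking together with it.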
@@ -4,20 +4,20 @@ description: Detects certain DLL loads when Mimikatz gets executed reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ detection: dllload1: - - EventLog: Microsoft-Windows-Sysmon/Operational - - EventID: 7 - - Image: 'C:\Windows\System32\rundll32.exe' - - ImageLoaded: '*\vaultcli.dll' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 7 + Image: 'C:\Windows\System32\rundll32.exe' + ImageLoaded: '*\vaultcli.dll' dllload2: - - EventLog: Microsoft-Windows-Sysmon/Operational - - EventID: 7 - - Image: 'C:\Windows\System32\rundll32.exe' - - ImageLoaded: '*\wlanapi.dll' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 7 + Image: 'C:\Windows\System32\rundll32.exe' + ImageLoaded: '*\wlanapi.dll' exclusion: - - EventLog: Microsoft-Windows-Sysmon/Operational - - EventID: 7 - - Image: 'C:\Windows\System32\rundll32.exe' - - ImageLoaded: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 7 + Image: 'C:\Windows\System32\rundll32.exe' + ImageLoaded: - 'ntdsapi.dll' - 'netapi32.dll' - 'imm32.dll' @@ -32,4 +32,4 @@ detection: condition: ( dllload1 and dllload2 ) and not exclusion falsepositives: - unknown -level: 50 \ No newline at end of file +level: 50 diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index 9378e25d..c5e3222c 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -3,10 +3,10 @@ description: Detects password dumper activity by monitoring remote thread creati reference: Internal research detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - EventID: 8 - TargetProcess: 'C:\Windows\System32\lsass.exe' - StartModule: '' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 8 + TargetProcess: 'C:\Windows\System32\lsass.exe' + StartModule: '' condition: selection falsepositives: - unknown 
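Review bot: The condition `( dllload1 and dllload2 ) and not exclusion` in sysmon_mimikatz_inmemory_detection.yml cannot be satisfied by a single event after this change: `dllload1` requires `ImageLoaded: '*\vaultcli.dll'` and `dllload2` requires `ImageLoaded: '*\wlanapi.dll'`, and a Sysmon event 7 carries exactly one ImageLoaded. Unless the converter correlates across events, the AND needs a timeframe and a grouping key, e.g. `condition: dllload1 or dllload2 | count(ImageLoaded) by ProcessGuid > 1` with `timeframe: last 1m` (field name to be confirmed against the Sysmon schema). With `exclusion` now also a map that requires `Image: rundll32.exe` and a third ImageLoaded value, `not exclusion` is likewise always true on any event matched by the dllload selections; the ImageLoaded list under `exclusion` continues outside the hunk.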
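Review bot: sysmon_password_dumper_lsass.yml keys on `TargetProcess: 'C:\Windows\System32\lsass.exe'`, but Sysmon event 8 (CreateRemoteThread) names that field `TargetImage`; unless a mapping layer aliases it, the selection never matches. Change to `TargetImage: 'C:\Windows\System32\lsass.exe'`. `StartModule: ''` also assumes the field is present and empty, whereas Sysmon may report an unresolved module as `-` depending on version; add a comment stating which representation was observed, or match both values in a list.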
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1f77b38c..3d447210 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -2,9 +2,9 @@ title: Suspicious Driver Load from Temp description: Detetcs a driver load from a temporary directory detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - EventID: 6 - ImageLoaded: '*\Temp\*' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 6 + ImageLoaded: '*\Temp\*' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the envirnment diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index 0bc22199..ceae0025 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -4,12 +4,12 @@ description: Processes started by MMC could by a sign of lateral movement using reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - EventID: 1 - ParentImage: '*\mmc.exe' - Image: '*\cmd.exe' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + ParentImage: '*\mmc.exe' + Image: '*\cmd.exe' exclusion: - - CommandLine: '*\RunCmd.cmd' + CommandLine: '*\RunCmd.cmd' condition: selection and not exclusion falsepositives: - unknown diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index e5ddba94..54deeceb 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml 
@@ -2,13 +2,13 @@ title: Java running with Remote Debugging description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - - EventID: 1 - - CommandLine: '*transport=dt_socket,address=*' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + CommandLine: '*transport=dt_socket,address=*' exclusion: - CommandLine: '*address=127.0.0.1*' - CommandLine: '*address=localhost*' condition: selection and not exclusion falsepositives: - unknown -level: 30 \ No newline at end of file +level: 30 diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index 0152c7c9..cff128fd 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -2,15 +2,15 @@ title: Webshell Detection With Command Line Keywords description: Detects certain command line parameters often used during reconnissaince activity via web shells detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - EventID: 1 - ParentImage: - - '*\apache*' - - '*\tomcat*' - CommandLine: - - 'whoami' - - 'net user' - - 'ping -n' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + ParentImage: + - '*\apache*' + - '*\tomcat*' + CommandLine: + - 'whoami' + - 'net user' + - 'ping -n' condition: selection falsepositives: - unknown diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index d58a882d..064692f4 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml 
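Review bot: The `CommandLine` values in sysmon_webshell_detection.yml (`'whoami'`, `'net user'`, `'ping -n'`) have no wildcards, while the `ParentImage` entries in the same map do; as plain values they match only a command line that is exactly that string, so `cmd.exe /c whoami` or `ping -n 1 host` would not trigger. Change them to `'*whoami*'`, `'*net user*'` and `'*ping -n*'`. Note that `'*\tomcat*'` as a parent only matches Tomcat launched through a binary with "tomcat" in its path; instances run via a plain `java.exe` would be missed, which is presumably acceptable but worth a comment.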
@@ -3,16 +3,16 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack detection: selection: - - EventLog: Microsoft-Windows-Sysmon/Operational - EventID: 1 - ParentImage: - - '*\w3wp.exe' - - '*\httpd.exe' - - '*\nginx.exe' - Image: - - '*\cmd.exe' - - '*\sh.exe' - - '*\bash.exe' + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + ParentImage: + - '*\w3wp.exe' + - '*\httpd.exe' + - '*\nginx.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' condition: selection falsepositives: - Particular web applications may spawn a shell process legitimately
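Review bot: The `Image` list in sysmon_webshell_spawn.yml covers `cmd.exe`, `sh.exe` and `bash.exe` but not `powershell.exe`, which a web shell on a Windows host spawns at least as often as cmd.exe; adding `- '*\powershell.exe'` to the list keeps the rule's intent and closes that gap. The `ParentImage` list likewise only names w3wp/httpd/nginx, so PHP-CGI or Java-hosted applications are out of scope; if that is intentional, a comment on the list saying so would prevent repeated extension requests.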