Merge branch 'devel-sigmac'
commit
3b8b04fe09
@ -16,7 +16,7 @@ detection:
|
||||
selection2:
|
||||
EventID: 1
|
||||
CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
|
||||
condition: selection1 or selection2
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
|
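Review bot: `1 of them` on the new condition line enumerates every definition in the detection block, not only the `selection1` and `selection2` that the old condition named, so any further definition above this hunk is now OR-ed in as well. The same substitution is made in the other rule hunks of this commit; the `all of them` rewrites (those replacing `selection and keywords`, `selection and keyword`, `encoded and hidden and noninteractive` and `keywords and substrings`) carry the larger risk, because an extra unnamed definition makes those rules stricter rather than broader. Each rewritten rule's full detection block should be checked for definitions the old condition did not reference; the rule bodies start above each hunk and are not visible here. Where a definition is deliberately left out of the condition, the explicit form should be kept rather than `x of them`.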
@ -15,7 +15,7 @@ detection:
|
||||
src:
|
||||
- '69.42.98.86'
|
||||
- '89.185.234.145'
|
||||
condition: outgoing or incoming
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
|
@ -18,7 +18,7 @@ detection:
|
||||
selection2:
|
||||
EventID: 1
|
||||
Command: 'loaddll -a *'
|
||||
condition: selection1 or selection2
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- EventID
|
||||
- CommandLine
|
||||
|
@ -12,7 +12,7 @@ detection:
|
||||
EventID: 4707
|
||||
keywords:
|
||||
- 'SeEnableDelegationPrivilege'
|
||||
condition: selection and keywords
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
|
@ -20,7 +20,7 @@ detection:
|
||||
EventID: 5136
|
||||
ObjectClass: 'user'
|
||||
AttributeLDAPDisplayName: 'servicePrincipalName'
|
||||
condition: selection1 or selection2 or selection3
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
|
@ -7,26 +7,26 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
EventID: 7045
|
||||
wce:
|
||||
malsvc_wce:
|
||||
ServiceName:
|
||||
- 'WCESERVICE'
|
||||
- 'WCE SERVICE'
|
||||
paexec:
|
||||
malsvc_paexec:
|
||||
ServiceFileName: '*\PAExec*'
|
||||
winexe:
|
||||
malsvc_winexe:
|
||||
ServiceFileName: 'winexesvc.exe*'
|
||||
pwdumpx:
|
||||
malsvc_pwdumpx:
|
||||
ServiceFileName: '*\DumpSvc.exe'
|
||||
wannacry:
|
||||
malsvc_wannacry:
|
||||
ServiceName: 'mssecsvc2.0'
|
||||
persistence:
|
||||
malsvc_persistence:
|
||||
ServiceFileName: '* net user *'
|
||||
others:
|
||||
malsvc_others:
|
||||
ServiceName:
|
||||
- 'pwdump*'
|
||||
- 'gsecdump*'
|
||||
- 'cachedump*'
|
||||
condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
|
||||
condition: selection and 1 of malsvc_*
|
||||
falsepositives:
|
||||
- Penetration testing
|
||||
level: critical
|
||||
|
@ -16,11 +16,10 @@ detection:
|
||||
selection2:
|
||||
Source: 'Windows Error Reporting'
|
||||
EventID: 1001
|
||||
keyword1:
|
||||
keywords:
|
||||
- 'MsMpEng.exe'
|
||||
keyword2:
|
||||
- 'mpengine.dll'
|
||||
condition: (selection1 or selection2) and keyword1 and keyword2
|
||||
condition: 1 of selection* and all of keywords
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
|
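Review bot: Merging `keyword1` and `keyword2` into one `keywords` list moves the AND requirement out of the data and into the condition wording alone: `all of keywords` ANDs the list items, whereas a plain `keywords` reference or `1 of keywords` would OR them, so a later simplification of the condition would silently turn this into a match on either string. A short comment on the list, e.g. `# both strings must occur in the event - keep 'all of keywords'`, would document that dependency. The rule body above the hunk is not visible here.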
@ -11,7 +11,7 @@ detection:
|
||||
EventID: 16
|
||||
keywords:
|
||||
- '*\AppData\Local\Temp\SAM-*.dmp *'
|
||||
condition: selection and keywords
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Penetration testing
|
||||
level: high
|
||||
|
@ -26,7 +26,7 @@ detection:
|
||||
CommandLine: '*.dat,#1'
|
||||
perfc_keyword:
|
||||
- '*\perfc.dat*'
|
||||
condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
|
@ -30,7 +30,7 @@ detection:
|
||||
- '*bcdedit /set {default} recoveryenabled no*'
|
||||
- '*wbadmin delete catalog -quiet*'
|
||||
- '*@Please_Read_Me@.txt*'
|
||||
condition: selection1 or selection2
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
|
@ -12,7 +12,7 @@ detection:
|
||||
- '*icacls * /grant Everyone:F /T /C /Q*'
|
||||
- '*bcdedit /set {default} recoveryenabled no*'
|
||||
- '*wbadmin delete catalog -quiet*'
|
||||
condition: selection1 or selection2
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
|
@ -18,7 +18,7 @@ detection:
|
||||
EventID: 1
|
||||
Image: '*\PSEXESVC.exe'
|
||||
User: 'NT AUTHORITY\SYSTEM'
|
||||
condition: service_installation or service_execution or sysmon_processcreation
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- EventID
|
||||
- CommandLine
|
||||
|
@ -14,7 +14,7 @@ detection:
|
||||
EventID: 4104
|
||||
keyword:
|
||||
- 'PromptForCredential'
|
||||
condition: selection and keyword
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
|
@ -11,9 +11,9 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4103
|
||||
keywords:
|
||||
keyword:
|
||||
- 'PS ATTACK!!!'
|
||||
condition: selection and keywords
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Pentesters
|
||||
level: high
|
||||
|
@ -16,8 +16,9 @@ detection:
|
||||
noninteractive:
|
||||
- ' -noni '
|
||||
- ' -noninteractive '
|
||||
condition: encoded and hidden and noninteractive
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Penetration tests
|
||||
- Very special / sneaky PowerShell scripts
|
||||
level: high
|
||||
|
||||
|
@ -15,7 +15,7 @@ detection:
|
||||
dnsregmod:
|
||||
EventID: 13
|
||||
TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
|
||||
condition: dnsadmin or dnsregmod
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- EventID
|
||||
- CommandLine
|
||||
|
@ -19,7 +19,7 @@ detection:
|
||||
combination2:
|
||||
SourceImage: '*\Microsoft Office\*'
|
||||
CallTrace: '*|UNKNOWN*'
|
||||
condition: selection and ( combination1 or combination2 )
|
||||
condition: selection and 1 of combination*
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: high
|
||||
|
@ -1,25 +0,0 @@
|
||||
title: Suspicious PowerShell Parameter Combination
|
||||
status: experimental
|
||||
description: Detects suspicious PowerShell invocation command parameters
|
||||
author: Florian Roth
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
keywords:
|
||||
- 'powershell'
|
||||
encoded:
|
||||
- ' -enc '
|
||||
- ' -EncodedCommand '
|
||||
hidden:
|
||||
- ' -w hidden '
|
||||
- ' -window hidden '
|
||||
- ' -windowstyle hidden '
|
||||
noninteractive:
|
||||
- ' -noni '
|
||||
- ' -noninteractive '
|
||||
condition: keywords and encoded and hidden and noninteractive
|
||||
falsepositives:
|
||||
- Penetration tests
|
||||
- Very special / sneaky PowerShell scripts
|
||||
level: high
|
@ -51,7 +51,7 @@ detection:
|
||||
- ' -encod '
|
||||
- ' -enco '
|
||||
- ' -en '
|
||||
condition: keywords and substrings
|
||||
condition: all of them
|
||||
falsepositives:
|
||||
- Penetration tests
|
||||
level: high
|
||||
|
@ -31,7 +31,7 @@ detection:
|
||||
EventID: 1
|
||||
Image: '*\wscript.exe'
|
||||
ParentImage: '*\regsvr32.exe'
|
||||
condition: selection1 or selection2 or selection3 or selection4
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
|
@ -101,8 +101,9 @@ class SigmaParser:
|
||||
def parse_sigma(self):
|
||||
try: # definition uniqueness check
|
||||
for definitionName, definition in self.parsedyaml["detection"].items():
|
||||
self.definitions[definitionName] = definition
|
||||
self.extract_values(definition) # builds key-values-table in self.values
|
||||
if definitionName != "condition":
|
||||
self.definitions[definitionName] = definition
|
||||
self.extract_values(definition) # builds key-values-table in self.values
|
||||
except KeyError:
|
||||
raise SigmaParseError("No detection definitions found")
|
||||
|
||||
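Review bot: The `try` on the new side still wraps the whole `for` loop, so a `KeyError` raised inside `extract_values` or by a malformed definition is reported as "No detection definitions found", which sends the rule author to the wrong place; only the `self.parsedyaml["detection"]` lookup belongs inside the `try`. Excluding `condition` from `self.definitions` is what keeps `1 of them` from treating the condition string as a definition, which is worth stating in a comment such as `# "condition" is a query, not a definition; keep it out of the x-of-them set`. parse_sigma may continue past the end of the hunk. A restructured version:
```python
def parse_sigma(self):
    try:
        detection = self.parsedyaml["detection"]
    except KeyError:
        raise SigmaParseError("No detection definitions found")
    for definitionName, definition in detection.items():
        if definitionName != "condition":  # "condition" is a query, not a definition
            self.definitions[definitionName] = definition
            self.extract_values(definition)  # builds key-values-table in self.values
```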
@ -283,7 +284,7 @@ class SigmaConditionTokenizer:
|
||||
(SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)),
|
||||
(SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)),
|
||||
(SigmaConditionToken.TOKEN_NOT, re.compile("not", re.IGNORECASE)),
|
||||
(SigmaConditionToken.TOKEN_ID, re.compile("\\w+")),
|
||||
(SigmaConditionToken.TOKEN_ID, re.compile("[\\w*]+")),
|
||||
(SigmaConditionToken.TOKEN_LPAR, re.compile("\\(")),
|
||||
(SigmaConditionToken.TOKEN_RPAR, re.compile("\\)")),
|
||||
]
|
||||
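Review bot: The widened `TOKEN_ID` pattern `[\w*]+` accepts a bare `*` and identifiers with a leading wildcard such as `*selection`, but the consumer added in the `convertXOf` hunk below only treats the token as a pattern when `val.matched.find("*") > 0`, so a leading `*` falls through to `parse_definition_byname` and presumably fails with a lookup error rather than a parse error. Either restrict the tokenizer to `\w[\w*]*` so the two agree, or test membership in `convertXOf` with `elif "*" in val.matched:`. The tokenizer table begins above the hunk, so any other pattern that could also match `*` is not visible here.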
@ -417,13 +418,36 @@ class NodeSubexpression(ParseTreeNode):
|
||||
self.items = subexpr
|
||||
|
||||
# Parse tree converters: convert something into one of the parse tree node classes defined above
|
||||
def convertXOf(sigma, val, condclass):
|
||||
"""
|
||||
Generic implementation of (1|all) of x expressions.
|
||||
|
||||
* condclass across all list items if x is name of definition
|
||||
* condclass across all definitions if x is keyword 'them'
|
||||
* condclass across all matching definition if x is wildcard expression, e.g. 'selection*'
|
||||
"""
|
||||
if val.matched == "them": # OR across all definitions
|
||||
cond = condclass()
|
||||
for definition in sigma.definitions.values():
|
||||
cond.add(NodeSubexpression(sigma.parse_definition(definition)))
|
||||
return NodeSubexpression(cond)
|
||||
elif val.matched.find("*") > 0: # OR across all matching definitions
|
||||
cond = condclass()
|
||||
reDefPat = re.compile("^" + val.matched.replace("*", ".*") + "$")
|
||||
for name, definition in sigma.definitions.items():
|
||||
if reDefPat.match(name):
|
||||
cond.add(NodeSubexpression(sigma.parse_definition(definition)))
|
||||
return NodeSubexpression(cond)
|
||||
else: # OR across all items of definition
|
||||
return NodeSubexpression(sigma.parse_definition_byname(val.matched, condclass))
|
||||
|
||||
def convertAllOf(sigma, op, val):
|
||||
"""Convert 'all of x' into ConditionAND"""
|
||||
return NodeSubexpression(sigma.parse_definition_byname(val.matched, ConditionAND))
|
||||
"""Convert 'all of x' expressions into ConditionAND"""
|
||||
return convertXOf(sigma, val, ConditionAND)
|
||||
|
||||
def convertOneOf(sigma, op, val):
|
||||
"""Convert '1 of x' into ConditionOR"""
|
||||
return NodeSubexpression(sigma.parse_definition_byname(val.matched, ConditionOR))
|
||||
"""Convert '1 of x' expressions into ConditionOR"""
|
||||
return convertXOf(sigma, val, ConditionOR)
|
||||
|
||||
def convertId(sigma, op):
|
||||
"""Convert search identifiers (lists or maps) into condition nodes according to spec defaults"""
|
||||
|
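Review bot: In `convertXOf` a wildcard that matches no definition name, and `them` on a rule whose detection block holds nothing but the condition, both return a `NodeSubexpression` wrapping an empty `condclass()`; nothing in the hunk reports that, so a typo like `1 of selction*` compiles to whatever the backend emits for an empty AND/OR instead of failing at parse time. A check after each loop, e.g. `if not cond.items: raise SigmaParseError("No definition matches '%s'" % val.matched)`, would surface it, assuming the condition classes expose their members as `items` the way `NodeSubexpression` does — otherwise use whatever emptiness test they provide. The three inline comments say `# OR across ...` while the operator is `condclass`, which may be `ConditionAND`; they should read `# condclass across all definitions`, `# condclass across all matching definitions` and `# condclass across all items of definition`. The `.*` expansion in `reDefPat` is safe only because the tokenizer restricts the token to `[\w*]+`; `re.compile("^" + re.escape(val.matched).replace("\\*", ".*") + "$")` would not depend on that.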