Merge branch 'devel-sigmac'

This commit is contained in:
Thomas Patzke 2018-03-06 23:19:45 +01:00
commit 3b8b04fe09
21 changed files with 60 additions and 61 deletions


@ -16,7 +16,7 @@ detection:
selection2: selection2:
EventID: 1 EventID: 1
CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: selection1 or selection2 condition: 1 of them
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical
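Review bot: The rewritten `condition: 1 of them` expands to an OR over every definition in the detection block (the `them` branch of convertXOf added in this merge iterates all of `sigma.definitions`), whereas the old `selection1 or selection2` named its operands explicitly, so the two are only equivalent if selection1 and selection2 are the sole definitions in this rule; the start of the detection block lies above the hunk and is not visible here, so this should be confirmed per rule. Any filter or helper definition added to such a rule later silently widens what it matches, which is worth a one-line comment next to the condition, e.g. `# 1 of them: every definition above is a positive selection`. The same consideration applies to every other rule section in this commit that rewrites an or-chain as `1 of them` or an and-chain as `all of them`.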


@ -15,7 +15,7 @@ detection:
src: src:
- '69.42.98.86' - '69.42.98.86'
- '89.185.234.145' - '89.185.234.145'
condition: outgoing or incoming condition: 1 of them
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high


@ -18,7 +18,7 @@ detection:
selection2: selection2:
EventID: 1 EventID: 1
Command: 'loaddll -a *' Command: 'loaddll -a *'
condition: selection1 or selection2 condition: 1 of them
fields: fields:
- EventID - EventID
- CommandLine - CommandLine


@ -12,7 +12,7 @@ detection:
EventID: 4707 EventID: 4707
keywords: keywords:
- 'SeEnableDelegationPrivilege' - 'SeEnableDelegationPrivilege'
condition: selection and keywords condition: all of them
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high


@ -20,7 +20,7 @@ detection:
EventID: 5136 EventID: 5136
ObjectClass: 'user' ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName' AttributeLDAPDisplayName: 'servicePrincipalName'
condition: selection1 or selection2 or selection3 condition: 1 of them
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high


@ -7,26 +7,26 @@ logsource:
detection: detection:
selection: selection:
EventID: 7045 EventID: 7045
wce: malsvc_wce:
ServiceName: ServiceName:
- 'WCESERVICE' - 'WCESERVICE'
- 'WCE SERVICE' - 'WCE SERVICE'
paexec: malsvc_paexec:
ServiceFileName: '*\PAExec*' ServiceFileName: '*\PAExec*'
winexe: malsvc_winexe:
ServiceFileName: 'winexesvc.exe*' ServiceFileName: 'winexesvc.exe*'
pwdumpx: malsvc_pwdumpx:
ServiceFileName: '*\DumpSvc.exe' ServiceFileName: '*\DumpSvc.exe'
wannacry: malsvc_wannacry:
ServiceName: 'mssecsvc2.0' ServiceName: 'mssecsvc2.0'
persistence: malsvc_persistence:
ServiceFileName: '* net user *' ServiceFileName: '* net user *'
others: malsvc_others:
ServiceName: ServiceName:
- 'pwdump*' - 'pwdump*'
- 'gsecdump*' - 'gsecdump*'
- 'cachedump*' - 'cachedump*'
condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others ) condition: selection and 1 of malsvc_*
falsepositives: falsepositives:
- Penetration testing - Penetration testing
level: critical level: critical


@ -16,11 +16,10 @@ detection:
selection2: selection2:
Source: 'Windows Error Reporting' Source: 'Windows Error Reporting'
EventID: 1001 EventID: 1001
keyword1: keywords:
- 'MsMpEng.exe' - 'MsMpEng.exe'
keyword2:
- 'mpengine.dll' - 'mpengine.dll'
condition: (selection1 or selection2) and keyword1 and keyword2 condition: 1 of selection* and all of keywords
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high


@ -11,7 +11,7 @@ detection:
EventID: 16 EventID: 16
keywords: keywords:
- '*\AppData\Local\Temp\SAM-*.dmp *' - '*\AppData\Local\Temp\SAM-*.dmp *'
condition: selection and keywords condition: all of them
falsepositives: falsepositives:
- Penetration testing - Penetration testing
level: high level: high


@ -26,7 +26,7 @@ detection:
CommandLine: '*.dat,#1' CommandLine: '*.dat,#1'
perfc_keyword: perfc_keyword:
- '*\perfc.dat*' - '*\perfc.dat*'
condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword condition: 1 of them
fields: fields:
- CommandLine - CommandLine
- ParentCommandLine - ParentCommandLine


@ -30,7 +30,7 @@ detection:
- '*bcdedit /set {default} recoveryenabled no*' - '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*' - '*wbadmin delete catalog -quiet*'
- '*@Please_Read_Me@.txt*' - '*@Please_Read_Me@.txt*'
condition: selection1 or selection2 condition: 1 of them
fields: fields:
- CommandLine - CommandLine
- ParentCommandLine - ParentCommandLine


@ -12,7 +12,7 @@ detection:
- '*icacls * /grant Everyone:F /T /C /Q*' - '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*' - '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*' - '*wbadmin delete catalog -quiet*'
condition: selection1 or selection2 condition: 1 of them
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical


@ -18,7 +18,7 @@ detection:
EventID: 1 EventID: 1
Image: '*\PSEXESVC.exe' Image: '*\PSEXESVC.exe'
User: 'NT AUTHORITY\SYSTEM' User: 'NT AUTHORITY\SYSTEM'
condition: service_installation or service_execution or sysmon_processcreation condition: 1 of them
fields: fields:
- EventID - EventID
- CommandLine - CommandLine


@ -14,7 +14,7 @@ detection:
EventID: 4104 EventID: 4104
keyword: keyword:
- 'PromptForCredential' - 'PromptForCredential'
condition: selection and keyword condition: all of them
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high


@ -11,9 +11,9 @@ logsource:
detection: detection:
selection: selection:
EventID: 4103 EventID: 4103
keywords: keyword:
- 'PS ATTACK!!!' - 'PS ATTACK!!!'
condition: selection and keywords condition: all of them
falsepositives: falsepositives:
- Pentesters - Pentesters
level: high level: high


@ -16,8 +16,9 @@ detection:
noninteractive: noninteractive:
- ' -noni ' - ' -noni '
- ' -noninteractive ' - ' -noninteractive '
condition: encoded and hidden and noninteractive condition: all of them
falsepositives: falsepositives:
- Penetration tests - Penetration tests
- Very special / sneaky PowerShell scripts
level: high level: high


@ -15,7 +15,7 @@ detection:
dnsregmod: dnsregmod:
EventID: 13 EventID: 13
TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
condition: dnsadmin or dnsregmod condition: 1 of them
fields: fields:
- EventID - EventID
- CommandLine - CommandLine


@ -19,7 +19,7 @@ detection:
combination2: combination2:
SourceImage: '*\Microsoft Office\*' SourceImage: '*\Microsoft Office\*'
CallTrace: '*|UNKNOWN*' CallTrace: '*|UNKNOWN*'
condition: selection and ( combination1 or combination2 ) condition: selection and 1 of combination*
falsepositives: falsepositives:
- unknown - unknown
level: high level: high


@ -1,25 +0,0 @@
title: Suspicious PowerShell Parameter Combination
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
keywords:
- 'powershell'
encoded:
- ' -enc '
- ' -EncodedCommand '
hidden:
- ' -w hidden '
- ' -window hidden '
- ' -windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
condition: keywords and encoded and hidden and noninteractive
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
level: high


@ -51,7 +51,7 @@ detection:
- ' -encod ' - ' -encod '
- ' -enco ' - ' -enco '
- ' -en ' - ' -en '
condition: keywords and substrings condition: all of them
falsepositives: falsepositives:
- Penetration tests - Penetration tests
level: high level: high


@ -31,7 +31,7 @@ detection:
EventID: 1 EventID: 1
Image: '*\wscript.exe' Image: '*\wscript.exe'
ParentImage: '*\regsvr32.exe' ParentImage: '*\regsvr32.exe'
condition: selection1 or selection2 or selection3 or selection4 condition: 1 of them
fields: fields:
- CommandLine - CommandLine
- ParentCommandLine - ParentCommandLine


@ -101,8 +101,9 @@ class SigmaParser:
def parse_sigma(self): def parse_sigma(self):
try: # definition uniqueness check try: # definition uniqueness check
for definitionName, definition in self.parsedyaml["detection"].items(): for definitionName, definition in self.parsedyaml["detection"].items():
self.definitions[definitionName] = definition if definitionName != "condition":
self.extract_values(definition) # builds key-values-table in self.values self.definitions[definitionName] = definition
self.extract_values(definition) # builds key-values-table in self.values
except KeyError: except KeyError:
raise SigmaParseError("No detection definitions found") raise SigmaParseError("No detection definitions found")
@ -283,7 +284,7 @@ class SigmaConditionTokenizer:
(SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)), (SigmaConditionToken.TOKEN_AND, re.compile("and", re.IGNORECASE)),
(SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)), (SigmaConditionToken.TOKEN_OR, re.compile("or", re.IGNORECASE)),
(SigmaConditionToken.TOKEN_NOT, re.compile("not", re.IGNORECASE)), (SigmaConditionToken.TOKEN_NOT, re.compile("not", re.IGNORECASE)),
(SigmaConditionToken.TOKEN_ID, re.compile("\\w+")), (SigmaConditionToken.TOKEN_ID, re.compile("[\\w*]+")),
(SigmaConditionToken.TOKEN_LPAR, re.compile("\\(")), (SigmaConditionToken.TOKEN_LPAR, re.compile("\\(")),
(SigmaConditionToken.TOKEN_RPAR, re.compile("\\)")), (SigmaConditionToken.TOKEN_RPAR, re.compile("\\)")),
] ]
@ -417,13 +418,36 @@ class NodeSubexpression(ParseTreeNode):
self.items = subexpr self.items = subexpr
# Parse tree converters: convert something into one of the parse tree node classes defined above # Parse tree converters: convert something into one of the parse tree node classes defined above
def convertXOf(sigma, val, condclass):
"""
Generic implementation of (1|all) of x expressions.
* condclass across all list items if x is name of definition
* condclass across all definitions if x is keyword 'them'
* condclass across all matching definition if x is wildcard expression, e.g. 'selection*'
"""
if val.matched == "them": # OR across all definitions
cond = condclass()
for definition in sigma.definitions.values():
cond.add(NodeSubexpression(sigma.parse_definition(definition)))
return NodeSubexpression(cond)
elif val.matched.find("*") > 0: # OR across all matching definitions
cond = condclass()
reDefPat = re.compile("^" + val.matched.replace("*", ".*") + "$")
for name, definition in sigma.definitions.items():
if reDefPat.match(name):
cond.add(NodeSubexpression(sigma.parse_definition(definition)))
return NodeSubexpression(cond)
else: # OR across all items of definition
return NodeSubexpression(sigma.parse_definition_byname(val.matched, condclass))
def convertAllOf(sigma, op, val): def convertAllOf(sigma, op, val):
"""Convert 'all of x' into ConditionAND""" """Convert 'all of x' expressions into ConditionAND"""
return NodeSubexpression(sigma.parse_definition_byname(val.matched, ConditionAND)) return convertXOf(sigma, val, ConditionAND)
def convertOneOf(sigma, op, val): def convertOneOf(sigma, op, val):
"""Convert '1 of x' into ConditionOR""" """Convert '1 of x' expressions into ConditionOR"""
return NodeSubexpression(sigma.parse_definition_byname(val.matched, ConditionOR)) return convertXOf(sigma, val, ConditionOR)
def convertId(sigma, op): def convertId(sigma, op):
"""Convert search identifiers (lists or maps) into condition nodes according to spec defaults""" """Convert search identifiers (lists or maps) into condition nodes according to spec defaults"""
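Review bot: The wildcard branch of convertXOf is entered only when `val.matched.find("*") > 0`, so an identifier whose first character is `*` (which the widened `[\w*]+` TOKEN_ID pattern in the second hunk now accepts) falls through to `parse_definition_byname` and is looked up as a literal name; the test should be `elif "*" in val.matched:`. In the same branch, when no definition name matches the pattern the function returns an empty `condclass()` rather than raising, so a mistyped `1 of selction*` yields a condition with no operands and the rule silently stops matching instead of failing at parse time with a SigmaParseError, which is the safer outcome for a detection rule. The inline comments `# OR across all definitions` and `# OR across all matching definitions` are stale now that condclass may be ConditionAND; `# condclass across all definitions` reads correctly for both callers. convertId's body continues outside the hunk.
```python
def convertXOf(sigma, val, condclass):
    # … unchanged: docstring and the 'them' branch …
    elif "*" in val.matched:  # condclass across all definitions whose name matches the wildcard
        reDefPat = re.compile("^" + val.matched.replace("*", ".*") + "$")
        matching = [definition for name, definition in sigma.definitions.items() if reDefPat.match(name)]
        if not matching:
            raise SigmaParseError("No definition matches pattern '%s'" % val.matched)
        cond = condclass()
        for definition in matching:
            cond.add(NodeSubexpression(sigma.parse_definition(definition)))
        return NodeSubexpression(cond)
    # … unchanged: plain-name branch …
```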