Merge pull request #208 from Cyb3rWard0g/master

Elastalert-HELK integration Updates

rules/windows/builtin/win_disable_event_logging.yml

@@ -1,11 +1,10 @@
 title: Disabling Windows Event Auditing
-description: >
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
-    Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
     where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
     reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
-    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
+    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
 references:
     - https://bit.ly/WinLogsZero2Hero
 tags:

rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml

@@ -6,55 +6,57 @@ references:
 tags:
     - attack.execution
     - attack.t1086
-author: Florian Roth (rule), Daniel Bohannon (idea)
+author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 logsource:
     product: windows
     service: sysmon
 detection:
-    keywords:
+    selection:
-        Image: '*\powershell.exe'
+        Image:
-    substrings:
+            - '*\Powershell.exe'
-        - ' -windowstyle h '
+        EventID: 1
-        - ' -windowstyl h'
+        CommandLine:
-        - ' -windowsty h'
+            - ' -windowstyle h '
-        - ' -windowst h'
+            - ' -windowstyl h'
-        - ' -windows h'
+            - ' -windowsty h'
-        - ' -windo h'
+            - ' -windowst h'
-        - ' -wind h'
+            - ' -windows h'
-        - ' -win h'
+            - ' -windo h'
-        - ' -wi h'
+            - ' -wind h'
-        - ' -win h '
+            - ' -win h'
-        - ' -win hi '
+            - ' -wi h'
-        - ' -win hid '
+            - ' -win h '
-        - ' -win hidd '
+            - ' -win hi '
-        - ' -win hidde '
+            - ' -win hid '
-        - ' -NoPr '
+            - ' -win hidd '
-        - ' -NoPro '
+            - ' -win hidde '
-        - ' -NoProf '
+            - ' -NoPr '
-        - ' -NoProfi '
+            - ' -NoPro '
-        - ' -NoProfil ' 
+            - ' -NoProf '
-        - ' -nonin '
+            - ' -NoProfi '
-        - ' -nonint '
+            - ' -NoProfil ' 
-        - ' -noninte '
+            - ' -nonin '
-        - ' -noninter '
+            - ' -nonint '
-        - ' -nonintera '
+            - ' -noninte '
-        - ' -noninterac '
+            - ' -noninter '
-        - ' -noninteract '
+            - ' -nonintera '
-        - ' -noninteracti '
+            - ' -noninterac '
-        - ' -noninteractiv '
+            - ' -noninteract '
-        - ' -ec '
+            - ' -noninteracti '
-        - ' -encodedComman '
+            - ' -noninteractiv '
-        - ' -encodedComma '
+            - ' -ec '
-        - ' -encodedComm '
+            - ' -encodedComman '
-        - ' -encodedCom '
+            - ' -encodedComma '
-        - ' -encodedCo '
+            - ' -encodedComm '
-        - ' -encodedC '
+            - ' -encodedCom '
-        - ' -encoded '
+            - ' -encodedCo '
-        - ' -encode '
+            - ' -encodedC '
-        - ' -encod '
+            - ' -encoded '
-        - ' -enco '
+            - ' -encode '
-        - ' -en '
+            - ' -encod '
-    condition: all of them
+            - ' -enco '
+            - ' -en '
+    condition: selection
 falsepositives:
     - Penetration tests
 level: high

tools/config/helk.yml

@@ -30,64 +30,118 @@ logsources:
 defaultindex: logs-*
 fieldmappings:
     AccessMask: object_access_mask_requested
-    AccountName: service_account_name
+    AccountName: 
+        EventID=7045: service_account_name
+        EventID=4624: user_name
     AllowedToDelegateTo: user_attribute_allowed_todelegate
     AttributeLDAPDisplayName: dsobject_attribute_name
     AuditPolicyChanges: policy_changes
     AuthenticationPackageName: logon_authentication_package
-    CallTrace: process_calltrace
+    CallTrace: process_call_trace
-    CommandLine: command_line
+    CommandLine: process_command_line
+    Company: file_company
     ComputerName: host_name
+    Configuration:
+        EventID=16: sysmon_configuration
     CurrentDirectory: process_current_directory
-    DestinationHostname: dst_host
+    Description: file_description
+    Destination:
+        EventID=20: wmi_consumer_destination
+    DestinationHostname: dst_host_name
     DestinationIp: dst_ip
     DestinationIsIpv6: dst_isipv6
-    DestinationPort: dst_port_number
+    DestinationPort: dst_port
-    Details: registry_details
+    DestinationPortName: dst_port_name
+    Details: 
+        EventID=13: registry_key_value
+    Device: device_name
     EngineVersion: powershell.engine.version
     EventID: event_id
-    EventType: 
+    EventType: event_type
-        EventID=12: registry_event_type
+    EventNamespace:
-        EventID=13: registry_event_type
+        EventID=19: wmi_namespace
-        EventID=14: registry_event_type
+    Filter:
-        EventID=19: wmi_event_type
+        EventID=21: wmi_filter_path
-        EventID=20: wmi_event_type
-        EventID=21: wmi_event_type
     FailureCode: ticket_failure_code
+    FileVersion: file_version
     GrantedAccess: process_granted_access
     GroupName: group_name
     HiveName: hive_name
     HostVersion: powershell.host.version
     Image: process_path
-    ImageLoaded: image_loaded
+    ImageLoaded:
+        EventID=6: driver_loaded
+        EventID=7: module_loaded
+    Imphash: hash_imphash
+    Initiated:
+        EventID=3: network_initiated"
+    IntegrityLevel:
+        EventID=1: process_integrity_level
     LogonProcessName: logon_process_name
     LogonType: logon_type
+    MachineName: host_name
+    Name:
+        EventID=19: wmi_name
+        EventID=20: wmi_name
     NewProcessName: process_path
+    NewName:
+        EventID=14: registry_key_new_name
     ObjectClass: dsobject_class
     ObjectName: object_name
     ObjectType: object_type
     ObjectValueName: object_value_name
+    Operation:
+        EventID=19: wmi_operation
+        EventID=20: wmi_operation
+        EventID=21: wmi_operation
     OperationType: object_operation_type
     ParentImage: process_parent_path
+    ParentCommandLine: process_parent_command_line
     PipeName: pipe_name
     ProcessName: process_path
+    ProcesssCommandLine: process_command_line
+    Product: file_product
+    Properties: object_properties
+    Protocol:
+        EventID=3: network_protocol
+    Query:
+        EventID=19: wmi_query
     RelativeTargetName: share_relative_target_name
+    SchemaVersion:
+        EventID=4: sysmon_schema_version
     ServiceFileName: service_image_path
     ServiceName: service_name
     ShareName: share_name
+    Signature: signature
+    SignatureStatus: signature_status
+    Signed: signed
     Source: source_name
+    SourceHostname: src_host_name
     SourceImage: process_path
-    StartModule: thread_startmodule
+    SourcePort: src_port
-    Status: logon_failure_status
+    SourcePortName: src_port_name
-    SubjectUserName: user_name
+    StartAddress: thread_start_address
+    StartFunction: thread_start_function
+    StartModule: thread_start_module
+    Status: event_status
+    State:
+        EventID=4: service_state
+        EventID=16: sysmon_configuration_state
+    SubjectUserName: 
+        EventID=4624: user_reporter_name
+        EventID=5140: user_name
     TargetFilename: file_name
-    TargetImage: process_target_path
+    TargetImage: target_process_path
-    TargetObject: registry_target_object
+    TargetObject: registry_key_path
     TargetImage: target_process_path
     TaskName: task_name
     TicketEncryptionType: ticket_encryption_type
     TicketOptions: ticket_options
+    Type:
+        EventID=20: wmi_consumer_type
     User: user
     UserName: user_name
-    Workstation: src_host
+    Version:
-    WorkstationName: src_host
+        EventID=4: sysmon_version
+    Workstation: source_host_name
+    WorkstationName: source_host_name