Merge remote-tracking branch 'upstream/master'

rules/compliance/cleartext_protocols.yml

@@ -30,8 +30,6 @@ tags:
     - NIST CSF 1.1 PR.AC-7
     - NIST CSF 1.1 PR.DS-1
     - NIST CSF 1.1 PR.DS-2
-    - NIST CSF 1.1 PR.PT-3
-    - NIST CSF 1.1 PR.PT-3
     - ISO 27002-2013 A.9.2.1
     - ISO 27002-2013 A.9.2.2
     - ISO 27002-2013 A.9.2.3

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -12,7 +12,6 @@ tags:
     - attack.t1146
     - attack.t1070
     - attack.t1070.003
-    - attack.t1070
 logsource:
     product: cisco
     service: aaa

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -10,7 +10,6 @@ tags:
     - attack.defense_evasion
     - attack.t1070
     - car.2016-04-002
-    - attack.t1070
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_susp_security_eventlog_cleared.yml

@@ -5,7 +5,6 @@ tags:
     - attack.defense_evasion
     - attack.t1070
     - car.2016-04-002
-    - attack.t1070
 author: Florian Roth
 date: 2017/02/19
 logsource:

rules/windows/process_creation/win_etw_trace_evasion.yml

@@ -12,7 +12,6 @@ tags:
     - attack.execution
     - attack.t1070
     - car.2016-04-002
-    - attack.t1070
 level: high
 logsource:
     category: process_creation

rules/windows/process_creation/win_malware_notpetya.yml

@@ -16,7 +16,6 @@ tags:
     - attack.t1003
     - car.2016-04-002
     - attack.t1218.011
-    - attack.t1070
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_shadow_copies_deletion.yml

@@ -15,7 +15,6 @@ tags:
     - attack.impact
     - attack.t1070
     - attack.t1490
-    - attack.t1070
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_bcdedit.yml

@@ -11,7 +11,6 @@ tags:
     - attack.t1070
     - attack.persistence
     - attack.t1067
-    - attack.t1070
     - attack.t1542.003
 logsource:
     category: process_creation

rules/windows/process_creation/win_susp_eventlog_clear.yml

@@ -11,7 +11,6 @@ tags:
     - attack.defense_evasion
     - attack.t1070
     - car.2016-04-002
-    - attack.t1070
 level: high
 logsource:
     category: process_creation

rules/windows/process_creation/win_susp_svchost_no_cli.yml

@@ -6,6 +6,7 @@ references:
     - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett
 date: 2019/12/28
+modified: 2020/07/23
 tags:
     - attack.t1055
 logsource:
@@ -13,13 +14,13 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine: null
+        CommandLine|endswith: 'svchost.exe' 
     selection2:
-        Image: '*\svchost.exe'
+        Image|endswith: '\svchost.exe'
     filter:
-        ParentImage:
-            - '*\rpcnet.exe'
-            - '*\rpcnetp.exe'
+        ParentImage|endswith:
+            - '\rpcnet.exe'
+            - '\rpcnetp.exe'
     condition: (selection1 and selection2) and not filter
 fields:
     - CommandLine

rules/windows/process_creation/win_webshell_recon_detection.yml

@@ -0,0 +1,40 @@
+title: Webshell Recon Detection Via CommandLine & Processes
+id: f64e5c19-879c-4bae-b471-6d84c8339677
+status: experimental
+description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
+author: Cian Heasley
+reference:
+    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
+date: 2020/07/22
+tags:
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1100
+    - attack.t1505.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|contains:
+            - '*\apache*'
+            - '*\tomcat*'
+            - '*\w3wp.exe'
+            - '*\php-cgi.exe'
+            - '*\nginx.exe'
+            - '*\httpd.exe'
+        Image|endswith:
+            - '*\cmd.exe'
+        CommandLine|contains:
+            - '*perl --help*'
+            - '*python --help*'
+            - '*wget --help*'
+            - '*perl -h*'
+    condition: selection
+fields:
+    - Image
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: high

tests/test_rules.py

@@ -72,6 +72,23 @@ class TestRules(unittest.TestCase):
         self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + 
                          "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")
 
+    def test_duplicate_tags(self):
+        files_with_incorrect_mitre_tags = []
+
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            tags = self.get_rule_part(file_path=file, part_name="tags")
+            if tags:
+                known_tags = []
+                for tag in tags:
+                    if tag in known_tags:
+                        print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag))
+                        files_with_incorrect_mitre_tags.append(file)
+                    else: 
+                        known_tags.append(tag)
+
+        self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + 
+                         "There are rules with duplicate tags")
+
     def test_look_for_duplicate_filters(self):
         def check_list_or_recurse_on_dict(item, depth:int) -> None:
             if type(item) == list: