Merge branch 'master' into rule-devel

Florian Roth 2021-05-05 11:56:20 +02:00
commit 55c39122e3
13 changed files with 208 additions and 30 deletions


@ -23,6 +23,7 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install pipenv
pipenv lock
pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
run: |
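Review bot: Running `pipenv lock` immediately before `pipenv install --dev --deploy` defeats the purpose of `--deploy`, which is meant to abort when the committed Pipfile.lock no longer matches the Pipfile; regenerating the lock inside CI means every run resolves dependencies afresh and the hashes pinned in the repository are never what actually gets tested. Which of the seven lines is the added one is not marked on this page, but `pipenv lock` is the only step that reads as new alongside the `requests = "~=2.25"` bump in the Pipfile. If the lockfile was stale, the fix is to commit the regenerated Pipfile.lock and keep the step as `pipenv install --dev --deploy`; if unpinned resolution is really intended, drop `--deploy` so the step does not imply a check it no longer performs. The `run: |` block continues outside the hunk.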


@ -15,7 +15,7 @@ stix2 = "*"
attackcti = "*"
[packages]
requests = "~=2.23"
requests = "~=2.25"
urllib3 = "~=1.25"
progressbar2 = "~=3.47"
pymisp = "~=2.4.123"


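--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,19 @@
+title: Symlink Etc Passwd
+id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
+status: experimental
+description: Detects suspicious command lines that look as if they would create symbolic links from or to /etc/passwd
+author: Florian Roth
+date: 2019/04/05
+references:
+- https://www.qualys.com/2021/05/04/21nails/21nails.txt
+logsource:
+product: linux
+detection:
+keywords|contains|all:
+- 'ln '
+- ' -s '
+- '/etc/passwd'
+condition: keywords
+falsepositives:
+- Unknown
+level: high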
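Review bot: `date: 2019/04/05` predates the rule's only reference, the 21Nails advisory published 2021/05/04, so the date looks like a typo; the commit itself is dated 2021-05-05, so `date: 2021/05/05` (or whatever the real creation date is) seems intended. The rule also carries no `tags:` block, unlike every other new rule in this commit, which leaves it unmapped to ATT&CK in any tactic-based view. With `keywords|contains|all` over `ln `, ` -s ` and `/etc/passwd`, an administrator deliberately symlinking into /etc/passwd will trigger it as well, so `falsepositives` could name that case instead of `Unknown`.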


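--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,24 @@
+title: Outlook C2 Macro Creation
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+status: experimental
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+references:
+- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+- attack.persistence
+- command_and_control
+- attack.t1137
+- attack.t1008
+- attack.t1546
+date: 2021/04/05
+logsource:
+category: file_event
+product: windows
+detection:
+selection:
+TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
+condition: selection
+falsepositives:
+- User genuinly creates a VB Macro for their email
+level: medium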
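Review bot: The tag `- command_and_control` lacks the `attack.` prefix that every other tag in this list and the companion registry rule (`attack.command_and_control`) use, so tooling that groups rules by ATT&CK tactic will not pick this one up; change it to `- attack.command_and_control`. The `falsepositives` entry spells "genuinely" as "genuinly". Since the description says the event is most meaningful together with the registry change, `falsepositives` could also say explicitly that a user-authored macro alone produces this file without that registry modification.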


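--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,28 @@
+title: Lateral Movement Indicator ConDrv
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+status: stable
+description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
+author: Janantha Marasinghe
+date: 2021/04/27
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1021
+- attack.t1059
+logsource:
+product: windows
+service: security
+definition:
+detection:
+selection:
+EventID: 4674
+ObjectServer: 'Security'
+ObjectType: 'File'
+ObjectName: '\Device\ConDrv'
+condition: selection
+falsepositives:
+- Penetration tests where lateral movement has occured. This event will be created on the target host.
+level: high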
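Review bot: `definition:` is left without a value, which YAML parses as null rather than an empty string; either drop the key or use it for what it is meant for and state the audit policy this rule depends on, since EventID 4674 is only written when the privilege-use audit subcategory is enabled. `status: stable` on a rule being introduced for the first time is out of step with the other new rules in this commit, which all start as `experimental`. Two typos in the prose: `should to be correlated` in the description and `occured` in `falsepositives`.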


@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware
references:
- Various sources
date: 2017/11/06
author: Florian Roth
author: Florian Roth, blueteam0ps
logsource:
product: windows
category: pipe_created
@ -30,6 +30,10 @@ detection:
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
- '\svcctl' #Crackmapexec smbexec default named pipe
- '\Posh*' #PoshC2 default
- '\jaccdpqnvbrrxlaf' #PoshC2 default
- '\csexecsvc' #CSEXEC default
condition: selection
tags:
- attack.defense_evasion
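Review bot: `'\Posh*'` adds a trailing-wildcard entry to the same list in which `'\status_*'` sits commented out with a pointer to issue #253, so it deserves the same scrutiny: any pipe whose name begins with `Posh` will match, not only the PoshC2 default. If the PoshC2 default pipe names are known, listing them literally (as `'\jaccdpqnvbrrxlaf'` already is) avoids the wildcard; otherwise a comment saying why the wildcard is acceptable here would help the next reader. The four new entries also use the `#Crackmapexec` comment style with no space after `#`, while the existing entries use `# `. The selection this list belongs to starts outside the hunk, so the field modifier applied to these values is not visible here.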


@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection:
Commandline|contains|all:
CommandLine|contains|all:
- 'verb:sync'
- '-source:RunCommand'
- '-dest:runCommand'
@ -31,4 +31,4 @@ fields:
falsepositives:
- System administrator Usage
- Penetration test
level: medium
level: medium


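--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,32 @@
+title: Lazarus Activity
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
+status: experimental
+references:
+- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+tags:
+- attack.g0032
+author: Bhabesh Raj
+date: 2021/04/20
+logsource:
+category: process_creation
+product: windows
+detection:
+selection1:
+CommandLine|contains|all:
+- 'mshta'
+- '.zip'
+selection2:
+ParentImage:
+- 'C:\Windows\System32\wbem\wmiprvse.exe'
+Image:
+- 'C:\Windows\System32\mshta.exe'
+selection3:
+ParentImage:
+- 'C:\Users\Public\*'
+Image:
+- 'C:\Windows\System32\rundll32.exe'
+condition: 1 of them
+falsepositives:
+- Should not be any false positives
+level: critical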
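Review bot: The only tag is the group id `attack.g0032`, while the three selections describe mshta and rundll32 proxy execution; technique tags such as `attack.t1218.005` and `attack.t1218.011` (plus `attack.execution`) would let the rule be found by technique rather than only by actor. `level: critical` together with `falsepositives: Should not be any false positives` applies to all three selections under `1 of them`, yet `selection1` (any command line containing both `mshta` and `.zip`) and `selection3` (any `rundll32.exe` whose parent lives under `C:\Users\Public\`) are far looser than `selection2` (`wmiprvse.exe` spawning `mshta.exe`). Either name the benign hits those broader selections are expected to produce, or split them into a separate rule at a lower level so the critical rating stays meaningful.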


@ -17,7 +17,7 @@ logsource:
product: windows
detection:
selection:
Commandline|contains|all:
CommandLine|contains|all:
- 'cscript'
- 'manage-bde.wsf'
condition: selection


@ -4,9 +4,9 @@ status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut), oscd.community
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2020/11/28
modified: 2021/05/01
tags:
- attack.persistence
- attack.t1038 # an old one
@ -20,20 +20,26 @@ detection:
- 'HKU\'
- '_Classes\CLSID\'
- '\InProcServer32\(Default)'
filter:
filter1:
- Details|contains: # Exclude privileged directories and observed FPs
- '%%systemroot%%\system32\'
- '%%systemroot%%\SysWow64\'
- Details|contains|all:
- '\AppData\Local\Microsoft\OneDrive\'
filterOneDrive:
- Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filterOneDrive2:
- Details|contains:
- '\FileCoAuthLib64.dll'
- Details|contains|all:
- '\AppData\Local\Microsoft\OneDrive\'
- '\FileSyncShell64.dll'
- '\FileSyncApi64.dll'
filter2:
- Details|contains|all:
- '\AppData\Local\Microsoft\TeamsMeetingAddin\'
- '\Microsoft.Teams.AddinLoader.dll'
condition: selection and not filter
filter3:
- Details|contains|all:
- '\AppData\Roaming\Dropbox\'
- '\DropboxExt64.*.dll'
condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium
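Review bot: The second entry of `filterOneDrive2` uses `Details|contains|all` over `\FileSyncShell64.dll` and `\FileSyncApi64.dll`, which can only match when a single registry value contains both DLL names; the `(Default)` value of an `InProcServer32` key holds one DLL path, so this branch appears unreachable and neither DLL is actually excluded. If the intent is to allow either OneDrive shell DLL, this should be a plain `Details|contains:` list, and the `\AppData\Local\Microsoft\OneDrive\` line inside it is redundant because `filterOneDrive2` is only reached when `filterOneDrive` has already required that directory in the condition. Worth confirming against the events that produced the observed false positives before changing, since the old `filter` block is only partly visible in the hunk.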


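--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,25 @@
+title: Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
+references:
+- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+- attack.persistence
+- attack.command_and_control
+- attack.t1137
+- attack.t1008
+- attack.t1546
+date: 2021/04/05
+logsource:
+category: registry_event_write
+product: windows
+detection:
+selection_registry:
+TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+Details|contains: '0x00000001'
+condition: selection_registry
+falsepositives:
+- Unlikely
+level: medium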
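Review bot: `TargetObject` is an exact match on a string beginning `HKEY_CURRENT_USER\`, but Sysmon registry events record the current-user hive as `HKU\<SID>\...` — the COM-hijacking rule touched in this same commit anchors on `'HKU\'` for exactly that reason — so this literal is unlikely to fire on Sysmon-sourced data, and the hard-coded `16.0` additionally ties it to one Office version. A suffix match such as `TargetObject|endswith: '\Outlook\Security\Level'` covers both hive spellings and other Office versions while keeping the `Details|contains: '0x00000001'` check. `category: registry_event_write` also does not look like the generic `registry_event` category the repository's other registry rules use; unless a config maps it, backends will not be able to resolve this log source.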


@ -222,10 +222,6 @@ logsources:
sources:
- "File:/var/log/syslog"
- "File:/var/log/syslog.?"
linux-log:
product: linux
sources:
- "File:*.log"
logfiles:
category: logfile
sources:


@ -68,6 +68,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [
'isAllStringValues',
'keywordField',
'postOpMapper',
'isCaseSensitive',
])
_allFieldMappings = {
'edr': {
@ -81,7 +82,8 @@ _allFieldMappings = {
fieldMappings = _windowsEventLogEDRFieldName,
isAllStringValues = True,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"windows_defender//": SigmaLCConfig(
topLevelParams = {
@ -93,7 +95,8 @@ _allFieldMappings = {
fieldMappings = _windowsEventLogEDRFieldName,
isAllStringValues = True,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"windows/process_creation/": SigmaLCConfig(
topLevelParams = {
@ -120,7 +123,8 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = "event/COMMAND_LINE",
postOpMapper = _mapProcessCreationOperations
postOpMapper = _mapProcessCreationOperations,
isCaseSensitive = []
),
"dns//": SigmaLCConfig(
topLevelParams = {
@ -132,7 +136,8 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"linux//": SigmaLCConfig(
topLevelParams = {
@ -150,7 +155,8 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = 'event/COMMAND_LINE',
postOpMapper = None
postOpMapper = None,
isCaseSensitive = ['event/FILE_PATH']
),
"unix//": SigmaLCConfig(
topLevelParams = {
@ -168,7 +174,8 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = 'event/COMMAND_LINE',
postOpMapper = None
postOpMapper = None,
isCaseSensitive = ['event/FILE_PATH']
),
"netflow//": SigmaLCConfig(
topLevelParams = {
@ -181,7 +188,8 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"/proxy/": SigmaLCConfig(
topLevelParams = {
@ -197,7 +205,37 @@ _allFieldMappings = {
},
isAllStringValues = False,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"macos/process_creation/": SigmaLCConfig(
topLevelParams = {
"events": [
"NEW_PROCESS",
"EXISTING_PROCESS",
]
},
preConditions = {
"op": "is mac",
},
fieldMappings = {
"CommandLine": "event/COMMAND_LINE",
"Commandline": "event/COMMAND_LINE",
"Image": "event/FILE_PATH",
"ParentImage": "event/PARENT/FILE_PATH",
"ParentCommandLine": "event/PARENT/COMMAND_LINE",
"User": "event/USER_NAME",
"OriginalFileName": "event/ORIGINAL_FILE_NAME",
# Custom field names coming from somewhere unknown.
"NewProcessName": "event/FILE_PATH",
"ProcessCommandLine": "event/COMMAND_LINE",
# Another one-off command line.
"Command": "event/COMMAND_LINE",
},
isAllStringValues = False,
keywordField = "event/COMMAND_LINE",
postOpMapper = _mapProcessCreationOperations,
isCaseSensitive = ['event/FILE_PATH']
),
},
"artifact": {
@ -210,7 +248,8 @@ _allFieldMappings = {
fieldMappings = _windowsEventLogArtifactFieldName,
isAllStringValues = True,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
"windows_defender//": SigmaLCConfig(
topLevelParams = {
@ -221,7 +260,8 @@ _allFieldMappings = {
fieldMappings = _windowsEventLogArtifactFieldName,
isAllStringValues = True,
keywordField = None,
postOpMapper = None
postOpMapper = None,
isCaseSensitive = []
),
}
}
@ -272,7 +312,7 @@ class LimaCharlieBackend(BaseBackend):
# See if we have a definition for the source combination.
mappingKey = "%s/%s/%s" % (product, category, service)
topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None]))
topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None]))
if mappings is None:
raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))
@ -291,6 +331,9 @@ class LimaCharlieBackend(BaseBackend):
# Call to fixup all operations after the fact.
self._postOpMapper = postOpMapper
# Event paths that are case sensitive.
self._isCaseSensitiveFS = isCaseSensitive
# Call the original generation code.
detectComponent = super().generate(sigmaparser)
@ -453,7 +496,7 @@ class LimaCharlieBackend(BaseBackend):
newOp = {
"op": op,
"path": fieldname,
"case sensitive": False,
"case sensitive": fieldname in self._isCaseSensitiveFS,
}
if op == "matches":
newOp["re"] = newVal
@ -471,7 +514,7 @@ class LimaCharlieBackend(BaseBackend):
newOp = {
"op": op,
"path": fieldname,
"case sensitive": False,
"case sensitive": fieldname in self._isCaseSensitiveFS,
}
if op == "matches":
newOp["re"] = newVal
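Review bot: The new `macos/process_creation/` mapping puts `event/FILE_PATH` in `isCaseSensitive`, but the default macOS volume format is case-insensitive, so `/tmp/Evil.sh` and `/tmp/evil.sh` name the same file while a case-sensitive `Image`/`ParentImage` comparison treats them as different; a rule written with one casing silently misses the other. Unless LimaCharlie normalises path case before logging on macOS, leave the list empty there as is done for the Windows entries, or add a comment recording why case sensitivity is wanted. Separately, the new namedtuple field is named `isCaseSensitive` yet holds a list of event paths, so `isCaseSensitive = []` reads as a boolean at every call site; a name such as `caseSensitivePaths` would make the `fieldname in self._isCaseSensitiveFS` membership tests self-explanatory. The two methods carrying those membership tests start and end outside their hunks, and the `None` default for the new tuple slot is safe only because the `mappings is None` check raises first.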