diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index a68fc115..d94d319d 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -23,6 +23,7 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install pipenv
+ pipenv lock
 pipenv install --dev --deploy
 - name: Test Sigma Tools and Rules
 run: |
diff --git a/Pipfile b/Pipfile
index 7df1021b..c8a35894 100644
--- a/Pipfile
+++ b/Pipfile
@@ -15,7 +15,7 @@ stix2 = "*"
 attackcti = "*"
 [packages]
-requests = "~=2.23"
+requests = "~=2.25"
 urllib3 = "~=1.25"
 progressbar2 = "~=3.47"
 pymisp = "~=2.4.123"
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml
new file mode 100644
index 00000000..af79eef7
--- /dev/null
+++ b/rules/linux/lnx_symlink_etc_passwd.yml
@@ -0,0 +1,19 @@
+title: Symlink Etc Passwd
+id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
+status: experimental
+description: Detects suspicious command lines that look as if they would create symbolic links from or to /etc/passwd
+author: Florian Roth
+date: 2019/04/05
+references:
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+logsource:
+ product: linux
+detection:
+ keywords|contains|all:
+ - 'ln '
+ - ' -s '
+ - '/etc/passwd'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
new file mode 100644
index 00000000..e2b9f0c1
--- /dev/null
+++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
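Review bot: Running `pipenv lock` immediately before `pipenv install --dev --deploy` regenerates Pipfile.lock on every CI run, so the `--deploy` check that fails when the lockfile is out of date with the Pipfile can no longer fail, and each run tests a freshly resolved dependency set instead of the lockfile committed to the repository. The reviewed, pinned lockfile is what makes the CI environment reproducible and auditable; if the step was added only because the `requests` bump in Pipfile left the lockfile stale, committing a regenerated Pipfile.lock and dropping this line keeps that property. If a fresh resolve is intended, a comment on the step saying so would stop the next reader from removing it, e.g. `# NOTE: the lockfile is regenerated here on purpose; the committed Pipfile.lock is not what gets tested`.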
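Review bot: `date: 2019/04/05` predates the rule's only reference, the 21Nails advisory at a 2021/05/04 URL, so one of the two looks wrong; `date` should be the rule's creation date. `' -s '` only matches the flag written on its own between spaces, so invocations that merge it with other short options are not covered — acceptable if deliberate, but worth a sentence in the description so the gap is known. `logsource` gives only `product: linux` with no category or service, unlike the other new rules in this commit; if a specific source is meant, naming it makes backend routing predictable.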
@@ -0,0 +1,24 @@
+title: Outlook C2 Macro Creation
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+status: experimental
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
+ condition: selection
+falsepositives:
+ - User genuinly creates a VB Macro for their email
+level: medium
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml
new file mode 100644
index 00000000..73713305
--- /dev/null
+++ b/rules/windows/other/win_lateral_movement_condrv.yml
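Review bot: The tag `- command_and_control` is missing the `attack.` prefix used by the neighbouring tactic tag `attack.persistence` and by the companion rule win_outlook_C2_registry_key.yml in this same commit (`attack.command_and_control`); tooling that groups tags by namespace will silently drop it. `genuinly` in falsepositives should read `genuinely`. The description names the companion as `win_outlook_c2_registry_key` while the companion's own description uses the `.yml` form and the file on disk is `win_outlook_C2_registry_key.yml`; one consistent name helps whoever follows the cross-reference.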
@@ -0,0 +1,28 @@
+title: Lateral Movement Indicator ConDrv
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+status: stable
+description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
+author: Janantha Marasinghe
+date: 2021/04/27
+references:
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+ - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+tags:
+ - attack.lateral_movement
+ - attack.execution
+ - attack.t1021
+ - attack.t1059
+logsource:
+ product: windows
+ service: security
+ definition:
+detection:
+ selection:
+ EventID: 4674
+ ObjectServer: 'Security'
+ ObjectType: 'File'
+ ObjectName: '\Device\ConDrv'
+ condition: selection
+falsepositives:
+ - Penetration tests where lateral movement has occured. This event will be created on the target host.
+level: high
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index badc331b..e425bf51 100644
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware
 references:
 - Various sources
 date: 2017/11/06
-author: Florian Roth
+author: Florian Roth, blueteam0ps
 logsource:
 product: windows
 category: pipe_created
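Review bot: `definition:` under logsource is left empty and therefore serializes as a null value; either remove the key or say what it is meant to define (presumably which audit subcategory must be enabled for 4674 to be logged — confirm). `status: stable` is unusual for a rule added in the same commit as four `experimental` ones and resting on a single field match on 4674 / `\Device\ConDrv`; `experimental` until it has been exercised in a few environments follows the repository's pattern. Minor wording in the new text: `should to be correlated` → `should be correlated`, `occured` → `occurred`.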
@@ -30,6 +30,10 @@ detection:
 # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
 - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
 - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - '\svcctl' #Crackmapexec smbexec default named pipe
+ - '\Posh*' #PoshC2 default
+ - '\jaccdpqnvbrrxlaf' #PoshC2 default
+ - '\csexecsvc' #CSEXEC default
 condition: selection
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
index cf35510f..6fabd768 100644
--- a/rules/windows/process_creation/process_creation_msdeploy.yml
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - 'verb:sync'
 - '-source:RunCommand'
 - '-dest:runCommand'
@@ -31,4 +31,4 @@ fields:
 falsepositives:
 - System administrator Usage
 - Penetration test
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
new file mode 100644
index 00000000..47ee4dc4
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
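Review bot: `'\svcctl'` is the endpoint pipe name of the Service Control Manager RPC interface (MS-SCMR) rather than something specific to CrackMapExec's smbexec, so this entry is likely to match legitimate remote service management as well; if it stays, a `falsepositives` entry and a comment saying on which event (pipe creation versus connection) it is expected would help tuning. The four new trailing comments also drop the space after `#` that the surrounding entries use (`# CS default named pipes ...`); `# CrackMapExec smbexec default named pipe` keeps the file's style.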
@@ -0,0 +1,32 @@
+title: Lazarus Activity
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
+status: experimental
+references:
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+tags:
+ - attack.g0032
+author: Bhabesh Raj
+date: 2021/04/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'mshta'
+ - '.zip'
+ selection2:
+ ParentImage:
+ - 'C:\Windows\System32\wbem\wmiprvse.exe'
+ Image:
+ - 'C:\Windows\System32\mshta.exe'
+ selection3:
+ ParentImage:
+ - 'C:\Users\Public\*'
+ Image:
+ - 'C:\Windows\System32\rundll32.exe'
+ condition: 1 of them
+falsepositives:
+ - Should not be any false positives
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
index 3dcdeac8..06216b62 100644
--- a/rules/windows/process_creation/win_manage-bde_lolbas.yml
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
@@ -17,7 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - 'cscript'
 - 'manage-bde.wsf'
 condition: selection
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 8e31caf6..7f4b07fc 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
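Review bot: The new file ends with `\ No newline at end of file` even though this same commit fixes exactly that in process_creation_msdeploy.yml; add the trailing newline. `tags` carries only the group id `attack.g0032`, while the three selections describe mshta and rundll32 launches and a WMI-provider parent, so the technique tags the repository uses elsewhere (`attack.t1218.005` for mshta, `attack.t1218.011` for rundll32, `attack.t1047` for WMI — confirm ids) would make the rule count in coverage maps. `falsepositives: Should not be any false positives` is optimistic for `selection1`, which only needs `mshta` and `.zip` somewhere in a command line, and for `selection2`, where wmiprvse.exe spawning mshta.exe can also come from management tooling; `Unknown` or a concrete exclusion is more honest.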
@@ -4,9 +4,9 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut), oscd.community
+author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2020/11/28
+modified: 2021/05/01
 tags:
 - attack.persistence
 - attack.t1038 # an old one
@@ -20,20 +20,26 @@ detection:
 - 'HKU\'
 - '_Classes\CLSID\'
 - '\InProcServer32\(Default)'
- filter:
+ filter1:
 - Details|contains: # Exclude privileged directories and observed FPs
 - '%%systemroot%%\system32\'
 - '%%systemroot%%\SysWow64\'
- - Details|contains|all:
- - '\AppData\Local\Microsoft\OneDrive\'
+ filterOneDrive:
+ - Details|contains: '\AppData\Local\Microsoft\OneDrive\'
+ filterOneDrive2:
+ - Details|contains:
 - '\FileCoAuthLib64.dll'
- - Details|contains|all:
- - '\AppData\Local\Microsoft\OneDrive\'
 - '\FileSyncShell64.dll'
+ - '\FileSyncApi64.dll'
+ filter2:
 - Details|contains|all:
 - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
 - '\Microsoft.Teams.AddinLoader.dll'
- condition: selection and not filter
+ filter3:
+ - Details|contains|all:
+ - '\AppData\Roaming\Dropbox\'
+ - '\DropboxExt64.*.dll'
+ condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
 level: medium
diff --git a/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml
new file mode 100644
index 00000000..e3055016
--- /dev/null
+++ b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml
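Review bot: The filter names in the rewritten `detection` block mix two schemes (`filter1`/`filter2`/`filter3` versus `filterOneDrive`/`filterOneDrive2`), and only the OneDrive exclusion is split into two selections that the condition re-joins with `and`; a reader has to work out that `filterOneDrive and filterOneDrive2` reproduces the former two `contains|all` pairs, now with `\FileSyncApi64.dll` added. Naming each filter by what it excludes (`filter_system_dirs`, `filter_onedrive_path`, `filter_onedrive_dlls`, `filter_teams`, `filter_dropbox`) and a comment on `filterOneDrive2` such as `# any of these DLLs, combined with the OneDrive path above (replaces two contains|all pairs)` would make the condition self-documenting. All exclusions key on a user-writable path plus a file name, which is inherent to this kind of FP filter; the `falsepositives` entry only mentions OneDrive, so listing Teams and Dropbox there keeps it in step with the filters.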
@@ -0,0 +1,25 @@
+title: Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: registry_event_write
+ product: windows
+detection:
+ selection_registry:
+ TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+ Details|contains: '0x00000001'
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 4c4ded45..f08e541f 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -222,10 +222,6 @@ logsources:
 sources:
 - "File:/var/log/syslog"
 - "File:/var/log/syslog.?"
- linux-log:
- product: linux
- sources:
- - "File:*.log"
 logfiles:
 category: logfile
 sources:
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 4ae81363..383134a4 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -68,6 +68,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [
 'isAllStringValues',
 'keywordField',
 'postOpMapper',
+ 'isCaseSensitive',
 ])
 _allFieldMappings = {
 'edr': {
@@ -81,7 +82,8 @@ _allFieldMappings = {
 fieldMappings = _windowsEventLogEDRFieldName,
 isAllStringValues = True,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 "windows_defender//": SigmaLCConfig(
 topLevelParams = {
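Review bot: `TargetObject: 'HKEY_CURRENT_USER\Software\...'` is an exact match, but Sysmon registry events report the user hive as `HKU\<SID>\...` — the sibling rule sysmon_registry_persistence_search_order.yml in this commit keys on `'HKU\'` for that reason — so with Sysmon as the source this selection would never fire; `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'` matches regardless of the hive prefix. The hard-coded `16.0` covers only Office 2016/2019/365 builds, which deserves a comment or a wildcard if older versions are in scope. `category: registry_event_write` differs from the `registry_event` category the sibling rule uses; unless the backends and config files map `registry_event_write`, the rule will not be routed to a log source — confirm.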
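Review bot: Adding `'isCaseSensitive'` as a required namedtuple field forces every `SigmaLCConfig(...)` literal to gain an `isCaseSensitive = []` line (the hunks at -81 through -221 of this file) and the fallback in generate() a seventh `None`; if the project targets Python 3.7 or later, `namedtuple('SigmaLCConfig', [...], defaults=((),))` gives the trailing field a default so only the linux, unix and macos entries that actually list a path need to mention it. An immutable empty tuple is also a better value than `[]` here, since the field is only consulted for `in` membership and shared mutable config values invite accidental mutation. A short comment on the field, `# event paths whose values must be compared case-sensitively (e.g. POSIX file paths)`, would record its meaning next to the definition.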
@@ -93,7 +95,8 @@ _allFieldMappings = {
 fieldMappings = _windowsEventLogEDRFieldName,
 isAllStringValues = True,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 "windows/process_creation/": SigmaLCConfig(
 topLevelParams = {
@@ -120,7 +123,8 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = "event/COMMAND_LINE",
- postOpMapper = _mapProcessCreationOperations
+ postOpMapper = _mapProcessCreationOperations,
+ isCaseSensitive = []
 ),
 "dns//": SigmaLCConfig(
 topLevelParams = {
@@ -132,7 +136,8 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 "linux//": SigmaLCConfig(
 topLevelParams = {
@@ -150,7 +155,8 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = ['event/FILE_PATH']
 ),
 "unix//": SigmaLCConfig(
 topLevelParams = {
@@ -168,7 +174,8 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = ['event/FILE_PATH']
 ),
 "netflow//": SigmaLCConfig(
 topLevelParams = {
@@ -181,7 +188,8 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 "/proxy/": SigmaLCConfig(
 topLevelParams = {
@@ -197,7 +205,37 @@ _allFieldMappings = {
 },
 isAllStringValues = False,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "macos/process_creation/": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is mac",
+ },
+ fieldMappings = {
+ "CommandLine": "event/COMMAND_LINE",
+ "Commandline": "event/COMMAND_LINE",
+ "Image": "event/FILE_PATH",
+ "ParentImage": "event/PARENT/FILE_PATH",
+ "ParentCommandLine": "event/PARENT/COMMAND_LINE",
+ "User": "event/USER_NAME",
+ "OriginalFileName": "event/ORIGINAL_FILE_NAME",
+ # Custom field names coming from somewhere unknown.
+ "NewProcessName": "event/FILE_PATH",
+ "ProcessCommandLine": "event/COMMAND_LINE",
+ # Another one-off command line.
+ "Command": "event/COMMAND_LINE",
+ },
+ isAllStringValues = False,
+ keywordField = "event/COMMAND_LINE",
+ postOpMapper = _mapProcessCreationOperations,
+ isCaseSensitive = ['event/FILE_PATH']
 ),
 },
 "artifact": {
@@ -210,7 +248,8 @@ _allFieldMappings = {
 fieldMappings = _windowsEventLogArtifactFieldName,
 isAllStringValues = True,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 "windows_defender//": SigmaLCConfig(
 topLevelParams = {
@@ -221,7 +260,8 @@ _allFieldMappings = {
 fieldMappings = _windowsEventLogArtifactFieldName,
 isAllStringValues = True,
 keywordField = None,
- postOpMapper = None
+ postOpMapper = None,
+ isCaseSensitive = []
 ),
 }
 }
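Review bot: The new `macos/process_creation/` entry lists `event/FILE_PATH` in `isCaseSensitive`, which makes `Image`/`ParentImage` comparisons case-sensitive, yet the default APFS system volume on macOS is case-insensitive, so a rule whose path differs in case from what the sensor reports would stop matching here while it still matches under the Windows entries; unless the LimaCharlie sensor normalises path case (not visible from this diff), treating macOS like Windows with `isCaseSensitive = []` or adding a comment such as `# FILE_PATH is matched case-sensitively; macOS default volumes are case-insensitive, so rule paths must use the sensor's reported case` seems warranted. The two comments inside `fieldMappings` (`# Custom field names coming from somewhere unknown.`, `# Another one-off command line.`) read as placeholders; if the extra names exist so that Windows-style rules also convert for macOS, saying so is more useful to the next maintainer than "somewhere unknown".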
@@ -272,7 +312,7 @@ class LimaCharlieBackend(BaseBackend):
 # See if we have a definition for the source combination.
 mappingKey = "%s/%s/%s" % (product, category, service)
-topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None]))
+topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None]))
 if mappings is None:
 raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))
@@ -291,6 +331,9 @@ class LimaCharlieBackend(BaseBackend):
 # Call to fixup all operations after the fact.
 self._postOpMapper = postOpMapper
+ # Event paths that are case sensitive.
+ self._isCaseSensitiveFS = isCaseSensitive
+
 # Call the original generation code.
 detectComponent = super().generate(sigmaparser)
@@ -453,7 +496,7 @@ class LimaCharlieBackend(BaseBackend):
 newOp = {
 "op": op,
 "path": fieldname,
- "case sensitive": False,
+ "case sensitive": fieldname in self._isCaseSensitiveFS,
 }
 if op == "matches":
 newOp["re"] = newVal
@@ -471,7 +514,7 @@ class LimaCharlieBackend(BaseBackend):
 newOp = {
 "op": op,
 "path": fieldname,
- "case sensitive": False,
+ "case sensitive": fieldname in self._isCaseSensitiveFS,
 }
 if op == "matches":
 newOp["re"] = newVal
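Review bot: The changed unpack line now depends on seven positional fields in SigmaLCConfig order and on a hand-maintained `tuple([None, ...])` fallback of the same length; both must be edited again for every future field. Since the stored value is already a `SigmaLCConfig`, reading it by attribute removes that coupling, e.g. `cfg = _allFieldMappings.get(self.lc_target, {}).get(mappingKey)` followed by `if cfg is None or cfg.fieldMappings is None: raise NotImplementedError(...)` and `cfg.isCaseSensitive` where the unpacked names are used below. The enclosing generate() method starts before this hunk.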
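Review bot: `fieldname in self._isCaseSensitiveFS` reads an attribute that is only assigned inside generate() (hunk at -291), so a call into this operation builder that does not pass through generate() would now raise AttributeError where it previously produced a case-insensitive op; initialising `self._isCaseSensitiveFS = ()` where the backend's other per-run state is set up (outside this diff) preserves the old default. The same line is changed again in the hunk at -471, and the -291 hunk's `# Event paths that are case sensitive.` is the only documentation of the attribute; naming it `_caseSensitivePaths` would stop it reading as a boolean. The enclosing method starts before this hunk.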