mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
Merge branch 'master' into rule-devel
This commit is contained in:
commit
55c39122e3
1
.github/workflows/sigma-test.yml
vendored
1
.github/workflows/sigma-test.yml
vendored
@ -23,6 +23,7 @@ jobs:
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install pipenv
|
||||
pipenv lock
|
||||
pipenv install --dev --deploy
|
||||
- name: Test Sigma Tools and Rules
|
||||
run: |
|
||||
|
2
Pipfile
2
Pipfile
@ -15,7 +15,7 @@ stix2 = "*"
|
||||
attackcti = "*"
|
||||
|
||||
[packages]
|
||||
requests = "~=2.23"
|
||||
requests = "~=2.25"
|
||||
urllib3 = "~=1.25"
|
||||
progressbar2 = "~=3.47"
|
||||
pymisp = "~=2.4.123"
|
||||
|
19
rules/linux/lnx_symlink_etc_passwd.yml
Normal file
19
rules/linux/lnx_symlink_etc_passwd.yml
Normal file
@ -0,0 +1,19 @@
|
||||
title: Symlink Etc Passwd
|
||||
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
|
||||
status: experimental
|
||||
description: Detects suspicious command lines that look as if they would create symbolic links from or to /etc/passwd
|
||||
author: Florian Roth
|
||||
date: 2019/04/05
|
||||
references:
|
||||
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
|
||||
logsource:
|
||||
product: linux
|
||||
detection:
|
||||
keywords|contains|all:
|
||||
- 'ln '
|
||||
- ' -s '
|
||||
- '/etc/passwd'
|
||||
condition: keywords
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
24
rules/windows/file_event/win_outlook_c2_macro_creation.yml
Normal file
24
rules/windows/file_event/win_outlook_c2_macro_creation.yml
Normal file
@ -0,0 +1,24 @@
|
||||
title: Outlook C2 Macro Creation
|
||||
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
|
||||
status: experimental
|
||||
description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
|
||||
references:
|
||||
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
|
||||
author: '@ScoubiMtl'
|
||||
tags:
|
||||
- attack.persistence
|
||||
- command_and_control
|
||||
- attack.t1137
|
||||
- attack.t1008
|
||||
- attack.t1546
|
||||
date: 2021/04/05
|
||||
logsource:
|
||||
category: file_event
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- User genuinly creates a VB Macro for their email
|
||||
level: medium
|
28
rules/windows/other/win_lateral_movement_condrv.yml
Normal file
28
rules/windows/other/win_lateral_movement_condrv.yml
Normal file
@ -0,0 +1,28 @@
|
||||
title: Lateral Movement Indicator ConDrv
|
||||
id: 29d31aee-30f4-4006-85a9-a4a02d65306c
|
||||
status: stable
|
||||
description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
|
||||
author: Janantha Marasinghe
|
||||
date: 2021/04/27
|
||||
references:
|
||||
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
|
||||
- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
- attack.execution
|
||||
- attack.t1021
|
||||
- attack.t1059
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition:
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4674
|
||||
ObjectServer: 'Security'
|
||||
ObjectType: 'File'
|
||||
ObjectName: '\Device\ConDrv'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Penetration tests where lateral movement has occured. This event will be created on the target host.
|
||||
level: high
|
@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware
|
||||
references:
|
||||
- Various sources
|
||||
date: 2017/11/06
|
||||
author: Florian Roth
|
||||
author: Florian Roth, blueteam0ps
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
@ -30,6 +30,10 @@ detection:
|
||||
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
|
||||
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
|
||||
- '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
|
||||
- '\svcctl' #Crackmapexec smbexec default named pipe
|
||||
- '\Posh*' #PoshC2 default
|
||||
- '\jaccdpqnvbrrxlaf' #PoshC2 default
|
||||
- '\csexecsvc' #CSEXEC default
|
||||
condition: selection
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
|
@ -16,7 +16,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Commandline|contains|all:
|
||||
CommandLine|contains|all:
|
||||
- 'verb:sync'
|
||||
- '-source:RunCommand'
|
||||
- '-dest:runCommand'
|
||||
|
@ -0,0 +1,32 @@
|
||||
title: Lazarus Activity
|
||||
id: 4a12fa47-c735-4032-a214-6fab5b120670
|
||||
description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
|
||||
status: experimental
|
||||
references:
|
||||
- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
|
||||
tags:
|
||||
- attack.g0032
|
||||
author: Bhabesh Raj
|
||||
date: 2021/04/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains|all:
|
||||
- 'mshta'
|
||||
- '.zip'
|
||||
selection2:
|
||||
ParentImage:
|
||||
- 'C:\Windows\System32\wbem\wmiprvse.exe'
|
||||
Image:
|
||||
- 'C:\Windows\System32\mshta.exe'
|
||||
selection3:
|
||||
ParentImage:
|
||||
- 'C:\Users\Public\*'
|
||||
Image:
|
||||
- 'C:\Windows\System32\rundll32.exe'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Should not be any false positives
|
||||
level: critical
|
@ -17,7 +17,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Commandline|contains|all:
|
||||
CommandLine|contains|all:
|
||||
- 'cscript'
|
||||
- 'manage-bde.wsf'
|
||||
condition: selection
|
||||
|
@ -4,9 +4,9 @@ status: experimental
|
||||
description: Detects potential COM object hijacking leveraging the COM Search Order
|
||||
references:
|
||||
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
|
||||
author: Maxime Thiebaut (@0xThiebaut), oscd.community
|
||||
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
|
||||
date: 2020/04/14
|
||||
modified: 2020/11/28
|
||||
modified: 2021/05/01
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1038 # an old one
|
||||
@ -20,20 +20,26 @@ detection:
|
||||
- 'HKU\'
|
||||
- '_Classes\CLSID\'
|
||||
- '\InProcServer32\(Default)'
|
||||
filter:
|
||||
filter1:
|
||||
- Details|contains: # Exclude privileged directories and observed FPs
|
||||
- '%%systemroot%%\system32\'
|
||||
- '%%systemroot%%\SysWow64\'
|
||||
- Details|contains|all:
|
||||
- '\AppData\Local\Microsoft\OneDrive\'
|
||||
filterOneDrive:
|
||||
- Details|contains: '\AppData\Local\Microsoft\OneDrive\'
|
||||
filterOneDrive2:
|
||||
- Details|contains:
|
||||
- '\FileCoAuthLib64.dll'
|
||||
- Details|contains|all:
|
||||
- '\AppData\Local\Microsoft\OneDrive\'
|
||||
- '\FileSyncShell64.dll'
|
||||
- '\FileSyncApi64.dll'
|
||||
filter2:
|
||||
- Details|contains|all:
|
||||
- '\AppData\Local\Microsoft\TeamsMeetingAddin\'
|
||||
- '\Microsoft.Teams.AddinLoader.dll'
|
||||
condition: selection and not filter
|
||||
filter3:
|
||||
- Details|contains|all:
|
||||
- '\AppData\Roaming\Dropbox\'
|
||||
- '\DropboxExt64.*.dll'
|
||||
condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
|
||||
falsepositives:
|
||||
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
|
||||
level: medium
|
||||
|
@ -0,0 +1,25 @@
|
||||
title: Outlook C2 Registry Key
|
||||
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
|
||||
status: experimental
|
||||
description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
|
||||
references:
|
||||
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
|
||||
author: '@ScoubiMtl'
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.command_and_control
|
||||
- attack.t1137
|
||||
- attack.t1008
|
||||
- attack.t1546
|
||||
date: 2021/04/05
|
||||
logsource:
|
||||
category: registry_event_write
|
||||
product: windows
|
||||
detection:
|
||||
selection_registry:
|
||||
TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
|
||||
Details|contains: '0x00000001'
|
||||
condition: selection_registry
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: medium
|
@ -222,10 +222,6 @@ logsources:
|
||||
sources:
|
||||
- "File:/var/log/syslog"
|
||||
- "File:/var/log/syslog.?"
|
||||
linux-log:
|
||||
product: linux
|
||||
sources:
|
||||
- "File:*.log"
|
||||
logfiles:
|
||||
category: logfile
|
||||
sources:
|
||||
|
@ -68,6 +68,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [
|
||||
'isAllStringValues',
|
||||
'keywordField',
|
||||
'postOpMapper',
|
||||
'isCaseSensitive',
|
||||
])
|
||||
_allFieldMappings = {
|
||||
'edr': {
|
||||
@ -81,7 +82,8 @@ _allFieldMappings = {
|
||||
fieldMappings = _windowsEventLogEDRFieldName,
|
||||
isAllStringValues = True,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"windows_defender//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -93,7 +95,8 @@ _allFieldMappings = {
|
||||
fieldMappings = _windowsEventLogEDRFieldName,
|
||||
isAllStringValues = True,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"windows/process_creation/": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -120,7 +123,8 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = "event/COMMAND_LINE",
|
||||
postOpMapper = _mapProcessCreationOperations
|
||||
postOpMapper = _mapProcessCreationOperations,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"dns//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -132,7 +136,8 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"linux//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -150,7 +155,8 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = 'event/COMMAND_LINE',
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = ['event/FILE_PATH']
|
||||
),
|
||||
"unix//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -168,7 +174,8 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = 'event/COMMAND_LINE',
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = ['event/FILE_PATH']
|
||||
),
|
||||
"netflow//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -181,7 +188,8 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"/proxy/": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -197,7 +205,37 @@ _allFieldMappings = {
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"macos/process_creation/": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
"events": [
|
||||
"NEW_PROCESS",
|
||||
"EXISTING_PROCESS",
|
||||
]
|
||||
},
|
||||
preConditions = {
|
||||
"op": "is mac",
|
||||
},
|
||||
fieldMappings = {
|
||||
"CommandLine": "event/COMMAND_LINE",
|
||||
"Commandline": "event/COMMAND_LINE",
|
||||
"Image": "event/FILE_PATH",
|
||||
"ParentImage": "event/PARENT/FILE_PATH",
|
||||
"ParentCommandLine": "event/PARENT/COMMAND_LINE",
|
||||
"User": "event/USER_NAME",
|
||||
"OriginalFileName": "event/ORIGINAL_FILE_NAME",
|
||||
# Custom field names coming from somewhere unknown.
|
||||
"NewProcessName": "event/FILE_PATH",
|
||||
"ProcessCommandLine": "event/COMMAND_LINE",
|
||||
# Another one-off command line.
|
||||
"Command": "event/COMMAND_LINE",
|
||||
},
|
||||
isAllStringValues = False,
|
||||
keywordField = "event/COMMAND_LINE",
|
||||
postOpMapper = _mapProcessCreationOperations,
|
||||
isCaseSensitive = ['event/FILE_PATH']
|
||||
),
|
||||
},
|
||||
"artifact": {
|
||||
@ -210,7 +248,8 @@ _allFieldMappings = {
|
||||
fieldMappings = _windowsEventLogArtifactFieldName,
|
||||
isAllStringValues = True,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
"windows_defender//": SigmaLCConfig(
|
||||
topLevelParams = {
|
||||
@ -221,7 +260,8 @@ _allFieldMappings = {
|
||||
fieldMappings = _windowsEventLogArtifactFieldName,
|
||||
isAllStringValues = True,
|
||||
keywordField = None,
|
||||
postOpMapper = None
|
||||
postOpMapper = None,
|
||||
isCaseSensitive = []
|
||||
),
|
||||
}
|
||||
}
|
||||
@ -272,7 +312,7 @@ class LimaCharlieBackend(BaseBackend):
|
||||
|
||||
# See if we have a definition for the source combination.
|
||||
mappingKey = "%s/%s/%s" % (product, category, service)
|
||||
topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None]))
|
||||
topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None]))
|
||||
if mappings is None:
|
||||
raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))
|
||||
|
||||
@ -291,6 +331,9 @@ class LimaCharlieBackend(BaseBackend):
|
||||
# Call to fixup all operations after the fact.
|
||||
self._postOpMapper = postOpMapper
|
||||
|
||||
# Event paths that are case sensitive.
|
||||
self._isCaseSensitiveFS = isCaseSensitive
|
||||
|
||||
# Call the original generation code.
|
||||
detectComponent = super().generate(sigmaparser)
|
||||
|
||||
@ -453,7 +496,7 @@ class LimaCharlieBackend(BaseBackend):
|
||||
newOp = {
|
||||
"op": op,
|
||||
"path": fieldname,
|
||||
"case sensitive": False,
|
||||
"case sensitive": fieldname in self._isCaseSensitiveFS,
|
||||
}
|
||||
if op == "matches":
|
||||
newOp["re"] = newVal
|
||||
@ -471,7 +514,7 @@ class LimaCharlieBackend(BaseBackend):
|
||||
newOp = {
|
||||
"op": op,
|
||||
"path": fieldname,
|
||||
"case sensitive": False,
|
||||
"case sensitive": fieldname in self._isCaseSensitiveFS,
|
||||
}
|
||||
if op == "matches":
|
||||
newOp["re"] = newVal
|
||||
|
Loading…
Reference in New Issue
Block a user