Merge pull request #1479 from SigmaHQ/rule-devel

Rule devel, Trademark test
2024-11-06 17:35:19 +00:00 · 2021-05-15 13:42:34 +02:00 · 2021-05-15 13:42:34 +02:00 · 5a3af872d8
commit 5a3af872d8
parent 691283616f 9b32e72d0b
5 changed files with 100 additions and 2 deletions
--- a/rules/web/web_expl_exchange_cve_2021_28480.yml
+++ b/rules/web/web_expl_exchange_cve_2021_28480.yml
@ -0,0 +1,23 @@
+title: Exchange Exploitation CVE-2021-28480
+id: a2a9d722-0acb-4096-bccc-daaf91a5037b
+status: experimental
+description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
+references:
+  - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+author: Florian Roth
+date: 2021/05/14
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+  category: webserver
+detection:
+  selection:
+    c-uri|contains: '/owa/calendar/a'
+    cs-method: 'POST'
+  filter:
+    sc-status: 503
+  condition: selection and not filter
+falsepositives:
+  - Unknown
+level: critical
--- a/rules/windows/malware/win_mal_darkside.yml
+++ b/rules/windows/malware/win_mal_darkside.yml
@ -0,0 +1,28 @@
+title: DarkSide Ransomware Pattern
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+status: experimental
+references:
+    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+    - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+    - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains: 
+            - "=[char][byte]('0x'+"
+            - ' -work worker0 -path '
+    selection2:
+        ParentCommandLine|contains:
+            - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+        Image|contains:
+            - '\AppData\Local\Temp\'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+    - UAC bypass method used by other malware
+level: critical
--- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@ -4,7 +4,7 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
-    - attack.execution # example MITRE ATT&CK category
+    - attack.execution
    - attack.t1127.001
 status: experimental
 author: Kiran kumar s, oscd.community
--- a/rules/windows/process_creation/win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml
@ -0,0 +1,31 @@
+title: Ngrok Usage
+id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
+description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available 
+status: experimental
+references:
+    - https://ngrok.com/docs
+    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+    - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
+    - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
+author: Florian Roth
+date: 2021/05/14
+tags:
+    - attack.command_and_control
+    - attack.t1572
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains:
+            - ' tcp 3389'
+    selection2:
+        CommandLine|contains|all:
+            - ' start '
+            - '--all'
+            - '--config'
+            - '.yml'
+    condition: 1 of them
+falsepositives:
+    - Another tool that uses the command line switches of Ngrok
+level: high
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@ -17,6 +17,8 @@ from colorama import Fore
 class TestRules(unittest.TestCase):
    MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
    MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
+    # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
+    TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}

    path_to_rules = "rules"

@ -58,6 +60,19 @@ class TestRules(unittest.TestCase):
        self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + 
                        "There are rule files with extensions other than .yml")

+    def test_legal_trademark_violations(self):
+        files_with_legal_issues = []
+
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            with open(file, 'r') as fh:
+                file_data = fh.read()
+                for tm in self.TRADE_MARKS:
+                    if tm in file_data:
+                        files_with_legal_issues.append(file)
+
+        self.assertEqual(files_with_legal_issues, [], Fore.RED + 
+                        "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues")
+
    def test_confirm_correct_mitre_tags(self):
        files_with_incorrect_mitre_tags = []

@ -357,9 +372,10 @@ class TestRules(unittest.TestCase):
            for key in logsource:
                if key.lower() not in ['category', 'product', 'service', 'definition']:
                    print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
+
 def get_mitre_data():
    """
-    Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data
+    Generate tags from live TAXI service to get up-to-date data
    """
    # Get ATT&CK information
    lift = attack_client()