Carbonblack, Arcsight ESM, Elastic Rule

vh 2020-02-24 19:29:45 +02:00
commit 5dc30bd388
412 changed files with 11765 additions and 614 deletions

3
.gitignore vendored

@ -91,3 +91,6 @@ ENV/
# vi(m)
*.swp
settings.json
# VisualStudio
.vs/


@ -1,9 +1,9 @@
language: python
dist: xenial
python:
# - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- 3.6
- 3.7
# - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- 3.6
- 3.7
sudo: true
services:
- elasticsearch
@ -11,14 +11,15 @@ cache: pip
before_install:
- curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
install:
- pip install -r tools/requirements-devel.txt
- pip install -r tools/requirements-devel.txt
- pip install -r tests/requirements-test.txt
script:
- make test
- make test-backend-es-qs
- make test
- make test-backend-es-qs
notifications:
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always
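Review bot: The `python:` matrix entries `- 3.6` and `- 3.7` on the new side are plain scalars, so a YAML parser reads them as floats, and a future `3.10` entry would silently become `3.1`. Quote them as `- "3.6"` and `- "3.7"` so the matrix stays a list of strings. The first hunk appears to change only the indentation of this block (which is why its lines are printed twice), but the unquoted versions carry over into the new side unchanged.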


@ -14,6 +14,11 @@ from version 0.14.0.
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilitied for es-dsl backend.
### Changed
* Kibana object id is now Sigma rule id if available. Else
the old naming scheme is used.
## 0.15.0 - 2019-12-06
### Added
@ -117,4 +122,4 @@ from version 0.14.0.
* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions
* Ignore timeframe detection keyword in all/any of conditions


@ -35,6 +35,7 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
@ -44,6 +45,7 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -O rulecomment -c sysmon rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null


@ -13,6 +13,7 @@ elasticsearch-async = "*"
pymisp = "*"
PyYAML = ">=3.11"
progressbar2 = "*"
colorama = "*"
[requires]
python_version = "3.6"
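Review bot: The new `colorama = "*"` entry accepts any published version, unlike `PyYAML = ">=3.11"` a few lines above; the lock file in this commit resolves it to 0.4.3, but anyone regenerating the lock gets whatever is current on the index. Consider at least a lower bound such as `colorama = ">=0.4.3"` so the Pipfile records the range the code was tested against and the lock file is not the only pin.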

259
Pipfile.lock generated

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "f3f1c14d8b9cfcd5608e018017012b8712a94fb7a56f633ae179bd3451d636fb"
"sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
},
"pipfile-spec": 6,
"requires": {
@ -49,10 +49,10 @@
},
"certifi": {
"hashes": [
"sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50",
"sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef"
"sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
"sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
],
"version": "==2019.9.11"
"version": "==2019.11.28"
},
"chardet": {
"hashes": [
@ -61,58 +61,65 @@
],
"version": "==3.0.4"
},
"coverage": {
"colorama": {
"hashes": [
"sha256:08907593569fe59baca0bf152c43f3863201efb6113ecb38ce7e97ce339805a6",
"sha256:0be0f1ed45fc0c185cfd4ecc19a1d6532d72f86a2bac9de7e24541febad72650",
"sha256:141f08ed3c4b1847015e2cd62ec06d35e67a3ac185c26f7635f4406b90afa9c5",
"sha256:19e4df788a0581238e9390c85a7a09af39c7b539b29f25c89209e6c3e371270d",
"sha256:23cc09ed395b03424d1ae30dcc292615c1372bfba7141eb85e11e50efaa6b351",
"sha256:245388cda02af78276b479f299bbf3783ef0a6a6273037d7c60dc73b8d8d7755",
"sha256:331cb5115673a20fb131dadd22f5bcaf7677ef758741312bee4937d71a14b2ef",
"sha256:386e2e4090f0bc5df274e720105c342263423e77ee8826002dcffe0c9533dbca",
"sha256:3a794ce50daee01c74a494919d5ebdc23d58873747fa0e288318728533a3e1ca",
"sha256:60851187677b24c6085248f0a0b9b98d49cba7ecc7ec60ba6b9d2e5574ac1ee9",
"sha256:63a9a5fc43b58735f65ed63d2cf43508f462dc49857da70b8980ad78d41d52fc",
"sha256:6b62544bb68106e3f00b21c8930e83e584fdca005d4fffd29bb39fb3ffa03cb5",
"sha256:6ba744056423ef8d450cf627289166da65903885272055fb4b5e113137cfa14f",
"sha256:7494b0b0274c5072bddbfd5b4a6c6f18fbbe1ab1d22a41e99cd2d00c8f96ecfe",
"sha256:826f32b9547c8091679ff292a82aca9c7b9650f9fda3e2ca6bf2ac905b7ce888",
"sha256:93715dffbcd0678057f947f496484e906bf9509f5c1c38fc9ba3922893cda5f5",
"sha256:9a334d6c83dfeadae576b4d633a71620d40d1c379129d587faa42ee3e2a85cce",
"sha256:af7ed8a8aa6957aac47b4268631fa1df984643f07ef00acd374e456364b373f5",
"sha256:bf0a7aed7f5521c7ca67febd57db473af4762b9622254291fbcbb8cd0ba5e33e",
"sha256:bf1ef9eb901113a9805287e090452c05547578eaab1b62e4ad456fcc049a9b7e",
"sha256:c0afd27bc0e307a1ffc04ca5ec010a290e49e3afbe841c5cafc5c5a80ecd81c9",
"sha256:dd579709a87092c6dbee09d1b7cfa81831040705ffa12a1b248935274aee0437",
"sha256:df6712284b2e44a065097846488f66840445eb987eb81b3cc6e4149e7b6982e1",
"sha256:e07d9f1a23e9e93ab5c62902833bf3e4b1f65502927379148b6622686223125c",
"sha256:e2ede7c1d45e65e209d6093b762e98e8318ddeff95317d07a27a2140b80cfd24",
"sha256:e4ef9c164eb55123c62411f5936b5c2e521b12356037b6e1c2617cef45523d47",
"sha256:eca2b7343524e7ba246cab8ff00cab47a2d6d54ada3b02772e908a45675722e2",
"sha256:eee64c616adeff7db37cc37da4180a3a5b6177f5c46b187894e633f088fb5b28",
"sha256:ef824cad1f980d27f26166f86856efe11eff9912c4fed97d3804820d43fa550c",
"sha256:efc89291bd5a08855829a3c522df16d856455297cf35ae827a37edac45f466a7",
"sha256:fa964bae817babece5aa2e8c1af841bebb6d0b9add8e637548809d040443fee0",
"sha256:ff37757e068ae606659c28c3bd0d923f9d29a85de79bf25b2b34b148473b5025"
"sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
"sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
],
"index": "pypi",
"version": "==4.5.4"
"version": "==0.4.3"
},
"coverage": {
"hashes": [
"sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
"sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
"sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
"sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
"sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
"sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
"sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
"sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
"sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
"sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
"sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
"sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
"sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
"sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
"sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
"sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
"sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
"sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
"sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
"sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
"sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
"sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
"sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
"sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
"sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
"sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
"sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
"sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
"sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
"sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
"sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
],
"index": "pypi",
"version": "==5.0.3"
},
"deprecated": {
"hashes": [
"sha256:a515c4cf75061552e0284d123c3066fbbe398952c87333a92b8fc3dd8e4f9cc1",
"sha256:b07b414c8aac88f60c1d837d21def7e83ba711052e03b3cbaff27972567a8f8d"
"sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
"sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
],
"version": "==1.2.6"
"version": "==1.2.7"
},
"elasticsearch": {
"hashes": [
"sha256:693935914d59a517dfffdaab547ff906712a386d9e25027517464960221cbd4c",
"sha256:7644fa0a9ae524344185bda561826a781a5c6bd4d3eb98a24515c567aab88327"
"sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
"sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
],
"index": "pypi",
"version": "==7.0.5"
"version": "==7.5.1"
},
"elasticsearch-async": {
"hashes": [
@ -138,64 +145,47 @@
},
"importlib-metadata": {
"hashes": [
"sha256:aa18d7378b00b40847790e7c27e11673d7fed219354109d0e7b9e5b25dc3ad26",
"sha256:d5f18a79777f3aa179c145737780282e27b508fc8fd688cb17c7a813e8bd39af"
"sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
"sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
],
"version": "==0.23"
"markers": "python_version < '3.8'",
"version": "==1.5.0"
},
"jsonschema": {
"hashes": [
"sha256:2fa0684276b6333ff3c0b1b27081f4b2305f0a36cf702a23db50edb141893c3f",
"sha256:94c0a13b4a0616458b42529091624e66700a17f847453e52279e35509a5b7631"
"sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
"sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
],
"version": "==3.1.1"
},
"more-itertools": {
"hashes": [
"sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832",
"sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4"
],
"version": "==7.2.0"
"version": "==3.2.0"
},
"multidict": {
"hashes": [
"sha256:024b8129695a952ebd93373e45b5d341dbb87c17ce49637b34000093f243dd4f",
"sha256:041e9442b11409be5e4fc8b6a97e4bcead758ab1e11768d1e69160bdde18acc3",
"sha256:045b4dd0e5f6121e6f314d81759abd2c257db4634260abcfe0d3f7083c4908ef",
"sha256:047c0a04e382ef8bd74b0de01407e8d8632d7d1b4db6f2561106af812a68741b",
"sha256:068167c2d7bbeebd359665ac4fff756be5ffac9cda02375b5c5a7c4777038e73",
"sha256:148ff60e0fffa2f5fad2eb25aae7bef23d8f3b8bdaf947a65cdbe84a978092bc",
"sha256:1d1c77013a259971a72ddaa83b9f42c80a93ff12df6a4723be99d858fa30bee3",
"sha256:1d48bc124a6b7a55006d97917f695effa9725d05abe8ee78fd60d6588b8344cd",
"sha256:31dfa2fc323097f8ad7acd41aa38d7c614dd1960ac6681745b6da124093dc351",
"sha256:34f82db7f80c49f38b032c5abb605c458bac997a6c3142e0d6c130be6fb2b941",
"sha256:3d5dd8e5998fb4ace04789d1d008e2bb532de501218519d70bb672c4c5a2fc5d",
"sha256:4a6ae52bd3ee41ee0f3acf4c60ceb3f44e0e3bc52ab7da1c2b2aa6703363a3d1",
"sha256:4b02a3b2a2f01d0490dd39321c74273fed0568568ea0e7ea23e02bd1fb10a10b",
"sha256:4b843f8e1dd6a3195679d9838eb4670222e8b8d01bc36c9894d6c3538316fa0a",
"sha256:5de53a28f40ef3c4fd57aeab6b590c2c663de87a5af76136ced519923d3efbb3",
"sha256:61b2b33ede821b94fa99ce0b09c9ece049c7067a33b279f343adfe35108a4ea7",
"sha256:6a3a9b0f45fd75dc05d8e93dc21b18fc1670135ec9544d1ad4acbcf6b86781d0",
"sha256:76ad8e4c69dadbb31bad17c16baee61c0d1a4a73bed2590b741b2e1a46d3edd0",
"sha256:7ba19b777dc00194d1b473180d4ca89a054dd18de27d0ee2e42a103ec9b7d014",
"sha256:7c1b7eab7a49aa96f3db1f716f0113a8a2e93c7375dd3d5d21c4941f1405c9c5",
"sha256:7fc0eee3046041387cbace9314926aa48b681202f8897f8bff3809967a049036",
"sha256:8ccd1c5fff1aa1427100ce188557fc31f1e0a383ad8ec42c559aabd4ff08802d",
"sha256:8e08dd76de80539d613654915a2f5196dbccc67448df291e69a88712ea21e24a",
"sha256:c18498c50c59263841862ea0501da9f2b3659c00db54abfbf823a80787fde8ce",
"sha256:c49db89d602c24928e68c0d510f4fcf8989d77defd01c973d6cbe27e684833b1",
"sha256:ce20044d0317649ddbb4e54dab3c1bcc7483c78c27d3f58ab3d0c7e6bc60d26a",
"sha256:d1071414dd06ca2eafa90c85a079169bfeb0e5f57fd0b45d44c092546fcd6fd9",
"sha256:d3be11ac43ab1a3e979dac80843b42226d5d3cccd3986f2e03152720a4297cd7",
"sha256:db603a1c235d110c860d5f39988ebc8218ee028f07a7cbc056ba6424372ca31b"
"sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
"sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
"sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
"sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
"sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
"sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
"sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
"sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
"sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
"sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
"sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
"sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
"sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
"sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
"sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
"sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
"sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
],
"version": "==4.5.2"
"version": "==4.7.4"
},
"pathspec": {
"hashes": [
"sha256:e285ccc8b0785beadd4c18e5708b12bb8fcf529a1e61215b3feff1d1e559ea5c"
"sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
"sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
],
"version": "==0.6.0"
"version": "==0.7.0"
},
"progressbar2": {
"hashes": [
@ -207,18 +197,17 @@
},
"pymisp": {
"hashes": [
"sha256:17b145dbc39a1ba4ebce60e8b75a479d2c8fd3c2a239f32682f2e1a3636469ec",
"sha256:814023f346f9e1dcf6763d93450df44ff0157f2061c612a7eaf2020280f588a3",
"sha256:de67196f6a8916b9c52a84a1c45ea967c53fa9d2b3795b070ad2c1cbc28d79d7"
"sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
"sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
],
"index": "pypi",
"version": "==2.4.117.2"
"version": "==2.4.120"
},
"pyrsistent": {
"hashes": [
"sha256:eb6545dbeb1aa69ab1fb4809bfbf5a8705e44d92ef8fc7c2361682a47c46c778"
"sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
],
"version": "==0.15.5"
"version": "==0.15.7"
},
"python-dateutil": {
"hashes": [
@ -236,22 +225,20 @@
},
"pyyaml": {
"hashes": [
"sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9",
"sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4",
"sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8",
"sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696",
"sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34",
"sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9",
"sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73",
"sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299",
"sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b",
"sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae",
"sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681",
"sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41",
"sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8"
"sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
"sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
"sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
"sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
"sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
"sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
"sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
"sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
"sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
"sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
"sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
],
"index": "pypi",
"version": "==5.1.2"
"version": "==5.3"
},
"requests": {
"hashes": [
@ -262,10 +249,10 @@
},
"six": {
"hashes": [
"sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd",
"sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"
"sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
"sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
],
"version": "==1.13.0"
"version": "==1.14.0"
},
"typing-extensions": {
"hashes": [
@ -278,10 +265,10 @@
},
"urllib3": {
"hashes": [
"sha256:3de946ffbed6e6746608990594d08faac602528ac7015ac28d33cee6a45b7398",
"sha256:9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86"
"sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
"sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
],
"version": "==1.25.6"
"version": "==1.25.8"
},
"wrapt": {
"hashes": [
@ -291,34 +278,40 @@
},
"yamllint": {
"hashes": [
"sha256:24f05b7ff1a604120eeb5ff7afb7ed8792253bfa96ee83db9cec6d5c20feaf64",
"sha256:d42dbb35b3d28722a8c5c25de4593add0a6215b2732eb6932d89f38482c3d01c"
"sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
"sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
],
"index": "pypi",
"version": "==1.18.0"
"version": "==1.20.0"
},
"yarl": {
"hashes": [
"sha256:024ecdc12bc02b321bc66b41327f930d1c2c543fa9a561b39861da9388ba7aa9",
"sha256:2f3010703295fbe1aec51023740871e64bb9664c789cba5a6bdf404e93f7568f",
"sha256:3890ab952d508523ef4881457c4099056546593fa05e93da84c7250516e632eb",
"sha256:3e2724eb9af5dc41648e5bb304fcf4891adc33258c6e14e2a7414ea32541e320",
"sha256:5badb97dd0abf26623a9982cd448ff12cb39b8e4c94032ccdedf22ce01a64842",
"sha256:73f447d11b530d860ca1e6b582f947688286ad16ca42256413083d13f260b7a0",
"sha256:7ab825726f2940c16d92aaec7d204cfc34ac26c0040da727cf8ba87255a33829",
"sha256:b25de84a8c20540531526dfbb0e2d2b648c13fd5dd126728c496d7c3fea33310",
"sha256:c6e341f5a6562af74ba55205dbd56d248daf1b5748ec48a0200ba227bb9e33f4",
"sha256:c9bb7c249c4432cd47e75af3864bc02d26c9594f49c82e2a28624417f0ae63b8",
"sha256:e060906c0c585565c718d1c3841747b61c5439af2211e185f6739a9412dfbde1"
"sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
"sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
"sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
"sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
"sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
"sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
"sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
"sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
"sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
"sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
"sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
"sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
"sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
"sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
"sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
"sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
"sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
],
"version": "==1.3.0"
"version": "==1.4.2"
},
"zipp": {
"hashes": [
"sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e",
"sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335"
"sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
"sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
],
"version": "==0.6.0"
"version": "==2.1.0"
}
},
"develop": {}


@ -14,9 +14,9 @@ Sigma is for log files what [Snort](https://www.snort.org/) is for network traff
This repository contains:
* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
* Open repository for sigma signatures in the `./rules`subfolder
* A converter that generate searches/queries for different SIEM systems [work in progress]
1. Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
2. Open repository for sigma signatures in the `./rules` subfolder
3. A converter named `sigmac` located in the `./tools/` sub folder that generates search queries for different SIEM systems from Sigma rules
![sigma_description](./images/Sigma-description.png)
@ -33,7 +33,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
# Use Cases
* Describe your detection method in Sigma to make it sharable
* Write and your SIEM searches in Sigma to avoid a vendor lock-in
* Write your SIEM searches in Sigma to avoid a vendor lock-in
* Share the signature in the appendix of your analysis along with IOCs and YARA rules
* Share the signature in threat intel communities - e.g. via MISP
* Provide Sigma signatures for malicious behaviour in your own application
@ -154,12 +154,17 @@ optional arguments:
#### Single Rule Translation
Translate a single rule
```
tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml
```
#### Rule Set Translation
Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
```
tools/sigmac -I -t splunk -r rules/windows/sysmon/
tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/
```
#### Translate Only Rules of Level High or Critical
Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`) and select only rules of level `high` and `critical`
```
tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
```
#### Rule Set Translation with Custom Config
Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
@ -300,6 +305,7 @@ These tools are not part of the main toolchain and maintained separately by thei
* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
# Contribution


@ -0,0 +1,42 @@
title: High DNS subdomain requests rate per domain
id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
dns_question_name:
query: "*"
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
timeframe: 15m
condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
# for each host in timeframe
# for each dns_question_etld_plus_one
# if number of dns_question_name > 200
# dns_question_etld_plus_one is not in default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
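Review bot: The `condition` line `count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains` is pseudo-code rather than Sigma's aggregation grammar, which expects `<selections> | count(<field>) by <field> <op> <value>` with a single `by` field, so sigmac will most likely reject the rule; the four `#` lines under it already describe the intent in prose. If the two-key grouping cannot be expressed, say so explicitly in the rule the way the process-reimaging rule in this commit does (`# Rule logic is currently not supported by SIGMA.`) rather than leaving a condition that looks parseable. A closer convertible approximation, accepting that it is not per-host, would be `condition: dns_question_name and not default_list_of_well_known_domains | count(dns_question_name) by query_etld_plus_one > 200`, with the per-host requirement kept as a comment.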


@ -0,0 +1,37 @@
title: Large domain name request
id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
description: Detects large DNS domain names
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
query_length: "> 70" # IS MORE THAN 70 bytes
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
condition: selection and not default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
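Review bot: `query_length: "> 70"` is a string value, and Sigma field/value pairs are converted as equality or wildcard matches, so backends will search for the literal text `> 70` in `query_length` instead of applying a numeric comparison; the same applies to `ttl: '>0'` and `ttl: '<10'` in the DNS-rebinding rule added in this commit. As far as I can tell sigmac has no numeric-comparison modifier at this point, so the value should either be documented as needing backend-side adjustment, e.g. `query_length: "> 70" # NOTE: numeric comparison; sigmac emits a literal match, adjust per backend`, or the threshold expressed where the grammar allows it. The existing inline comment `# IS MORE THAN 70 bytes` describes the intent but not how the value will actually be converted.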


@ -0,0 +1,23 @@
title: Possible DNS Rebinding
id: ec5b8711-b550-4879-9660-568aaae2c3ea
status: experimental
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: dns
detection:
selection:
answer: '*'
filter1:
ttl: '>0'
filter2:
ttl: '<10'
timeframe: 30s
condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium
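Review bot: `filter1` and `filter2` are named like exclusions but are ANDed positively in `condition: selection and filter1 and filter2 | count(answer) by src_ip > 3`, the opposite of the usual `and not filter` convention, which makes the rule easy to misread; renaming them (e.g. `ttl_positive` / `ttl_low`) or folding both TTL constraints into `selection` would avoid that. This rule also declares `logsource: product: dns` while the two other DNS rules in this commit use `category: dns`, so a field-mapping config keyed on one form will not apply to the other; one of the two should be aligned.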


@ -0,0 +1,48 @@
action: global
title: Defense evasion via process reimaging
id: 7fa4f550-850e-4117-b543-428c86ebb849
description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFileName
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
# Rule logic is currently not supported by SIGMA.
# Sysmon v.10.0 or newer is required for proper detection.
status: experimental
author: Alexey Balandin, oscd.community
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
tags:
- attack.defense_evasion
date: 2019/10/25
detection:
condition: all of them
falsepositives:
- unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection1:
category: process_creation
fields:
- Image
- OriginalFileName
- ParentProcessGuid
new_fields:
- ImageFileName
---
logsource:
product: windows
service: sysmon
detection:
selection2:
EventID: 11
fields:
- ProcessGuid
- TargetFileName
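Review bot: In the second document, `selection1` is a field-match map, so `category: process_creation`, `fields:` and `new_fields:` will be converted as literal field/value conditions rather than as logsource or output metadata; `category` belongs under `logsource`, and `fields` is a top-level rule key in Sigma, not a detection key. Combined with the global `condition: all of them`, each generated rule ANDs only the selection in its own document, so the converted output does not correlate the two events at all, which the comment block at the top already concedes (`# Rule logic is currently not supported by SIGMA.`). Until the correlation is expressible, consider moving `category: process_creation` into the first `logsource`, hoisting `fields` to the top level, and stating in `description` that the rule is a specification for manual implementation, so a backend does not emit a near-match-everything query tagged `level: high`.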


@ -0,0 +1,34 @@
title: Dumping ntds.dit remotely via DCSync
id: 51238c62-2b29-4539-ad75-e94575368a12
description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/24
modified: 2019/11/13
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4624
ComputerName: '%DomainControllersNamesList%'
selection2:
IpAddress: '%DomainControllersIpsList%'
selection3:
EventID: 4662
ComputerName: '%DomainControllersNamesList%'
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental
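Review bot: The `condition` line `write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert` is a prose description of a two-stage correlation, not Sigma condition syntax, so sigmac cannot convert this rule; the NetSync rule added in this commit has the same construction. `selection3` on its own (EventID 4662 with the two GUIDs in `Properties`, which appear to be the directory-replication control-access rights) is the conventional DCSync detection and is convertible, so a supported fallback would be `condition: selection3` with the logon-id correlation kept as a `#` comment describing the enrichment needed, leaving the `%...%` placeholders for the config to fill. If the intent is that the rule is specification-only, say so in `description` rather than leaving a condition that reads like a parse error.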


@ -0,0 +1,30 @@
title: Dumping ntds.dit remotely via NetSync
id: 757b2a11-73e7-411a-bd46-141d906e0167
description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4624
ComputerName: '%DomainControllersNamesList%'
selection2:
IpAddress: '%DomainControllersIpsList%'
selection3:
EventID: 5145
ComputerName: '%DomainControllersNamesList%'
ShareName|contains: '\IPC$'
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
RelativeTargetName: 'netlogon'
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental


@ -2,6 +2,7 @@ title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
description: Generic rule for SQL exceptions in Python according to PEP 249
author: Thomas Patzke
date: 2017/08/12
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
logsource:
@ -18,4 +19,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium


@ -3,6 +3,7 @@ id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
references:
- http://www.sqlinjection.net/errors
logsource:


@ -1,7 +1,8 @@
title: Django framework exceptions
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/05
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@ -29,4 +30,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium


@ -1,7 +1,8 @@
title: Ruby on Rails framework exceptions
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
@ -22,4 +23,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium


@ -1,7 +1,8 @@
title: Spring framework exceptions
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
logsource:
@ -21,4 +22,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium


@ -0,0 +1,33 @@
title: Silence.Downloader V3
id: 170901d1-de11-4de7-bccb-8fa13678d857
status: experimental
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/22
tags:
- attack.persistence
- attack.g0091
logsource:
category: process_creation
product: windows
detection:
selection_recon:
Image|endswith:
- '\tasklist.exe'
- '\qwinsta.exe'
- '\ipconfig.exe'
- '\hostname.exe'
CommandLine|contains: '>>'
CommandLine|endswith: 'temps.dat'
selection_persistence:
CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
condition: selection_recon | near selection_persistence # requires both
fields:
- ComputerName
- User
- Image
- CommandLine
falsepositives:
- Unknown
level: high
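Review bot: The `near` aggregation in `condition: selection_recon | near selection_persistence` is, as far as I know, implemented by few if any sigmac backends, so this rule is likely to fail conversion rather than deliver the "requires both" semantics the inline comment promises. That limitation belongs in the description, and a fallback worth considering for backends without `near` is to document that only one side can be matched there or to ship the two selections as separate rules. The rule also has no `references:` entry, unlike the other new rules on this page.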


@ -0,0 +1,34 @@
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: experimental
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/20
tags:
- attack.g0091
- attack.s0363
logsource:
product: windows
service: powershell
detection:
empire:
ScriptBlockText|contains|all: # better to randomise the order
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
ScriptBlockText|contains|all: # better to randomise the order
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
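Review bot: The rule matches on `ScriptBlockText`, which is only populated when PowerShell Script Block Logging (Event ID 4104) is enabled on the endpoints; that prerequisite should be stated in the description so operators know why the rule stays silent otherwise. The inline comments `# better to randomise the order` on the two `contains|all` lists do not affect matching (`all` is order-independent) and read as a note to self rather than documentation, so either explain what they mean or drop them. A `references:` entry is also missing.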


@ -0,0 +1,24 @@
title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects disabling, deleting and updating of a Trail
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
level: medium
falsepositives:
- Valid change in a Trail
tags:
- attack.t1089
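Review bot: `condition: selection_source AND events` writes the boolean operator in uppercase while every other rule on this page uses lowercase `and`/`not`; sigmac's condition parser accepts both as far as I can tell, but the style should be consistent, i.e. `condition: selection_source and events`. The same applies to the AWS Config rule (`selection_source AND events`) and the AWS Root Credentials rule (`selection_usertype AND NOT selection_eventtype`) below.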


@ -0,0 +1,21 @@
title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects AWS Config Service disabling
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- attack.t1089
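Review bot: This rule has no `references:` entry, whereas the sibling CloudTrail rule from the same author cites the AWS security best-practices page; a link to the AWS Config documentation for `StopConfigurationRecorder` and `DeleteDeliveryChannel` would help whoever triages a `level: high` alert understand what was switched off.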


@ -0,0 +1,24 @@
title: AWS EC2 Download Userdata
id: 26ff4080-194e-47e7-9889-ef7602efed0c
status: experimental
author: faloker
date: 2020/02/11
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_requesttype:
- requestParameters.attribute: userData
selection_eventname:
- eventName: DescribeInstanceAttribute
timeframe: 30m
condition: all of them | count() > 10
level: medium
falsepositives:
- Assets management software like device42
tags:
- attack.t1020
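Review bot: `condition: all of them | count() > 10` counts `DescribeInstanceAttribute` calls across the whole account in the 30m window rather than per caller, so in any environment where several tools or users read user data the threshold is crossed by normal activity and the alert cannot say who did it. Grouping by the caller, `condition: all of them | count() by userIdentity.arn > 10`, makes the "bulk download by one principal" behaviour the description talks about the thing that is actually counted.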


@ -0,0 +1,23 @@
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: experimental
author: faloker
date: 2020/02/12
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_userdata:
- requestParameters.userData: "*"
selection_eventname:
- eventName: ModifyInstanceAttribute
condition: all of them
level: high
falsepositives:
- Valid changes to the startup script
tags:
- attack.t1064


@ -0,0 +1,21 @@
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: experimental
author: faloker
date: 2020/02/11
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: guardduty.amazonaws.com
selection_eventName:
- eventName: CreateIPSet
condition: all of them
level: high
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
- attack.t1089
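Review bot: The description says the rule detects updates of the GuardDuty trusted IP list, but `selection_eventName` only matches `CreateIPSet`; modifying an existing list goes through `UpdateIPSet` and is not covered. Either add `- eventName: UpdateIPSet` next to `CreateIPSet` or narrow the description to list creation. The selection key is spelled `selection_eventName` here and `selection_eventname` in the sibling rules; consistent naming is cheaper now than later.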


@ -0,0 +1,29 @@
title: AWS IAM Backdoor Users Keys
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: experimental
author: faloker
date: 2020/02/12
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: CreateAccessKey
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName
- errorCode
- errorMessage
level: medium
falsepositives:
- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
- AWS API keys legitimate exchange workflows
tags:
- attack.t1098
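Review bot: The filter `userIdentity.arn|contains: responseElements.accessKey.userName` compares the ARN against the literal string `responseElements.accessKey.userName`, not against that field's value — Sigma has no field-to-field comparison as far as I know — so the filter never matches and the rule fires on every `CreateAccessKey`, including users creating keys for themselves. The falsepositives entry suggests the author expected the filter to be merely incomplete, but it is inoperative; the self-service case can only be excluded in backend-specific post-processing, and that should be stated in the description instead of implied by the filter.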


@ -0,0 +1,23 @@
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: experimental
author: faloker
date: 2020/02/12
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_modified_values:
- responseElements.pendingModifiedValues.masterUserPassword: "*"
selection_eventname:
- eventName: ModifyDBInstance
condition: all of them
level: medium
falsepositives:
- Benign changes to a db instance
tags:
- attack.t1020


@ -0,0 +1,23 @@
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: experimental
author: faloker
date: 2020/02/12
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_ispublic:
- responseElements.publiclyAccessible: "true"
selection_eventname:
- eventName: RestoreDBInstanceFromDBSnapshot
condition: all of them
level: high
falsepositives:
- unknown
tags:
- attack.t1020
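Review bot: `responseElements.publiclyAccessible: "true"` is a quoted string, while the CloudTrail field is a JSON boolean; whether a string match hits a boolean value depends on the backend and its index mapping, so this should be tested against real events or the caveat noted in the description. Minor: `- unknown` in falsepositives is lowercase while the other rules write `Unknown`.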


@ -0,0 +1,21 @@
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects AWS root account usage
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
logsource:
service: cloudtrail
detection:
selection_usertype:
- userIdentity.type: Root
selection_eventtype:
- eventType: AwsServiceEvent
condition: selection_usertype AND NOT selection_eventtype
level: medium
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
tags:
- attack.t1078


@ -0,0 +1,25 @@
title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
tags:
- attack.t1110
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
status: experimental
logsource:
category: authentication
detection:
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
fields:
- src_ip
- dst_ip
- user
falsepositives:
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
level: medium
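Review bot: The description says "from one source to one destination", but `count(category) by dst_ip` groups only by destination, so failures from many different sources against one host are summed together and a single noisy source is indistinguishable from a distributed one; since the aggregation takes one group-by field as the spec defines it, either group `by src_ip` or reword the description to match. `count(category)` also counts the `category` field, which is a logsource attribute rather than a documented event field — the sibling rules use a plain `count()`. The description's "which is may indicate" should read "which may indicate".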


@ -1,4 +1,4 @@
title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: experimental
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
@ -18,7 +18,7 @@ detection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'


@ -0,0 +1,34 @@
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
description: Detect changes in auditd configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
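Review bot: `type: PATH` and the `name:` entries are unquoted here, whereas the neighbouring auditd rules write `type: 'PATH'` and quote their paths; the values parse the same either way, but a consistent quoting style across the auditd rules keeps diffs clean. The audit.rules snippet in the comments is genuinely useful — consider moving it into the description or references so it survives tooling that drops YAML comments. `- self experience` is not a reference a reader can follow; drop it or replace it with a link.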


@ -0,0 +1,24 @@
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
tags:
- attack.defense_evasion
- attack.t1055
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,33 @@
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
description: Detect changes of syslog daemons configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/syslog-ng/syslog-ng.conf
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
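Review bot: The `name:` list covers the three main daemon config files but not their include directories (`/etc/rsyslog.d/*`, and `/etc/syslog-ng/conf.d/*` where present), which is where most distribution and local configuration actually lives, so a change to an included file is not seen. If those directories are added here, the example audit rules in the comments need matching `-w` entries. As in the auditing-configuration rule above, `- self experience` is not a reference a reader can follow.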


@ -1,4 +1,4 @@
title: Masquerading as Linux crond process
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: experimental
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and


@ -1,4 +1,4 @@
title: Detects Suspicious Commands on Linux systems
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: experimental
description: Detects relevant commands often related to malware or hacking activity
@ -18,7 +18,7 @@ detection:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
@ -29,4 +29,4 @@ detection:
condition: 1 of them
falsepositives:
- Admin activity
level: medium
level: medium


@ -8,6 +8,7 @@ tags:
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2017/04/09
logsource:
product: linux
detection:


@ -1,6 +1,8 @@
title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
description: Detects buffer overflow attempts in Unix system log files
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
logsource:


@ -0,0 +1,23 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
description: Detects removing immutable file attribute
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
level: medium
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
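Review bot: The selection only sees `-i` in `a1`, so `chattr` invocations where the flag is not the first argument (for example after `-R`) produce an EXECVE record that does not match; the auditd rules on this page share this positional limitation and it is worth stating in the description. `a0|contains: 'chattr'` could also be tightened to `a0|endswith: 'chattr'`, which still covers both the bare command and a full path while not matching unrelated names that merely contain the substring.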


@ -1,6 +1,8 @@
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
description: Detects relevant ClamAV messages
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
logsource:


@ -0,0 +1,25 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
date: 2019/10/23
description: Detects overwriting (effectively wiping/deleting) the file
author: Jakob Weinzettl, oscd.community
tags:
- attack.impact
- attack.t1485
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'dd'
a1|contains:
- 'if=/dev/null'
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
level: low
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
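Review bot: `a0|contains: 'dd'` matches any argv[0] containing the substring `dd` (`useradd`, `groupadd`, `add`, ...), and the rule only stays quiet because `a1` must also contain `if=/dev/null` or `if=/dev/zero`; an exact `a0: 'dd'` (or a list that also holds `'*/dd'` for full paths) says what is meant. The `if=` operand is matched in `a1` only, while dd accepts operands in any order, so `dd of=... if=/dev/zero` is not seen — worth noting in the description. The rule also lacks the `status:` field that the sibling rules from the same author carry.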


@ -0,0 +1,24 @@
title: File or Folder Permissions Change
description: Detects
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains:
- 'chmod'
- 'chown'
condition: selection
falsepositives:
- User interracting with files permissions (normal/daily behaviour)
level: low
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
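Review bot: `description: Detects` is truncated — the sentence ends after the verb, so the rule effectively has no description; something like `description: Detects file or folder permission and ownership changes via chmod or chown` matches what the selection does. `a0|contains` on `chmod`/`chown` fires on every permission change on the host, which the falsepositives entry acknowledges; a rule this broad is really a hunting query, and saying so in the description helps whoever deploys it.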


@ -0,0 +1,27 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
description: Detects a reload or a start of a service
status: experimental
tags:
- attack.persistence
- attack.t1501
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'systemctl'
a1|contains:
- 'daemon-reload'
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
level: low
references:
- https://attack.mitre.org/techniques/T1501/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml


@ -2,6 +2,7 @@ title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
description: Detects suspicious log entries in Linux log files
author: Florian Roth
date: 2017/03/25
logsource:
product: linux
detection:


@ -1,6 +1,8 @@
title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
description: Detects shellshock expressions in log files
date: 2017/03/14
author: Florian Roth
references:
- http://rubular.com/r/zxBfjWfFYs
logsource:


@ -1,5 +1,7 @@
title: Multiple Failed Logins with Different Accounts from Single Source System
title: Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
author: Florian Roth
date: 2017/02/16
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux


@ -31,4 +31,3 @@ detection:
falsepositives:
- Unknown
level: medium


@ -1,6 +1,8 @@
title: Multiple Modsecurity Blocks
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
date: 2017/02/28
author: Florian Roth
logsource:
product: linux
service: modsecurity
@ -9,10 +11,9 @@ detection:
- 'mod_security: Access denied'
- 'ModSecurity: Access denied'
- 'mod_security-message: Access denied'
timeframe: 120m
timeframe: 120m
condition: selection | count() > 6
falsepositives:
- Vulnerability scanners
- Frequent attacks if system faces Internet
level: medium


@ -0,0 +1,31 @@
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
description: Clear command history in network OS which is used for defense evasion.
references:
- https://attack.mitre.org/techniques/T1146/
- https://attack.mitre.org/techniques/T1070/
author: Austin Clark
date: 2019/08/12
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1070
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'clear logging'
- 'clear archive'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
level: high


@ -0,0 +1,39 @@
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: experimental
description: Collect pertinent data from the configuration files
references:
- https://attack.mitre.org/techniques/T1087/
- https://attack.mitre.org/techniques/T1003/
- https://attack.mitre.org/techniques/T1081/
- https://attack.mitre.org/techniques/T1005/
author: Austin Clark
date: 2019/08/11
tags:
- attack.discovery
- attack.credential_access
- attack.collection
- attack.t1087
- attack.t1003
- attack.t1081
- attack.t1005
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'show running-config'
- 'show startup-config'
- 'show archive config'
- 'more'
condition: keywords
falsepositives:
- Commonly run by administrators.
level: low
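Review bot: `'more'` as a bare keyword matches any accounting record whose text contains that word, not only the `more` command used to print a file, and `'dir'` in the Cisco Discovery rule below has the same problem; `CmdSet` is listed under `fields` but not used in the detection, so these keyword rules are substring searches over the whole record. If the backend mapping allows it, anchor the keywords to the command field, or at least note in the description that the match is unscoped.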


@ -0,0 +1,33 @@
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: experimental
description: Show when private keys are being exported from the device, or when new certificates are installed.
references:
- https://attack.mitre.org/techniques/T1145/
- https://attack.mitre.org/techniques/T1130/
author: Austin Clark
date: 2019/08/12
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1130
- attack.t1145
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates.
level: high


@ -0,0 +1,29 @@
title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: experimental
description: Turn off logging locally or remote
references:
- https://attack.mitre.org/techniques/T1089
author: Austin Clark
date: 2019/08/11
tags:
- attack.defense_evasion
- attack.t1089
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'no logging'
- 'no aaa new-model'
condition: keywords
falsepositives:
- Unknown
level: high


@ -0,0 +1,46 @@
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: experimental
description: Find information about network devices that are not stored in config files.
references:
- https://attack.mitre.org/tactics/TA0007/
author: Austin Clark
date: 2019/08/12
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
detection:
keywords:
- 'dir'
- 'show processes'
- 'show arp'
- 'show cdp'
- 'show version'
- 'show ip route'
- 'show ip interface'
- 'show ip sockets'
- 'show users'
- 'show ssh'
- 'show clock'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low


@ -0,0 +1,28 @@
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: experimental
description: Detect a system being shutdown or put into different boot mode
references:
- https://attack.mitre.org/techniques/T1499/
- https://attack.mitre.org/techniques/T1495/
author: Austin Clark
date: 2019/08/15
tags:
- attack.impact
- attack.t1499
- attack.t1495
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'shutdown'
- 'config-register 0x2100'
- 'config-register 0x2142'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands, though rarely.
level: medium


@ -0,0 +1,31 @@
title: Cisco Show Commands Input
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: experimental
description: See what files are being deleted from flash file systems
references:
- https://attack.mitre.org/techniques/T1107/
- https://attack.mitre.org/techniques/T1488/
- https://attack.mitre.org/techniques/T1487/
author: Austin Clark
date: 2019/08/12
tags:
- attack.defense_evasion
- attack.impact
- attack.t1107
- attack.t1488
- attack.t1487
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'erase'
- 'delete'
- 'format'
condition: keywords
falsepositives:
- Will be used sometimes by admins to clean up local flash space.
level: medium
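Review bot: The title `Cisco Show Commands Input` is copied from the next rule (id b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b) while this rule's description and keywords are about `erase`/`delete`/`format` on flash file systems; two rules with the same title are confusing in any SIEM that displays titles. A title such as `Cisco File Deletion` would describe what is actually detected.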


@ -0,0 +1,29 @@
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
description: See what commands are being input into the device by other people, full credentials can be in the history
references:
- https://attack.mitre.org/techniques/T1056/
- https://attack.mitre.org/techniques/T1139/
author: Austin Clark
date: 2019/08/11
tags:
- attack.collection
- attack.credential_access
- attack.t1139
- attack.t1056
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'show history'
- 'show history all'
- 'show logging'
condition: keywords
falsepositives:
- Not commonly run by administrators, especially if remote logging is configured.
level: medium


@ -0,0 +1,27 @@
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: experimental
description: Find local accounts being created or modified as well as remote authentication configurations
references:
- https://attack.mitre.org/techniques/T1098/
- https://attack.mitre.org/techniques/T1136/
author: Austin Clark
date: 2019/08/12
tags:
- attack.persistence
- attack.t1136
- attack.t1098
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'username'
- 'aaa'
condition: keywords
falsepositives:
- When remote authentication is in place, this should not change often.
level: high
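Review bot: `'aaa'` and `'username'` are very short keywords; depending on how the AAA accounting records are formatted, the records themselves may contain `aaa` (the service name), which would make this `level: high` rule fire on every record. Worth verifying against a sample of real accounting logs and, if so, anchoring to `CmdSet` or lengthening the keywords (e.g. `'aaa authentication'`, `'aaa authorization'`).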


@ -0,0 +1,38 @@
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: experimental
description: Modifications to a config that will serve an adversary's impacts or persistence
references:
- https://attack.mitre.org/techniques/T1100/
- https://attack.mitre.org/techniques/T1168/
- https://attack.mitre.org/techniques/T1493/
author: Austin Clark
date: 2019/08/12
tags:
- attack.persistence
- attack.privilege_escalation
- attack.impact
- attack.t1493
- attack.t1100
- attack.t1168
- attack.t1490
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'ip http server'
- 'ip https server'
- 'kron policy-list'
- 'kron occurrence'
- 'policy-list'
- 'access-list'
- 'ip access-group'
- 'archive maximum'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
level: medium


@ -0,0 +1,39 @@
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: experimental
description: Various protocols maybe used to put data on the device for exfil or infil
references:
- https://attack.mitre.org/techniques/T1074/
- https://attack.mitre.org/techniques/T1105/
- https://attack.mitre.org/techniques/T1498/
- https://attack.mitre.org/techniques/T1002/
author: Austin Clark
date: 2019/08/12
tags:
- attack.collection
- attack.lateral_movement
- attack.command_and_control
- attack.exfiltration
- attack.impact
- attack.t1074
- attack.t1105
- attack.t1492
- attack.t1002
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'tftp'
- 'rcp'
- 'puts'
- 'copy'
- 'configure replace'
- 'archive tar'
condition: keywords
falsepositives:
- Generally used to copy configs or IOS images.
level: low
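Review bot: `references` cites T1498 but `tags` lists `attack.t1492`, so the two disagree about which technique the rule maps to and one of them is a typo. A similar drift appears in Cisco Modify Configuration above, where `attack.t1490` is tagged without a matching reference.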


@ -0,0 +1,27 @@
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: experimental
description: Show when a monitor or a span/rspan is setup or modified
references:
- https://attack.mitre.org/techniques/T1040
author: Austin Clark
date: 2019/08/11
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
detection:
keywords:
- 'monitor capture point'
- 'set span'
- 'set rspan'
condition: keywords
falsepositives:
- Admins may setup new or modify old spans, or use a monitor for troubleshooting.
level: medium


@ -8,6 +8,7 @@ tags:
- attack.command_and_control
- attack.g0020
author: Florian Roth
date: 2017/04/15
logsource:
category: firewall
detection:


@ -9,7 +9,7 @@ references:
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
category: dns
detection:
selection:
parent_domain: '*'
@ -18,4 +18,5 @@ falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043
- attack.t1048
- attack.exfiltration


@ -0,0 +1,29 @@
action: global
title: High DNS Bytes Out
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
description: High DNS queries bytes amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | sum(question_length) by src_ip > 300000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | sum(message_size) by src_ip > 300000


@ -0,0 +1,29 @@
action: global
title: High DNS Requests Rate
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
description: High DNS requests amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | count() by src_ip > 1000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | count() by src_ip > 1000


@ -0,0 +1,19 @@
title: High NULL Records Requests Rate
id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "NULL"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
level: medium


@ -0,0 +1,19 @@
title: High TXT Records Requests Rate
id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "TXT"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
level: medium


@ -1,4 +1,4 @@
title: DNS TXT Answer with possible execution strings
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: experimental
description: Detects strings used in command execution in DNS TXT Answer


@ -2,6 +2,7 @@ title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
logsource:
category: firewall
detection:


@ -0,0 +1,23 @@
title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: experimental
date: 2020/02/12
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
- https://adsecurity.org/?p=3458
tags:
- attack.credential_access
- attack.t1208
logsource:
product: zeek
service: kerberos
detection:
selection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
service: '$*'
condition: selection and not computer_acct
falsepositives:
- normal enterprise SPN requests activity
level: medium
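Review bot: This rule has no `author:` field, which every other rule on this page carries and which the Sigma metadata convention expects. The `computer_acct` filter `service: '$*'` matches service names that begin with `$`; Windows computer account names conventionally end with `$`, so if the intent is to exclude computer-account SPNs the wildcard may belong at the front (`'*$'`) — please confirm against actual Zeek kerberos.log `service` values before changing it.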


@ -5,6 +5,7 @@ description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
date: 2019/11/12
logsource:
category: proxy
detection:
@ -18,4 +19,3 @@ fields:
falsepositives:
- Old browsers
level: high


@ -1,4 +1,4 @@
title: CobaltStrike Malleable Amazon browsing traffic profile
title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: experimental
description: Detects Malleable Amazon Profile
@ -6,6 +6,7 @@ references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:


@ -5,6 +5,7 @@ description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:
@ -13,8 +14,8 @@ detection:
selection:
c-uri: '*/oscp/*'
cs-host: 'ocsp.verisign.com'
condition: selection
condition: selection
falsepositives:
- Unknown
level: high


@ -1,10 +1,11 @@
title: CobaltStrike Malleable OneDrive browsing traffic profile
title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
status: experimental
description: Detects Malleable OneDrive Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:
@ -15,7 +16,7 @@ detection:
c-uri: '*?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
c-uri: 'http*://onedrive.live.com/*'
c-uri: 'http*://onedrive.live.com/*'
condition: selection and not filter
falsepositives:
- Unknown


@ -8,12 +8,13 @@ references:
- https://www.spamhaus.org/statistics/tlds/
- https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth
date: 2018/06/13
date: 2017/11/07
modified: 2018/06/13
logsource:
category: proxy
detection:
selection:
c-uri-extension:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
@ -32,8 +33,8 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
r-dns:
# Symantec / Chris Larsen analysis
r-dns:
# Symantec / Chris Larsen analysis
- '*.country'
- '*.stream'
- '*.gdn'
@ -60,7 +61,7 @@ detection:
- '*.zip'
- '*.cricket'
- '*.space'
# McAfee report
# McAfee report
- '*.info'
- '*.vn'
- '*.cm'
@ -97,7 +98,7 @@ detection:
- '*.gq'
- '*.ml'
- '*.ga'
# Custom
# Custom
- '*.pw'
condition: selection
fields:


@ -3,11 +3,12 @@ id: b5de2919-b74a-4805-91a7-5049accbaefe
status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
date: 2017/03/13
logsource:
category: proxy
detection:
selection:
c-uri-extension:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
@ -27,7 +28,7 @@ detection:
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
r-dns:
r-dns:
- '*.com'
- '*.org'
- '*.net'


@ -5,11 +5,12 @@ description: Detects suspicious empty user agent strings in proxy logs
references:
- https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
selection:
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
c-useragent: ''
condition: selection
fields:


@ -5,6 +5,7 @@ description: Detects Windows PowerShell Web Access
references:
- https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth
date: 2017/03/13
logsource:
category: proxy
detection:


@ -5,6 +5,7 @@ description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth
date: 2017/10/25
logsource:
category: proxy
detection:


@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used in APT malware in proxy
references:
- Internal Research
author: Florian Roth, Markus Neis
date: 2019/11/12
logsource:
category: proxy
detection:
@ -22,7 +23,7 @@ detection:
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
@ -34,7 +35,7 @@ detection:
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
@ -43,6 +44,7 @@ detection:
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
condition: selection
fields:
- ClientIP
@ -51,4 +53,3 @@ fields:
falsepositives:
- Old browsers
level: high


@ -12,7 +12,7 @@ logsource:
detection:
selection:
c-useragent:
# XMRig
# XMRig
- 'XMRig *'
# CCMiner
- 'ccminer*'


@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used by exploit / pentest fra
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:


@ -6,6 +6,7 @@ references:
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:


@ -9,6 +9,7 @@ references:
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
@ -55,7 +56,9 @@ detection:
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Others
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
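Review bot: The added Emotet entry `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)` is a well-formed user agent of the kind Internet Explorer 11 on Windows 8 emits when rendering a site in compatibility view, so unlike the malformed strings elsewhere in this list it may match legitimate browsers on older hosts. Either the rule's falsepositives section (outside this hunk) should mention compatibility-view IE on NT 6.2 hosts, or the entry belongs in a lower-severity rule. The `# Emotet` heading comment follows the style of the neighbouring section comments, which is fine.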


@ -5,6 +5,7 @@ description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
@ -18,13 +19,13 @@ detection:
- 'Mozilla/2.0 *'
- 'Mozilla/1.0 *'
- 'Mozilla *' # missing slash
- ' Mozilla/*' # leading space
- ' Mozilla/*' # leading space
- 'Mozila/*' # single 'l'
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
falsepositives:
c-useragent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content


@ -3,6 +3,7 @@ id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
logsource:
category: proxy
detection:


@ -2,6 +2,7 @@ title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
description: Detects a segmentation fault error message caused by a creashing apacke worker process
author: Florian Roth
date: 2017/02/28
references:
- http://www.securityfocus.com/infocus/1633
logsource:
@ -13,4 +14,3 @@ detection:
falsepositives:
- Unknown
level: high


@ -0,0 +1,32 @@
title: Citrix Netscaler Attack CVE-2019-19781
description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
id: ac5a6409-8c89-44c2-8d64-668c29a2d756
references:
- https://support.citrix.com/article/CTX267679
- https://support.citrix.com/article/CTX267027
- https://isc.sans.edu/diary/25686
- https://twitter.com/mpgn_x64/status/1216787131210829826
- https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
author: Arnim Rupp, Florian Roth
status: experimental
date: 2020/01/02
modified: 2020/01/15
logsource:
category: webserver
description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
detection:
selection:
c-uri-path:
- '*/../vpns/*'
- '*/vpns/cfg/smb.conf'
- '*/vpns/portal/scripts/*.pl*'
condition: selection
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Unknown
level: critical
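Review bot: The selection pattern `'*/vpns/portal/scripts/*.pl*'` also matches logout.pl, which the rule's own logsource text says is not exploitable, so authenticated users signing out through the direct path could raise a critical-level alert; a `filter:` with `c-uri-path: '*/vpns/portal/scripts/logout.pl*'` and `condition: selection and not filter` would keep the detection aligned with its description. Separately, the Sigma logsource section documents its source with the `definition` key rather than `description`, so the free-text note under `logsource:` may be ignored or rejected by the rule tests as written; `definition:` looks like the intended key — confirm against the specification the repository's tests enforce.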


@ -1,7 +1,8 @@
title: Multiple suspicious Response Codes caused by Single Client
title: Multiple Suspicious Resp Codes Caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
logsource:
category: webserver
detection:


@ -4,6 +4,7 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth
date: 2019/11/18
logsource:
category: webserver
detection:
@ -17,4 +18,4 @@ fields:
- response
falsepositives:
- Unknown
level: critical
level: critical


@ -2,6 +2,7 @@ title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
date: 2019/06/08
references:
- https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
@ -18,4 +19,4 @@ fields:
- response
falsepositives:
- unknown
level: medium
level: medium


@ -2,6 +2,7 @@ title: Webshell Detection by Keyword
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
date: 2017/02/19
logsource:
category: webserver
detection:
@ -19,4 +20,3 @@ falsepositives:
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- User searches in search boxes of the respective website
level: high


@ -1,7 +1,8 @@
title: Persistence and Execution at scale via GPO scheduled task
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
author: Samir Bousseaden
date: 2019/04/03
references:
- https://twitter.com/menasec1/status/1106899890377052160
tags:
@ -19,6 +20,6 @@ detection:
RelativeTargetName: '*ScheduledTasks.xml'
Accesses: '*WriteData*'
condition: selection
falsepositives:
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
level: high


@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
author: Samir Bousseaden
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@ -18,9 +18,10 @@ detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
Value:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
Value|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
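Review bot: The three GUIDs under `Value|contains` are the control-access rights DS-Replication-Get-Changes (`1131f6aa-…`), DS-Replication-Get-Changes-All (`1131f6ad-…`) and DS-Replication-Get-Changes-In-Filtered-Set (`89e95b76-…`), but nothing on the lines says so, and an analyst tuning the rule has to look each one up. An inline comment per entry, e.g. `- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All`, would make the rule self-explanatory; the same applies to the identical list under `Properties|contains` in the Active Directory Replication rule added later in this commit.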


@ -8,6 +8,7 @@ tags:
- attack.t1087
status: experimental
author: Samir Bousseaden
date: 2019/04/03
logsource:
product: windows
service: security


@ -0,0 +1,26 @@
title: AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
description: Detects WRITE_DAC access to a domain object
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
tags:
- attack.defense_evasion
- attack.t1222
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
ObjectServer: 'DS'
AccessMask: 0x40000
ObjectType:
- '19195a5b-6da0-11d0-afd3-00c04fd930c9'
- 'domainDNS'
condition: selection
falsepositives:
- Unknown
level: critical
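Review bot: `AccessMask: 0x40000` is an unquoted hex literal, which a YAML loader turns into the integer 262144, whereas the event field is carried as the text `0x40000` in the log; the sibling Active Directory Replication rule in this commit quotes its value as `AccessMask: '0x100'`, so the two rules are inconsistent and the unquoted form may fail to match depending on how the backend renders integers. Writing it as `AccessMask: '0x40000'` keeps the comparison textual and matches the other rule.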


@ -0,0 +1,33 @@
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
falsepositives:
- Unknown
level: critical


@ -9,6 +9,7 @@ tags:
- car.2016-04-005
status: experimental
author: juju4
date: 2017/10/29
logsource:
product: windows
service: security


@ -6,6 +6,7 @@ tags:
- attack.t1077
status: experimental
author: Florian Roth
date: 2017/03/04
logsource:
product: windows
service: security
@ -17,6 +18,6 @@ detection:
filter:
SubjectUserName: '*$'
condition: selection and not filter
falsepositives:
falsepositives:
- Legitimate administrative activity
level: low


@ -7,6 +7,7 @@ tags:
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017/07/30
logsource:
product: windows
service: security
@ -18,6 +19,6 @@ detection:
Message:
- '*SeEnableDelegationPrivilege*'
condition: all of them
falsepositives:
falsepositives:
- Unknown
level: high


@ -6,6 +6,7 @@ references:
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017/04/13
tags:
- attack.t1098
- attack.credential_access
@ -19,9 +20,9 @@ detection:
selection1:
EventID: 4738
filter1:
AllowedToDelegateTo: null
filter2:
AllowedToDelegateTo: '-'
AllowedToDelegateTo:
- null
- '-'
selection2:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@ -31,8 +32,8 @@ detection:
AttributeLDAPDisplayName: 'servicePrincipalName'
selection4:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
falsepositives:
falsepositives:
- Unknown
level: high
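Review bot: With filter2 folded into filter1, `condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4` now quantifies over a single filter; `(selection1 and not filter1)` expresses the same thing directly and avoids suggesting that further filters exist. Also, `- null` as one element of a value list relies on the backend treating a list entry of null as a field-absent test, which not every backend may do in the same way as a scalar `null`; it is worth confirming that the converted queries for the backends in use still express "AllowedToDelegateTo missing or `-`" as the previous two filters did.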
