fix: fixed missing date fields in proxy rules

This commit is contained in:
Florian Roth 2020-01-30 15:20:52 +01:00
parent f84b3abf2d
commit 617ece1aa2
16 changed files with 33 additions and 20 deletions


@ -5,6 +5,7 @@ description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
date: 2019/11/12
logsource:
category: proxy
detection:
@ -18,4 +19,3 @@ fields:
falsepositives:
- Old browsers
level: high


@ -6,6 +6,7 @@ references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:


@ -5,6 +5,7 @@ description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:
@ -13,8 +14,8 @@ detection:
selection:
c-uri: '*/oscp/*'
cs-host: 'ocsp.verisign.com'
condition: selection
condition: selection
falsepositives:
- Unknown
level: high


@ -5,6 +5,7 @@ description: Detects Malleable OneDrive Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
author: Markus Neis
date: 2019/11/12
tags:
- attack.t1102
logsource:
@ -15,7 +16,7 @@ detection:
c-uri: '*?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
c-uri: 'http*://onedrive.live.com/*'
c-uri: 'http*://onedrive.live.com/*'
condition: selection and not filter
falsepositives:
- Unknown


@ -8,12 +8,13 @@ references:
- https://www.spamhaus.org/statistics/tlds/
- https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth
date: 2018/06/13
date: 2017/11/07
modified: 2018/06/13
logsource:
category: proxy
detection:
selection:
c-uri-extension:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
@ -32,8 +33,8 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
r-dns:
# Symantec / Chris Larsen analysis
r-dns:
# Symantec / Chris Larsen analysis
- '*.country'
- '*.stream'
- '*.gdn'
@ -60,7 +61,7 @@ detection:
- '*.zip'
- '*.cricket'
- '*.space'
# McAfee report
# McAfee report
- '*.info'
- '*.vn'
- '*.cm'
@ -97,7 +98,7 @@ detection:
- '*.gq'
- '*.ml'
- '*.ga'
# Custom
# Custom
- '*.pw'
condition: selection
fields:


@ -3,11 +3,12 @@ id: b5de2919-b74a-4805-91a7-5049accbaefe
status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
date: 2017/03/13
logsource:
category: proxy
detection:
selection:
c-uri-extension:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
@ -27,7 +28,7 @@ detection:
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
r-dns:
r-dns:
- '*.com'
- '*.org'
- '*.net'


@ -5,11 +5,12 @@ description: Detects suspicious empty user agent strings in proxy logs
references:
- https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
selection:
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
c-useragent: ''
condition: selection
fields:


@ -5,6 +5,7 @@ description: Detects Windows PowerShell Web Access
references:
- https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth
date: 2017/03/13
logsource:
category: proxy
detection:


@ -5,6 +5,7 @@ description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth
date: 2017/10/25
logsource:
category: proxy
detection:


@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used in APT malware in proxy
references:
- Internal Research
author: Florian Roth, Markus Neis
date: 2019/11/12
logsource:
category: proxy
detection:
@ -22,7 +23,7 @@ detection:
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
@ -34,7 +35,7 @@ detection:
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
@ -51,4 +52,3 @@ fields:
falsepositives:
- Old browsers
level: high
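Review bot: The `date: 2019/11/12` added at the top of this file postdates sources the same rule cites further down in the hunk (the Talos VPNFilter post from 2018/05 and the Unit 42 Sofacy posts from 2018/06), so if this value was backfilled from the last edit rather than the rule's creation it records the wrong thing in a field downstream tooling may use to age rules. The suspicious-TLD rule in this same commit shows the intended split — `date: 2017/11/07` kept as the creation date and `modified: 2018/06/13` for the later change — so the other files that receive a fresh `date: 2019/11/12` here (the APT40 Dropbox rule, the three Malleable C2 profile rules and this one) should probably carry the November 2019 value as `modified:` and keep `date:` for when the rule first landed, if that can be recovered from history. Keeping the slash-separated `YYYY/MM/DD` form is right, since a dash-separated value would be parsed as a YAML timestamp rather than a string. The user-agent list this hunk edits continues outside the hunk.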


@ -12,7 +12,7 @@ logsource:
detection:
selection:
c-useragent:
# XMRig
# XMRig
- 'XMRig *'
# CCMiner
- 'ccminer*'


@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used by exploit / pentest fra
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:


@ -6,6 +6,7 @@ references:
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:


@ -9,6 +9,7 @@ references:
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
@ -55,7 +56,7 @@ detection:
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Others
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'


@ -5,6 +5,7 @@ description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
author: Florian Roth
date: 2017/07/08
logsource:
category: proxy
detection:
@ -18,13 +19,13 @@ detection:
- 'Mozilla/2.0 *'
- 'Mozilla/1.0 *'
- 'Mozilla *' # missing slash
- ' Mozilla/*' # leading space
- ' Mozilla/*' # leading space
- 'Mozila/*' # single 'l'
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
falsepositives:
c-useragent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content


@ -3,6 +3,7 @@ id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
logsource:
category: proxy
detection: