commit
7bca85e406
@ -1,6 +1,6 @@
|
||||
title: Azure Kubernetes Secret or Config Object Access
|
||||
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
|
||||
description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets.
|
||||
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
|
||||
author: Austin Songer @austinsonger
|
||||
status: experimental
|
||||
date: 2021/08/07
|
||||
|
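Review bot: The corrected description line still reads "when a Kubernetes account access a sensitive objects", which is ungrammatical after the spelling fix; the subject/verb and article do not agree. I would change it to `description: Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.` so the rule text reads cleanly in generated documentation.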
@ -1,6 +1,6 @@
|
||||
title: Azure Virtual Network Device Modified or Deleted
|
||||
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
|
||||
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual applicance, vitual hub, or virtual router.
|
||||
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
|
||||
author: Austin Songer
|
||||
status: experimental
|
||||
date: 2021/08/08
|
||||
|
@ -17,4 +17,4 @@ tags:
|
||||
- attack.impact
|
||||
- attack.t1565
|
||||
falsepositives:
|
||||
- Unkown
|
||||
- Unknown
|
||||
|
@ -19,4 +19,4 @@ level: medium
|
||||
tags:
|
||||
- attack.impact
|
||||
falsepositives:
|
||||
- Unkown
|
||||
- Unknown
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Default Cobalt Strike Certificate
|
||||
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
|
||||
description: Detects the presense of default Cobalt Strike certificate in the HTTPS traffic
|
||||
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
|
||||
author: Bhabesh Raj
|
||||
date: 2021/06/23
|
||||
references:
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: BabyShark Agent Pattern
|
||||
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
|
||||
status: experimental
|
||||
description: Detects Baby Shark C2 Framework communcation patterns
|
||||
description: Detects Baby Shark C2 Framework communication patterns
|
||||
author: Florian Roth
|
||||
date: 2021/06/09
|
||||
references:
|
||||
|
@ -13,7 +13,7 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
c-useragent|contains:
|
||||
# Vulnerbility scanner and brute force tools
|
||||
# Vulnerability scanner and brute force tools
|
||||
- '(hydra)'
|
||||
- ' arachni/'
|
||||
- ' BFAC '
|
||||
|
@ -30,5 +30,5 @@ detection:
|
||||
- 'metric'
|
||||
condition: selection1 and selection2
|
||||
falsepositives:
|
||||
- Vulnerability Scaning/Pentesting
|
||||
- Vulnerability Scanning/Pentesting
|
||||
level: high
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: Exchange Exploitation CVE-2021-28480
|
||||
id: a2a9d722-0acb-4096-bccc-daaf91a5037b
|
||||
status: experimental
|
||||
description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
|
||||
description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
|
||||
references:
|
||||
- https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
|
||||
author: Florian Roth
|
||||
|
@ -21,5 +21,5 @@ fields:
|
||||
- EventCode
|
||||
- AccountName
|
||||
falsepositives:
|
||||
- unkown
|
||||
- unknown
|
||||
level: high
|
||||
|
@ -24,7 +24,7 @@ detection:
|
||||
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
|
||||
falsepositives:
|
||||
- Vulnerability scanners
|
||||
- Missconfigured systems
|
||||
- Misconfigured systems
|
||||
- Remote administration tools
|
||||
- VPN terminators
|
||||
- Multiuser systems like Citrix server farms
|
||||
|
@ -24,7 +24,7 @@ detection:
|
||||
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
|
||||
falsepositives:
|
||||
- Vulnerability scanners
|
||||
- Missconfigured systems
|
||||
- Misconfigured systems
|
||||
- Remote administration tools
|
||||
- VPN terminators
|
||||
- Multiuser systems like Citrix server farms
|
||||
|
@ -24,7 +24,7 @@ detection:
|
||||
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
|
||||
falsepositives:
|
||||
- Vulnerability scanners
|
||||
- Missconfigured systems
|
||||
- Misconfigured systems
|
||||
- Remote administration tools
|
||||
- VPN terminators
|
||||
- Multiuser systems like Citrix server farms
|
||||
|
@ -1,4 +1,4 @@
|
||||
title: Suspicous Remote Logon with Explicit Credentials
|
||||
title: Suspicious Remote Logon with Explicit Credentials
|
||||
id: 941e5c45-cda7-4864-8cea-bbb7458d194a
|
||||
status: experimental
|
||||
description: Detects suspicious processes logging on with explicit credentials
|
||||
|
@ -24,5 +24,5 @@ detection:
|
||||
ObjectName: '\Device\ConDrv'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Penetration tests where lateral movement has occured. This event will be created on the target host.
|
||||
- Penetration tests where lateral movement has occurred. This event will be created on the target host.
|
||||
level: high
|
||||
|
@ -19,7 +19,7 @@ detection:
|
||||
EventID: 4104
|
||||
selection_basic:
|
||||
ScriptBlockText|contains: 'Get-Keystrokes'
|
||||
selection_high: # want to run in backgroud and keybord
|
||||
selection_high: # want to run in background and keyboard
|
||||
ScriptBlockText|contains|all:
|
||||
- 'Get-ProcAddress user32.dll GetAsyncKeyState'
|
||||
- 'Get-ProcAddress user32.dll GetForegroundWindow'
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: Suspicious Export-PfxCertificate
|
||||
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
|
||||
status: experimental
|
||||
description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines
|
||||
description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines
|
||||
references:
|
||||
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
|
||||
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
|
||||
|
@ -18,7 +18,7 @@ detection:
|
||||
- '0x1fffff'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unkown
|
||||
- unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.execution
|
||||
|
@ -14,7 +14,7 @@ detection:
|
||||
CallTrace|startswith: 'UNKNOWN'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unkown
|
||||
- unknown
|
||||
level: critical
|
||||
tags:
|
||||
- attack.execution
|
||||
|
@ -17,7 +17,7 @@ detection:
|
||||
- 'UNKNOWN'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unkown
|
||||
- unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.execution
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Accesschk Usage After Privilege Escalation
|
||||
id: c625d754-6a3d-4f65-9c9a-536aea960d37
|
||||
description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not
|
||||
description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not
|
||||
status: experimental
|
||||
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
|
||||
date: 2020/10/13
|
||||
|
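Review bot: The new description line fixes "succesfull" but leaves the sentence without a verb ("to verify if a privilege escalation process successful or not"). I would change it to `description: Accesschk is an access and privilege audit tool developed by SysInternals and is often used by attackers to verify whether a privilege escalation attempt was successful.` The rest of the rule is outside this hunk.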
@ -1,6 +1,6 @@
|
||||
title: Exchange Exploitation Activity
|
||||
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
|
||||
description: Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers
|
||||
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
|
||||
author: Florian Roth
|
||||
date: 2021/03/09
|
||||
modified: 2021/03/16
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: ProxyLogon MSExchange OabVirtualDirectory
|
||||
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
|
||||
status: experimental
|
||||
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invokation of Set-OabVirtualDirectory
|
||||
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
|
||||
references:
|
||||
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
|
||||
author: Florian Roth
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Writing Of Malicious Files To The Fonts Folder
|
||||
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
|
||||
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from.
|
||||
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
|
||||
references:
|
||||
- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
|
||||
date: 2020/21/04
|
||||
|
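Review bot: The new description line only corrects "doesnt" and still carries "privillege"; it should read `This folder doesn't require admin privilege to be written and executed from.` The same hunk also shows `date: 2020/21/04`, which cannot be a YYYY/MM/DD value (there is no month 21); presumably the day and month were swapped, which the referenced report's April 2020 publication date seems to support, so this is worth confirming and fixing in the same typo pass since the repository's test suite validates rule metadata.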
@ -23,7 +23,7 @@ detection:
|
||||
- 'UpdateDeploymentProvider.dll /ClassId'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Wuaueng.dll which is a module belonging to Microsoft Wnidows Update.
|
||||
- Wuaueng.dll which is a module belonging to Microsoft Windows Update.
|
||||
fields:
|
||||
- CommandLine
|
||||
level: medium
|
@ -20,7 +20,7 @@ detection:
|
||||
- '.*(?i)winget install (--m|-m).*'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
|
||||
- Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.
|
||||
fields:
|
||||
- CommandLine
|
||||
level: medium
|
@ -1,4 +1,4 @@
|
||||
title: Script Event Consumer Spawning Processs
|
||||
title: Script Event Consumer Spawning Process
|
||||
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
|
||||
status: experimental
|
||||
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Suspicious Csi.exe Usage
|
||||
id: 40b95d31-1afc-469e-8d34-9a3a667d058e
|
||||
description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
|
||||
description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
|
||||
status: experimental
|
||||
author: Konstantin Grishchenko, oscd.community
|
||||
date: 2020/10/17
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Suspicious VBoxDrvInst.exe Parameters
|
||||
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
|
||||
description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
|
||||
description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers.
|
||||
For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
|
||||
status: experimental
|
||||
author: Konstantin Grishchenko, oscd.community
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Remote Code Execute via Winrm.vbs
|
||||
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
|
||||
description: Detects an attempt to execude code or create service on remote host via winrm.vbs.
|
||||
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
|
||||
status: experimental
|
||||
references:
|
||||
- https://twitter.com/bohops/status/994405551751815170
|
||||
|
@ -25,7 +25,7 @@ detection:
|
||||
- '\powershell.exe'
|
||||
filter_null1:
|
||||
CommandLine: 'null'
|
||||
filter_null2: # some backends need the null value in a seperate expression
|
||||
filter_null2: # some backends need the null value in a separate expression
|
||||
CommandLine: null
|
||||
condition: selection and not filter_null1 and not filter_null2
|
||||
falsepositives:
|
||||
|
@ -27,9 +27,9 @@ detection:
|
||||
- Image|endswith:
|
||||
- '\WmiPrvSE.exe'
|
||||
- '\WerFault.exe'
|
||||
filter_null1: # some backends need the null value in a seperate expression
|
||||
filter_null1: # some backends need the null value in a separate expression
|
||||
LogonId: null
|
||||
filter_null2: # some backends need the null value in a seperate expression
|
||||
filter_null2: # some backends need the null value in a separate expression
|
||||
SubjectLogonId: null
|
||||
condition: selection and not filter and not filter_null1 and not filter_null2
|
||||
falsepositives:
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: Office Application Startup - Office Test
|
||||
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
|
||||
status: experimental
|
||||
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started
|
||||
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
|
||||
references:
|
||||
- https://attack.mitre.org/techniques/T1137/002/
|
||||
author: omkar72
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Atbroker Registry Change
|
||||
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
|
||||
description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
|
||||
description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs
|
||||
author: Mateusz Wydra, oscd.community
|
||||
references:
|
||||
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
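Review bot: The new description line fixes "persistance" but leaves "Assisitive Technology" misspelled; it should read `description: Detects creation/modification of Assistive Technology applications and persistence with usage of ATs`. The selection rename from `persistance` to `persistence` in the following hunk is applied consistently to the `condition` line, so that part looks complete.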
@ -18,9 +18,9 @@ logsource:
|
||||
detection:
|
||||
creation:
|
||||
TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
|
||||
persistance:
|
||||
persistence:
|
||||
TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
|
||||
condition: creation or persistance
|
||||
condition: creation or persistence
|
||||
falsepositives:
|
||||
- Creation of non-default, legitimate AT.
|
||||
level: high
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Persistent Outlook Landing Pages
|
||||
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
|
||||
description: Detects the manipulation of persistant URLs which could execute malicious code
|
||||
description: Detects the manipulation of persistent URLs which could execute malicious code
|
||||
status: experimental
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
|
||||
|
@ -1,6 +1,6 @@
|
||||
title: Persistent Outlook Landing Pages
|
||||
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
|
||||
description: Detects the manipulation of persistant URLs which can be malicious
|
||||
description: Detects the manipulation of persistent URLs which can be malicious
|
||||
status: experimental
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
|
||||
|
@ -344,7 +344,7 @@ class TestRules(unittest.TestCase):
|
||||
status_str = self.get_rule_part(file_path=file, part_name="status")
|
||||
if status_str:
|
||||
if not status_str in valid_status:
|
||||
print(Fore.YELLOW + "Rule {} has a invalide 'status' (check wiki).".format(file))
|
||||
print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
|
||||
faulty_rules.append(file)
|
||||
|
||||
self.assertEqual(faulty_rules, [], Fore.RED +
|
||||
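Review bot: The corrected message still has an article error, "has a invalid 'status'", and should be `print(Fore.YELLOW + "Rule {} has an invalid 'status' (check wiki).".format(file))`; the level check in the next hunk has the same wording and should be fixed together. As a point of style, the guard above the print, `if not status_str in valid_status:`, is the non-idiomatic form of `if status_str not in valid_status:`, and the same shape appears as `elif not level_str in valid_level:` in the next hunk. The enclosing test method starts and ends outside both hunks.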
@ -365,7 +365,7 @@ class TestRules(unittest.TestCase):
|
||||
print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file))
|
||||
faulty_rules.append(file)
|
||||
elif not level_str in valid_level:
|
||||
print(Fore.YELLOW + "Rule {} has a invalide 'level' (check wiki).".format(file))
|
||||
print(Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file))
|
||||
faulty_rules.append(file)
|
||||
|
||||
self.assertEqual(faulty_rules, [], Fore.RED +
|
||||
@ -562,7 +562,7 @@ class TestRules(unittest.TestCase):
|
||||
for key in logsource:
|
||||
if key.lower() not in valid_logsource:
|
||||
print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
|
||||
valide = False
|
||||
valid = False
|
||||
if not valid:
|
||||
faulty_rules.append(file)
|
||||
|
||||
|
@ -40,7 +40,7 @@ class DevoBackend(SingleTextQueryBackend):
|
||||
mapMulti = "has(%s, %s)" # Syntax for field/value conditions. First %s is fieldname, second is value
|
||||
mapWildcard = "matches(%s, nameglob(%s))" # Syntax for globbing conditions
|
||||
mapRe = "matches(%s, %s)" # Syntax for regex conditions that already were transformed by SigmaRegularExpressionModifier
|
||||
mapContains = "toktains(%s, %s, true, true)" # Systax for token value searches
|
||||
mapContains = "toktains(%s, %s, true, true)" # Syntax for token value searches
|
||||
mapListValueExpression = "%s or %s" # Syntax for field/value condititons where map value is a list
|
||||
mapFullTextSearch = "weaktoktains(raw, \"%s\", true, true)" # Expression for full text searches
|
||||
typedValueExpression = {
|
||||
|
@ -65,7 +65,7 @@ class SigmaRuleFilter:
|
||||
if self.status not in self.STATES:
|
||||
raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
|
||||
elif cond.startswith("tlp="):
|
||||
self.tlp = cond[cond.index("=") + 1:].upper() #tlp is allways uppercase
|
||||
self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase
|
||||
elif cond.startswith("target="):
|
||||
self.target = cond[cond.index("=") + 1:].lower() # lower to make caseinsensitive
|
||||
elif cond.startswith("logsource="):
|
||||
|
@ -7,7 +7,7 @@ from uuid import uuid4, UUID
|
||||
import yaml
|
||||
from sigma.output import SigmaYAMLDumper
|
||||
|
||||
argparser = ArgumentParser(description="Assign and verfify UUIDs of Sigma rules")
|
||||
argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules")
|
||||
argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.")
|
||||
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose.")
|
||||
argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories.")
|
||||
|
@ -15,7 +15,7 @@ def yaml_preserve_order(self, dict_data):
|
||||
return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items())
|
||||
|
||||
def main():
|
||||
argparser = ArgumentParser(description="Assign and verfify UUIDs of Sigma rules")
|
||||
argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules")
|
||||
argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.")
|
||||
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose.")
|
||||
argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories.")
|
||||
|
@ -114,7 +114,7 @@ def set_argparser():
|
||||
available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags.
|
||||
This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """)
|
||||
argparser.add_argument("--output-format", "-oF", choices=["json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)")
|
||||
argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use")
|
||||
argparser.add_argument("--output-extention", "-e", default=None, help="Extension of Output file for filename prefix use")
|
||||
argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character")
|
||||
argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
|
||||
argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend")
|
||||
|
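Review bot: The help text is now spelled correctly but the option itself is still registered as `--output-extention`, so users continue to type the misspelling. Since renaming the flag outright would break existing scripts, I would register both spellings on the same argument and pin the destination so the attribute the rest of sigmac presumably reads keeps its current name: `argparser.add_argument("--output-extension", "--output-extention", "-e", dest="output_extention", default=None, help="Extension of Output file for filename prefix use")`. The enclosing set_argparser() body continues outside this hunk.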