Rule review and cleanup

* removed unnecessary one element lists from definitions
* converted some lists of one-element maps to maps because the resulting
  OR linkage would produce wrong results.
This commit is contained in:
Thomas Patzke 2017-02-15 23:53:08 +01:00
parent 193436c7fc
commit 88270fcf2d
19 changed files with 139 additions and 139 deletions


@ -2,9 +2,9 @@ title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
detection:
selection:
- log: auth
pam_user: not null
pam_rhost: not null
log: auth
pam_user: not null
pam_rhost: not null
timeframe: last 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:


@ -2,8 +2,8 @@ title: Network Scans
description: Detects many failed connection attempts to different ports or hosts
detection:
selection:
- log: network
action: denied
log: network
action: denied
timeframe: last 24h
condition:
- selection | count(dst_port) > 10 by src_ip
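Review bot: The `condition` on the last two lines of this hunk is still a one-element list, the form this commit removes everywhere else, and its aggregation is written `count(dst_port) > 10 by src_ip` while the other count rules in this commit place the group-by before the comparison (`count(pam_user) by pam_rhost > 3`). If the condition grammar is the one those rules use, this should be a plain scalar: `condition: selection | count(dst_port) by src_ip > 10`. I cannot see whether the condition parser tolerates the list form, so confirm against it before changing the line.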


@ -2,14 +2,14 @@ title: Multiple suspicious Response Codes caused by Single Client
description: Detects possible exploitation activity or bugs in a web application
detection:
selection:
- log:
- access.log
- error.log
response:
- 400
- 401
- 403
- 500
log:
- access.log
- error.log
response:
- 400
- 401
- 403
- 500
condition: selection | count() by clientip > 10
falsepositives:
- Unstable application


@ -2,9 +2,9 @@ title: Webshell Detection by Keyword
description: Detects webshells that use GET requests by keyword sarches in URL strings
detection:
selection:
- log:
- access.log
- error.log
log:
- access.log
- error.log
keywords:
- '=whoami'
- '=net%20user'
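Review bot: The `description` context line of this hunk has a typo ("sarches") that this cleanup commit could fix alongside the "Penetraion" fix it already makes; the proposed line is `description: Detects webshells that use GET requests by keyword searches in URL strings`. The same applies to "utitlities" in Eventlog Cleared, "Unkown" in the lsass SAM access rule, "Detetcs" and "envirnment" in Suspicious Driver Load from Temp, "Detcts" in Java running with Remote Debugging, and "reconnissaince" in Webshell Detection With Command Line Keywords. The `condition` of this rule lies outside the hunk.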


@ -2,11 +2,11 @@ title: Mimikatz Usage
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
detection:
selection:
- EventLog:
- Security
- System
- Application
- Microsoft-Windows-Sysmon/Operational
EventLog:
- Security
- System
- Application
- Microsoft-Windows-Sysmon/Operational
keywords:
- mimikatz
- mimilib
@ -19,5 +19,5 @@ detection:
condition: selection and 1 of keywords
falsepositives:
- Naughty administrators
- Penetraion test
- Penetration test
level: 100


@ -2,7 +2,7 @@ title: Relevant Anti-Virus Event
description: This detection method points out highly relevant Antivirus events
detection:
selection:
- EventLog: Application
EventLog: Application
keywords:
- HTool
- Hacktool


@ -2,10 +2,10 @@ title: Eventlog Cleared
description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
detection:
selection:
- EventLog: Security
EventID:
- 517
- 1102
EventLog: Security
EventID:
- 517
- 1102
condition: selection
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)


@ -2,16 +2,16 @@ title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
detection:
selection:
- EventLog: Security
EventID:
- 4625
- 4776
Status:
- 0xC0000072
- 0xC000006F
- 0xC0000070
- 0xC0000413
- 0xC000018C
EventLog: Security
EventID:
- 4625
- 4776
Status:
- 0xC0000072
- 0xC000006F
- 0xC0000070
- 0xC0000413
- 0xC000018C
condition: selection
falsepositives:
- User using a disabled account
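Review bot: The five `Status` values in the new mapping are unquoted hex literals (`0xC0000072` ...), which a YAML loader reads as integers, so the rule would compare the event's status string against decimal numbers rather than the `0xC...` text the log carries. The Kerberos rule (`FailureCode: '0x9'`) and the lsass SAM rule (`AccessMask: '0x705'`) in this same commit quote their hex codes, so this file should do the same. Quote each value as shown below; `EventID` can stay numeric.
```yaml
Status:
  - '0xC0000072'
  - '0xC000006F'
  - '0xC0000070'
  - '0xC0000413'
  - '0xC000018C'
```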


@ -2,13 +2,13 @@ title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
detection:
selection:
- EventLog: Security
EventID:
- 529
- 4625
- 4776
UserName: not null
SourceWorkstation: not null
EventLog: Security
EventID:
- 529
- 4625
- 4776
UserName: not null
SourceWorkstation: not null
timeframe: last 24h
condition: selection | count(UserName) by SourceWorkstation > 3
falsepositives:


@ -2,43 +2,43 @@ title: Kerberos Manipulation
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
detection:
selection:
- EventLog: Security
EventID:
- 675
- 4768
- 4769
- 4771
FailureCode:
- '0x9'
- '0xA'
- '0xB'
- '0xF'
- '0x10'
- '0x11'
- '0x13'
- '0x14'
- '0x1A'
- '0x1F'
- '0x21'
- '0x22'
- '0x23'
- '0x24'
- '0x26'
- '0x27'
- '0x28'
- '0x29'
- '0x2C'
- '0x2D'
- '0x2E'
- '0x2F'
- '0x31'
- '0x32'
- '0x3E'
- '0x3F'
- '0x40'
- '0x41'
- '0x43'
- '0x44'
EventLog: Security
EventID:
- 675
- 4768
- 4769
- 4771
FailureCode:
- '0x9'
- '0xA'
- '0xB'
- '0xF'
- '0x10'
- '0x11'
- '0x13'
- '0x14'
- '0x1A'
- '0x1F'
- '0x21'
- '0x22'
- '0x23'
- '0x24'
- '0x26'
- '0x27'
- '0x28'
- '0x29'
- '0x2C'
- '0x2D'
- '0x2E'
- '0x2F'
- '0x31'
- '0x32'
- '0x3E'
- '0x3F'
- '0x40'
- '0x41'
- '0x43'
- '0x44'
condition: selection
falsepositives:
- Faulty legacy applications


@ -4,11 +4,11 @@ status: experimental
reference: https://twitter.com/jackcr/status/807385668833968128
detection:
selection:
- EventLog: Security
EventID: 4656
ProcessName: 'C:\Windows\System32\lsass.exe'
AccessMask: '0x705'
ObjectType: 'SAM_DOMAIN'
EventLog: Security
EventID: 4656
ProcessName: 'C:\Windows\System32\lsass.exe'
AccessMask: '0x705'
ObjectType: 'SAM_DOMAIN'
condition: selection
falsepositives:
- Unkown


@ -4,10 +4,10 @@ reference: https://adsecurity.org/?p=3458
description: Detects logons using RC4 encryption type
detection:
selection:
- EventLog: Security
EventID: 4769
TicketOptions: '0x40810000'
TicketEncryption: '0x17'
EventLog: Security
EventID: 4769
TicketOptions: '0x40810000'
TicketEncryption: '0x17'
reduction:
- ServiceName: '$*'
- Type: 'Success Audit'
@ -15,4 +15,4 @@ detection:
falsepositives:
- Service accounts used on legacy systems (e.g. NetApp)
- Windows Domains with DFL 2003 and legacy systems
level: 40
level: 40
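Review bot: The `reduction` block directly after the rewritten selection is left as a list of one-element maps (`- ServiceName: '$*'`, `- Type: 'Success Audit'`), exactly the form this commit converts elsewhere because it produces OR linkage. If the intent is to drop an event when either the service name is a machine account or the event is a success audit, the list is correct and a comment saying so would stop the next cleanup from flattening it, e.g. `# list form is deliberate: either criterion alone reduces the match`. If both must hold together, it should become a plain mapping like `selection`. The `condition` that consumes `reduction` is outside this hunk, so I cannot tell which reading is intended.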


@ -4,20 +4,20 @@ description: Detects certain DLL loads when Mimikatz gets executed
reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
detection:
dllload1:
- EventLog: Microsoft-Windows-Sysmon/Operational
- EventID: 7
- Image: 'C:\Windows\System32\rundll32.exe'
- ImageLoaded: '*\vaultcli.dll'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
ImageLoaded: '*\vaultcli.dll'
dllload2:
- EventLog: Microsoft-Windows-Sysmon/Operational
- EventID: 7
- Image: 'C:\Windows\System32\rundll32.exe'
- ImageLoaded: '*\wlanapi.dll'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
ImageLoaded: '*\wlanapi.dll'
exclusion:
- EventLog: Microsoft-Windows-Sysmon/Operational
- EventID: 7
- Image: 'C:\Windows\System32\rundll32.exe'
- ImageLoaded:
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
ImageLoaded:
- 'ntdsapi.dll'
- 'netapi32.dll'
- 'imm32.dll'
@ -32,4 +32,4 @@ detection:
condition: ( dllload1 and dllload2 ) and not exclusion
falsepositives:
- unknown
level: 50
level: 50
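Review bot: The `ImageLoaded` values in the new `exclusion` mapping (`'ntdsapi.dll'`, `'netapi32.dll'`, `'imm32.dll'`) carry no path wildcard, whereas `dllload1` and `dllload2` match the same field with `'*\vaultcli.dll'` and `'*\wlanapi.dll'`; if plain values are matched exactly, as the full-path `Image` values suggest, the exclusion will never match a logged full path and `not exclusion` is a no-op. The likely fix is to prefix each exclusion value the same way, e.g. `- '*\ntdsapi.dll'`. Separately, `( dllload1 and dllload2 )` in the second hunk requires one event to carry two different `ImageLoaded` values, which only works if the backend correlates across events; a comment stating that assumption would help. The `ImageLoaded` list of `exclusion` continues beyond the first hunk.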


@ -3,10 +3,10 @@ description: Detects password dumper activity by monitoring remote thread creati
reference: Internal research
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 8
TargetProcess: 'C:\Windows\System32\lsass.exe'
StartModule: ''
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 8
TargetProcess: 'C:\Windows\System32\lsass.exe'
StartModule: ''
condition: selection
falsepositives:
- unknown


@ -2,9 +2,9 @@ title: Suspicious Driver Load from Temp
description: Detetcs a driver load from a temporary directory
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 6
ImageLoaded: '*\Temp\*'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 6
ImageLoaded: '*\Temp\*'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the envirnment


@ -4,12 +4,12 @@ description: Processes started by MMC could by a sign of lateral movement using
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage: '*\mmc.exe'
Image: '*\cmd.exe'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage: '*\mmc.exe'
Image: '*\cmd.exe'
exclusion:
- CommandLine: '*\RunCmd.cmd'
CommandLine: '*\RunCmd.cmd'
condition: selection and not exclusion
falsepositives:
- unknown


@ -2,13 +2,13 @@ title: Java running with Remote Debugging
description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
- EventID: 1
- CommandLine: '*transport=dt_socket,address=*'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
CommandLine: '*transport=dt_socket,address=*'
exclusion:
- CommandLine: '*address=127.0.0.1*'
- CommandLine: '*address=localhost*'
condition: selection and not exclusion
falsepositives:
- unknown
level: 30
level: 30


@ -2,15 +2,15 @@ title: Webshell Detection With Command Line Keywords
description: Detects certain command line parameters often used during reconnissaince activity via web shells
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage:
- '*\apache*'
- '*\tomcat*'
CommandLine:
- 'whoami'
- 'net user'
- 'ping -n'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage:
- '*\apache*'
- '*\tomcat*'
CommandLine:
- 'whoami'
- 'net user'
- 'ping -n'
condition: selection
falsepositives:
- unknown
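Review bot: The new `CommandLine` values (`'whoami'`, `'net user'`, `'ping -n'`) have no wildcards, while `ParentImage` in the same mapping uses `'*\apache*'`; if unadorned values are exact matches, as the full-path `Image` values elsewhere in this commit suggest, the selection only fires when the whole command line equals one of those three strings, which contradicts the description's "command line parameters". If substring matching is intended the values should be wrapped like the other patterns, e.g. `- '*whoami*'`; if the match semantics are substring by default, a comment on `CommandLine:` saying so would prevent this question from recurring.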


@ -3,16 +3,16 @@ status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage:
- '*\w3wp.exe'
- '*\httpd.exe'
- '*\nginx.exe'
Image:
- '*\cmd.exe'
- '*\sh.exe'
- '*\bash.exe'
EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage:
- '*\w3wp.exe'
- '*\httpd.exe'
- '*\nginx.exe'
Image:
- '*\cmd.exe'
- '*\sh.exe'
- '*\bash.exe'
condition: selection
falsepositives:
- Particular web applications may spawn a shell process legitimately