Merge branch 'master' of https://github.com/SigmaHQ/sigma into SigmaHQ-master

This commit is contained in:
joker2013 2021-11-01 21:34:14 +03:00
commit a005464395
932 changed files with 19279 additions and 3526 deletions


@ -8,7 +8,9 @@ on:
branches:
- "*"
pull_request:
branches: [ master, oscd ]
branches:
- master
- oscd
jobs:
test-sigma:
@ -31,3 +33,9 @@ jobs:
- name: Test SQL(ite) Backend
run: |
pipenv run make test-backend-sql
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
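Review bot: `ibiqlik/action-yamllint@v3` (and `actions/checkout@v2`) are pinned to mutable major tags; for a job that runs on every push and pull request, pin third-party actions to a full commit SHA with the tag in a trailing comment, so a tag moving upstream cannot change what executes here. The job also passes no yamllint configuration, so the linter runs with its defaults over the whole repository; check that the default rules (line length, document start) are what the rule files are meant to satisfy, or add a `.yamllint` at the repository root before this job is required to pass.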


@ -6,6 +6,42 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## 0.20 - 2021-08-14
### Added
* Devo backend
* Fields selection added to SQL backend
* Linux/MacOS support for MDATP backend
* Output results as generic YAML/JSON
* Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
* ALA AWS Cloudtrail and Azure mappings
* Logrhytm backend
* Splunk Data Models backend
* Further log sources used in open source Sigma ruleset
* CarbonBlack EDR backend
* Elastic EQL backend
* Additional conversion selection filters
* Filter negation
* Specify table in SQL backend
* Generic registry event log source
* Chronicle backend
### Changed
* Elastic Watcher backend populates name attribute instead of title.
* One item list optimization.
* Updated Winlogbeat mapping
* Generic mapping for Powershell backend
### Fixed
* Elastalert multi output file
* Fixed duplicate output in ElastAlert backend
* Escaping in Graylog backend
* es-rule ndjson output
* Various fixes of known bugs
## 0.19.1 - 2021-02-28
### Changed
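Review bot: "Logrhytm backend" under Added misspells the product name and should read "LogRhythm backend"; likewise "Generic mapping for Powershell backend" should use "PowerShell". "Various fixes of known bugs" under Fixed tells a reader nothing; either list the issue numbers or drop the line.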

LICENSE Normal file

@ -0,0 +1,7 @@
# Licenses
The content of this repository is released under the following licenses:
- The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License
- The Sigma specification is public domain
- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1
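Review bot: the new LICENSE summary names "the GNU Lesser General Public License" without a version, while the README bullet it mirrors links the LGPL 3.0 text; state the version here as well and point to LICENSE.Detection.Rules.md for the DRL text so this file is self-contained. Everything outside tools/ and rules/ (images, configs, tests, contrib/) is left without a stated license by these three bullets.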


@ -1,4 +1,4 @@
# Detection Rule License (DRL) 1.0
# Detection Rule License (DRL) 1.1
Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
@ -10,4 +10,8 @@ If you share the Rules (including in modified form), you must retain the followi
3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.
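Review bot: "identification of the authors(s)" in the new clause should read "author(s)". Because this clause changes what downstream users must do with match output, the 1.0 to 1.1 bump in the heading deserves a one-line note (here or in the CHANGELOG hunk of this commit, which does not mention it) stating that 1.1 adds the attribution requirement for messages generated from matches.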


@ -48,7 +48,11 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkdm -c tools/config/splunk-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t devo -c tools/config/devo-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t uberagent rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t athena -c tools/config/athena.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
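Review bot: the new devo line depends on tools/config/devo-windows.yml, which is not part of this hunk; confirm the mapping ships in this commit, otherwise `make test-sigmac` stops at that line since each recipe line aborts the target on a non-zero exit. The lacework, mdatp and uberagent lines run without any `-c` mapping, consistent with the existing ala and ala-rule lines, so they exercise only the unmapped conversion path.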
@ -96,6 +100,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/hawk.yml -t hawk rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
@ -104,7 +109,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
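Review bot: renaming tests/invalid_yaml.yml to tests/invalid_yaml.badyml only makes sense together with the yamllint job added to the workflow in this commit (a deliberately malformed .yml would fail the lint); a short comment next to these negative tests explaining the extension would save the next reader a search. The same rename recurs in the following hunk for the `-c` config case.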
@ -113,7 +118,7 @@ test-sigmac:
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
test-merge:


@ -20,6 +20,7 @@ urllib3 = "~=1.26"
progressbar2 = "~=3.47"
pymisp = "~=2.4.123"
PyYAML = "~=5.1"
"ruamel.yaml" = "*"
[requires]
python_version = "3.8"
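Review bot: `"ruamel.yaml" = "*"` is the only dependency in this block without a compatible-release constraint; every neighbour uses `~=`, and the lock file in this commit resolves it to 0.17.10, so `"ruamel.yaml" = "~=0.17"` would keep the pin policy consistent and avoid silently picking up a breaking release on the next `pipenv lock`.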

Pipfile.lock generated

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2"
"sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68"
},
"pipfile-spec": 6,
"requires": {
@ -21,6 +21,7 @@
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
},
"certifi": {
@ -30,26 +31,29 @@
],
"version": "==2021.5.30"
},
"chardet": {
"charset-normalizer": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
],
"version": "==4.0.0"
"markers": "python_version >= '3'",
"version": "==2.0.4"
},
"deprecated": {
"hashes": [
"sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
"sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.2.12"
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
],
"version": "==2.10"
"markers": "python_version >= '3'",
"version": "==3.2"
},
"jsonschema": {
"hashes": [
@ -68,24 +72,46 @@
},
"pymisp": {
"hashes": [
"sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a",
"sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2"
"sha256:5971eba9a4d3b7f5ee47035417c7692fc0ec45d581afcaa63e3f7e2d6a400923",
"sha256:641e3db1af1010cff3a652df6eb51ac4f4e540b1801b811d5e009c59114bf26a"
],
"index": "pypi",
"version": "==2.4.141.1"
"version": "==2.4.148"
},
"pyrsistent": {
"hashes": [
"sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
"sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
"sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7",
"sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea",
"sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426",
"sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710",
"sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1",
"sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396",
"sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2",
"sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680",
"sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35",
"sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427",
"sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b",
"sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b",
"sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f",
"sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef",
"sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c",
"sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4",
"sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d",
"sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78",
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b",
"sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72"
],
"version": "==0.17.3"
"markers": "python_version >= '3.6'",
"version": "==0.18.0"
},
"python-dateutil": {
"hashes": [
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
"sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86",
"sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"
],
"version": "==2.8.1"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.8.2"
},
"python-utils": {
"hashes": [
@ -131,26 +157,62 @@
},
"requests": {
"hashes": [
"sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
"sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
"sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
"sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
],
"index": "pypi",
"version": "==2.25.1"
"version": "==2.26.0"
},
"ruamel.yaml": {
"hashes": [
"sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67",
"sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815"
],
"index": "pypi",
"version": "==0.17.10"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
],
"markers": "python_version < '3.10' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
},
"six": {
"hashes": [
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"urllib3": {
"hashes": [
"sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
"sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
"sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
],
"index": "pypi",
"version": "==1.26.5"
"version": "==1.26.6"
},
"wrapt": {
"hashes": [
@ -200,6 +262,7 @@
"sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
"sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
],
"markers": "python_version >= '3.6'",
"version": "==3.7.4.post0"
},
"antlr4-python3-runtime": {
@ -214,21 +277,23 @@
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
],
"markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
},
"attackcti": {
"hashes": [
"sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f",
"sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9"
"sha256:2516b00631d4f0f8e05e950281ed94566774587b968901c02296e174835f0786",
"sha256:98d9c80a2c566847aa6d95fe824f48e8c45a418bbbb212e96dcf468693754cea"
],
"index": "pypi",
"version": "==0.3.4.3"
"version": "==0.3.4.4"
},
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
},
"certifi": {
@ -243,8 +308,17 @@
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
},
"colorama": {
"hashes": [
"sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
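Review bot: the develop section now lists both chardet 4.0.0 and charset-normalizer 2.0.4, whereas the default section earlier in this lock replaced chardet with charset-normalizer outright; that is expected if a develop-only dependency still requires chardet, but worth confirming rather than carrying a stale entry.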
@ -313,11 +387,11 @@
},
"elasticsearch": {
"hashes": [
"sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0",
"sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378"
"sha256:084979d21cc2955903ecc215bb40b8180207b2bcb5e52ec0ec7dd6f60affd01e",
"sha256:f3ab1454e646170bbc6796b8707e4bff125234391d2acc022221e1c0313becb4"
],
"index": "pypi",
"version": "==7.12.0"
"version": "==7.14.0"
},
"elasticsearch-async": {
"hashes": [
@ -329,16 +403,18 @@
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
],
"version": "==2.10"
"markers": "python_version >= '3'",
"version": "==3.2"
},
"more-itertools": {
"hashes": [
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
],
"markers": "python_version >= '3.5'",
"version": "==8.8.0"
},
"multidict": {
@ -381,27 +457,30 @@
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
],
"markers": "python_version >= '3.6'",
"version": "==5.1.0"
},
"packaging": {
"hashes": [
"sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
"sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
],
"version": "==20.9"
"markers": "python_version >= '3.6'",
"version": "==21.0"
},
"pathspec": {
"hashes": [
"sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd",
"sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d"
"sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a",
"sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"
],
"version": "==0.8.1"
"version": "==0.9.0"
},
"pluggy": {
"hashes": [
"sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
"sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.13.1"
},
"py": {
@ -409,6 +488,7 @@
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
@ -416,6 +496,7 @@
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
},
"pytest": {
@ -470,76 +551,70 @@
},
"requests": {
"hashes": [
"sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
"sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
"sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
"sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
],
"index": "pypi",
"version": "==2.25.1"
"version": "==2.26.0"
},
"simplejson": {
"hashes": [
"sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
"sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
"sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
"sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
"sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
"sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
"sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
"sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
"sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
"sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
"sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
"sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
"sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
"sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
"sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
"sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
"sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
"sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
"sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
"sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
"sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
"sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
"sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
"sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
"sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
"sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
"sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
"sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
"sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
"sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
"sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
"sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
"sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
"sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
"sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
"sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
"sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
"sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
"sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
"sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
"sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
"sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
"sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
"sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
"sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
"sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
"sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
"sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
"sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
"sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
"sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
"sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
"sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
"sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
"sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
"sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
"sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
"sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
"sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
"sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
"sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
"sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
"sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
"sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
"sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
"sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
"sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
"sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
"sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
"sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
"sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
"sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
"sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
"sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
"sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
"sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
"sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
"sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
"sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
"sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
"sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
"sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
],
"version": "==3.17.2"
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.3"
},
"six": {
"hashes": [
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"stix2": {
"hashes": [
"sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
"sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
"sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1"
],
"index": "pypi",
"version": "==2.1.0"
"version": "==3.0.0"
},
"stix2-patterns": {
"hashes": [
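Review bot: stix2 moves from 2.1.0 to 3.0.0 in the develop section, a major version bump, while attackcti in the same section only moves from 0.3.4.3 to 0.3.4.4; confirm that attackcti 0.3.4.4 accepts stix2 3.x before merging, since the simplejson and requests bumps in this hunk are routine but a major stix2 change is not.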
@ -565,11 +640,11 @@
},
"urllib3": {
"hashes": [
"sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
"sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
"sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
],
"index": "pypi",
"version": "==1.26.5"
"version": "==1.26.6"
},
"wcwidth": {
"hashes": [
@ -580,11 +655,10 @@
},
"yamllint": {
"hashes": [
"sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
"sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
"sha256:0b08a96750248fdf21f1e8193cb7787554ef75ed57b27f621cd6b3bf09af11a1"
],
"index": "pypi",
"version": "==1.26.0"
"version": "==1.26.2"
},
"yarl": {
"hashes": [
@ -626,6 +700,7 @@
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
],
"markers": "python_version >= '3.6'",
"version": "==1.6.3"
}
}


@ -1,4 +1,4 @@
[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)
[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster)
![sigma_logo](./images/Sigma_0.3.png)
@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei
# Projects or Products that use Sigma
* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018)
* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
@ -360,9 +361,9 @@ Last but not least, the more people use Sigma, the better, so help promote it by
The content of this repository is released under the following licenses:
* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
* Everything else, especially the rules contained in the `rules/` directory is released under the [Detection Rule License (DRL) 1.0](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md).
* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain
* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md)
# Credits
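Review bot: the rewritten bullets narrow the scope from "Everything else, especially the rules contained in the `rules/` directory" to the rules alone, leaving every file outside tools/ and rules/ without a stated license (the new top-level LICENSE file in this commit has the same gap). The three links still point at github.com/Neo23x0/sigma while the badge hunk above already uses github.com/SigmaHQ/sigma; update them to the new organisation.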

contrib/sigma2CSV.py Normal file

@ -0,0 +1,63 @@
#!/usr/bin/env python3
# Copyright 2021 wagga40 (https://github.com/wagga40)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Project: sigma2CSV.py
Date: 07 aug 2021
Author: wagga40 (https://github.com/wagga40)
Version: 1.0
Description:
Asked by frak113 in issue #1787 (https://github.com/SigmaHQ/sigma/issues/1787#issuecomment-894618060)
This script converts sigma rules to a CSV format for statistics puprpose.
For now, it only keeps title, description, level, tags and author fields.
Feel free to modify it according to your needs.
Requirements:
$ pip install pyyaml
"""
import yaml
import glob
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-r", "--rulesdirectory", help="Sub-directory generated by rules-search", required=True, type=str)
parser.add_argument("-f", "--fileext", help="Rule file extension", default="yml", type=str)
parser.add_argument("-d", "--delimiter", help="Separator", default=",", type=str)
parser.add_argument("--oneline", help="Put all tags on a single line", action="store_true")
args = parser.parse_args()
files = glob.glob(args.rulesdirectory + "/**/*." + args.fileext, recursive=True)
# for each file in the given directory
for file in files:
d={}
with open(file, 'r') as stream:
docs = yaml.load_all(stream, Loader=yaml.FullLoader)
for doc in docs:
for k,v in doc.items():
if k in ['title','description','tags','level','author']: # Modify here if you want to include other fields
d[k]=v
# Check for optional fields
if "author" not in d: d["author"]=""
if "level" not in d: d["level"]=""
if args.oneline: # All tags will be on a single line
if "tags" in d:
expandTags = args.delimiter.join([ tags for tags in d["tags"] if "attack" in tags ]) # Only output attack related tags
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{expandTags}')
else:
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}')
else:
if "tags" in d:
for tag in d["tags"]:
if "attack" in tag: # Only output attack related tags
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{tag}')
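Review bot: the CSV rows are built by f-string concatenation (the three `print(f'{d["title"]}...` lines), so any description that contains the delimiter, a double quote or a newline produces a misaligned or multi-line row that a CSV reader cannot parse back; write the rows with `csv.writer(sys.stdout, delimiter=args.delimiter)` so quoting is handled, and emit a header row while at it. Two smaller points: `yaml.load_all(stream, Loader=yaml.FullLoader)` is more loader than plain rule files need, and `yaml.safe_load_all` is the safer default for YAML pulled from third-party rule directories; and the two output modes disagree on rules without attack tags, which are printed in `--oneline` mode but silently dropped in the default per-tag branch, while a rule with no `description` raises KeyError because only `author` and `level` are defaulted.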

contrib/sigmacover.py Normal file

@ -0,0 +1,160 @@
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Project: sigmacover.py
Date: 26/09/2021
Author: frack113
Version: 1.1
Description:
get cover of the rules vs backend
Requirements:
python 3.7 min
$ pip install ruyaml
Todo:
- clean code and bug
- better use of subprocess.run
- have idea
"""
import re
import subprocess
import pathlib
import ruyaml
import json
import copy
import platform
import argparse
def get_sigmac(name,conf):
infos = []
if conf == None:
options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"]
else:
options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"]
if platform.system() == "Windows":
si = subprocess.STARTUPINFO()
si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
ret = subprocess.run(options,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
startupinfo=si
)
my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)"
else:
ret = subprocess.run(options,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)"
if not ret.returncode == 0:
print (f"error {ret.returncode} in sigmac")
log = pathlib.Path("sigmac.log")
with log.open() as f:
lines = f.readlines()
for line in lines:
if "Convertion Sigma input" in line:
info = re.findall(my_regex,line)[0]
infos.append(info)
log.unlink()
dump = pathlib.Path("dump.txt")
if dump.exists():
dump.unlink()
return infos
def update_dict(my_dict,my_data,backend):
for file,state in my_data:
my_dict[file][backend] = state
#the backend dict command line options
backend_dict = {
"ala": None,
"ala-rule": None,
"arcsight": "../tools/config/elk-winlogbeat.yml",
"arcsight-esm": "../tools/config/elk-winlogbeat.yml",
"carbonblack": "../tools/config/elk-winlogbeat.yml",
"chronicle": "../tools/config/elk-winlogbeat.yml",
"crowdstrike": "../tools/config/elk-winlogbeat.yml",
"csharp" : None,
"devo": "../tools/config/elk-winlogbeat.yml",
"ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml",
"elastalert": "../tools/config/winlogbeat-modules-enabled.yml",
"elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
"es-dsl": "../tools/config/winlogbeat-modules-enabled.yml",
"es-eql": "../tools/config/winlogbeat-modules-enabled.yml",
"es-qs": "../tools/config/winlogbeat-modules-enabled.yml",
"es-qs-lr": "../tools/config/logrhythm_winevent.yml",
"es-rule": "../tools/config/winlogbeat-modules-enabled.yml",
"es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml",
"fireeye-helix": "../tools/config/elk-winlogbeat.yml",
"graylog" : None,
"grep" : None,
"humio": "../tools/config/elk-winlogbeat.yml",
"kibana": "../tools/config/winlogbeat-modules-enabled.yml",
"kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml",
"lacework" : None,
"limacharlie" : None,
"logiq" : None,
"logpoint" : None,
"mdatp" : None,
"netwitness" : None,
"netwitness-epl" : None,
"opensearch-monitor": "../tools/config/winlogbeat.yml",
"powershell" : None,
"qradar" : None,
"qualys" : None,
"sentinel-rule" : None,
"splunk": "../tools/config/splunk-windows.yml",
"splunkdm": "../tools/config/splunk-windows.yml",
"splunkxml": "../tools/config/splunk-windows.yml",
"sql": "../tools/config/elk-winlogbeat.yml",
"sqlite": "../tools/config/elk-winlogbeat.yml",
"stix": "../tools/config/stix2.0.yml",
"sumologic" : None,
"sumologic-cse" : None,
"sumologic-cse-rule" : None,
"sysmon": "../tools/config/elk-windows.yml",
"uberagent" : None,
"xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml",
}
print("""
v1.1 bugfix
please wait during the tests
""")
argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.")
argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format")
cmdargs = argparser.parse_args()
if cmdargs.target == None:
print("No outpout use -h to see help")
exit()
#init dict of all rules
default_key_test = {key : "NO TEST" for key in backend_dict.keys()}
the_dico ={}
rules = pathlib.Path("../rules").glob("**/*.yml")
for rule in rules:
the_dico[rule.name] = copy.deepcopy(default_key_test)
#Check all the backend
for name,opt in backend_dict.items():
print (f"check backend : {name}")
result = get_sigmac(name,opt)
update_dict(the_dico,result,name)
#Save
if cmdargs.target.lower() == "yaml":
cover = pathlib.Path("sigmacover.yml")
with cover.open("w") as file:
ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper)
else:
cover = pathlib.Path("sigmacover.json")
with cover.open("w") as file:
json_dumps_str = json.dumps(the_dico, indent=4)
file.write(json_dumps_str)
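Review bot: in `get_sigmac`, a non-zero sigmac return code only prints a message and then falls through to `log.open()` and the `dump.txt` cleanup; if sigmac died before writing `sigmac.log`, that `open()` raises FileNotFoundError and the whole backend loop aborts part-way, leaving every later backend at "NO TEST". Return an empty list (or a sentinel state such as "ERROR") right after the error print and guard the log read with `if log.exists()`. Both `my_regex` values are ordinary strings containing `\S` and `\w` (invalid escape sequences that Python warns about); make them raw strings, and note that `(\w+\.yml)` will not match rule file names containing a hyphen or an extra dot, so those rules also stay "NO TEST". `the_dico` is keyed on `rule.name` alone, so two rules with the same file name in different subdirectories overwrite each other. Typo in the user-facing message: "No outpout".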

@ -0,0 +1,27 @@
title: Invoke-Obfuscation CLIP+ Launcher
id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: unsupported
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2021/09/16
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
condition: selection
falsepositives:
- Unknown
level: high
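Review bot: the logsource does not fit the detection: `category: driver_load` describes a driver image being loaded, but the regex on `ImagePath` looks for a `cmd /c ... clip ... powershell` launcher command line, so this selection is unlikely ever to match a driver-load event. The same mismatch applies to the other Invoke-Obfuscation rules added in this commit that pair `driver_load` with `ImagePath|re`. Given `related: derived` and `status: unsupported`, these look like split-off remnants of the former multi-logsource rules; consider dropping them or marking them deprecated rather than shipping them as `level: high`.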

@ -0,0 +1,29 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
status: unsupported
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
modified: 2021/09/16
tags:
- attack.defense_evasion
- attack.t1027
logsource:
product: windows
category: driver_load
detection:
selection:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,27 @@
title: Invoke-Obfuscation STDIN+ Launcher
id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
description: Detects Obfuscated use of stdin to execute PowerShell
status: unsupported
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,28 @@
title: Invoke-Obfuscation VAR+ Launcher
id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
description: Detects Obfuscated use of Environment Variables to execute PowerShell
status: unsupported
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,28 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: c70731dd-0097-40ff-b112-f7032f29c16c
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
type: derived
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: unsupported
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection
falsepositives:
- unknown
level: medium

@ -0,0 +1,27 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
type: derived
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: unsupported
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
condition: selection
falsepositives:
- Unknown
level: medium

@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Stdin
id: 82b66143-53ee-4369-ab02-de2c70cd6352
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
type: derived
description: Detects Obfuscated Powershell via Stdin in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Clip
id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
type: derived
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use MSHTA
id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
type: derived
description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Rundll32
id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
type: derived
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
condition: selection
falsepositives:
- Unknown
level: high

@ -0,0 +1,27 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
type: derived
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: unsupported
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection
falsepositives:
- Unknown
level: high
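Review bot: the trailing comment `# FPs with |\/r` on the `ImagePath|re` line records a tuning decision (presumably that adding a `/r` alternative next to `/c` produced false positives) with no explanation; move that rationale into the description or the falsepositives list so readers know why `cmd /r` launches are deliberately not covered.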

@ -0,0 +1,23 @@
title: Tap Driver Installation
id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
related:
- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
type: derived
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: unsupported
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2021/09/21
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
category: driver_load
detection:
selection:
ImagePath|contains: 'tap0901'
condition: selection
falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
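Review bot: typo in the falsepositives entry, "insntallation" should be "installation". The description says "Well-known TAP software" without naming it; since the selection keys on `tap0901`, say that this is the OpenVPN TAP-Windows adapter driver so an analyst knows what they are looking at.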

@ -39,4 +39,4 @@ detection:
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
status: unsupported

@ -34,4 +34,4 @@ detection:
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
status: unsupported

@ -1,6 +1,6 @@
title: Possible DNS Rebinding
id: ec5b8711-b550-4879-9660-568aaae2c3ea
status: experimental
status: unsupported
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community

@ -1,7 +1,7 @@
title: MSI Spawned Cmd and Powershell Spawned Processes
id: 38cf8340-461b-4857-bf99-23a41f772b18
description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
status: experimental
status: unsupported
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: process_creation
definition : Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
detection:
parent_image:
ParentImage|endswith:

@ -3,7 +3,7 @@ id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
status: experimental
status: unsupported
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
@ -35,7 +35,7 @@ fields:
- IntegrityLevel
- User
- Image
ParentProcessGuid
- ParentProcessGuid
falsepositives:
- System administrator usage
- Penetration test

@ -11,7 +11,7 @@ description: Detects process reimaging defense evasion technique
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
# Rule logic is currently not supported by SIGMA.
# Sysmon v.10.0 or newer is required for proper detection.
status: experimental
status: unsupported
author: Alexey Balandin, oscd.community
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/

@ -1,7 +1,7 @@
title: Stored Credentials in Fake Files
id: 692b979c-f747-41dc-ad72-1f11c01b110e
description: Search for accessing of fake files with stored credentials
status: experimental
status: unsupported
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020/10/05
references:

@ -1,6 +1,5 @@
action: global
title: APT29 Google Update Service Install
id: c069f460-2b87-4010-8dcf-e45bab362624
description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
so the service names and executable locations used by APT29 are specific enough to be detected in log files.
references:
@ -12,7 +11,8 @@ tags:
- attack.t1543.003
date: 2017/11/01
modified: 2020/08/23
author: Thomas Patzke
author: Thomas Patzke
status: unsupported
logsource:
product: windows
service: system
@ -26,6 +26,7 @@ falsepositives:
- Unknown
level: high
---
id: c069f460-2b87-4010-8dcf-e45bab362624
logsource:
category: process_creation
product: windows
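Review bot: removing `action: global` in the first hunk changes the meaning of the `---` split: the document after it is no longer merged with the first one, so as far as the visible context shows it becomes a second rule that carries only the added `id:` plus its own logsource and detection and no title, description or level. Both documents now also share the same id `c069f460-2b87-4010-8dcf-e45bab362624`. Either keep `action: global`, or give the second document a complete header and a distinct id.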

@ -31,4 +31,4 @@ detection:
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental
status: unsupported

@ -27,4 +27,4 @@ detection:
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental
status: unsupported

@ -6,13 +6,13 @@ references:
tags:
- attack.privilege_escalation
- attack.t1068
status: experimental
status: unsupported
author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
date: 2019/06/03
logsource:
category: process_creation
product: windows
definition : Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
detection:
selection:
ParentIntegrityLevel: Medium

@ -1,10 +1,9 @@
action: global
title: Malicious Service Installations
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2021/07/06
modified: 2021/09/21
references:
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
@ -18,12 +17,6 @@ tags:
- car.2013-09-005
- attack.t1543.003
- attack.t1569.002
detection:
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
level: critical
---
logsource:
product: windows
service: system
@ -38,12 +31,8 @@ detection:
ServiceFileName|contains: 'net user'
malsvc_apt29:
ServiceName: 'Java(TM) Virtual Machine Support Service'
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
malsvc_apt29:
ServiceName: 'javamtsup'
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
level: critical
status: unsupported
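Review bot: the last hunk drops the Security-log section (EventID 4697 with `malsvc_apt29: ServiceName: 'javamtsup'`) outright instead of folding it into the remaining rule, so the 4697 variant of the APT29 service install is no longer covered by this file; if the multi-document form is being abandoned, carry that selection into a separate rule or note the lost coverage in the description. The moved `condition: selection and 1 of malsvc_*` is only valid if `selection` is still defined in the lines not shown here; worth a quick check after the restructure.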

@ -3,7 +3,7 @@ id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
author: Bartlomiej Czyz, Relativity
date: 2021/01/21
action: global
modified: 2021/09/21
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
tags:
@ -12,10 +12,17 @@ tags:
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
selection_1:
ServiceFileName|re: '^.*\\[a-zA-Z]{8}\.exe$'
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and selection_1 and not filter
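Review bot: with the selection now fixed to `EventID: 7045` (System log), the added `ServiceStartType: '3'` and `ServiceType: '0x10'` are the numeric encodings that the Security 4697 event carries, which is also the event the inline comment's encyclopedia link describes; 7045 renders these as text ("demand start", "user mode service"), so against 7045 these two clauses do not match and the rule goes silent. Drop the two fields or map them to the 7045 text values, and fix the comment either way. Anchoring `ServiceFileName` on the literal `^%systemroot%\\...` also loses matches where the service was registered with an expanded path such as `C:\Windows\...`, which the old `^.*\\[a-zA-Z]{8}\.exe$` covered; if the literal prefix is what the named tools actually write, say so in the description.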
@ -26,20 +33,6 @@ fields:
- ServiceName
- ServiceFileName
falsepositives:
- Highly unlikely
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
---
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
status: unsupported
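Review bot: the removed `---` sections are what gave this rule its Security-log (EventID 4697) coverage; after the hunk only the 7045 selection added above survives, so the Impacket/Metasploit service install is no longer detected from 4697 events. If that is intended because the rule is now `status: unsupported`, say so in the description; otherwise keep a separate 4697 rule. The new falsepositives wording ("different agents with a 8 character binary ...") is a genuine improvement over "Highly unlikely".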

@ -8,14 +8,14 @@ tags:
- attack.privilege_escalation
- attack.t1134 # an old one
- attack.t1134.002
status: experimental
status: unsupported
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2020/09/01
logsource:
category: process_creation
product: windows
definition : Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
detection:
selection:
ParentUser:

@ -1,6 +1,6 @@
title: Remote Schtasks Creation
id: cf349c4b-99af-40fa-a051-823aa2307a84
status: experimental
status: unsupported
description: Detects remote execution via scheduled task creation or update on the destination host
author: Jai Minton, oscd.community
date: 2020/10/05

@ -1,7 +1,7 @@
action: global
title: Remote Service Creation
id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
status: experimental
status: unsupported
description: Detects remote execution via service creation on the destination host
author: Jai Minton, oscd.community
date: 2020/10/05

@ -0,0 +1,21 @@
title: AWS Attached Malicious Lambda Layer
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
author: Austin Songer
status: experimental
date: 2021/09/23
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: lambda.amazonaws.com
eventName|startswith: UpdateFunctionConfiguration
condition: selection
level: medium
tags:
- attack.privilege_escalation
falsepositives:
- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
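Review bot: the selection fires on every `UpdateFunctionConfiguration` call (environment variables, timeout, memory, runtime changes), not only on a layer being attached as the title and description claim; either narrow it on the request's layers parameter (recorded under `requestParameters` in CloudTrail; check the exact key against a sample event) or retitle the rule to match what it detects. The `startswith` modifier is justified, since Lambda CloudTrail `eventName` values carry an API version suffix (for example `UpdateFunctionConfiguration20150331v2`); a one-line comment saying so would keep the next contributor from "fixing" it to an exact match.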

@ -4,19 +4,19 @@ status: experimental
description: Detects disabling, deleting and updating of a Trail
author: vitaliy0x1
date: 2020/01/21
modified: 2021/08/09
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
eventSource: cloudtrail.amazonaws.com
eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
condition: selection_source
falsepositives:
- Valid change in a Trail
level: medium

@ -4,16 +4,16 @@ status: experimental
description: Detects AWS Config Service disabling
author: vitaliy0x1
date: 2020/01/21
modified: 2021/08/09
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
eventSource: config.amazonaws.com
eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
condition: selection_source
falsepositives:
- Valid change in AWS Config Service
level: high

@ -4,6 +4,7 @@ status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
@ -15,9 +16,7 @@ logsource:
detection:
selection:
eventSource: ec2.amazonaws.com
eventName:
- DisableEbsEncryptionByDefault
status: success
eventName: DisableEbsEncryptionByDefault
condition: selection
falsepositives:
- System Administrator Activities

@ -4,20 +4,18 @@ status: experimental
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
author: faloker
date: 2020/02/11
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_requesttype:
- requestParameters.attribute: userData
selection_eventname:
- eventName: DescribeInstanceAttribute
eventSource: ec2.amazonaws.com
requestParameters.attribute: userData
eventName: DescribeInstanceAttribute
timeframe: 30m
condition: all of them | count() > 10
condition: selection_source | count() > 10
falsepositives:
- Assets management software like device42
level: medium
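Review bot: `condition: selection_source | count() > 10` has no `by` clause, so it counts every `DescribeInstanceAttribute` userData call in the 30m window account-wide; eleven calls spread across different principals trip the rule while a single identity pulling user data from ten instances does not. Group the count on the caller, for example `| count() by userIdentity.arn > 10`, so the threshold expresses "one identity downloading in bulk" as the description intends.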

@ -4,19 +4,17 @@ status: experimental
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_userdata:
- requestParameters.userData: "*"
selection_eventname:
- eventName: ModifyInstanceAttribute
condition: all of them
eventSource: ec2.amazonaws.com
requestParameters.userData: "*"
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high

@ -4,6 +4,7 @@ status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
author: Diogo Braz
date: 2020/04/16
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
logsource:
@ -17,7 +18,6 @@ detection:
filter2:
errorCode: '*'
filter3:
eventName: 'ConsoleLogin'
responseElements|contains: 'Failure'
condition: selection and (filter1 or filter2 or filter3)
level: low

@ -0,0 +1,20 @@
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
status: experimental
description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
author: Austin Songer @austinsonger
date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteFileSystem
condition: selection
falsepositives:
- unknown
level: medium
tags:
- attack.impact
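Review bot: the title and description promise "modified or deleted" but the selection only matches `DeleteFileSystem`; either add the modify call (EFS exposes `UpdateFileSystem`) to `eventName` or retitle the rule to "Deleted". The sibling mount-target rule in this commit carries `attack.t1485` alongside `attack.impact` while this one lists only the tactic; align the tags.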

@ -0,0 +1,21 @@
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: experimental
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
author: Austin Songer @austinsonger
date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteMountTarget
condition: selection
falsepositives:
- unknown
level: medium
tags:
- attack.impact
- attack.t1485
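Review bot: same title-versus-selection gap as the fileshare rule: only `DeleteMountTarget` is matched, so "Modified" is not covered (`ModifyMountTargetSecurityGroups` would be the modify call). The description's second sentence ("An adversary breaking any file system using the mount target that is being deleted, which might disrupt ...") is a fragment; reword along the lines of "Deleting a mount target breaks file system access through it, which can disrupt instances or applications using that mount."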

@ -0,0 +1,25 @@
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
description: Identifies when an EKS cluster is created or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://any-api.com/amazonaws_com/eks/docs/API_Description
logsource:
service: cloudtrail
detection:
selection:
eventSource: eks.amazonaws.com
eventName:
- CreateCluster
- DeleteCluster
condition: selection
level: low
tags:
- attack.impact
- attack.t1485
falsepositives:
- EKS Cluster being created or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
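Review bot: the only reference is a third-party API mirror (any-api.com); point to the official AWS EKS API reference for `CreateCluster` and `DeleteCluster` instead. Tagging `CreateCluster` with `attack.t1485` (Data Destruction) does not fit the create case; either split create and delete into separate rules so the tag applies only to deletion, or keep just the tactic tag here.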

@ -0,0 +1,25 @@
title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
description: Detects when an ElastiCache security group has been created.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName: "CreateCacheSecurityGroup"
condition: selection
level: low
tags:
- attack.persistence
- attack.t1136
- attack.t1136.003
falsepositives:
- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
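Review bot: the ATT&CK mapping does not fit the event: `attack.t1136`/`attack.t1136.003` are Create Account / Cloud Account, but `CreateCacheSecurityGroup` creates no principal. Drop the technique tags or map to a technique that describes network-access configuration. `A ElastiCache` should read `An ElastiCache`, and the quoted `"CreateCacheSecurityGroup"` differs in style from the unquoted event names in the neighbouring rules.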

@ -0,0 +1,29 @@
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
description: Identifies when an ElastiCache security group has been modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName:
- "DeleteCacheSecurityGroup"
- "AuthorizeCacheSecurityGroupIngress"
- "RevokeCacheSecurityGroupIngress"
- "AuthorizeCacheSecurityGroupEgress"
- "RevokeCacheSecurityGroupEgress"
condition: selection
level: low
tags:
- attack.impact
- attack.t1531
falsepositives:
- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
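Review bot: `attack.t1531` is Account Access Removal, which does not describe security-group ingress/egress changes; revisit the mapping. The falsepositives text mentions only "deletion", yet four of the five `eventName` values are Authorize/Revoke ingress/egress calls, so extend it to cover rule changes. `A ElastiCache` should read `An ElastiCache`.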

@ -4,13 +4,14 @@ status: experimental
description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
author: toffeebr33k
date: 2020/11/21
modified: 2021/08/09
logsource:
service: cloudtrail
detection:
selection_eventname:
- eventName: list*
eventName: list*
timeframe: 10m
condition: all of them | count() > 50
condition: selection_eventname | count() > 50
fields:
- userIdentity.arn
falsepositives:
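Review bot: `selection_eventname | count() > 50` counts every `list*` call in the account over the 10-minute window with no grouping, so in any busy account the threshold is exceeded continuously and the rule becomes a constant alert. Group by the actor, `selection_eventname | count() by userIdentity.arn > 50`, which is the field already listed under `fields`, and consider anchoring `list*` to an `eventSource` so that benign automation on one service does not drive the count.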

@ -4,16 +4,16 @@ status: experimental
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
author: faloker
date: 2020/02/11
modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: guardduty.amazonaws.com
selection_eventName:
- eventName: CreateIPSet
condition: all of them
eventSource: guardduty.amazonaws.com
eventName: CreateIPSet
condition: selection_source
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high
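Review bot: the description speaks of "updates of the GuardDuty list of trusted IPs", but the selection matches only `CreateIPSet`; changing an existing trusted-IP list is the separate `UpdateIPSet` action, so either add it to `eventName` or narrow the description to creation. Since `selection_source` now carries both `eventSource` and `eventName`, plain `selection` would be the clearer name.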

@ -4,19 +4,18 @@ status: experimental
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: CreateAccessKey
eventSource: iam.amazonaws.com
eventName: CreateAccessKey
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
condition: selection_source and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName
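Review bot: the `filter` compares `userIdentity.arn` against the literal string `responseElements.accessKey.userName`, not against that field's value; Sigma has no field-to-field comparison, so the filter never matches and `selection_source and not filter` fires on every `CreateAccessKey`, including a user creating a key for themselves, which contradicts the description ("for a user by another user"). The defect predates this hunk, but since the rule is being reworked, document the limitation in the description or note that the self-service exclusion has to be implemented in the backend query where the two fields can be compared.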

@ -0,0 +1,26 @@
title: AWS Lambda Function Created or Invoked
id: d914951b-52c8-485f-875e-86abab710c0b
description: Detects when an user creates or invokes a lambda function.
author: Austin Songer @austinsonger
status: experimental
date: 2021/10/03
update: 2021/10/13
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
logsource:
service: cloudtrail
detection:
selection1:
eventSource: lambda.amazonaws.com
eventName: CreateFunction
selection2:
eventSource: lambda.amazonaws.com
eventName: Invoke
condition: selection1 | near selection2
level: low
tags:
- attack.privilege_escalation
- attack.t1078
falsepositives:
- Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.
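Review bot: `condition: selection1 | near selection2` needs a `timeframe` to define the window in which the two events must occur, and none is given, so backends that implement `near` cannot evaluate this rule. `update: 2021/10/13` is not a Sigma key; the schema field is `modified:`. Also worth stating in the description that `Invoke` is a CloudTrail data event and is only recorded when data-event logging is enabled for the function, otherwise `selection2` never matches.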

@ -0,0 +1,35 @@
title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: experimental
description: Detects evade to Macie detection.
author: Sittikorn S
date: 2021/07/06
references:
- https://docs.aws.amazon.com/cli/latest/reference/macie/
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
service: cloudtrail
detection:
selection:
eventName:
- 'ArchiveFindings'
- 'CreateFindingsFilter'
- 'DeleteMember'
- 'DisassociateFromMasterAccount'
- 'DisassociateMember'
- 'DisableMacie'
- 'DisableOrganizationAdminAccount'
- 'UpdateFindingsFilter'
- 'UpdateMacieSession'
- 'UpdateMemberSession'
- 'UpdateClassificationJob'
timeframe: 10m
condition: selection | count() by sourceIPAddress > 5
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
level: medium
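Review bot: the selection has no `eventSource` constraint, and several of the listed names (`DeleteMember`, `DisassociateMember`, `DisassociateFromMasterAccount`, `UpdateFindingsFilter`) are used, or closely mirrored, by other AWS services such as GuardDuty and Security Hub, so the `count() by sourceIPAddress > 5` threshold will be reached by unrelated activity. Add `eventSource: macie2.amazonaws.com` (the source of the current Macie API) to the selection. "Detects evade to Macie detection" should read e.g. "Detects attempts to evade or disable Amazon Macie", and the reference points at the legacy `macie` CLI rather than `macie2`.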

@ -4,19 +4,17 @@ status: experimental
description: Detects the change of database master password. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_modified_values:
- responseElements.pendingModifiedValues.masterUserPassword: "*"
selection_eventname:
- eventName: ModifyDBInstance
condition: all of them
eventSource: rds.amazonaws.com
responseElements.pendingModifiedValues.masterUserPassword: "*"
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
- Benign changes to a db instance
level: medium
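Review bot: after folding the three selections into one map, `selection_source` no longer describes its content; rename it to `selection` for consistency with the newer rules in this commit. The `"*"` on `responseElements.pendingModifiedValues.masterUserPassword` is effectively an existence test; a short note in the description that the password value itself is masked in CloudTrail and only its presence is checked would save readers from expecting the value.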

@ -4,19 +4,17 @@ status: experimental
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_ispublic:
- responseElements.publiclyAccessible: "true"
selection_eventname:
- eventName: RestoreDBInstanceFromDBSnapshot
condition: all of them
eventSource: rds.amazonaws.com
responseElements.publiclyAccessible: "true"
eventName: RestoreDBInstanceFromDBSnapshot
condition: selection_source
falsepositives:
- unknown
level: high
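Review bot: `responseElements.publiclyAccessible: "true"` is quoted, so it is the string `"true"`, while CloudTrail serialises `publiclyAccessible` as a JSON boolean; backends that preserve field types (an Elasticsearch boolean mapping, for instance) will not match a string against it. Use the unquoted boolean `true`, or verify the rule against a captured record in the target backend before merging.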

@ -4,17 +4,17 @@ status: experimental
description: Detects AWS root account usage
author: vitaliy0x1
date: 2020/01/21
modified: 2020/09/01
modified: 2021/08/09
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
logsource:
service: cloudtrail
detection:
selection_usertype:
- userIdentity.type: Root
userIdentity.type: Root
selection_eventtype:
- eventType: AwsServiceEvent
condition: selection_usertype AND NOT selection_eventtype
eventType: AwsServiceEvent
condition: selection_usertype and not selection_eventtype
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium

@ -0,0 +1,25 @@
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: DisableDomainTransferLock
condition: selection
level: low
tags:
- attack.persistence
- attack.credential_access
- attack.t1098
falsepositives:
- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
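Review bot: `eventSource: route53.amazonaws.com` needs verifying against a real record: `DisableDomainTransferLock` belongs to the Route 53 Domains API (the reference link itself is `API_domains_DisableDomainTransferLock.html`), and CloudTrail records domain-registration actions under the `route53domains.amazonaws.com` source rather than the hosted-zone source, in which case this selection never fires. The tag set (`attack.persistence`, `attack.credential_access`, `attack.t1098`) also does not describe a registrar transfer lock; Account Manipulation is a stretch here.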

@ -0,0 +1,22 @@
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: TransferDomainToAnotherAwsAccount
condition: selection
tags:
- attack.persistence
- attack.credential_access
- attack.t1098
falsepositives:
- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
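Review bot: same `eventSource` concern as the transfer-lock rule: `TransferDomainToAnotherAwsAccount` is a Route 53 Domains operation, which CloudTrail logs under `route53domains.amazonaws.com`, so confirm the source before merging. `level` sits after `falsepositives` here while the neighbouring rules place it before `tags`; reorder for consistency.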

@ -0,0 +1,35 @@
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: s3.amazonaws.com
eventName:
- PutBucketLogging
- PutBucketWebsite
- PutEncryptionConfiguration
- PutLifecycleConfiguration
- PutReplicationConfiguration
- ReplicateObject
- RestoreObject
condition: selection
level: low
tags:
- attack.exfiltration
- attack.t1537
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
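Review bot: three `eventName` values (`PutEncryptionConfiguration`, `PutLifecycleConfiguration`, `PutReplicationConfiguration`) do not match the S3 operation names, and the rule's own reference links point at `API_PutBucketEncryption.html`; the bucket-level operations are named `PutBucketEncryption`, `PutBucketReplication` and the lifecycle equivalent, which is what CloudTrail records. Check each name against a captured event before merging, otherwise almost half of the list is dead. `A S3` should read `An S3`.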

@ -4,6 +4,7 @@ status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
author: Darin Smith
date: 2021/05/17
modified: 2021/08/19
references:
- https://www.justice.gov/file/1080281/download
- https://attack.mitre.org/techniques/T1537/
@ -11,11 +12,9 @@ logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- ModifySnapshotAttribute
condition: selection_source AND events
eventSource: ec2.amazonaws.com
eventName: ModifySnapshotAttribute
condition: selection_source
falsepositives:
- Valid change to a snapshot's permissions
level: medium
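Review bot: the substantive fix in this hunk is `eventSource` changing from `cloudtrail.amazonaws.com` to `ec2.amazonaws.com`; the old value could never match an EC2 API call, so the rule goes from dead to live, and that deserves a line in the change description rather than being buried in a merge. With the merge of the two selections, `selection_source` now also holds the event name, so `selection` would be the clearer name.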

@ -0,0 +1,28 @@
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/20
references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
logsource:
service: cloudtrail
detection:
selection:
userIdentity.type: AssumedRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
level: low
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
falsepositives:
- AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Automated processes that uses Terraform may lead to false positives.
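Review bot: the selection (`userIdentity.type: AssumedRole` plus `sessionIssuer.type: Role`) has no `eventSource` or `eventName`, so it matches every CloudTrail record produced under an assumed-role session: instance profiles, Lambda execution roles, SSO users and cross-account automation all act as `AssumedRole`. That is most of the volume in a typical account, not a "suspicious use of AssumeRole". At minimum scope it to `eventSource: sts.amazonaws.com` and `eventName: AssumeRole` as the title implies, and consider excluding calls with a service `userIdentity.invokedBy`; as written it should not ship even at `level: low`.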

@ -0,0 +1,26 @@
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://github.com/elastic/detection-rules/pull/1213
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: sts.amazonaws.com
eventName: GetSessionToken
userIdentity.type: IAMUser
condition: selection
level: low
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
falsepositives:
- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

@ -0,0 +1,32 @@
title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
author: Austin Songer
status: experimental
date: 2021/09/22
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
logsource:
service: cloudtrail
detection:
selection1:
eventSource: sts.amazonaws.com
eventName: AssumeRoleWithSAML
selection2:
eventSource: iam.amazonaws.com
eventName: UpdateSAMLProvider
condition: selection1 or selection2
level: medium
tags:
- attack.initial_access
- attack.t1078
- attack.lateral_movement
- attack.t1548
- attack.privilege_escalation
- attack.t1550
- attack.t1550.001
falsepositives:
- Automated processes that uses Terraform may lead to false positives.
- SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
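Review bot: `condition: selection1 or selection2` puts routine federated sign-ins on the same footing as `UpdateSAMLProvider`: `AssumeRoleWithSAML` is how every SAML-federated user obtains credentials, whereas changing the provider metadata is the actual backdoor vector the description names. Split these: keep `UpdateSAMLProvider` in this rule at `medium` or higher, and alert on `AssumeRoleWithSAML` only with additional context in a separate rule, otherwise the alert is drowned by normal logins. "processes that uses" should read "processes that use".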

@ -0,0 +1,30 @@
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: experimental
description: |
An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
With this alert, it is used to detect anyone is changing password on behalf of other users.
author: toffeebr33k
date: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
logsource:
service: cloudtrail
detection:
selection_source:
eventSource: iam.amazonaws.com
eventName: UpdateLoginProfile
filter:
userIdentity.arn|contains: requestParameters.userName
condition: selection_source and not filter
fields:
- userIdentity.arn
- requestParameters.userName
- errorCode
- errorMessage
falsepositives:
- Legit User Account Administration
level: high
tags:
- attack.persistence
- attack.t1098
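Review bot: `userIdentity.arn|contains: requestParameters.userName` tests the ARN against the literal text `requestParameters.userName`, not the value of that field; Sigma cannot compare two fields, so `not filter` is always true and the rule fires on every `UpdateLoginProfile`, including a user changing their own console password. State this limitation in the description, or drop the filter and note that the self-change exclusion has to be done in the backend query. The description's second sentence ("With this alert, it is used to detect anyone is changing password on behalf of other users") needs rewording, e.g. "This rule detects a console password being set on behalf of another user".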

@ -0,0 +1,29 @@
title: AWS Glue Development Endpoint Activity
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
description: Detects possible suspicious glue development endpoint activity.
author: Austin Songer @austinsonger
status: experimental
date: 2021/10/03
update: 2021/10/13
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
logsource:
service: cloudtrail
detection:
selection1:
eventSource: glue.amazonaws.com
eventName: CreateDevEndpoint
selection2:
eventSource: glue.amazonaws.com
eventName: DeleteDevEndpoint
selection3:
eventSource: glue.amazonaws.com
eventName: UpdateDevEndpoint
condition: selection1 or selection2 or selection3
level: low
tags:
- attack.privilege_escalation
falsepositives:
- Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.
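Review bot: `selection1`/`selection2`/`selection3` differ only in `eventName`, so collapse them into one selection with `eventSource: glue.amazonaws.com` and an `eventName` list (as the S3 and ElastiCache rules in this commit do) and use `condition: selection`. `update: 2021/10/13` is not a Sigma key; use `modified:`. `attack.privilege_escalation` is given without a technique id; the referenced article describes the dev-endpoint escalation path, so add the matching T-number.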

@ -1,29 +0,0 @@
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: experimental
description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.
author: toffeebr33k
date: 2020/11/21
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: UpdateLoginProfile
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName
- errorCode
- errorMessage
falsepositives:
- Legit User Account Administration
level: high
tags:
- attack.persistence
- attack.t1098
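Review bot: this deletion pairs with the new "AWS User Login Profile Was Modified" file earlier in the commit (same `id: 055fb148-60f8-462d-ad16-26926ce050f1`), so it is a move plus rewrite, and the functional change should be recorded: the removed version filtered and listed `responseElements.accessKey.userName`, a field copied from the access-key rule that `UpdateLoginProfile` never returns, and the replacement corrects it to `requestParameters.userName`. The replacement also resets `date` from 2020/11/21 to 2021/08/09; keep the original `date` and record the rewrite under `modified:`.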

@ -0,0 +1,26 @@
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
description: |
This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
status: experimental
date: 2021/08/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.defense_evasion
- attack.t1578
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
service: AzureActivity
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium

@ -0,0 +1,26 @@
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
description: |
This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
status: experimental
date: 2021/08/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.defense_evasion
- attack.t1578.003
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
service: AzureActivity
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
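Review bot: "after it is not longer needed" should read "once it is no longer needed". The technique tags differ between this rule (`attack.t1578.003`) and the sibling "New Server" rule (`attack.t1578`); if the sub-technique is intended, tag both rules at the same granularity.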

@ -0,0 +1,20 @@
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: experimental
author: AlertIQ
date: 2021/10/10
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
service: azure.signinlogs
detection:
selection:
ResultType: 50053
condition: selection
level: medium
falsepositives:
- Unknown
tags:
- attack.credential_access
- attack.t1110
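Review bot: `ResultType: 50053` is an unquoted integer, but `ResultType` in Azure sign-in logs is a string field; quote it (`'50053'`) so backends with typed fields match. Microsoft also documents 50053 for sign-ins blocked because they came from an IP address with malicious activity, not only for lockouts after repeated bad passwords, so widen the description accordingly or analysts will misread the alert.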

@ -0,0 +1,25 @@
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
description: User Added to an Administrator's Azure AD Role
author: Raphaël CALVET, @MetallicHack
date: 2021/10/04
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
logsource:
service: azure.activitylogs
detection:
selection:
Operation: 'Add member to role.'
Workload: 'AzureActiveDirectory'
ModifiedProperties{}.NewValue|endswith:
- 'Admins'
- 'Administrator'
condition: selection
falsepositives:
- PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
status: experimental
tags:
- attack.persistence
- attack.t1098.003
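Review bot: the field names (`Operation`, `Workload`, `ModifiedProperties{}.NewValue`) are those of the Office 365 unified audit log, whereas every other `azure.activitylogs` rule in this commit keys on `properties.message`; either change the logsource to the one whose schema these fields come from or express the match in the `azure.activitylogs` field convention, otherwise no backend field mapping will resolve them. The description merely repeats the title; say what is matched (a member added to any role whose name ends in "Admins" or "Administrator").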

@ -0,0 +1,21 @@
title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
description: Identifies when a application credential is modified.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
references:
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message: "Update application - Certificates and secrets management"
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application credential added may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
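Review bot: `attack.impact` is the wrong tactic for adding or rotating an application credential; the cited reference treats this as a persistence path, and `attack.persistence` with `attack.t1098.001` (Additional Cloud Credentials) fits. The falsepositives entries speak of a credential "added" while the title says "Modified"; align the wording.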

@ -0,0 +1,23 @@
title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
description: Identifies when a application is deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Delete application
- Hard Delete application
condition: selection
level: medium
tags:
- attack.defense_evasion
falsepositives:
- Application being deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

@ -0,0 +1,23 @@
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
description: Identifies when a application gateway is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
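Review bot: `properties.message` is matched against resource-provider operation strings (`MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE`), but in the Azure Activity Log the operation is carried in the operation-name field (the Hybrid Health rules in this same commit use `OperationNameValue`), and it is recorded in mixed case (`Microsoft.Network/applicationGateways/write`). Verify against a captured Activity Log record which field holds the operation and whether the backend matches case-insensitively; as written the rule may never fire. `/WRITE` also covers creation, so the title undersells what is matched.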

@ -0,0 +1,23 @@
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
description: Identifies when a application security group is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
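Review bot: same concern as the application-gateway rule: the operation name is matched in `properties.message` in upper case, while the Hybrid Health rules in this commit use `OperationNameValue` and Azure records the operation as `Microsoft.Network/applicationSecurityGroups/write`; confirm the field and the casing in the target backend before merging.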

@ -0,0 +1,21 @@
title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: experimental
author: AlertIQ
date: 2021/10/10
description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
service: azure.auditlogs
detection:
selection:
LoggedByService: 'Authentication Methods'
Category: 'UserManagement'
OperationName: 'User registered security info'
condition: selection
level: medium
falsepositives:
- Unknown
tags:
- attack.credential_access
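Review bot: "could be an indicated of" should read "could be an indication of". The tag list gives `attack.credential_access` without a technique, and registering a new authentication method is more naturally persistence (Account Manipulation, `attack.t1098`) than credential access, which is also what the description argues ("so they can have continued access").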

@ -0,0 +1,26 @@
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
description: Detects when a Container Registry is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
condition: selection
level: low
tags:
- attack.impact
falsepositives:
- Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
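Review bot: same `properties.message`-versus-operation-name concern as the networking rules in this commit; confirm which Activity Log field carries `Microsoft.ContainerRegistry/registries/write` before merging. The first reference anchors to `#microsoftkubernetes`, the Kubernetes section of the resource-provider operations page, not the Container Registry section; fix the anchor.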

@ -0,0 +1,20 @@
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098
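Review bot: the title says "Number Of Resource Creation Or Deployment Activities" and the referenced Sentinel detection alerts on an anomalous count, but `condition: keywords` fires on every single VM or deployment write. Add a `timeframe` and an aggregation over the caller field (`keywords | count() by <caller> > N`, with N taken from a baseline), or retitle the rule as a plain resource-written event. Free-text `keywords` are also fragile; the other AzureActivity rules in this commit match `OperationNameValue` exactly. `attack.t1098` (Account Manipulation) does not describe resource deployment.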

@ -0,0 +1,21 @@
title: Azure Device No Longer Managed or Compliant
id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
description: Identifies when a device in azure is no longer managed or compliant
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Device no longer compliant
- Device no longer managed
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Administrator may have forgotten to review the device.

@ -0,0 +1,25 @@
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
description: Identifies when a device or device configuration in azure is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Delete device
- Delete device configuration
- Update device
- Update device configuration
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Device or device configuration being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

@ -0,0 +1,23 @@
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
description: Identifies when DNS zone is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
logsource:
service: azure.activitylogs
detection:
selection:
properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
properties.message|endswith:
- /WRITE
- /DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
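Review bot: the two-field selection (properties.message|startswith: MICROSOFT.NETWORK/DNSZONES combined with |endswith: /WRITE or /DELETE) matches more than the title says: record-set operations such as Microsoft.Network/dnsZones/A/write or .../CNAME/delete also start with the zone prefix and end in /write or /delete, so every record change in every zone fires the rule. If zone-level changes are the intent, match MICROSOFT.NETWORK/DNSZONES/WRITE and MICROSOFT.NETWORK/DNSZONES/DELETE exactly; if record changes are wanted too, say so in the title and description and expect far more volume. The reference URL also points at the #microsoftkubernetes anchor of the operations page; the DNS operations are under the Microsoft.Network section.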

@ -0,0 +1,23 @@
title: Azure Domain Federation Settings Modified
id: 352a54e1-74ba-4929-9d47-8193d67aba1e
description: Identifies when an user or application modified the federation settings on the domain.
author: Austin Songer
status: experimental
date: 2021/09/06
references:
- https://attack.mitre.org/techniques/T1078
logsource:
service: azure.signinlogs
detection:
selection:
properties.message: Set federation settings on domain
condition: selection
level: medium
tags:
- attack.initial_access
- attack.t1078
falsepositives:
- Federation Settings being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
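Review bot: wrong log source. 'Set federation settings on domain' is an Azure AD audit-log activity (a directory management action), not a sign-in event, so service: azure.signinlogs will never contain the value matched on properties.message; switch the logsource to the Azure AD audit log and verify the field that carries the activity name. The only reference is the generic T1078 page; a link to the audit activity reference would let reviewers confirm the string. On tagging, a federation settings change is the technique ATT&CK files under T1484.002 (Domain Policy Modification: Domain Trust Modification), which fits better than, or alongside, attack.t1078.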

@ -0,0 +1,22 @@
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
description: Identifies when a firewall is created, modified, or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
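Review bot: the description says 'created, modified, or deleted' while the title says 'Modified or Deleted'; MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE covers both create and update, so either wording is fine but the two should agree. The all-caps operation names rely on the Sigma default of case-insensitive string matching, since the Activity Log emits them as Microsoft.Network/azureFirewalls/write; confirm that the backend you convert to honours that, and that properties.message is where the operation name lands in your export.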

@ -0,0 +1,26 @@
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
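Review bot: the six ...RULECOLLECTIONS/WRITE and /DELETE operations only cover classic rule collections defined directly on the firewall resource. Firewalls managed through Azure Firewall Policy keep their rules in Microsoft.Network/firewallPolicies/ruleCollectionGroups, so rule changes on those firewalls are not matched; add the corresponding ruleCollectionGroups write and delete operations, or state the gap in the description.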

@ -0,0 +1,19 @@
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098
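Review bot: the description promises more than the detection delivers: it says the rule 'alerts when a previously unseen source IP address is used', but the detection is one keyword, Microsoft.Authorization/roleAssignments/write, with no source-IP field and no baseline, so it fires on every role assignment. Trim the description to what the keyword match does (the reference filename suggests the Sentinel query does the IP baselining, which a plain keyword rule cannot), or add the caller-IP field to the selection. Also, service: AzureActivity differs from the azure.activitylogs used by the other rules in this change; only one spelling will resolve in a given backend config, so pick one. The tag attack.t1098 is missing its tactic, attack.persistence.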

@ -0,0 +1,33 @@
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
description: Identifies when a Keyvault Key is modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Key being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
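Review bot: the operation list mixes kinds of events under a 'Modified or Deleted' title. MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION is an export of key material, not a modification, and belongs in a credential-access rule at its own level; and both KEYS/CREATE and KEYS/CREATE/ACTION are listed, so check the referenced operations page for which of the two actually exists rather than carrying both. On tags, attack.t1552.001 is 'Unsecured Credentials: Credentials In Files', which does not describe Key Vault key operations; keep attack.t1552 (or attack.credential_access alone) and drop the sub-technique.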

@ -0,0 +1,28 @@
title: Azure Key Vault Modified or Deleted.
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
description: Identifies when a key vault is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
- MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Key Vault being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
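Review bot: the title 'Azure Key Vault Modified or Deleted.' ends with a period; Sigma titles carry no trailing punctuation, and none of the sibling rules here do. Of the four operations, MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE is the one that grants a principal data-plane access to keys and secrets, which is a different severity from a tag edit on the vault (VAULTS/WRITE); consider splitting it out at a higher level. Same tagging remark as the keys rule: t1552.001 (Credentials In Files) does not fit.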

@ -0,0 +1,32 @@
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
description: Identifies when secrets are modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
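Review bot: MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION exports secret material and is neither a modification nor a deletion, so it sits oddly under this title; move it to a credential-access rule or retitle. More importantly, SETSECRET/ACTION and the other /ACTION entries are Key Vault data-plane operations (DataActions on the referenced page), while service: azure.activitylogs is the control-plane Activity Log; data-plane secret operations are recorded in the vault's diagnostic (AuditEvent) resource logs, so as written the rule sees the ARM-level SECRETS/WRITE and SECRETS/DELETE but will not observe a secret being set unless those logs are routed to the same place. State that dependency in the description.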

@ -0,0 +1,27 @@
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
description: Detects when a Azure Kubernetes Cluster is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
level: low
tags:
- attack.impact
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
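Review bot: resource provider mismatch with the title. MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS is the Azure Arc-enabled Kubernetes provider (clusters running elsewhere and connected to Azure); AKS clusters are created and deleted under Microsoft.ContainerService/managedClusters, so a rule titled 'Azure Kubernetes Cluster Created or Deleted' will not fire for AKS. Add the managedClusters write and delete operations, or rename the rule to say Arc-enabled Kubernetes. The same provider choice applies to every CONNECTEDCLUSTERS rule in this change.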

@ -0,0 +1,23 @@
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
logsource:
service: azure.activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.defense_evasion
- attack.t1562
- attack.t1562.001
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
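Review bot: the single value MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE covers only the events.k8s.io API group; kubectl delete events typically goes through the core-group events resource, which by the naming pattern used elsewhere in this change (PODS, SECRETS, CONFIGMAPS with no group prefix) would be .../CONNECTEDCLUSTERS/EVENTS/DELETE, so include both. Tagging: deleting events to hide activity is indicator removal (T1070), not 'Impair Defenses: Disable or Modify Tools' (T1562.001); swap the technique tags accordingly.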

@ -0,0 +1,29 @@
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
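Review bot: attack.credential_access does not describe a NetworkPolicy write or delete; changing network policy opens or closes traffic paths, and nothing in this selection touches credentials, so drop that tag or replace it with attack.defense_evasion. The two .../EXTENSIONS/NETWORKPOLICIES/ entries target the extensions API group, which no longer serves NetworkPolicy on current Kubernetes versions; harmless, but worth a comment so nobody expects hits from them.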

@ -0,0 +1,21 @@
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
description: Identifies the deletion of Azure Kubernetes Pods.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
logsource:
service: azure.activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.impact
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
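Review bot: a bare match on MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE at level medium will be the noisiest rule in the set: every rollout, scale-down, node drain and job completion deletes pods, and the falsepositives only mention administrators. Either lower the level, or add a namespace or caller filter and say in falsepositives that controller-driven deletions dominate.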

@ -0,0 +1,32 @@
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
description: Identifies when ClusterRoles/Roles are being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
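Review bot: the title 'Sensitive Role Access' undersells the selection and the tactic tag misfiles it. The selection is writes and deletes on Roles/ClusterRoles plus the RBAC verbs BIND/ACTION and ESCALATE/ACTION, and bind and escalate are exactly the verbs Kubernetes gates privilege escalation on, so tag attack.privilege_escalation (keeping impact if you want) and retitle to something like 'Roles or ClusterRoles Modified, Deleted, Bound or Escalated'. Level medium for escalate on ClusterRoles also looks low next to the pod-deletion rule at the same level.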

@ -0,0 +1,30 @@
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
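Review bot: the description says 'creation or patching of potential malicious RoleBinding/ClusterRoleBinding' while the title says 'Modified and Deleted' and the selection matches both WRITE and DELETE; align the three. Tags: binding a subject to a privileged role is privilege escalation (and a persistence mechanism), not credential access, so replace attack.credential_access with attack.privilege_escalation.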

@ -0,0 +1,27 @@
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
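Review bot: the title and description say 'access' to secrets and configmaps, but the selection only matches .../SECRETS/WRITE, .../SECRETS/DELETE, .../CONFIGMAPS/WRITE and .../CONFIGMAPS/DELETE; reading a secret, the operation the title implies and the one an attacker actually wants, is a read action and is not matched. Add the corresponding read actions for SECRETS (and CONFIGMAPS if wanted) and tag attack.credential_access with attack.t1552 for them, or rename the rule to 'Modified or Deleted' like its siblings.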

@ -0,0 +1,27 @@
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
description: Identifies when a service account is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
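Review bot: .../SERVICEACCOUNTS/IMPERSONATE/ACTION is not a modification or deletion; impersonating a service account is how a caller borrows its permissions, which is a privilege-escalation signal that deserves its own rule (or at least attack.privilege_escalation here) rather than being folded into a 'Modified or Deleted' rule with a single impact tag.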

@ -0,0 +1,21 @@
title: Login to Disabled Account
id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
status: experimental
author: AlertIQ
date: 2021/10/10
description: Detect failed attempts to sign in to disabled accounts.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
service: azure.signinlogs
detection:
selection:
ResultType: 50057
ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
condition: selection
level: medium
falsepositives:
- Unknown
tags:
- attack.initial_access
- attack.t1078
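Review bot: the selection ANDs ResultType: 50057 with an exact match on 'User account is disabled. The account has been disabled by an administrator.' in ResultDescription; the code is the stable identifier, the text can change with product updates and locale, and an equality check on it means a trivial wording change silently kills the rule. Match on ResultType alone, or use ResultDescription|contains: 'account is disabled' as a secondary check. Note also that ResultType and ResultDescription are the Sentinel SigninLogs column names while the other Azure rules in this change key on properties.message; both are fine, but the field mapping has to cover both conventions. Falsepositives 'Unknown' could name the obvious one: a former employee or script still trying an account disabled on departure.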

@ -0,0 +1,24 @@
title: Multifactor Authentication Interupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: experimental
author: AlertIQ
date: 2021/10/10
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
service: azure.signinlogs
detection:
selection:
ResultType: 50074
ResultDescription|contains: 'Strong Auth required'
selection1:
ResultType: 500121
ResultDescription|contains: 'Authentication failed during strong authentication request'
condition: selection or selection1
level: medium
falsepositives:
- Unknown
tags:
- attack.initial_access
- attack.t1078.004
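Review bot: the title misspells 'Interrupted' as 'Interupted'. On the logic, ResultType 50074 ('Strong Auth required') is the interruption Azure AD records when a sign-in is paused for MFA, which in practice includes the first leg of ordinary MFA-protected sign-ins, so selection fires for normal logins and the description's claim that this indicates an attacker who has the password does not hold for it; only 500121 ('Authentication failed during strong authentication request') is an actual MFA failure. Drop 50074 or move it to its own low-level rule, and keep 500121 as this rule's signal. The |contains on ResultDescription is ANDed with each ResultType, so the same brittleness as the disabled-account rule applies if the description text changes.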

Some files were not shown because too many files have changed in this diff.