Renamed rule files, new rules

2024-11-06 17:35:19 +00:00 · 2017-02-10 19:17:02 +01:00 · 2017-02-10 19:17:02 +01:00 · a2adb1ddb5
commit a2adb1ddb5
parent 97847a29de
17 changed files with 165 additions and 4 deletions
--- a/rules/linux/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/lnx_susp_failed_logons_single_source.yml
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
@ -2,7 +2,9 @@ title: Multiple suspicious Response Codes caused by Single Client
 description: Detects possible exploitation activity or bugs in a web application
 detection:
    selection:
-        - log: web
+        - log: 
+            - access.log
+            - error.log
          response:
              - 400
              - 401
@ -12,4 +14,4 @@ detection:
 falsepositives:
    - Unstable application
    - Application that misuses the response codes
-level: 60
+level: 40
--- a/rules/web/web_shell_spawn.yml
+++ b/rules/web/web_shell_spawn.yml
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@ -0,0 +1,16 @@
+title: Webshell Detection by Keyword
+description: Detects webshells that use GET requests by keyword sarches in URL strings 
+detection:
+    selection:
+        - log: 
+            - access.log
+            - error.log
+    keywords:
+        - '=whoami'
+        - '=net%20user'
+        - '=cmd%20/c%20'
+    condition: selection and keywords
+falsepositives:
+    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
+    - User searches in search boxes of the respective website
+level: 70
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@ -6,6 +6,7 @@ detection:
              - Security 
              - System
              - Application
+              - Microsoft-Windows-Sysmon/Operational
    keywords:
        - mimikatz
        - mimilib
@ -14,6 +15,7 @@ detection:
        - privilege::debug
        - sekurlsa::logonpasswords
        - lsadump::sam
+        - mimidrv.sys
    condition: selection and 1 of keywords
 falsepositives:
    - Naughty administrators
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
--- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
@ -0,0 +1,45 @@
+title: Kerberos Manipulation
+description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
+detection:
+    selection:
+        - EventLog: Security
+          EventID:
+            - 675
+            - 4768
+            - 4769
+            - 4771
+          FailureCode:
+            - '0x9'
+            - '0xA'
+            - '0xB'
+            - '0xF'
+            - '0x10'
+            - '0x11'
+            - '0x13'
+            - '0x14'
+            - '0x1A'
+            - '0x1F'
+            - '0x21'
+            - '0x22'
+            - '0x23'
+            - '0x24'
+            - '0x26'
+            - '0x27'
+            - '0x28'
+            - '0x29'
+            - '0x2C'
+            - '0x2D'
+            - '0x2E'
+            - '0x2F'
+            - '0x31'
+            - '0x32'
+            - '0x3E'
+            - '0x3F'
+            - '0x40'
+            - '0x41'
+            - '0x43'
+            - '0x44'
+    condition: selection
+falsepositives:
+    - Faulty legacy applications
+level: 70
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@ -0,0 +1,45 @@
+title: Kerberos Manipulation
+description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
+detection:
+    selection:
+        - EventLog: Security
+          EventID:
+            - 675
+            - 4768
+            - 4769
+            - 4771
+          FailureCode:
+            - '0x9'
+            - '0xA'
+            - '0xB'
+            - '0xF'
+            - '0x10'
+            - '0x11'
+            - '0x13'
+            - '0x14'
+            - '0x1A'
+            - '0x1F'
+            - '0x21'
+            - '0x22'
+            - '0x23'
+            - '0x24'
+            - '0x26'
+            - '0x27'
+            - '0x28'
+            - '0x29'
+            - '0x2C'
+            - '0x2D'
+            - '0x2E'
+            - '0x2F'
+            - '0x31'
+            - '0x32'
+            - '0x3E'
+            - '0x3F'
+            - '0x40'
+            - '0x41'
+            - '0x43'
+            - '0x44'
+    condition: selection
+falsepositives:
+    - Faulty legacy applications
+level: 70
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@ -0,0 +1,35 @@
+title: Mimikatz In-Memory Detection
+status: experimental
+description: Detects certain DLL loads when Mimikatz gets executed
+reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+detection:
+    dllload1:
+        - EventLog: Microsoft-Windows-Sysmon/Operational
+        - EventID: 7
+        - Image: 'C:\Windows\System32\rundll32.exe'
+        - ImageLoaded: '*\vaultcli.dll'
+    dllload2:
+        - EventLog: Microsoft-Windows-Sysmon/Operational
+        - EventID: 7
+        - Image: 'C:\Windows\System32\rundll32.exe'
+        - ImageLoaded: '*\wlanapi.dll'        
+    exclusion:
+        - EventLog: Microsoft-Windows-Sysmon/Operational
+        - EventID: 7
+        - Image: 'C:\Windows\System32\rundll32.exe'
+        - ImageLoaded:
+            - 'ntdsapi.dll'
+            - 'netapi32.dll'
+            - 'imm32.dll'
+            - 'samlib.dll'
+            - 'combase.dll'
+            - 'srvcli.dll'
+            - 'shcore.dll'
+            - 'ntasn1.dll'
+            - 'cryptdll.dll'
+            - 'logoncli.dll'
+    timeframe: last 30s
+    condition: ( dllload1 and dllload2 ) and not exclusion
+falsepositives:
+    - unknown
+level: 50
--- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml
+++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
--- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
+++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
@ -1,6 +1,5 @@
 title: Java running with Remote Debugging
-description: 
-reference: 
+description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
 detection:
    selection:
        - EventLog: Microsoft-Windows-Sysmon/Operational
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml
+++ b/rules/windows/sysmon/sysmon_webshell_detection.yml
@ -0,0 +1,17 @@
+title: Webshell Detection With Command Line Keywords 
+description: Detects certain command line parameters often used during reconnissaince activity via web shells  
+detection:
+    selection:
+        - EventLog: Microsoft-Windows-Sysmon/Operational
+          EventID: 1
+          ParentImage:
+            - '*\apache*'
+            - '*\tomcat*'
+          CommandLine: 
+            - 'whoami'
+            - 'net user'
+            - 'ping -n'
+    condition: selection
+falsepositives:
+    - unknown
+level: 70