Merge pull request #913 from ryanplasma/master

Update logsources description->definition
Florian Roth 2020-07-15 21:30:33 +02:00 committed by GitHub
commit b50d234cb5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 21 additions and 14 deletions


@ -13,7 +13,7 @@ date: 2020/01/02
modified: 2020/03/14
logsource:
category: webserver
description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
detection:
selection:
c-uri:
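Review bot: the renamed `definition` still carries detection rationale rather than log-source requirements. Only the first sentence ("Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)") says what the log source has to provide; "The directory traversal with ../ might not be needed on certain cloud instances ..." and "All scripts in portal/scripts are exploitable except logout.pl." explain why the selection matches what it matches and belong in the rule's top-level `description`. Suggest trimming `definition` to the first sentence and moving the rest up, so `definition` stays consistent with the audit-policy wording used in the other rules of this change.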


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145


@ -14,8 +14,8 @@ tags:
logsource:
product: windows
service: security
definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management,
DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
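Review bot: the merged `definition` drops the "Audit Policy :" label in front of the second requirement, so after the comma "DS Access > Audit Directory Service Changes" now reads as a continuation of the first Group Policy path instead of a second audit policy. Suggest `..., Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\...\DS Access\Audit Directory Service Changes'` so both requirements keep the same "Audit Policy : ... , Group Policy : ..." shape. Folding definition1/definition2 into one key is what the new test_invalid_logsource_attributes check demands, since only 'category', 'product', 'service', 'definition' are accepted; the single-quoted scalar spanning two lines is valid YAML (the line break folds to a space), but a `|` block scalar would keep the two requirements readable as separate lines.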


@ -15,7 +15,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145


@ -9,7 +9,7 @@ tags:
logsource:
product: windows
service: system
description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
selection:
EventID: 5156
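Review bot: `service: system` looks wrong for this rule. EventID 5156 ("The Windows Filtering Platform has permitted a connection") is written to the Security log under the Object Access > Audit Filtering Platform Connection subcategory, which is also what the `definition` text is describing; "Windows Filtering Platform" is not an advanced audit policy category. Not introduced by the rename, but since the logsource block is being touched, change it to `service: security` and word the definition like the 5145 rules in this change: 'The advanced audit policy setting "Object Access > Audit Filtering Platform Connection" must be configured for Success'.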


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145


@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145


@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145


@ -11,7 +11,7 @@ tags:
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145


@ -10,7 +10,7 @@ references:
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
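Review bot: compared with the Security rules in this change, which spell out the exact advanced audit policy setting, 'Script block logging must be enabled' leaves out where it is enabled and which log the rule reads. Suggest naming the policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) and the channel (Microsoft-Windows-PowerShell/Operational, where EventID 4104 is written). The same one-line wording appears in the other three powershell rules in this change, so whichever text is chosen should be applied to all four.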


@ -15,7 +15,7 @@ date: 2018/11/17
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104


@ -10,7 +10,7 @@ references:
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104


@ -12,7 +12,7 @@ date: 2020/03/26
logsource:
product: windows
service: powershell
description: "Script block logging must be enabled"
definition: "Script block logging must be enabled"
detection:
selection:
ScriptBlockText|contains:
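Review bot: style point: this rule wraps the definition in double quotes while every other logsource definition touched by this change uses single quotes; since the rename is being applied across all of them anyway, switch this one to `definition: 'Script block logging must be enabled'` so the blocks read uniformly.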


@ -323,6 +323,13 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title")
def test_invalid_logsource_attributes(self):
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
logsource = self.get_rule_part(file_path=file, part_name="logsource")
for key in logsource:
if key.lower() not in ['category', 'product', 'service', 'definition']:
print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
def get_mitre_data():
"""
Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
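Review bot: test_invalid_logsource_attributes can never fail. `faulty_rules = []` is initialised but nothing is ever appended to it and the method ends without an assertion, so a rule with an unknown logsource key only prints a red message while the suite stays green. Inside the `if`, add `faulty_rules.append(file)` after the print, and close the method the way the preceding test does: `self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: ...")`. Worth noting that the allowed list `['category', 'product', 'service', 'definition']` is what forces the definition1/definition2 merge elsewhere in this change; once the assertion is in place the test will actually enforce that.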