Add deprecated status

2024-11-06 01:15:17 +00:00 · 2021-10-28 20:08:27 +02:00 · 2021-10-28 20:08:27 +02:00 · c49b0d49fa
commit c49b0d49fa
parent e9d163cdd1
12 changed files with 22 additions and 12 deletions
--- a/rules/windows/deprecated/powershell_suspicious_download.yml
+++ b/rules/windows/deprecated/powershell_suspicious_download.yml
@ -1,6 +1,6 @@
 title: Suspicious PowerShell Download
 id: 65531a81-a694-4e31-ae04-f8ba5bc33759
-status: experimental
+status: deprecated
 description: Detects suspicious PowerShell download command
 tags:
    - attack.execution
--- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
@ -1,6 +1,6 @@
 title: Suspicious PowerShell Invocations - Generic
 id: 3d304fda-78aa-43ed-975c-d740798a49c1
-status: experimental
+status: deprecated
 description: Detects suspicious PowerShell invocation command parameters
 tags:
    - attack.execution
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@ -1,6 +1,6 @@
 title: Suspicious PowerShell Invocations - Specific
 id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
-status: experimental
+status: deprecated
 description: Detects suspicious PowerShell invocation command parameters
 tags:
    - attack.execution
--- a/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml
+++ b/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml
@ -21,4 +21,5 @@ detection:
    condition: selection
 falsepositives:
    - App-V clients
-level: medium
+level: medium
+status: deprecated
--- a/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
+++ b/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
@ -18,4 +18,5 @@ detection:
    condition: selection
 falsepositives:
    - App-V clients
-level: medium
+level: medium
+status: deprecated
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@ -1,6 +1,6 @@
 title: Mimikatz Detection LSASS Access
 id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
-status: experimental
+status: deprecated
 description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
    versions", 0x0010 PROCESS_VM_READ)
 references:
--- a/rules/windows/deprecated/sysmon_rclone_execution.yml
+++ b/rules/windows/deprecated/sysmon_rclone_execution.yml
@ -1,6 +1,6 @@
 title: RClone Execution
 id: a0d63692-a531-4912-ad39-4393325b2a9c
-status: experimental
+status: deprecated
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 tags:
    - attack.exfiltration
--- a/rules/windows/deprecated/win_susp_esentutl_activity.yml
+++ b/rules/windows/deprecated/win_susp_esentutl_activity.yml
@ -1,6 +1,6 @@
 title: Suspicious Esentutl Use
 id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
-status: experimental
+status: deprecated
 description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. 
 author: Florian Roth
 date: 2020/05/23
--- a/rules/windows/deprecated/win_susp_rclone_exec.yml
+++ b/rules/windows/deprecated/win_susp_rclone_exec.yml
@ -1,7 +1,7 @@
 title: Rclone Execution via Command Line or PowerShell
 id: cb7286ba-f207-44ab-b9e6-760d82b84253
 description: Detects Rclone which is commonly used by ransomware groups for exfiltration
-status: experimental
+status: deprecated
 date: 2021/05/26
 author: Aaron Greetham (@beardofbinary) - NCC Group
 references:
--- a/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
@ -1,6 +1,6 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
 id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
-status: experimental
+status: deprecated
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
 date: 2019/01/16
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@ -386,6 +386,8 @@ class TestRules(unittest.TestCase):
            "stable",
            "test",
            "experimental",
+            "deprecated",
+            "unsupported"
            ]
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            status_str = self.get_rule_part(file_path=file, part_name="status")
@ -393,7 +395,10 @@ class TestRules(unittest.TestCase):
                if not status_str in valid_status:
                    print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
                    faulty_rules.append(file) 
-
+                elif status_str == "unsupported":
+                    print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file))
+                    faulty_rules.append(file)
+                    
        self.assertEqual(faulty_rules, [], Fore.RED +
                         "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")

--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@ -24,7 +24,10 @@ class SigmaRuleFilter:
            "high"     : 2,
            "critical" : 3
            }
-    STATES = ["experimental",
+    STATES = [
+              "unsupported",
+              "deprecated",
+              "experimental",
              "test",
              "stable"]