Add deprecated status

This commit is contained in:
frack113 2021-10-28 20:08:27 +02:00
parent e9d163cdd1
commit c49b0d49fa
12 changed files with 22 additions and 12 deletions

View File

@ -1,6 +1,6 @@
title: Suspicious PowerShell Download title: Suspicious PowerShell Download
id: 65531a81-a694-4e31-ae04-f8ba5bc33759 id: 65531a81-a694-4e31-ae04-f8ba5bc33759
status: experimental status: deprecated
description: Detects suspicious PowerShell download command description: Detects suspicious PowerShell download command
tags: tags:
- attack.execution - attack.execution
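Review bot: the status flip alone leaves a reader of this rule with no idea why it was retired or what replaced it; the `description` line in this hunk still says "Detects suspicious PowerShell download command" as if the rule were current. Suggest amending the description (or a `modified` date plus a note naming the successor rule id) so a deprecated rule documents its replacement, and applying the same to the other eight rules deprecated in this commit.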

View File

@ -1,6 +1,6 @@
title: Suspicious PowerShell Invocations - Generic title: Suspicious PowerShell Invocations - Generic
id: 3d304fda-78aa-43ed-975c-d740798a49c1 id: 3d304fda-78aa-43ed-975c-d740798a49c1
status: experimental status: deprecated
description: Detects suspicious PowerShell invocation command parameters description: Detects suspicious PowerShell invocation command parameters
tags: tags:
- attack.execution - attack.execution

View File

@ -1,6 +1,6 @@
title: Suspicious PowerShell Invocations - Specific title: Suspicious PowerShell Invocations - Specific
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
status: experimental status: deprecated
description: Detects suspicious PowerShell invocation command parameters description: Detects suspicious PowerShell invocation command parameters
tags: tags:
- attack.execution - attack.execution

View File

@ -21,4 +21,5 @@ detection:
condition: selection condition: selection
falsepositives: falsepositives:
- App-V clients - App-V clients
level: medium level: medium
status: deprecated
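Review bot: here `status: deprecated` is appended after `level: medium` at the end of the file, whereas the other rules in this commit change an existing `status:` line near the top. Confirm this file had no `status:` key earlier in the document, since a duplicate key is not an error in PyYAML and the last value silently wins, and for consistency consider placing the field next to `id:` as the other rules do. The same applies to the next hunk.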

View File

@ -18,4 +18,5 @@ detection:
condition: selection condition: selection
falsepositives: falsepositives:
- App-V clients - App-V clients
level: medium level: medium
status: deprecated

View File

@ -1,6 +1,6 @@
title: Mimikatz Detection LSASS Access title: Mimikatz Detection LSASS Access
id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
status: experimental status: deprecated
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
versions", 0x0010 PROCESS_VM_READ) versions", 0x0010 PROCESS_VM_READ)
references: references:

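Review bot: the context line shows the description rendered as `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` with a space inside each access-right name. If that space is in the file rather than an artifact of the page rendering, it is worth correcting while the rule is being touched, since readers copy these constant names into their own searches.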
View File

@ -1,6 +1,6 @@
title: RClone Execution title: RClone Execution
id: a0d63692-a531-4912-ad39-4393325b2a9c id: a0d63692-a531-4912-ad39-4393325b2a9c
status: experimental status: deprecated
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
tags: tags:
- attack.exfiltration - attack.exfiltration

View File

@ -1,6 +1,6 @@
title: Suspicious Esentutl Use title: Suspicious Esentutl Use
id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7 id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
status: experimental status: deprecated
description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
author: Florian Roth author: Florian Roth
date: 2020/05/23 date: 2020/05/23

View File

@ -1,7 +1,7 @@
title: Rclone Execution via Command Line or PowerShell title: Rclone Execution via Command Line or PowerShell
id: cb7286ba-f207-44ab-b9e6-760d82b84253 id: cb7286ba-f207-44ab-b9e6-760d82b84253
description: Detects Rclone which is commonly used by ransomware groups for exfiltration description: Detects Rclone which is commonly used by ransomware groups for exfiltration
status: experimental status: deprecated
date: 2021/05/26 date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group author: Aaron Greetham (@beardofbinary) - NCC Group
references: references:

View File

@ -1,6 +1,6 @@
title: Activity Related to NTDS.dit Domain Hash Retrieval title: Activity Related to NTDS.dit Domain Hash Retrieval
id: b932b60f-fdda-4d53-8eda-a170c1d97bbd id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
status: experimental status: deprecated
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
author: Florian Roth, Michael Haag author: Florian Roth, Michael Haag
date: 2019/01/16 date: 2019/01/16

View File

@ -386,6 +386,8 @@ class TestRules(unittest.TestCase):
"stable", "stable",
"test", "test",
"experimental", "experimental",
"deprecated",
"unsupported"
] ]
for file in self.yield_next_rule_file_path(self.path_to_rules): for file in self.yield_next_rule_file_path(self.path_to_rules):
status_str = self.get_rule_part(file_path=file, part_name="status") status_str = self.get_rule_part(file_path=file, part_name="status")
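Review bot: adding `"deprecated"` and `"unsupported"` to `valid_status` needs a matching documentation change; the error message two hunks down tells the author to "check wiki", so the status section of the specification page linked in the assertion (https://github.com/SigmaHQ/sigma/wiki/Specification) should list both new values and what each means, otherwise the test points users at a page that does not mention them.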
@ -393,7 +395,10 @@ class TestRules(unittest.TestCase):
if not status_str in valid_status: if not status_str in valid_status:
print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
faulty_rules.append(file) faulty_rules.append(file)
elif status_str == "unsupported":
print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file))
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED + self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")
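Review bot: the new `elif status_str == "unsupported":` branch is reachable only because `"unsupported"` was just added to `valid_status`, so the list now mixes statuses that are valid in this directory with one that is not; a short comment explaining that `"unsupported"` is a spec-valid value rejected here on purpose would save the next reader a puzzle. While here, the adjacent context line could read `if status_str not in valid_status:` (the idiomatic form of `not x in y`), and "has a invalid 'status'" should be "has an invalid 'status'". The new message would also read better as "has status 'unsupported', which is not allowed in the rules directory".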

View File

@ -24,7 +24,10 @@ class SigmaRuleFilter:
"high" : 2, "high" : 2,
"critical" : 3 "critical" : 3
} }
STATES = ["experimental", STATES = [
"unsupported",
"deprecated",
"experimental",
"test", "test",
"stable"] "stable"]
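Review bot: `STATES` is ordered from least to most mature, and the `LEVELS` mapping just above assigns integers in the same way, which suggests the filter compares by position; inserting `"unsupported"` and `"deprecated"` ahead of `"experimental"` therefore ranks them below every previous state, which is the right outcome for a minimum-status filter. Because that ordering is load-bearing, add a comment on the list saying so, and check the place where `STATES` is consumed to make sure an unknown or missing status still fails gracefully now that two more values can appear.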