From 0078ee795b27305e3dfe41be6bf036930fb6b792 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:47:35 +0800 Subject: [PATCH 001/108] chore: update sigma ci badge Replace travis-ci tatus badge with github actions tatus badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 424533b5..c5ead69f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma) +![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) ![sigma_logo](./images/Sigma_0.3.png) From 932fe14cf69be50e65d567caaa87c33e12d2acdd Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Fri, 6 Aug 2021 16:51:19 +0800 Subject: [PATCH 002/108] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c5ead69f..3fb50937 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master) +[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From 4c3a7007e682ea00673972e85755b7c68bab5993 Mon Sep 17 00:00:00 2001 From: Lei Chen Date: Sat, 7 Aug 2021 21:13:19 +0800 Subject: [PATCH 003/108] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3fb50937..864235a6 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -[![sigma build sttaus](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) +[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster) ![sigma_logo](./images/Sigma_0.3.png) From a75859a976409df0a3c3705f01efba97859eda23 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sun, 15 Aug 2021 16:00:14 +0200 Subject: [PATCH 004/108] First commit --- ...reating_number_of_resources_detection.yaml | 20 + .../azure_granting_permission_detection.yml | 20 + rules/cloud/azure/azure_rare_operations.yml | 25 ++ rules/network/zeek/zeek_dns_mining_pools.yml | 43 +++ rules/network/zeek/zeek_dns_torproxy.yml | 21 + rules/web/sql_injection_keywords.yml | 23 ++ rules/web/xss_keywords.yml | 24 ++ .../builtin/win_anomaly_process_execution.yml | 22 ++ .../windows/builtin/win_event_log_cleared.yml | 22 ++ .../builtin/win_powershelll_empire.yml | 363 ++++++++++++++++++ .../builtin/win_user_acc_added_removed.yml | 25 ++ .../builtin/win_user_acc_created_deleted.yml | 18 + .../builtin/win_user_acc_enabled_disabled.yml | 20 + ...in_user_created_added_to_bultin_admins.yml | 21 + 14 files changed, 667 insertions(+) create mode 100644 rules/cloud/azure/azure_creating_number_of_resources_detection.yaml create mode 100644 rules/cloud/azure/azure_granting_permission_detection.yml create mode 100644 rules/cloud/azure/azure_rare_operations.yml create mode 100644 rules/network/zeek/zeek_dns_mining_pools.yml create mode 100644 rules/network/zeek/zeek_dns_torproxy.yml create mode 100644 rules/web/sql_injection_keywords.yml create mode 100644 rules/web/xss_keywords.yml create mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml create mode 100644 rules/windows/builtin/win_event_log_cleared.yml create mode 100644 rules/windows/builtin/win_powershelll_empire.yml create mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml create mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml create mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml create mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml new file mode 100644 index 00000000..d1a60829 --- /dev/null +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml @@ -0,0 +1,20 @@ +title: number of resource creation or deployment activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml new file mode 100644 index 00000000..cf644a6b --- /dev/null +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -0,0 +1,20 @@ +title: Granting of permissions to an account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +logsource: + service: AzureActivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1098 
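Review bot: The `keywords` match in azure_creating_number_of_resources_detection.yaml fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write`, so nothing in the rule reflects the "number of" in its title or the thresholded Sentinel query it references. If volume is the intent, add a Sigma v1 aggregation such as `condition: keywords | count() by Caller > 20` with a top-level `timeframe: 1h` (threshold from your tenant's baseline), and note that AzureActivity usually emits several status events per operation, so the count should presumably also be pinned to the succeeded status — confirm the status field name in the connector you target. `attack.t1098` (Account Manipulation) does not describe VM or deployment creation; `attack.t1578.002` (Create Cloud Instance) is the matching technique.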
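Review bot: The description of azure_granting_permission_detection.yml promises an alert only when a previously unseen source IP grants access, but the detection is a bare keyword match on `Microsoft.Authorization/roleAssignments/write`, so it fires on every role assignment and does no baselining at all. Either say what it does — `description: Detects Azure RBAC role assignment writes (Microsoft.Authorization/roleAssignments/write) in AzureActivity; first-seen source IPs have to be baselined by the consuming platform.` — or drop the first-seen claim. The stray blank line between the keyword and `condition:` inside `detection:` should go, and `attack.t1098.003` (Additional Cloud Roles) is the more precise tag than the parent `attack.t1098`.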
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml new file mode 100644 index 00000000..caa65c03 --- /dev/null +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -0,0 +1,25 @@ +title: Rare subscription-level operations in Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: experimental +author: sawwinnnaung +date: 2020/05/07 +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml +logsource: + service: AzureActivity +detection: + keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action + -Microsoft.Maps/accounts/listKeys/action + -Microsoft.Media/mediaservices/listKeys/action + -Microsoft.CognitiveServices/accounts/listKeys/action + -Microsoft.Storage/storageAccounts/listKeys/action + -Microsoft.Compute/snapshots/write + -Microsoft.Network/networkSecurityGroups/write + + condition: keywords +level: medium +falsepositives: + - Valid change +tags: + - attack.t1003 diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml new file mode 100644 index 00000000..f45df340 --- /dev/null +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
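Review bot: In azure_rare_operations.yml the `keywords:` value begins with `-Microsoft.DocumentDB/databaseAccounts/listKeys/action` with no space after the dash, so YAML does not parse a sequence: the dash is part of a plain scalar and the following `-Microsoft...` lines fold into that same string, leaving a single keyword that can never match (or a schema error, depending on the validator). Write it as a list — `keywords:` followed by `- Microsoft.DocumentDB/databaseAccounts/listKeys/action` and one `- ` item per operation; the PATCH 005 "fix errors" commit later in this series does not touch this file. The description is copied verbatim from the role-assignment rule and should describe key listing and snapshot/NSG writes instead. `attack.t1003` is OS Credential Dumping; the listKeys operations read closer to something under `attack.t1552`, and `snapshots/write` to `attack.t1578.001` (Create Snapshot) — worth settling before the tag sticks.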
@@ -0,0 +1,43 @@ +id: bf74135c-18e8-4a72-a926-0e4f47888c19 +title: DNS events related to mining pools +description: | + 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1035 + - attack.t1496 +detection: + selection: + query: + - 'monerohash.com' + - 'do-dear.com' + - 'xmrminerpro.com' + - 'secumine.net' + - 'xmrpool.com' + - 'minexmr.org' + - 'hashanywhere.com' + - 'xmrget.com' + - 'mininglottery.eu' + - 'minergate.com' + - 'moriaxmr.com' + - 'multipooler.com' + - 'moneropools.com' + - 'xmrpool.eu' + - 'coolmining.club' + - 'supportxmr.com' + - 'minexmr.com' + - 'coinfoundry.org' + - 'cryptoknight.cc' + - 'fairhash.org' + - 'baikalmine.com' + - 'tubepool.xyz' + - 'fairpool.xyz' + - 'asiapool.io' + condition: selection +fields: + - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml new file mode 100644 index 00000000..1249c6ad --- /dev/null +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -0,0 +1,21 @@ +id: a8322756-015c-42e7-afb1-436e85ed3ff5 +title: DNS tor proxies +description: | + 'Identifies IPs performing DNS lookups associated with common Tor proxies.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: dns + product: zeek +tags: + - attack.t1048 +detection: + selection: + query: + - 'tor2web.*' + - 'onion.*' + - '*tor-gateways*' + condition: selection +fields: + - clientip diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml new file mode 100644 index 00000000..f1dd7972 --- /dev/null +++ b/rules/web/sql_injection_keywords.yml 
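Review bot: The bare domain values under `query` in zeek_dns_mining_pools.yml are equality matches in Sigma, so a lookup for `pool.minexmr.com` or any other pool subdomain never matches; only the apex name does, which is rarely what a miner resolves. Switch to `query|endswith:` with the same values (or dotted suffixes such as `'.minexmr.com'` if apex hits are unwanted). `fields: - clientip` presumably means the querying host, which Zeek's dns.log names `id.orig_h` — confirm against the field mapping in use. `attack.t1035` was Service Execution and is deprecated; `attack.t1496` alone is the right tag here.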
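Review bot: The patterns `'tor2web.*'` and `'onion.*'` in zeek_dns_torproxy.yml are prefix wildcards, so they only match queries whose first label is literally `tor2web` or `onion`; real gateway lookups look like `<hash>.onion.to` or `<hash>.tor2web.org` and miss entirely. Use `'*.tor2web.*'` and `'*.onion.*'`, and add a `query|endswith: '.onion'` selection for `.onion` names leaking to the resolver, which is the higher-fidelity signal. As with the mining-pool rule, `clientip` is presumably Zeek's `id.orig_h`. `attack.t1090.003` (Multi-hop Proxy) describes Tor use better than `attack.t1048`.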
@@ -0,0 +1,23 @@ +title: Detect sql injection by keywords +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: experimental +description: Detects sql injection that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=select' + - '=union' + - '=concat' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website +level: high diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml new file mode 100644 index 00000000..2c17f38b --- /dev/null +++ b/rules/web/xss_keywords.yml @@ -0,0 +1,24 @@ +title: Detect XSS Attempts by keywords +id: 553a450b8-604d-41a9-8587-a28334aaddfb +status: experimental +description: Detects XSS that use GET requests by keyword searches in URL strings +author: Saw Win Naung +date: 2020/02/22 +logsource: + category: webserver +detection: + keywords: + - '=cookie' + - '=script' + - '=onload' + - '=onmouseover' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts,CSS Files and PNG files + - User searches in search boxes of the respective website +level: high diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml new file mode 100644 index 00000000..1a38f02a --- /dev/null +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
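Review bot: The three keywords in sql_injection_keywords.yml only hit when the SQL token immediately follows `=`, so the common shapes `id=1 UNION SELECT`, `id=1%20union%20select` and `id=1+union+select` are all missed, and whether `=SELECT` matches depends on the backend's case handling. Add encoded and spaced variants such as `'union%20select'`, `'union+select'` and `'%20select%20'` (or a `|re` selection where the backend supports it), and state the case-insensitivity expectation in the description. `=select` also matches ordinary parameters like `mode=select`, which together with the listed false positives argues for `level: medium` rather than `high`.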
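Review bot: The xss_keywords.yml list misses the most common GET probe: `q=<script>alert(1)</script>` appears in access logs as `=%3Cscript%3E...` or `=<script`, neither of which contains `=script`. Add `'%3Cscript'`, `'<script'` and `'javascript:'` (plus `'javascript%3A'`) as keywords; `=onload` and `=onmouseover` likewise miss the `%20onload%3D` form seen after URL encoding. The `falsepositives` wording `Java scripts,CSS Files and PNG files` should read `JavaScript, CSS and PNG files`.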
@@ -0,0 +1,22 @@ +title: Process execution anomaly +id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 +description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.t1064 +detection: + selection: + EventID: 4688 + NewProcessName|contains: + - 'powershell.exe' + - 'cmd.exe' + - 'wmic.exe' + - 'psexec.exe' + - 'cacls.exe' + - 'rundll.exe' + condition: selection diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml new file mode 100644 index 00000000..2540d98e --- /dev/null +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -0,0 +1,22 @@ +id: a122ac13-daf8-4175-83a2-72c387be339d +title: Security Event log cleared +status: experimental +description: | + 'Checks for event id 1102 which indicates the security event log was cleared.' +reference: Azure Sentinel +author: Saw Winn Naung +severity: Medium +logsource: + service: security + product: windows +tags: + + - attack.t1107 +detection: + selection: + EventID: 1102 + condition: selection +fields: + - fields in the log source that are important to investigate further +falsepositives: + - Legitimate administrative activity diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml new file mode 100644 index 00000000..f3883029 --- /dev/null +++ b/rules/windows/builtin/win_powershelll_empire.yml 
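Review bot: `'rundll.exe'` in win_anomaly_process_execution.yml never matches: the Windows binary is `rundll32.exe`, and `rundll.exe` is not a substring of it, so that entry is dead. Replace it with `'\rundll32.exe'` and, since `|contains: 'cmd.exe'` also matches any `*cmd.exe`, anchor the whole list as `NewProcessName|endswith:` with a leading backslash on each value. Even then the rule is "every 4688 for cmd/powershell/wmic", which is not an anomaly and will be extremely noisy; the Sentinel source is a time-series baseline Sigma cannot express, so either add `| count() by Computer > N` with a `timeframe` or retitle and describe it as an audit rule. `attack.t1064` is deprecated; `attack.t1059` is the current scripting tag.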
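Review bot: The `fields:` entry in win_event_log_cleared.yml is template placeholder text (`fields in the log source that are important to investigate further`) rather than field names; 1102 carries `SubjectUserName`, `SubjectDomainName` and `SubjectLogonId`, which are the ones an analyst wants surfaced. `attack.t1107` was File Deletion and is deprecated; clearing the Security log is `attack.t1070.001`. If the repository already ships a rule keyed on Security EventID 1102, this one duplicates it and should be merged rather than added — worth checking before merge.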
@@ -0,0 +1,363 @@ +title: Powershell Empire cmdlets seen in command line +id: ef88eb96-861c-43a0-ab16-f3835a97c928 +description: | + 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.execution + - attack.persistence + - attack.t1208 +detection: + selection1: + EventID: 4688 + CommandLine|contains: ' -encodedCommand' + selection2: + CommandLine: + - 'SetDelay' + - 'GetDelay' + - 'Set-LostLimit' + - 'Get-LostLimit' + - 'Set-Killdate' + - 'Get-Killdate' + - 'Set-WorkingHours' + - 'Get-WorkingHours' + - 'Get-Sysinfo' + - 'Add-Servers' + - 'Invoke-ShellCommand' + - 'Start-AgentJob' + - 'Update-Profile' + - 'Get-FilePart' + - 'Encrypt-Bytes' + - 'Decrypt-Bytes' + - 'Encode-Packet' + - 'Decode-Packet' + - 'Send-Message' + - 'Process-Packet' + - 'Process-Tasking' + - 'Get-Task' + - 'Start-Negotiate' + - 'Invoke-DllInjection' + - 'Invoke-ReflectivePEInjection' + - 'Invoke-Shellcode' + - 'Invoke-ShellcodeMSIL' + - 'Get-ChromeDump' + - 'Get-ClipboardContents' + - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Invoke-Inveigh' + - 'Invoke-NetRipper' + - 'local:Invoke-PatchDll' + - 'Invoke-NinjaCopy' + - 'Get-Win32Types' + - 'Get-Win32Constants' + - 'Get-Win32Functions' + - 'Sub-SignedIntAsUnsigned' + - 'Add-SignedIntAsUnsigned' + - 'Compare-Val1GreaterThanVal2AsUInt' + - 'Convert-UIntToInt' + - 'Test-MemoryRangeValid' + - 'Write-BytesToMemory' + - 'Get-DelegateType' + - 'Get-ProcAddress' + - 'Enable-SeDebugPrivilege' + - 'Invoke-CreateRemoteThread' + - 'Get-ImageNtHeaders' + - 'Get-PEBasicInfo' + - 'Get-PEDetailedInfo' + - 'Import-DllInRemoteProcess' + - 'Get-RemoteProcAddress' + - 'Copy-Sections' + - 'Update-MemoryAddresses' + - 'Import-DllImports' + - 'Get-VirtualProtectValue' + - 'Update-MemoryProtectionFlags' + - 'Update-ExeFunctions' + - 'Copy-ArrayOfMemAddresses' + - 'Get-MemoryProcAddress' + - 'Invoke-MemoryLoadLibrary' + 
- 'Invoke-MemoryFreeLibrary' + - 'Out-Minidump' + - 'Get-VaultCredential' + - 'Invoke-DCSync' + - 'Translate-Name' + - 'Get-NetDomain' + - 'Get-NetForest' + - 'Get-NetForestDomain' + - 'Get-DomainSearcher' + - 'Get-NetComputer' + - 'Get-NetGroupMember' + - 'Get-NetUser' + - 'Invoke-Mimikatz' + - 'Invoke-PowerDump' + - 'Invoke-TokenManipulation' + - 'Exploit-JMXConsole' + - 'Exploit-JBoss' + - 'Invoke-Thunderstruck' + - 'Invoke-VoiceTroll' + - 'Set-WallPaper' + - 'Invoke-PsExec' + - 'Invoke-SSHCommand' + - 'Invoke-PSInject' + - 'Invoke-RunAs' + - 'Invoke-SendMail' + - 'Invoke-Rule' + - 'Get-OSVersion' + - 'Select-EmailItem' + - 'View-Email' + - 'Get-OutlookFolder' + - 'Get-EmailItems' + - 'Invoke-MailSearch' + - 'Get-SubFolders' + - 'Get-GlobalAddressList' + - 'Invoke-SearchGAL' + - 'Get-SMTPAddress' + - 'Disable-SecuritySettings' + - 'Reset-SecuritySettings' + - 'Get-OutlookInstance' + - 'New-HoneyHash' + - 'Set-MacAttribute' + - 'Invoke-PatchDll' + - 'Get-SecurityPackages' + - 'Install-SSP' + - 'Invoke-BackdoorLNK' + - 'New-ElevatedPersistenceOption' + - 'New-UserPersistenceOption' + - 'Add-Persistence' + - 'Invoke-CallbackIEX' + - 'Add-PSFirewallRules' + - 'Invoke-EventLoop' + - 'Invoke-PortBind' + - 'Invoke-DNSLoop' + - 'Invoke-PacketKnock' + - 'Invoke-CallbackLoop' + - 'Invoke-BypassUAC' + - 'Get-DecryptedCpassword' + - 'Get-GPPInnerFields' + - 'Invoke-WScriptBypassUAC' + - 'Get-ModifiableFile' + - 'Get-ServiceUnquoted' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Invoke-ServiceUserAdd' + - 'Invoke-ServiceCMD' + - 'Write-UserAddServiceBinary' + - 'Write-CMDServiceBinary' + - 'Write-ServiceEXE' + - 'Write-ServiceEXECMD' + - 'Restore-ServiceEXE' + - 'Invoke-ServiceStart' + - 'Invoke-ServiceStop' + - 'Invoke-ServiceEnable' + - 'Invoke-ServiceDisable' + - 'Get-ServiceDetail' + - 'Find-DLLHijack' + - 'Find-PathHijack' + - 'Write-HijackDll' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 
'Get-UnattendedInstallFile' + - 'Get-Webconfig' + - 'Get-ApplicationHost' + - 'Write-UserAddMSI' + - 'Invoke-AllChecks' + - 'Invoke-ThreadedFunction' + - 'Test-Login' + - 'Get-UserAgent' + - 'Test-Password' + - 'Get-ComputerDetails' + - 'Find-4648Logons' + - 'Find-4624Logons' + - 'Find-AppLockerLogs' + - 'Find-PSScriptsInPSAppLog' + - 'Find-RDPClientConnections' + - 'Get-SystemDNSServer' + - 'Invoke-Paranoia' + - 'Invoke-WinEnum{' + - 'Get-SPN' + - 'Invoke-ARPScan' + - 'Invoke-Portscan' + - 'Invoke-ReverseDNSLookup' + - 'Invoke-SMBScanner' + - 'New-InMemoryModule' + - 'Add-Win32Type' + - 'Export-PowerViewCSV' + - 'Get-MacAttribute' + - 'Copy-ClonedFile' + - 'Get-IPAddress' + - 'Convert-NameToSid' + - 'Convert-SidToName' + - 'Convert-NT4toCanonical' + - 'Get-Proxy' + - 'Get-PathAcl' + - 'Get-NameField' + - 'Convert-LDAPProperty' + - 'Get-NetDomainController' + - 'Add-NetUser' + - 'Add-NetGroupUser' + - 'Get-UserProperty' + - 'Find-UserField' + - 'Get-UserEvent' + - 'Get-ObjectAcl' + - 'Add-ObjectAcl' + - 'Invoke-ACLScanner' + - 'Get-GUIDMap' + - 'Get-ADObject' + - 'Set-ADObject' + - 'Get-ComputerProperty' + - 'Find-ComputerField' + - 'Get-NetOU' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-DomainSID' + - 'Get-NetGroup' + - 'Get-NetFileServer' + - 'SplitPath' + - 'Get-DFSshare' + - 'Get-DFSshareV1' + - 'Get-DFSshareV2' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + - 'Get-NetGPO' + - 'Get-NetGPOGroup' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 
'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Find-GPOLocation' + - 'Find-GPOComputerAdmin' + - 'Get-DomainPolicy' + - 'Get-NetLocalGroup' + - 'Get-NetShare' + - 'Get-NetLoggedon' + - 'Get-NetSession' + - 'Get-NetRDPSession' + - 'Invoke-CheckLocalAdminAccess' + - 'Get-LastLoggedOn' + - 'Get-NetProcess' + - 'Find-InterestingFile' + - 'Invoke-CheckWrite' + - 'Invoke-UserHunter' + - 'Invoke-StealthUserHunter' + - 'Invoke-ProcessHunter' + - 'Invoke-EventHunter' + - 'Invoke-ShareFinder' + - 'Invoke-FileFinder' + - 'Find-LocalAdminAccess' + - 'Get-ExploitableSystem' + - 'Invoke-EnumerateLocalAdmin' + - 'Get-NetDomainTrust' + - 'Get-NetForestTrust' + - 'Find-ForeignUser' + - 'Find-ForeignGroup' + - 'Invoke-MapDomainTrust' + - 'Get-Hex' + - 'Create-RemoteThread' + - 'Get-FoxDump' + - 'Decrypt-CipherText' + - 'Get-Screenshot' + - 'Start-HTTP-Server' + - 'Local:Invoke-CreateRemoteThread' + - 'Local:Get-Win32Functions' + - 'Local:Inject-NetRipper' + - 'GetCommandLine' + - 'ElevatePrivs' + - 'Get-RegKeyClass' + - 'Get-BootKey' + - 'Get-HBootKey' + - 'Get-UserName' + - 'Get-UserHashes' + - 'DecryptHashes' + - 'DecryptSingleHash' + - 'Get-UserKeys' + - 'DumpHashes' + - 'Enable-SeAssignPrimaryTokenPrivilege' + - 'Enable-Privilege' + - 
'Set-DesktopACLs' + - 'Set-DesktopACLToAllowEveryone' + - 'Get-PrimaryToken' + - 'Get-ThreadToken' + - 'Get-TokenInformation' + - 'Get-UniqueTokens' + - 'Invoke-ImpersonateUser' + - 'Create-ProcessWithToken' + - 'Free-AllTokens' + - 'Enum-AllTokens' + - 'Invoke-RevertToSelf' + - 'Set-Speaker(\$Volume){\$wshShell' + - 'Local:Get-RandomString' + - 'Local:Invoke-PsExecCmd' + - 'Get-GPPPassword' + - 'Local:Inject-BypassStuff' + - 'Local:Invoke-CopyFile\(\$sSource,' + - 'ind-Fruit' + - 'New-IPv4Range' + - 'New-IPv4RangeFromCIDR' + - 'Parse-Hosts' + - 'Parse-ILHosts' + - 'Exclude-Hosts' + - 'Get-TopPort' + - 'Parse-Ports' + - 'Parse-IpPorts' + - 'Remove-Ports' + - 'Write-PortscanOut' + - 'Convert-SwitchtoBool' + - 'Get-ForeignUser' + - 'Get-ForeignGroup' + condition: selection1 or selection2 \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml new file mode 100644 index 00000000..d827a04c --- /dev/null +++ b/rules/windows/builtin/win_user_acc_added_removed.yml @@ -0,0 +1,25 @@ +title: Account added and removed from privileged groups +id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 +description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection1: + EventID: + - 4728 + - 4732 + - 4756 + selection2: + EventID: + - 4729 + - 4733 + - 4757 + condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml new file mode 100644 index 00000000..48bd4be5 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_created_deleted.yml 
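Review bot: `selection2` in win_powershelll_empire.yml lists its cmdlet names under `CommandLine:` with no modifier, which in Sigma is an equality match against the whole command line, so none of the ~300 values can ever hit a real process command line; it needs `CommandLine|contains:`. Several values also keep KQL regex escapes copied from the Sentinel query — `'Set-Speaker(\$Volume){\$wshShell'`, `'Local:Invoke-CopyFile\(\$sSource,'` — which become literal backslashes under plain matching, `'ind-Fruit'` is a truncated `Find-Fruit`, and `'Invoke-WinEnum{'` drags a brace along. The run from `'Find-GPOLocation'` through `'Get-UniqueTokens'` appears twice in the list. Generic names such as `Get-IPAddress`, `Get-Proxy`, `Get-UserName`, `GetCommandLine` and `Get-Hex` occur in ordinary scripts and will dominate the alerts once the match works; prune them or move them to a low-level rule. The filename has a triple `l` (`powershelll`).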
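Review bot: `condition: selection1 or selection2` in win_user_acc_added_removed.yml matches every member add or remove from any group, not the privileged groups the title names, and nothing links an add to a later remove. Restrict on the group SID (`TargetSid` in 4728/4732/4756 and their removal counterparts) and collapse the two selections; an add-then-remove sequence is not expressible in plain Sigma, but on backends that support Sigma v1 aggregation `| count() by MemberSid > 1` with `timeframe: 10m` approximates it. At `level: low` with the unfiltered EventIDs the rule will mostly be noise.
```yaml
detection:
    selection:
        EventID:
            - 4728
            - 4732
            - 4756
            - 4729
            - 4733
            - 4757
        TargetSid|endswith:
            - '-512'           # Domain Admins
            - '-518'           # Schema Admins
            - '-519'           # Enterprise Admins
            - 'S-1-5-32-544'   # BUILTIN\Administrators
    condition: selection
```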
@@ -0,0 +1,18 @@ +title: User account created and deleted within 10 mins +id: 4b93c5af-d20b-4236-b696-a28b8c51407f +description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: 4720 + condition: selection \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml new file mode 100644 index 00000000..91559202 --- /dev/null +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -0,0 +1,20 @@ +title: User account enabled and disabled +id: 3d023f64-8225-41a2-9570-2bd7c2c4535e +description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and + an adversary attempting to hide in the noise.' +references: Azure Sentinel +level: Medium +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4722 + - 4725 + condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml new file mode 100644 index 00000000..831dfea2 --- /dev/null +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
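Review bot: `EventID: [4722, 4725]` with `condition: selection` in win_user_acc_enabled_disabled.yml fires on every account enable or disable, and 4722 is logged as part of normal account creation right after 4720, so the rule also alerts on every new user. The "enabled and then disabled" description needs correlation the plain condition does not have; on backends with Sigma v1 aggregation, `condition: selection | count() by TargetUserName > 1` plus a top-level `timeframe: 10m` approximates it, otherwise retitle it as a plain account-status audit rule and lower the level.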
@@ -0,0 +1,21 @@ +title: New user created and added to the built-in administrators group +id: aa1eff90-29d4-49dc-a3ea-b65199f516db +description: 'Identifies when a user account was created and then added to the builtin Administrators group. + This should be monitored closely and all additions reviewed.' +references: Azure Sentinel +level: Low +logsource: + service: Security + product: windows +tags: + - attack.persistence + - attack.privilege_escalation +relevantTechniques: + - attack.t1098 + - attack.t1078 +detection: + selection: + EventID: + - 4720 + - 4732 + condition: selection \ No newline at end of file From 12396f615c9f0528c8dc028a8317892fd1a389cc Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 16:52:24 +0200 Subject: [PATCH 005/108] remove duplicate rule and fix errors --- ...creating_number_of_resources_detection.yml} | 0 rules/network/zeek/zeek_dns_mining_pools.yml | 5 ++--- rules/network/zeek/zeek_dns_torproxy.yml | 2 +- .../builtin/win_anomaly_process_execution.yml | 5 ++--- .../windows/builtin/win_event_log_cleared.yml | 2 +- .../windows/builtin/win_powershelll_empire.yml | 10 ++++------ .../builtin/win_user_acc_added_removed.yml | 2 +- .../builtin/win_user_acc_created_deleted.yml | 18 ------------------ .../builtin/win_user_acc_enabled_disabled.yml | 2 +- ...win_user_created_added_to_bultin_admins.yml | 2 +- 10 files changed, 13 insertions(+), 35 deletions(-) rename rules/cloud/azure/{azure_creating_number_of_resources_detection.yaml => azure_creating_number_of_resources_detection.yml} (100%) delete mode 100644 rules/windows/builtin/win_user_acc_created_deleted.yml diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml similarity index 100% rename from rules/cloud/azure/azure_creating_number_of_resources_detection.yaml rename to rules/cloud/azure/azure_creating_number_of_resources_detection.yml 
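Review bot: `relevantTechniques:` in win_user_created_added_to_bultin_admins.yml is a key from the Sentinel YAML schema, not Sigma, so `attack.t1098` and `attack.t1078` are not tags here and the file will trip the repository's schema check; move them under `tags:`. `EventID: [4720, 4732]` with `condition: selection` also fires on every account creation and on membership changes to any local group; pin the group with `TargetSid: 'S-1-5-32-544'` and accept that the created-then-added sequence needs backend correlation plain Sigma lacks. Without that correlation the 4720 leg only adds every account creation as noise, so the rewrite below keeps the group-add event only. The PATCH 006 diffstat shows a later 7-line change to this file that is not in view, so check whether it already covers this. The filename misspells built-in (`bultin`).
```yaml
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1098
    - attack.t1078
detection:
    selection:
        EventID: 4732
        TargetSid: 'S-1-5-32-544'   # BUILTIN\Administrators
    condition: selection
```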
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index f45df340..281e3779 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,10 +1,9 @@ id: bf74135c-18e8-4a72-a926-0e4f47888c19 title: DNS events related to mining pools -description: | - 'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.' +description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: dns product: zeek diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 1249c6ad..6a3e8a77 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -4,7 +4,7 @@ description: | 'Identifies IPs performing DNS lookups associated with common Tor proxies.' reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: dns product: zeek diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 1a38f02a..2746bf8f 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -2,16 +2,15 @@ title: Process execution anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' references: Azure Sentinel -level: Medium +level: medium logsource: - service: Security product: windows + category: process_creation tags: - attack.execution - attack.t1064 detection: selection: - EventID: 4688 NewProcessName|contains: - 'powershell.exe' - 'cmd.exe' 
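Review bot: After the switch to `category: process_creation` in win_anomaly_process_execution.yml, the context line `NewProcessName|contains:` still uses the raw 4688 field name, so backends that feed this category from Sysmon EventID 1 or any taxonomy-mapped source will not map it; the Sigma process_creation field is `Image`. Change it to `Image|endswith:` and prefix each value with a backslash (`- '\powershell.exe'`), which also stops `cmd.exe` matching any `*cmd.exe`. The rest of the value list lies outside the hunk.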
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 2540d98e..ac7e1691 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -5,7 +5,7 @@ description: | 'Checks for event id 1102 which indicates the security event log was cleared.' reference: Azure Sentinel author: Saw Winn Naung -severity: Medium +severity: medium logsource: service: security product: windows diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index f3883029..e4883f3e 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,19 +1,17 @@ title: Powershell Empire cmdlets seen in command line id: ef88eb96-861c-43a0-ab16-f3835a97c928 -description: | - 'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' +description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. references: Azure Sentinel -level: Medium +level: medium logsource: - service: Security - product: windows + product: windows + category: process_creation tags: - attack.execution - attack.persistence - attack.t1208 detection: selection1: - EventID: 4688 CommandLine|contains: ' -encodedCommand' selection2: CommandLine: diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index d827a04c..e3fe87b9 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
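Review bot: With `EventID` dropped, `selection1` in win_powershelll_empire.yml is just `CommandLine|contains: ' -encodedCommand'`, and the `condition: selection1 or selection2` outside the hunk means a rule titled "Empire cmdlets" fires on every encoded PowerShell invocation from any tool. Either make it `condition: selection1 and selection2` or move the encoded-command case to its own generic rule; if kept, `' -encodedCommand'` also misses the `-enc`, `-ec` and `-e` prefixes PowerShell accepts for the same parameter. The context line `CommandLine:` for `selection2` remains an equality match and still needs `|contains`. `attack.t1208` is deprecated Kerberoasting and unrelated; `attack.t1059.001` fits.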
@@ -2,7 +2,7 @@ title: Account added and removed from privileged groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' references: Azure Sentinel -level: Low +level: low logsource: service: Security product: windows diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml deleted file mode 100644 index 48bd4be5..00000000 --- a/rules/windows/builtin/win_user_acc_created_deleted.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: User account created and deleted within 10 mins -id: 4b93c5af-d20b-4236-b696-a28b8c51407f -description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and - an adversary attempting to hide in the noise.' -references: Azure Sentinel -level: Medium -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: 4720 - condition: selection \ No newline at end of file diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 91559202..a6cd343c 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -3,7 +3,7 @@ id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.' references: Azure Sentinel -level: Medium +level: medium logsource: service: Security product: windows diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 831dfea2..639debc5 100644 
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -3,7 +3,7 @@ id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: 'Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.' references: Azure Sentinel -level: Low +level: low logsource: service: Security product: windows From 245cb6d5101ee8f024eb75747f4ad6f682da85a1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 18:55:44 +0200 Subject: [PATCH 006/108] fix more errors --- rules/network/zeek/zeek_dns_mining_pools.yml | 6 +- rules/network/zeek/zeek_dns_torproxy.yml | 9 +- rules/web/xss_keywords.yml | 4 +- .../builtin/win_anomaly_process_execution.yml | 6 +- .../windows/builtin/win_event_log_cleared.yml | 10 +- .../builtin/win_powershelll_empire.yml | 635 ++++++++---------- .../builtin/win_user_acc_added_removed.yml | 6 +- .../builtin/win_user_acc_enabled_disabled.yml | 7 +- ...in_user_created_added_to_bultin_admins.yml | 7 +- 9 files changed, 323 insertions(+), 367 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 281e3779..0de24200 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,9 +1,11 @@ id: bf74135c-18e8-4a72-a926-0e4f47888c19 title: DNS events related to mining pools description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. -reference: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: dns product: zeek diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 6a3e8a77..466ab203 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml 
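Review bot: `references: - Azure Sentinel` in zeek_dns_mining_pools.yml is a product name, not a reference a reader can follow; the Azure rules in this series link the Sentinel query file under `Detections/` directly, and this rule should cite the URL of the corresponding DNS mining-pool query the same way. The rule also still has no `status:` line while the other new rules declare `status: experimental`.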
@@ -1,10 +1,11 @@ id: a8322756-015c-42e7-afb1-436e85ed3ff5 title: DNS tor proxies -description: | - 'Identifies IPs performing DNS lookups associated with common Tor proxies.' -reference: Azure Sentinel +description: Identifies IPs performing DNS lookups associated with common Tor proxies. +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: dns product: zeek diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml index 2c17f38b..775ec871 100644 --- a/rules/web/xss_keywords.yml +++ b/rules/web/xss_keywords.yml @@ -1,9 +1,9 @@ title: Detect XSS Attempts by keywords -id: 553a450b8-604d-41a9-8587-a28334aaddfb +id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 status: experimental description: Detects XSS that use GET requests by keyword searches in URL strings author: Saw Win Naung -date: 2020/02/22 +date: 2021/08/15 logsource: category: webserver detection: diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index 2746bf8f..176d64bd 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml @@ -1,7 +1,9 @@ -title: Process execution anomaly +title: Process Execution Anomaly id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' -references: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: product: windows diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index ac7e1691..0fdbdd54 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml 
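Review bot: In the xss_keywords.yml hunk the `date` field is changed from `2020/02/22` to `2021/08/15`; in Sigma `date` is the rule's creation date, so an edit should keep `date: 2020/02/22` and add `modified: 2021/08/15` instead. Regenerating the `id` is justified here because the old value `553a450b8-604d-...` has a nine-character first group and is not a valid UUID, but it deserves a line in the commit message since any consumer keying on the old id loses the rule. The other rules in this commit gain `date: 2021/08/15` where they had no date at all, which is fine.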
@@ -1,16 +1,16 @@ id: a122ac13-daf8-4175-83a2-72c387be339d title: Security Event log cleared status: experimental -description: | - 'Checks for event id 1102 which indicates the security event log was cleared.' -reference: Azure Sentinel +description: Checks for event id 1102 which indicates the security event log was cleared. +references: + - Azure Sentinel +date: 2021/08/15 author: Saw Winn Naung -severity: medium +level: medium logsource: service: security product: windows tags: - - attack.t1107 detection: selection: diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index e4883f3e..8aa638ef 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,7 +1,9 @@ title: Powershell Empire cmdlets seen in command line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -references: Azure Sentinel +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: product: windows 
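Review bot: In the win_event_log_cleared.yml hunk the deprecated `- attack.t1107` entry is removed but the `tags:` key is left with no items, which YAML parses as null rather than an empty list and the repository's rule tests may reject. Clearing the Security log is a defense-evasion technique, so the key should carry the current identifiers rather than be left empty: `tags:` / `- attack.defense_evasion` / `- attack.t1070.001`. If the intent was to drop the tags entirely, delete the `tags:` line as well.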
@@ -15,347 +17,292 @@ detection:
 CommandLine|contains: ' -encodedCommand'
 selection2:
 CommandLine:
- - 'SetDelay'
- - 'GetDelay'
- - 'Set-LostLimit'
- - 'Get-LostLimit'
- - 'Set-Killdate'
- - 'Get-Killdate'
- - 'Set-WorkingHours'
- - 'Get-WorkingHours'
- - 'Get-Sysinfo'
- - 'Add-Servers'
- - 'Invoke-ShellCommand'
- - 'Start-AgentJob'
- - 'Update-Profile'
- - 'Get-FilePart'
- - 'Encrypt-Bytes'
- - 'Decrypt-Bytes'
- - 'Encode-Packet'
- - 'Decode-Packet'
- - 'Send-Message'
- - 'Process-Packet'
- - 'Process-Tasking'
- - 'Get-Task'
- - 'Start-Negotiate'
- - 'Invoke-DllInjection'
- - 'Invoke-ReflectivePEInjection'
- - 'Invoke-Shellcode'
- - 'Invoke-ShellcodeMSIL'
- - 'Get-ChromeDump'
- - 'Get-ClipboardContents'
- - 'Get-IndexedItem'
- - 'Get-Keystrokes'
- - 'Invoke-Inveigh'
- - 'Invoke-NetRipper'
- - 'local:Invoke-PatchDll'
- - 'Invoke-NinjaCopy'
- - 'Get-Win32Types'
- - 'Get-Win32Constants'
- - 'Get-Win32Functions'
- - 'Sub-SignedIntAsUnsigned'
- - 'Add-SignedIntAsUnsigned'
- - 'Compare-Val1GreaterThanVal2AsUInt'
- - 'Convert-UIntToInt'
- - 'Test-MemoryRangeValid'
- - 'Write-BytesToMemory'
- - 'Get-DelegateType'
- - 'Get-ProcAddress'
- - 'Enable-SeDebugPrivilege'
- - 'Invoke-CreateRemoteThread'
- - 'Get-ImageNtHeaders'
- - 'Get-PEBasicInfo'
- - 'Get-PEDetailedInfo'
- - 'Import-DllInRemoteProcess'
- - 'Get-RemoteProcAddress'
- - 'Copy-Sections'
- - 'Update-MemoryAddresses'
- - 'Import-DllImports'
- - 'Get-VirtualProtectValue'
- - 'Update-MemoryProtectionFlags'
- - 'Update-ExeFunctions'
- - 'Copy-ArrayOfMemAddresses'
- - 'Get-MemoryProcAddress'
- - 'Invoke-MemoryLoadLibrary'
- - 'Invoke-MemoryFreeLibrary'
- - 'Out-Minidump'
- - 'Get-VaultCredential'
- - 'Invoke-DCSync'
- - 'Translate-Name'
- - 'Get-NetDomain'
- - 'Get-NetForest'
- - 'Get-NetForestDomain'
- - 'Get-DomainSearcher'
- - 'Get-NetComputer'
- - 'Get-NetGroupMember'
- - 'Get-NetUser'
- - 'Invoke-Mimikatz'
- - 'Invoke-PowerDump'
- - 'Invoke-TokenManipulation'
- - 'Exploit-JMXConsole'
- - 'Exploit-JBoss'
- - 'Invoke-Thunderstruck'
- - 'Invoke-VoiceTroll'
- - 'Set-WallPaper'
- - 'Invoke-PsExec'
- - 'Invoke-SSHCommand'
- - 'Invoke-PSInject'
- - 'Invoke-RunAs'
- - 'Invoke-SendMail'
- - 'Invoke-Rule'
- - 'Get-OSVersion'
- - 'Select-EmailItem'
- - 'View-Email'
- - 'Get-OutlookFolder'
- - 'Get-EmailItems'
- - 'Invoke-MailSearch'
- - 'Get-SubFolders'
- - 'Get-GlobalAddressList'
- - 'Invoke-SearchGAL'
- - 'Get-SMTPAddress'
- - 'Disable-SecuritySettings'
- - 'Reset-SecuritySettings'
- - 'Get-OutlookInstance'
- - 'New-HoneyHash'
- - 'Set-MacAttribute'
- - 'Invoke-PatchDll'
- - 'Get-SecurityPackages'
- - 'Install-SSP'
- - 'Invoke-BackdoorLNK'
- - 'New-ElevatedPersistenceOption'
- - 'New-UserPersistenceOption'
- - 'Add-Persistence'
- - 'Invoke-CallbackIEX'
- - 'Add-PSFirewallRules'
- - 'Invoke-EventLoop'
- - 'Invoke-PortBind'
- - 'Invoke-DNSLoop'
- - 'Invoke-PacketKnock'
- - 'Invoke-CallbackLoop'
- - 'Invoke-BypassUAC'
- - 'Get-DecryptedCpassword'
- - 'Get-GPPInnerFields'
- - 'Invoke-WScriptBypassUAC'
- - 'Get-ModifiableFile'
- - 'Get-ServiceUnquoted'
- - 'Get-ServiceFilePermission'
- - 'Get-ServicePermission'
- - 'Invoke-ServiceUserAdd'
- - 'Invoke-ServiceCMD'
- - 'Write-UserAddServiceBinary'
- - 'Write-CMDServiceBinary'
- - 'Write-ServiceEXE'
- - 'Write-ServiceEXECMD'
- - 'Restore-ServiceEXE'
- - 'Invoke-ServiceStart'
- - 'Invoke-ServiceStop'
- - 'Invoke-ServiceEnable'
- - 'Invoke-ServiceDisable'
- - 'Get-ServiceDetail'
- - 'Find-DLLHijack'
- - 'Find-PathHijack'
- - 'Write-HijackDll'
- - 'Get-RegAlwaysInstallElevated'
- - 'Get-RegAutoLogon'
- - 'Get-VulnAutoRun'
- - 'Get-VulnSchTask'
- - 'Get-UnattendedInstallFile'
- - 'Get-Webconfig'
- - 'Get-ApplicationHost'
- - 'Write-UserAddMSI'
- - 'Invoke-AllChecks'
- - 'Invoke-ThreadedFunction'
- - 'Test-Login'
- - 'Get-UserAgent'
- - 'Test-Password'
- - 'Get-ComputerDetails'
- - 'Find-4648Logons'
- - 'Find-4624Logons'
- - 'Find-AppLockerLogs'
- - 'Find-PSScriptsInPSAppLog'
- - 'Find-RDPClientConnections'
- - 'Get-SystemDNSServer'
- - 'Invoke-Paranoia'
- - 'Invoke-WinEnum{'
- - 'Get-SPN'
- - 'Invoke-ARPScan'
- - 'Invoke-Portscan'
- - 'Invoke-ReverseDNSLookup'
- - 'Invoke-SMBScanner'
- - 'New-InMemoryModule'
- - 'Add-Win32Type'
- - 'Export-PowerViewCSV'
- - 'Get-MacAttribute'
- - 'Copy-ClonedFile'
- - 'Get-IPAddress'
- - 'Convert-NameToSid'
- - 'Convert-SidToName'
- - 'Convert-NT4toCanonical'
- - 'Get-Proxy'
- - 'Get-PathAcl'
- - 'Get-NameField'
- - 'Convert-LDAPProperty'
- - 'Get-NetDomainController'
- - 'Add-NetUser'
- - 'Add-NetGroupUser'
- - 'Get-UserProperty'
- - 'Find-UserField'
- - 'Get-UserEvent'
- - 'Get-ObjectAcl'
- - 'Add-ObjectAcl'
- - 'Invoke-ACLScanner'
- - 'Get-GUIDMap'
- - 'Get-ADObject'
- - 'Set-ADObject'
- - 'Get-ComputerProperty'
- - 'Find-ComputerField'
- - 'Get-NetOU'
- - 'Get-NetSite'
- - 'Get-NetSubnet'
- - 'Get-DomainSID'
- - 'Get-NetGroup'
- - 'Get-NetFileServer'
- - 'SplitPath'
- - 'Get-DFSshare'
- - 'Get-DFSshareV1'
- - 'Get-DFSshareV2'
- - 'Get-GptTmpl'
- - 'Get-GroupsXML'
- - 'Get-NetGPO'
- - 'Get-NetGPOGroup'
- - 'Find-GPOLocation'
- - 'Find-GPOComputerAdmin'
- - 'Get-DomainPolicy'
- - 'Get-NetLocalGroup'
- - 'Get-NetShare'
- - 'Get-NetLoggedon'
- - 'Get-NetSession'
- - 'Get-NetRDPSession'
- - 'Invoke-CheckLocalAdminAccess'
- - 'Get-LastLoggedOn'
- - 'Get-NetProcess'
- - 'Find-InterestingFile'
- - 'Invoke-CheckWrite'
- - 'Invoke-UserHunter'
- - 'Invoke-StealthUserHunter'
- - 'Invoke-ProcessHunter'
- - 'Invoke-EventHunter'
- - 'Invoke-ShareFinder'
- - 'Invoke-FileFinder'
- - 'Find-LocalAdminAccess'
- - 'Get-ExploitableSystem'
- - 'Invoke-EnumerateLocalAdmin'
- - 'Get-NetDomainTrust'
- - 'Get-NetForestTrust'
- - 'Find-ForeignUser'
- - 'Find-ForeignGroup'
- - 'Invoke-MapDomainTrust'
- - 'Get-Hex'
- - 'Create-RemoteThread'
- - 'Get-FoxDump'
- - 'Decrypt-CipherText'
- - 'Get-Screenshot'
- - 'Start-HTTP-Server'
- - 'Local:Invoke-CreateRemoteThread'
- - 'Local:Get-Win32Functions'
- - 'Local:Inject-NetRipper'
- - 'GetCommandLine'
- - 'ElevatePrivs'
- - 'Get-RegKeyClass'
- - 'Get-BootKey'
- - 'Get-HBootKey'
- - 'Get-UserName'
- - 'Get-UserHashes'
- - 'DecryptHashes'
- - 'DecryptSingleHash'
- - 'Get-UserKeys'
- - 'DumpHashes'
- - 'Enable-SeAssignPrimaryTokenPrivilege'
- - 'Enable-Privilege'
- - 'Set-DesktopACLs'
- - 'Set-DesktopACLToAllowEveryone'
- - 'Get-PrimaryToken'
- - 'Get-ThreadToken'
- - 'Get-TokenInformation'
- - 'Get-UniqueTokens'
- - 'Find-GPOLocation'
- - 'Find-GPOComputerAdmin'
- - 'Get-DomainPolicy'
- - 'Get-NetLocalGroup'
- - 'Get-NetShare'
- - 'Get-NetLoggedon'
- - 'Get-NetSession'
- - 'Get-NetRDPSession'
- - 'Invoke-CheckLocalAdminAccess'
- - 'Get-LastLoggedOn'
- - 'Get-NetProcess'
- - 'Find-InterestingFile'
- - 'Invoke-CheckWrite'
- - 'Invoke-UserHunter'
- - 'Invoke-StealthUserHunter'
- - 'Invoke-ProcessHunter'
- - 'Invoke-EventHunter'
- - 'Invoke-ShareFinder'
- - 'Invoke-FileFinder'
- - 'Find-LocalAdminAccess'
- - 'Get-ExploitableSystem'
- - 'Invoke-EnumerateLocalAdmin'
- - 'Get-NetDomainTrust'
- - 'Get-NetForestTrust'
- - 'Find-ForeignUser'
- - 'Find-ForeignGroup'
- - 'Invoke-MapDomainTrust'
- - 'Get-Hex'
- - 'Create-RemoteThread'
- - 'Get-FoxDump'
- - 'Decrypt-CipherText'
- - 'Get-Screenshot'
- - 'Start-HTTP-Server'
- - 'Local:Invoke-CreateRemoteThread'
- - 'Local:Get-Win32Functions'
- - 'Local:Inject-NetRipper'
- - 'GetCommandLine'
- - 'ElevatePrivs'
- - 'Get-RegKeyClass'
- - 'Get-BootKey'
- - 'Get-HBootKey'
- - 'Get-UserName'
- - 'Get-UserHashes'
- - 'DecryptHashes'
- - 'DecryptSingleHash'
- - 'Get-UserKeys'
- - 'DumpHashes'
- - 'Enable-SeAssignPrimaryTokenPrivilege'
- - 'Enable-Privilege'
- - 'Set-DesktopACLs'
- - 'Set-DesktopACLToAllowEveryone'
- - 'Get-PrimaryToken'
- - 'Get-ThreadToken'
- - 'Get-TokenInformation'
- - 'Get-UniqueTokens'
- - 'Invoke-ImpersonateUser'
- - 'Create-ProcessWithToken'
- - 'Free-AllTokens'
- - 'Enum-AllTokens'
- - 'Invoke-RevertToSelf'
- - 'Set-Speaker(\$Volume){\$wshShell'
- - 'Local:Get-RandomString'
- - 'Local:Invoke-PsExecCmd'
- - 'Get-GPPPassword'
- - 'Local:Inject-BypassStuff'
- - 'Local:Invoke-CopyFile\(\$sSource,'
- - 'ind-Fruit'
- - 'New-IPv4Range'
- - 'New-IPv4RangeFromCIDR'
- - 'Parse-Hosts'
- - 'Parse-ILHosts'
- - 'Exclude-Hosts'
- - 'Get-TopPort'
- - 'Parse-Ports'
- - 'Parse-IpPorts'
- - 'Remove-Ports'
- - 'Write-PortscanOut'
- - 'Convert-SwitchtoBool'
- - 'Get-ForeignUser'
- - 'Get-ForeignGroup'
+ - 'SetDelay'
+ - 'GetDelay'
+ - 'Set-LostLimit'
+ - 'Get-LostLimit'
+ - 'Set-Killdate'
+ - 'Get-Killdate'
+ - 'Set-WorkingHours'
+ - 'Get-WorkingHours'
+ - 'Get-Sysinfo'
+ - 'Add-Servers'
+ - 'Invoke-ShellCommand'
+ - 'Start-AgentJob'
+ - 'Update-Profile'
+ - 'Get-FilePart'
+ - 'Encrypt-Bytes'
+ - 'Decrypt-Bytes'
+ - 'Encode-Packet'
+ - 'Decode-Packet'
+ - 'Send-Message'
+ - 'Process-Packet'
+ - 'Process-Tasking'
+ - 'Get-Task'
+ - 'Start-Negotiate'
+ - 'Invoke-DllInjection'
+ - 'Invoke-ReflectivePEInjection'
+ - 'Invoke-Shellcode'
+ - 'Invoke-ShellcodeMSIL'
+ - 'Get-ChromeDump'
+ - 'Get-ClipboardContents'
+ - 'Get-IndexedItem'
+ - 'Get-Keystrokes'
+ - 'Invoke-Inveigh'
+ - 'Invoke-NetRipper'
+ - 'local:Invoke-PatchDll'
+ - 'Invoke-NinjaCopy'
+ - 'Get-Win32Types'
+ - 'Get-Win32Constants'
+ - 'Get-Win32Functions'
+ - 'Sub-SignedIntAsUnsigned'
+ - 'Add-SignedIntAsUnsigned'
+ - 'Compare-Val1GreaterThanVal2AsUInt'
+ - 'Convert-UIntToInt'
+ - 'Test-MemoryRangeValid'
+ - 'Write-BytesToMemory'
+ - 'Get-DelegateType'
+ - 'Get-ProcAddress'
+ - 'Enable-SeDebugPrivilege'
+ - 'Invoke-CreateRemoteThread'
+ - 'Get-ImageNtHeaders'
+ - 'Get-PEBasicInfo'
+ - 'Get-PEDetailedInfo'
+ - 'Import-DllInRemoteProcess'
+ - 'Get-RemoteProcAddress'
+ - 'Copy-Sections'
+ - 'Update-MemoryAddresses'
+ - 'Import-DllImports'
+ - 'Get-VirtualProtectValue'
+ - 'Update-MemoryProtectionFlags'
+ - 'Update-ExeFunctions'
+ - 'Copy-ArrayOfMemAddresses'
+ - 'Get-MemoryProcAddress'
+ - 'Invoke-MemoryLoadLibrary'
+ - 'Invoke-MemoryFreeLibrary'
+ - 'Out-Minidump'
+ - 'Get-VaultCredential'
+ - 'Invoke-DCSync'
+ - 'Translate-Name'
+ - 'Get-NetDomain'
+ - 'Get-NetForest'
+ - 'Get-NetForestDomain'
+ - 'Get-DomainSearcher'
+ - 'Get-NetComputer'
+ - 'Get-NetGroupMember'
+ - 'Get-NetUser'
+ - 'Invoke-Mimikatz'
+ - 'Invoke-PowerDump'
+ - 'Invoke-TokenManipulation'
+ - 'Exploit-JMXConsole'
+ - 'Exploit-JBoss'
+ - 'Invoke-Thunderstruck'
+ - 'Invoke-VoiceTroll'
+ - 'Set-WallPaper'
+ - 'Invoke-PsExec'
+ - 'Invoke-SSHCommand'
+ - 'Invoke-PSInject'
+ - 'Invoke-RunAs'
+ - 'Invoke-SendMail'
+ - 'Invoke-Rule'
+ - 'Get-OSVersion'
+ - 'Select-EmailItem'
+ - 'View-Email'
+ - 'Get-OutlookFolder'
+ - 'Get-EmailItems'
+ - 'Invoke-MailSearch'
+ - 'Get-SubFolders'
+ - 'Get-GlobalAddressList'
+ - 'Invoke-SearchGAL'
+ - 'Get-SMTPAddress'
+ - 'Disable-SecuritySettings'
+ - 'Reset-SecuritySettings'
+ - 'Get-OutlookInstance'
+ - 'New-HoneyHash'
+ - 'Set-MacAttribute'
+ - 'Invoke-PatchDll'
+ - 'Get-SecurityPackages'
+ - 'Install-SSP'
+ - 'Invoke-BackdoorLNK'
+ - 'New-ElevatedPersistenceOption'
+ - 'New-UserPersistenceOption'
+ - 'Add-Persistence'
+ - 'Invoke-CallbackIEX'
+ - 'Add-PSFirewallRules'
+ - 'Invoke-EventLoop'
+ - 'Invoke-PortBind'
+ - 'Invoke-DNSLoop'
+ - 'Invoke-PacketKnock'
+ - 'Invoke-CallbackLoop'
+ - 'Invoke-BypassUAC'
+ - 'Get-DecryptedCpassword'
+ - 'Get-GPPInnerFields'
+ - 'Invoke-WScriptBypassUAC'
+ - 'Get-ModifiableFile'
+ - 'Get-ServiceUnquoted'
+ - 'Get-ServiceFilePermission'
+ - 'Get-ServicePermission'
+ - 'Invoke-ServiceUserAdd'
+ - 'Invoke-ServiceCMD'
+ - 'Write-UserAddServiceBinary'
+ - 'Write-CMDServiceBinary'
+ - 'Write-ServiceEXE'
+ - 'Write-ServiceEXECMD'
+ - 'Restore-ServiceEXE'
+ - 'Invoke-ServiceStart'
+ - 'Invoke-ServiceStop'
+ - 'Invoke-ServiceEnable'
+ - 'Invoke-ServiceDisable'
+ - 'Get-ServiceDetail'
+ - 'Find-DLLHijack'
+ - 'Find-PathHijack'
+ - 'Write-HijackDll'
+ - 'Get-RegAlwaysInstallElevated'
+ - 'Get-RegAutoLogon'
+ - 'Get-VulnAutoRun'
+ - 'Get-VulnSchTask'
+ - 'Get-UnattendedInstallFile'
+ - 'Get-Webconfig'
+ - 'Get-ApplicationHost'
+ - 'Write-UserAddMSI'
+ - 'Invoke-AllChecks'
+ - 'Invoke-ThreadedFunction'
+ - 'Test-Login'
+ - 'Get-UserAgent'
+ - 'Test-Password'
+ - 'Get-ComputerDetails'
+ - 'Find-4648Logons'
+ - 'Find-4624Logons'
+ - 'Find-AppLockerLogs'
+ - 'Find-PSScriptsInPSAppLog'
+ - 'Find-RDPClientConnections'
+ - 'Get-SystemDNSServer'
+ - 'Invoke-Paranoia'
+ - 'Invoke-WinEnum{'
+ - 'Get-SPN'
+ - 'Invoke-ARPScan'
+ - 'Invoke-Portscan'
+ - 'Invoke-ReverseDNSLookup'
+ - 'Invoke-SMBScanner'
+ - 'New-InMemoryModule'
+ - 'Add-Win32Type'
+ - 'Export-PowerViewCSV'
+ - 'Get-MacAttribute'
+ - 'Copy-ClonedFile'
+ - 'Get-IPAddress'
+ - 'Convert-NameToSid'
+ - 'Convert-SidToName'
+ - 'Convert-NT4toCanonical'
+ - 'Get-Proxy'
+ - 'Get-PathAcl'
+ - 'Get-NameField'
+ - 'Convert-LDAPProperty'
+ - 'Get-NetDomainController'
+ - 'Add-NetUser'
+ - 'Add-NetGroupUser'
+ - 'Get-UserProperty'
+ - 'Find-UserField'
+ - 'Get-UserEvent'
+ - 'Get-ObjectAcl'
+ - 'Add-ObjectAcl'
+ - 'Invoke-ACLScanner'
+ - 'Get-GUIDMap'
+ - 'Get-ADObject'
+ - 'Set-ADObject'
+ - 'Get-ComputerProperty'
+ - 'Find-ComputerField'
+ - 'Get-NetOU'
+ - 'Get-NetSite'
+ - 'Get-NetSubnet'
+ - 'Get-DomainSID'
+ - 'Get-NetGroup'
+ - 'Get-NetFileServer'
+ - 'SplitPath'
+ - 'Get-DFSshare'
+ - 'Get-DFSshareV1'
+ - 'Get-DFSshareV2'
+ - 'Get-GptTmpl'
+ - 'Get-GroupsXML'
+ - 'Get-NetGPO'
+ - 'Get-NetGPOGroup'
+ - 'Find-GPOLocation'
+ - 'Get-DomainPolicy'
+ - 'Get-NetLocalGroup'
+ - 'Get-NetShare'
+ - 'Get-NetLoggedon'
+ - 'Get-NetSession'
+ - 'Get-NetRDPSession'
+ - 'Invoke-CheckLocalAdminAccess'
+ - 'Get-LastLoggedOn'
+ - 'Get-NetProcess'
+ - 'Find-InterestingFile'
+ - 'Invoke-CheckWrite'
+ - 'Invoke-UserHunter'
+ - 'Invoke-StealthUserHunter'
+ - 'Invoke-ProcessHunter'
+ - 'Invoke-EventHunter'
+ - 'Invoke-ShareFinder'
+ - 'Invoke-FileFinder'
+ - 'Find-LocalAdminAccess'
+ - 'Get-ExploitableSystem'
+ - 'Invoke-EnumerateLocalAdmin'
+ - 'Get-NetDomainTrust'
+ - 'Get-NetForestTrust'
+ - 'Find-ForeignUser'
+ - 'Find-ForeignGroup'
+ - 'Invoke-MapDomainTrust'
+ - 'Get-Hex'
+ - 'Create-RemoteThread'
+ - 'Get-FoxDump'
+ - 'Decrypt-CipherText'
+ - 'Get-Screenshot'
+ - 'Start-HTTP-Server'
+ - 'Local:Invoke-CreateRemoteThread'
+ - 'Local:Get-Win32Functions'
+ - 'Local:Inject-NetRipper'
+ - 'GetCommandLine'
+ - 'ElevatePrivs'
+ - 'Get-RegKeyClass'
+ - 'Get-BootKey'
+ - 'Get-HBootKey'
+ - 'Get-UserName'
+ - 'Get-UserHashes'
+ - 'DecryptHashes'
+ - 'DecryptSingleHash'
+ - 'Get-UserKeys'
+ - 'DumpHashes'
+ - 'Enable-SeAssignPrimaryTokenPrivilege'
+ - 'Enable-Privilege'
+ - 'Set-DesktopACLs'
+ - 'Set-DesktopACLToAllowEveryone'
+ - 'Get-PrimaryToken'
+ - 'Get-ThreadToken'
+ - 'Get-TokenInformation'
+ - 'Get-UniqueTokens'
+ - 'Find-GPOComputerAdmin'
+ - 'Invoke-ImpersonateUser'
+ - 'Create-ProcessWithToken'
+ - 'Free-AllTokens'
+ - 'Enum-AllTokens'
+ - 'Invoke-RevertToSelf'
+ - 'Set-Speaker(\$Volume){\$wshShell'
+ - 'Local:Get-RandomString'
+ - 'Local:Invoke-PsExecCmd'
+ - 'Get-GPPPassword'
+ - 'Local:Inject-BypassStuff'
+ - 'Local:Invoke-CopyFile\(\$sSource,'
+ - 'ind-Fruit'
+ - 'New-IPv4Range'
+ - 'New-IPv4RangeFromCIDR'
+ - 'Parse-Hosts'
+ - 'Parse-ILHosts'
+ - 'Exclude-Hosts'
+ - 'Get-TopPort'
+ - 'Parse-Ports'
+ - 'Parse-IpPorts'
+ - 'Remove-Ports'
+ - 'Write-PortscanOut'
+ - 'Convert-SwitchtoBool'
+ - 'Get-ForeignUser'
+ - 'Get-ForeignGroup'
 condition: selection1 or selection2
\ No newline at end of file
diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml
index e3fe87b9..daf67003 100644
--- a/rules/windows/builtin/win_user_acc_added_removed.yml
+++ b/rules/windows/builtin/win_user_acc_added_removed.yml
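Review bot: The rebuilt `selection2` keeps `CommandLine:` with no `|contains` modifier, so every entry is an exact match against the whole command line and a value such as `'Invoke-Mimikatz'` only fires when the entire command line equals that string; the field should be `CommandLine|contains:` (the old list had the same defect, but this commit rewrites every line of it and is the place to fix it). Several entries are fragments carried over from a regex-style source query and are not meaningful as Sigma plain strings: `'Set-Speaker(\$Volume){\$wshShell'`, `'Local:Invoke-CopyFile\(\$sSource,'`, `'Invoke-WinEnum{'` and the truncated `'ind-Fruit'`, which presumably should be `'Find-Fruit'`. The deduplication of the repeated `Find-GPOLocation` … `Get-UniqueTokens` block is correct. Separately, the `selection1` context line matches any ` -encodedCommand`, so `selection1 or selection2` fires on every encoded PowerShell invocation regardless of Empire; that predates this commit but is worth a `falsepositives` entry or a tighter condition.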
@@ -1,7 +1,9 @@ title: Account added and removed from privileged groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 -description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' -references: Azure Sentinel +description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. +references: + - Azure Sentinel +date: 2021/08/15 level: low logsource: service: Security diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index a6cd343c..7751dd33 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -1,8 +1,9 @@ title: User account enabled and disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e -description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and - an adversary attempting to hide in the noise.' -references: Azure Sentinel +description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. +references: + - Azure Sentinel +date: 2021/08/15 level: medium logsource: service: Security diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 639debc5..264ac030 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml 
@@ -1,8 +1,9 @@ title: New user created and added to the built-in administrators group id: aa1eff90-29d4-49dc-a3ea-b65199f516db -description: 'Identifies when a user account was created and then added to the builtin Administrators group. - This should be monitored closely and all additions reviewed.' -references: Azure Sentinel +description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. +references: + - Azure Sentinel +date: 2021/08/15 level: low logsource: service: Security From c3457c9911691314ca348dfc264fe7682418abd0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:05:00 +0200 Subject: [PATCH 007/108] fix titles --- .../azure/azure_creating_number_of_resources_detection.yml | 2 +- rules/cloud/azure/azure_granting_permission_detection.yml | 2 +- rules/network/zeek/zeek_dns_mining_pools.yml | 2 +- rules/network/zeek/zeek_dns_torproxy.yml | 2 +- rules/web/sql_injection_keywords.yml | 2 +- rules/web/xss_keywords.yml | 2 +- rules/windows/builtin/win_event_log_cleared.yml | 2 +- rules/windows/builtin/win_powershelll_empire.yml | 2 +- rules/windows/builtin/win_user_acc_added_removed.yml | 2 +- rules/windows/builtin/win_user_acc_enabled_disabled.yml | 2 +- .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml index d1a60829..74041d51 100644 --- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml +++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml @@ -1,4 +1,4 @@ -title: number of resource creation or deployment activities +title: Number Of Resource Creation Or Deployment Activities id: d2d901db-7a75-45a1-bc39-0cbf00812192 status: experimental author: sawwinnnaung 
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml index cf644a6b..1a93acee 100644 --- a/rules/cloud/azure/azure_granting_permission_detection.yml +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -1,4 +1,4 @@ -title: Granting of permissions to an account +title: Granting Of Permissions To An Account id: a622fcd2-4b5a-436a-b8a2-a4171161833c status: experimental author: sawwinnnaung diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 0de24200..c6b4cde5 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,5 +1,5 @@ +title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 -title: DNS events related to mining pools description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. references: - Azure Sentinel diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 466ab203..b3f89c18 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -1,5 +1,5 @@ +title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 -title: DNS tor proxies description: Identifies IPs performing DNS lookups associated with common Tor proxies. references: - Azure Sentinel diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml index f1dd7972..f3d8985f 100644 --- a/rules/web/sql_injection_keywords.yml +++ b/rules/web/sql_injection_keywords.yml @@ -1,4 +1,4 @@ -title: Detect sql injection by keywords +title: Detect Sql Injection By Keywords id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 status: experimental description: Detects sql injection that use GET requests by keyword searches in URL strings 
diff --git a/rules/web/xss_keywords.yml b/rules/web/xss_keywords.yml index 775ec871..c5d1470f 100644 --- a/rules/web/xss_keywords.yml +++ b/rules/web/xss_keywords.yml @@ -1,4 +1,4 @@ -title: Detect XSS Attempts by keywords +title: Detect XSS Attempts By Keywords id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 status: experimental description: Detects XSS that use GET requests by keyword searches in URL strings diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 0fdbdd54..f8c56070 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -1,5 +1,5 @@ +title: Security Event Log Cleared id: a122ac13-daf8-4175-83a2-72c387be339d -title: Security Event log cleared status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. references: diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml index 8aa638ef..6dc937fe 100644 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ b/rules/windows/builtin/win_powershelll_empire.yml @@ -1,4 +1,4 @@ -title: Powershell Empire cmdlets seen in command line +title: Powershell Empire Cmdlets Seen In Command Line id: ef88eb96-861c-43a0-ab16-f3835a97c928 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. references: diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml index daf67003..f8ee4d37 100644 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ b/rules/windows/builtin/win_user_acc_added_removed.yml 
@@ -1,4 +1,4 @@ -title: Account added and removed from privileged groups +title: Account Added And Removed From Privileged Groups id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. references: diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml index 7751dd33..72857cbc 100644 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml @@ -1,4 +1,4 @@ -title: User account enabled and disabled +title: User Account Enabled And Disabled id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. references: diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 264ac030..3eb3c977 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -1,4 +1,4 @@ -title: New user created and added to the built-in administrators group +title: New Uer Created And Added To The Built-in Administrators Group id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. references: From 0de1949c59750c626cf1f3e6950c13479ac99b2e Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:11:43 +0200 Subject: [PATCH 008/108] fix azure_rare_operations.yml --- rules/cloud/azure/azure_rare_operations.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
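Review bot: The new title in the win_user_created_added_to_bultin_admins.yml hunk introduces a typo: `title: New Uer Created And Added To The Built-in Administrators Group` should read `title: New User Created And Added To The Built-in Administrators Group`. The title is what analysts see in alert names, so it is worth fixing before this lands.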
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml index caa65c03..1796dd12 100644 --- a/rules/cloud/azure/azure_rare_operations.yml +++ b/rules/cloud/azure/azure_rare_operations.yml @@ -1,4 +1,4 @@ -title: Rare subscription-level operations in Azure +title: Rare Subscription-level Operations In Azure id: c1182e02-49a3-481c-b3de-0fadc4091488 status: experimental author: sawwinnnaung @@ -9,14 +9,14 @@ references: logsource: service: AzureActivity detection: - keywords: -Microsoft.DocumentDB/databaseAccounts/listKeys/action + keywords: + -Microsoft.DocumentDB/databaseAccounts/listKeys/action -Microsoft.Maps/accounts/listKeys/action -Microsoft.Media/mediaservices/listKeys/action -Microsoft.CognitiveServices/accounts/listKeys/action -Microsoft.Storage/storageAccounts/listKeys/action -Microsoft.Compute/snapshots/write -Microsoft.Network/networkSecurityGroups/write - condition: keywords level: medium falsepositives: From 050fb2b77df50a1bd8294890b253fe0897d5148a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 15 Aug 2021 19:17:56 +0200 Subject: [PATCH 009/108] fix more errors --- .../azure/azure_granting_permission_detection.yml | 1 - rules/cloud/azure/azure_rare_operations.yml | 14 +++++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml index 1a93acee..2cfb1fe8 100644 --- a/rules/cloud/azure/azure_granting_permission_detection.yml +++ b/rules/cloud/azure/azure_granting_permission_detection.yml @@ -11,7 +11,6 @@ logsource: detection: keywords: - Microsoft.Authorization/roleAssignments/write - condition: keywords level: medium falsepositives: diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml index 1796dd12..49ae1bb7 100644 --- a/rules/cloud/azure/azure_rare_operations.yml +++ b/rules/cloud/azure/azure_rare_operations.yml 
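Review bot: In the azure_granting_permission_detection.yml hunk the single deleted line appears to be `condition: keywords`, which would leave the rule with a `detection` block but nothing to evaluate. If that line was previously a stray list item under `keywords:`, the fix is to re-indent it as a sibling of `keywords:` rather than delete it: `detection:` / `keywords:` / `- Microsoft.Authorization/roleAssignments/write` / `condition: keywords`. The collapsed rendering of this page makes the side of that line hard to read, so please verify against the file itself.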
@@ -10,13 +10,13 @@ logsource: service: AzureActivity detection: keywords: - -Microsoft.DocumentDB/databaseAccounts/listKeys/action - -Microsoft.Maps/accounts/listKeys/action - -Microsoft.Media/mediaservices/listKeys/action - -Microsoft.CognitiveServices/accounts/listKeys/action - -Microsoft.Storage/storageAccounts/listKeys/action - -Microsoft.Compute/snapshots/write - -Microsoft.Network/networkSecurityGroups/write + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write condition: keywords level: medium falsepositives: From 40018eef7f102e85ce4788a3540b07806d70c2c1 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:44:01 +0200 Subject: [PATCH 010/108] edit help + case where 'select=' --- tools/sigma/backends/sql.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index cd0b8647..18f8ab30 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
@@ -45,19 +45,21 @@ class SQLBackend(SingleTextQueryBackend): mapLength = "(%s %s)" options = SingleTextQueryBackend.options + ( - ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ("table", "eventlog", "Use this option to specify table name.", None), + ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) + if "table" in options: self.table = options["table"] else: self.table = "eventlog" - if "select" in options: + if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: self.select_fields = list() From 16269c0d6388b15f72cf5ca416496a66199a22e5 Mon Sep 17 00:00:00 2001 From: Theo Guidoux Date: Mon, 16 Aug 2021 10:47:05 +0200 Subject: [PATCH 011/108] cleaner default value handling --- tools/sigma/backends/sql.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 18f8ab30..31afbb58 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -48,7 +48,6 @@ class SQLBackend(SingleTextQueryBackend): ("table", "eventlog", "Use this option to specify table name.", None), ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None), ) - def __init__(self, sigmaconfig, options): @@ -62,7 +61,7 @@ class SQLBackend(SingleTextQueryBackend): if "select" in options and options["select"]: self.select_fields = options["select"].split(',') else: - self.select_fields = list() + self.select_fields = list("*") def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] 
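Review bot: `options["select"].split(',')` keeps the whitespace around each name, so `select=a, b` yields a field named `' b'` that is later joined verbatim into the SELECT list; use `self.select_fields = [f.strip() for f in options["select"].split(',') if f.strip()]`. The `else: self.table = "eventlog"` fallback now duplicates the default declared in the options tuple a few lines above; whether the base class copies declared defaults into `options` is not visible here, but either way the literal should live in one place. Neither `table` nor the selected names are validated, so whatever is passed on the command line lands in the generated SQL as-is; that is acceptable for operator input but deserves a one-line comment saying so.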
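Review bot: `self.select_fields = list("*")` only works because the string is one character long; `list()` splits a string into its characters, so a future default such as `"id,ts"` would silently become `['i', 'd', ',', 't', 's']`. The intent, given the `", ".join(self.select_fields)` in the next hunk, is a one-element list, so write `self.select_fields = ["*"]`.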
@@ -197,10 +196,7 @@ class SQLBackend(SingleTextQueryBackend):
 if self._recursiveFtsSearch(parsed.parsedSearch):
 raise NotImplementedError("FullTextSearch not implemented for SQL Backend.")
 result = self.generateNode(parsed.parsedSearch)
- select = "*"
-
- if self.select_fields:
- select = ", ".join(self.select_fields)
+ select = ", ".join(self.select_fields)
 if parsed.parsedAgg:
 #Handle aggregation
From c1876b9ff68af739f55889f09e1cadcedf982c1b Mon Sep 17 00:00:00 2001
From: Theo Guidoux
Date: Mon, 16 Aug 2021 13:33:43 +0200
Subject: [PATCH 012/108] add fields from rules to query + sqlite
---
 tools/sigma/backends/sql.py | 60 +++++++++++++++++++++++++++++++---
 tools/sigma/backends/sqlite.py | 15 +++------
 2 files changed, 61 insertions(+), 14 deletions(-)
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index 31afbb58..f18cac2f 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
@@ -21,7 +21,6 @@ import sigma
 from sigma.backends.base import SingleTextQueryBackend
 from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT
 from sigma.parser.exceptions import SigmaParseError
-
 class SQLBackend(SingleTextQueryBackend):
 """Converts Sigma rule into SQL query"""
 identifier = "sql"
@@ -61,7 +60,7 @@ class SQLBackend(SingleTextQueryBackend):
 if "select" in options and options["select"]:
 self.select_fields = options["select"].split(',')
 else:
- self.select_fields = list("*")
+ self.select_fields = list()
 def generateANDNode(self, node):
 generated = [ self.generateNode(val) for val in node ]
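Review bot: `select = ", ".join(self.select_fields)` emits `SELECT  FROM ...` whenever `select_fields` is empty; the hunk relies on the constructor's `list("*")` default to rule that out, but that invariant lives in another method and the very next commit in this series changes the default back to `list()`. Making the join self-sufficient, `select = ", ".join(self.select_fields) or "*"`, keeps the generated statement well-formed regardless of how the list was populated. The enclosing `generateQuery` starts before this hunk.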
@@ -142,6 +141,47 @@ class SQLBackend(SingleTextQueryBackend):
 """
 return fieldname
+ def generate(self, sigmaparser):
+ """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
+ fields = list()
+
+ # First add fields specified in the rule
+ try:
+ for field in sigmaparser.parsedyaml["fields"]:
+ mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser)
+ if type(mapped) == str:
+ fields.append(mapped)
+ elif type(mapped) == list:
+ fields.extend(mapped)
+ else:
+ raise TypeError("Field mapping must return string or list")
+
+ except KeyError: # no 'fields' attribute
+ pass
+
+ # Then add fields specified in the backend configuration
+ fields.extend(self.select_fields)
+
+ # Finally, in case fields is empty, add the default value
+ if not fields:
+ fields = list("*")
+
+ for parsed in sigmaparser.condparsed:
+ #query = self.generateQuery(parsed)
+ query = self._generateQueryWithFields(parsed, fields)
+ before = self.generateBefore(parsed)
+ after = self.generateAfter(parsed)
+
+ result = ""
+ if before is not None:
+ result = before
+ if query is not None:
+ result += query
+ if after is not None:
+ result += after
+
+ return result
+
 def cleanValue(self, val):
 if not isinstance(val, str):
 return str(val)
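Review bot: The `except KeyError: pass` in the new `generate()` wraps the whole field-mapping loop rather than just the `parsedyaml["fields"]` lookup, so a KeyError raised inside `get_fieldmapping()` or `resolve_fieldname()` is silently treated as "rule has no fields" and the query is built without them. Read the list outside the handler, `rule_fields = sigmaparser.parsedyaml.get("fields", [])`, and leave the loop unguarded so mapping errors surface. `type(mapped) == str` and `type(mapped) == list` should be `isinstance` checks, and the commented-out `#query = self.generateQuery(parsed)` line is dead code that should not be committed.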
@@ -191,12 +231,24 @@ class SQLBackend(SingleTextQueryBackend):
 return temp_table, agg_condition
 raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans))
-
+
 def generateQuery(self, parsed):
+ return self._generateQueryWithFields(parsed, list("*"))
+
+ def checkFTS(self, parsed, result):
 if self._recursiveFtsSearch(parsed.parsedSearch):
 raise NotImplementedError("FullTextSearch not implemented for SQL Backend.")
+
+ def _generateQueryWithFields(self, parsed, fields):
+ """
+ Return a SQL query with fields specified.
+ """
+ result = self.generateNode(parsed.parsedSearch)
- select = ", ".join(self.select_fields)
+
+ self.checkFTS(parsed, result)
+
+ select = ", ".join(fields)
 if parsed.parsedAgg:
 #Handle aggregation
diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py
index 8eec13ea..1f7e4e7e 100644
--- a/tools/sigma/backends/sqlite.py
+++ b/tools/sigma/backends/sqlite.py
@@ -18,7 +18,6 @@ from sigma.backends.sql import SQLBackend
 from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT
 import re
-
 class SQLiteBackend(SQLBackend):
 """Converts Sigma rule into SQL query for SQLite"""
 identifier = "sqlite"
@@ -26,6 +25,8 @@ class SQLiteBackend(SQLBackend):
 mapFullTextSearch = "%s MATCH ('\"%s\"')"
+ countFTS = 0
+
 def __init__(self, sigmaconfig, table):
 super().__init__(sigmaconfig, table)
 self.mappingItem = False
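Review bot: `select = ", ".join(fields)` in `_generateQueryWithFields` places identifiers taken from the rule's `fields:` list and from `--backend-option select=` into the statement verbatim; values go through `cleanValue`, but identifiers get neither quoting nor validation, so a field name containing a comma, quote or other SQL metacharacters produces a malformed or altered query. Validate each entry against an identifier pattern before the join, for example `re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*|\*", f)`, and raise a clear error otherwise (or quote per dialect). `checkFTS(self, parsed, result)` ignores `result` in this base implementation; a one-line docstring saying the parameter exists for subclass overrides (the SQLite one uses it) would explain the signature. The `_generateQueryWithFields` body continues past the end of this hunk.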
@@ -108,16 +109,10 @@ class SQLiteBackend(SQLBackend):
 return self.generateFTS(self.cleanValue(str(node)))
 def generateQuery(self, parsed):
- self.countFTS = 0
- result = self.generateNode(parsed.parsedSearch)
+ return self._generateQueryWithFields(parsed, list("*"))
+
+ def checkFTS(self, parsed, result):
 if self.countFTS > 1:
 raise NotImplementedError( "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result))
 self.countFTS = 0
-
- if parsed.parsedAgg:
- # Handle aggregation
- fro, whe = self.generateAggregation(parsed.parsedAgg, result)
- return "SELECT * FROM {} WHERE {}".format(fro, whe)
-
- return "SELECT * FROM {} WHERE {}".format(self.table, result)
From 06840be3e7fa65d9fd12031786dbc13c70b1f41d Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 16 Aug 2021 18:46:25 +0200
Subject: [PATCH 013/108] fix author
---
 rules/windows/builtin/win_anomaly_process_execution.yml | 1 +
 rules/windows/builtin/win_powershelll_empire.yml | 1 +
 rules/windows/builtin/win_user_acc_added_removed.yml | 1 +
 rules/windows/builtin/win_user_acc_enabled_disabled.yml | 1 +
 .../windows/builtin/win_user_created_added_to_bultin_admins.yml | 1 +
 5 files changed, 5 insertions(+)
diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml
index 176d64bd..c49f18c2 100644
--- a/rules/windows/builtin/win_anomaly_process_execution.yml
+++ b/rules/windows/builtin/win_anomaly_process_execution.yml
@@ -1,6 +1,7 @@
 title: Process Execution Anomaly
 id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
+author: sawwinnnaung
 references:
 - Azure Sentinel
 date: 2021/08/15
diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml
index 6dc937fe..a765f45d 100644
--- a/rules/windows/builtin/win_powershelll_empire.yml
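Review bot: In the new SQLite `checkFTS`, the `raise` fires before `self.countFTS = 0`, so after a rejected rule the counter keeps its stale value on this backend instance; the old `generateQuery` reset it on entry, but the replacement delegates to the parent and never does, so the next rule converted by the same instance is judged against the previous rule's count. Reset first and test the captured value: `count, self.countFTS = self.countFTS, 0` followed by `if count > 1: raise NotImplementedError(...format(count, result))`. The re-added `generateQuery` here is identical to the parent's and can be dropped.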
+++ b/rules/windows/builtin/win_powershelll_empire.yml
@@ -1,6 +1,7 @@
 title: Powershell Empire Cmdlets Seen In Command Line
 id: ef88eb96-861c-43a0-ab16-f3835a97c928
 description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data.
+author: sawwinnnaung
 references:
 - Azure Sentinel
 date: 2021/08/15
diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml
index f8ee4d37..8e083b64 100644
--- a/rules/windows/builtin/win_user_acc_added_removed.yml
+++ b/rules/windows/builtin/win_user_acc_added_removed.yml
@@ -1,6 +1,7 @@
 title: Account Added And Removed From Privileged Groups
 id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
 description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.
+author: sawwinnnaung
 references:
 - Azure Sentinel
 date: 2021/08/15
diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
index 72857cbc..920efc48 100644
--- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml
+++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
@@ -1,6 +1,7 @@
 title: User Account Enabled And Disabled
 id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
 description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.
+author: sawwinnnaung
 references:
 - Azure Sentinel
 date: 2021/08/15
diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
index 3eb3c977..57bb606c 100644
--- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
+++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml
@@ -1,6 +1,7 @@
 title: New Uer Created And Added To The Built-in Administrators Group
 id: aa1eff90-29d4-49dc-a3ea-b65199f516db
 description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.
+author: sawwinnnaung
 references:
 - Azure Sentinel
 date: 2021/08/15
From 2a3acd7d119f561bc9f17bac2de6bd4fc2f3ca16 Mon Sep 17 00:00:00 2001
From: Theo Guidoux
Date: Mon, 16 Aug 2021 19:32:54 +0200
Subject: [PATCH 014/108] add selection flag for backward compatibility
---
 tools/sigma/backends/sql.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index f18cac2f..b31fba2b 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
@@ -46,7 +46,10 @@ class SQLBackend(SingleTextQueryBackend):
 options = SingleTextQueryBackend.options + (
 ("table", "eventlog", "Use this option to specify table name.", None),
 ("select", "*", "Use this option to specify fields you want to select. Example: \"--backend-option select=xxx,yyy\"", None),
+ ("selection", False, "Use this option to enable fields selection from Sigma rules.", None),
 )
+
+ selection_enabled = False
 def __init__(self, sigmaconfig, options):
@@ -62,6 +65,9 @@ class SQLBackend(SingleTextQueryBackend):
 else:
 self.select_fields = list()
+ if "selection" in options:
+ self.selection_enabled = True
+
 def generateANDNode(self, node):
 generated = [ self.generateNode(val) for val in node ]
 filtered = [ g for g in generated if g is not None ]
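Review bot: `if "selection" in options:` in the second sql.py hunk enables rule-driven field selection for any value, so `--backend-option selection=false` or an empty value still turns it on; and if the option framework pre-populates declared defaults into `options` (not visible here), the key would always be present and the flag could never be off. Mirror the `select` handling just above with a truthiness test, `if "selection" in options and options["selection"]:`, and state in the option help that the value is treated as a flag. `selection_enabled` is also declared as a class attribute and then shadowed per instance; initialising it in `__init__` alongside `select_fields` keeps all per-instance state in one place.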
@@ -162,13 +168,19 @@ class SQLBackend(SingleTextQueryBackend):
 # Then add fields specified in the backend configuration
 fields.extend(self.select_fields)
+ # In case select is specified in backend option, we want to enable selection
+ if len(self.select_fields) > 0:
+ self.selection_enabled = True
+
 # Finally, in case fields is empty, add the default value
 if not fields:
 fields = list("*")
 for parsed in sigmaparser.condparsed:
- #query = self.generateQuery(parsed)
- query = self._generateQueryWithFields(parsed, fields)
+ if self.selection_enabled:
+ query = self._generateQueryWithFields(parsed, fields)
+ else:
+ query = self.generateQuery(parsed)
 before = self.generateBefore(parsed)
 after = self.generateAfter(parsed)
From b4a029ac3c40d2297abbf4d197ae2d4c368b3625 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 13:55:09 +0200
Subject: [PATCH 015/108] Add win_susp_screensaver_reg.yml
---
 .../win_susp_netsh_dll_persistence.yml | 6 +--
 .../win_susp_screensaver_reg.yml | 52 +++++++++++++++++++
 2 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 rules/windows/process_creation/win_susp_screensaver_reg.yml
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
index 20eaa79e..3ee75393 100644
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
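Review bot: `self.selection_enabled = True` is set inside `generate()` as a side effect on the backend instance, and the `if self.selection_enabled:` test sits inside the per-condition loop although nothing in the loop can change it; compute a local before the loop, `use_fields = self.selection_enabled or bool(self.select_fields)`, and branch on that so a per-rule decision does not mutate instance state. The field-mapping work above this hunk still runs when selection is disabled, so it could be skipped in that case. `generate()` starts before this hunk.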
@@ -3,12 +3,12 @@ id: 56321594-9087-49d9-bf10-524fe8479452
 description: Detects persitence via netsh helper
 status: test
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
+ - https://attack.mitre.org/software/S0108/
 tags:
- - attack.persistence
+ - attack.privilege_escalation
 - attack.t1546.007
 - attack.s0108
- - attack.t1128 # an old one
 date: 2019/10/25
 modified: 2020/08/30
 author: Victor Sergeev, oscd.community
diff --git a/rules/windows/process_creation/win_susp_screensaver_reg.yml b/rules/windows/process_creation/win_susp_screensaver_reg.yml
new file mode 100644
index 00000000..5d49d1c8
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_screensaver_reg.yml
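Review bot: The tag change replaces `attack.persistence` with `attack.privilege_escalation`, but T1546.007 (Netsh Helper DLL) is listed under both the Persistence and Privilege Escalation tactics in ATT&CK, and the rule's own description says it detects persistence, so both tags should be kept. The `modified: 2020/08/30` line is left untouched although references and tags change in this hunk; bump it to the date of this edit.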
@@ -0,0 +1,52 @@
+title: Suspicious ScreenSave Change by Reg.exe
+id: 0fc35fc3-efe6-4898-8a37-0b233339524f
+status: experimental
+author: frack113
+date: 2021/08/19
+description: |
+ Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+ Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
+ - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+tags:
+ - attack.privilege_escalation
+ - attack.t1546.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_reg:
+ Image|endswith: reg.exe
+ CommandLine|contains:
+ - 'HKEY_CURRENT_USER\Control Panel\Desktop'
+ - 'HKCU\Control Panel\Desktop'
+ selection_option_1: # /force Active ScreenSaveActive
+ CommandLine|contains|all:
+ - '/v ScreenSaveActive'
+ - '/t REG_SZ'
+ - '/d 1'
+ - '/f'
+ selection_option_2: # /force set ScreenSaveTimeout
+ CommandLine|contains|all:
+ - '/v ScreenSaveTimeout'
+ - '/t REG_SZ'
+ - '/d '
+ - '/f'
+ selection_option_3: # /force set ScreenSaverIsSecure
+ CommandLine|contains|all:
+ - '/v ScreenSaverIsSecure'
+ - '/t REG_SZ'
+ - '/d 0'
+ - '/f'
+ selection_option_4: # /force set a .scr
+ CommandLine|contains|all:
+ - '/v SCRNSAVE.EXE'
+ - '/t REG_SZ'
+ - '/d '
+ - '.scr'
+ - '/f'
+ condition: selection_reg and 1 of selection_option_*
+falsepositives:
+ - GPO
+level: medium
\ No newline at end of file
From 1266a66a8d5cb6ea745e672de6a5f8965b8571ce Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 15:37:28 +0200
Subject: [PATCH 016/108] add powershell_wmi_persistence.yml
---
 .../powershell/powershell_wmi_persistence.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_wmi_persistence.yml
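Review bot: `Image|endswith: reg.exe` matches any image whose file name merely ends in `reg.exe`; the repository convention is a leading path separator, `Image|endswith: '\reg.exe'`, so that only the binary itself matches. The description frames the behaviour as persistence and T1546.002 sits under both Persistence and Privilege Escalation in ATT&CK, yet only `attack.privilege_escalation` is tagged; add `attack.persistence`. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.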
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml
new file mode 100644
index 00000000..c5a43e78
--- /dev/null
+++ b/rules/windows/powershell/powershell_wmi_persistence.yml
@@ -0,0 +1,34 @@
+title: Powershell WMI persistence
+id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
+status: experimental
+author: frack113
+date: 2021/08/19
+description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
+ - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+tags:
+ - attack.privilege_escalation
+ - attack.t1546.003
+logsource:
+ product: windows
+ service: powershell
+ definition: EnableScriptBlockLogging must be set to enable
+detection:
+ selection_id:
+ EventID: 4104
+ selection_ioc:
+ - ScriptBlockText|contains|all:
+ - 'New-CimInstance '
+ - '-Namespace root/subscription '
+ - '-ClassName __EventFilter
+ - '-Property ' #is a variable name
+ - ScriptBlockText|contains|all:
+ - 'New-CimInstance '
+ - '-Namespace root/subscription '
+ - '-ClassName CommandLineEventConsumer '
+ - '-Property ' #is a variable name
+ condition: all all them
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
From 89b6e1108ba3abe67396b5d1b6d2de13ee8578e2 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 15:42:19 +0200
Subject: [PATCH 017/108] powershell_wmi_persistence fix errors
---
 rules/windows/powershell/powershell_wmi_persistence.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml
index c5a43e78..90559541 100644
--- a/rules/windows/powershell/powershell_wmi_persistence.yml
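Review bot: Both `selection_ioc` branches require the literal `'-Namespace root/subscription '`, but the WMI namespace is also commonly written with a backslash (`root\subscription`), and that spelling satisfies neither branch; list both forms, for example by moving the namespace test into its own selection with `ScriptBlockText|contains: ['-Namespace root/subscription ', '-Namespace root\subscription ']` and AND-ing it in the condition. `'-Property '` is likely to appear in any `New-CimInstance` call that creates an instance with properties, so it adds little discrimination on its own; the class names are what carry the signal here.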
+++ b/rules/windows/powershell/powershell_wmi_persistence.yml
@@ -21,14 +21,14 @@ detection:
 - ScriptBlockText|contains|all:
 - 'New-CimInstance '
 - '-Namespace root/subscription '
- - '-ClassName __EventFilter
+ - '-ClassName __EventFilter '
 - '-Property ' #is a variable name
 - ScriptBlockText|contains|all:
 - 'New-CimInstance '
 - '-Namespace root/subscription '
 - '-ClassName CommandLineEventConsumer '
 - '-Property ' #is a variable name
- condition: all all them
+ condition: all of them
 falsepositives:
 - Unknown
 level: medium
\ No newline at end of file
From 90c9c08743271bc8bd71b0a7872d4c71c1dc17c6 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 16:09:31 +0200
Subject: [PATCH 018/108] fix title
---
 rules/windows/powershell/powershell_wmi_persistence.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_wmi_persistence.yml
index 90559541..514bf453 100644
--- a/rules/windows/powershell/powershell_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_wmi_persistence.yml
@@ -1,4 +1,4 @@
-title: Powershell WMI persistence
+title: Powershell WMI Persistence
 id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
 status: experimental
 author: frack113
From f1a84536c3bbf95ae420cad12cbe2ae98fe6a554 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 17:55:41 +0200
Subject: [PATCH 019/108] update fix
---
 rules/network/zeek/zeek_dns_mining_pools.yml | 103 +++++++++++++-----
 rules/network/zeek/zeek_dns_torproxy.yml | 39 ++++++-
 .../builtin/win_anomaly_process_execution.yml | 8 +-
 .../windows/builtin/win_event_log_cleared.yml | 2 +-
 4 files changed, 115 insertions(+), 37 deletions(-)
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index c6b4cde5..8adfe85d 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -2,9 +2,9 @@ title: DNS Events Related To Mining Pools
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
 references:
- - Azure Sentinel
-date: 2021/08/15
-author: Saw Winn Naung
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
+date: 2021/08/19
+author: Saw Winn Naung , Azure-Sentinel
 level: medium
 logsource:
 service: dns
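Review bot: `date:` is moved from 2021/08/15 to 2021/08/19 to record this edit, but in the Sigma rule format `date` is the creation date and later edits belong in a separate `modified:` field; keep `date: 2021/08/15` and add `modified: 2021/08/19`. The author line also has a stray space before the comma: `author: Saw Winn Naung, Azure-Sentinel`.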
@@ -15,30 +15,79 @@ tags: detection: selection: query: - - 'monerohash.com' - - 'do-dear.com' - - 'xmrminerpro.com' - - 'secumine.net' - - 'xmrpool.com' - - 'minexmr.org' - - 'hashanywhere.com' - - 'xmrget.com' - - 'mininglottery.eu' - - 'minergate.com' - - 'moriaxmr.com' - - 'multipooler.com' - - 'moneropools.com' - - 'xmrpool.eu' - - 'coolmining.club' - - 'supportxmr.com' - - 'minexmr.com' - - 'coinfoundry.org' - - 'cryptoknight.cc' - - 'fairhash.org' - - 'baikalmine.com' - - 'tubepool.xyz' - - 'fairpool.xyz' - - 'asiapool.io' + - "monerohash.com" + - "do-dear.com" + - "xmrminerpro.com" + - "secumine.net" + - "xmrpool.com" + - "minexmr.org" + - "hashanywhere.com" + - "xmrget.com" + - "mininglottery.eu" + - "minergate.com" + - "moriaxmr.com" + - "multipooler.com" + - "moneropools.com" + - "xmrpool.eu" + - "coolmining.club" + - "supportxmr.com" + - "minexmr.com" + - "hashvault.pro" + - "xmrpool.net" + - "crypto-pool.fr" + - "xmr.pt" + - "miner.rocks" + - "walpool.com" + - "herominers.com" + - "gntl.co.uk" + - "semipool.com" + - "coinfoundry.org" + - "cryptoknight.cc" + - "fairhash.org" + - "baikalmine.com" + - "tubepool.xyz" + - "fairpool.xyz" + - "asiapool.io" + - "coinpoolit.webhop.me" + - "nanopool.org" + - "moneropool.com" + - "miner.center" + - "prohash.net" + - "poolto.be" + - "cryptoescrow.eu" + - "monerominers.net" + - "cryptonotepool.org" + - "extrmepool.org" + - "webcoin.me" + - "kippo.eu" + - "hashinvest.ws" + - "monero.farm" + - "supportxmr.com" + - "xmrpool.eu" + - "linux-repository-updates.com" + - "1gh.com" + - "dwarfpool.com" + - "hash-to-coins.com" + - "hashvault.pro" + - "pool-proxy.com" + - "hashfor.cash" + - "fairpool.cloud" + - "litecoinpool.org" + - "mineshaft.ml" + - "abcxyz.stream" + - "moneropool.ru" + - "cryptonotepool.org.uk" + - "extremepool.org" + - "extremehash.com" + - "hashinvest.net" + - "unipool.pro" + - "crypto-pools.org" + - "monero.net" + - "backup-pool.com" + - "mooo.com" + - "freeyy.me" + - "cryptonight.net" + - 
"shscrypto.net" condition: selection fields: - clientip diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index b3f89c18..e073a15e 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -2,9 +2,9 @@ title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 description: Identifies IPs performing DNS lookups associated with common Tor proxies. references: - - Azure Sentinel + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml date: 2021/08/15 -author: Saw Winn Naung +author: Saw Winn Naung , Azure-Sentinel level: medium logsource: service: dns @@ -14,9 +14,38 @@ tags: detection: selection: query: - - 'tor2web.*' - - 'onion.*' - - '*tor-gateways*' + - "tor2web.org" + - "tor2web.com" + - "torlink.co" + - "onion.to" + - "onion.ink" + - "onion.cab" + - "onion.nu" + - "onion.link" + - "onion.it" + - "onion.city" + - "onion.direct" + - "onion.top" + - "onion.casa" + - "onion.plus" + - "onion.rip" + - "onion.dog" + - "tor2web.fi" + - "tor2web.blutmagie.de" + - "onion.sh" + - "onion.lu" + - "onion.pet" + - "t2w.pw" + - "tor2web.ae.org" + - "tor2web.io" + - "tor2web.xyz" + - "onion.lt" + - "s1.tor-gateways.de" + - "s2.tor-gateways.de" + - "s3.tor-gateways.de" + - "s4.tor-gateways.de" + - "s5.tor-gateways.de" + - "hiddenservice.net" condition: selection fields: - clientip diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml index c49f18c2..163af479 100644 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ b/rules/windows/builtin/win_anomaly_process_execution.yml 
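Review bot: The new `query:` values are exact matches, so only a lookup for the bare apex name hits; mining pools are typically reached through regional or port-specific hostnames under those domains (a constructed example: `pool.<domain>`), which this list misses entirely. `query|endswith:` with a leading dot (`- '.supportxmr.com'`) alongside the bare names would cover both forms; if you switch, keep generic dynamic-DNS parents such as `mooo.com` and `webhop.me` on exact match, since a suffix match on them would fire on unrelated hosts. The same consideration applies to the `zeek_dns_torproxy.yml` hunk later on this line, where the previous wildcard values `tor2web.*` and `*tor-gateways*` were replaced by exact names.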
@@ -3,15 +3,15 @@ id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
 author: sawwinnnaung
 references:
- - Azure Sentinel
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml
 date: 2021/08/15
 level: medium
-logsource:
- product: windows
- category: process_creation
 tags:
 - attack.execution
 - attack.t1064
+logsource:
+ product: windows
+ category: process_creation
 detection:
 selection:
 NewProcessName|contains:
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index f8c56070..e3a88f08 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
@@ -3,7 +3,7 @@ id: a122ac13-daf8-4175-83a2-72c387be339d
 status: experimental
 description: Checks for event id 1102 which indicates the security event log was cleared.
 references:
- - Azure Sentinel
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 date: 2021/08/15
 author: Saw Winn Naung
 level: medium
From 3283664154cc1cccd63cd9e40cdf2cac9d0616a2 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 19 Aug 2021 18:28:44 +0200
Subject: [PATCH 020/108] Update remove useless rules
---
 rules/network/zeek/zeek_dns_mining_pools.yml | 3 -
 .../builtin/win_anomaly_process_execution.yml | 24 --
 .../builtin/win_powershelll_empire.yml | 309 ------------------
 3 files changed, 336 deletions(-)
 delete mode 100644 rules/windows/builtin/win_anomaly_process_execution.yml
 delete mode 100644 rules/windows/builtin/win_powershelll_empire.yml
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 8adfe85d..71003888 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -62,13 +62,10 @@ detection: - "kippo.eu" - "hashinvest.ws" - "monero.farm" - - "supportxmr.com" - - "xmrpool.eu" - "linux-repository-updates.com" - "1gh.com" - "dwarfpool.com" - "hash-to-coins.com" - - "hashvault.pro" - "pool-proxy.com" - "hashfor.cash" - "fairpool.cloud" diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml deleted file mode 100644 index 163af479..00000000 --- a/rules/windows/builtin/win_anomaly_process_execution.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Process Execution Anomaly -id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 -description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.' -author: sawwinnnaung -references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml -date: 2021/08/15 -level: medium -tags: - - attack.execution - - attack.t1064 -logsource: - product: windows - category: process_creation -detection: - selection: - NewProcessName|contains: - - 'powershell.exe' - - 'cmd.exe' - - 'wmic.exe' - - 'psexec.exe' - - 'cacls.exe' - - 'rundll.exe' - condition: selection diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml deleted file mode 100644 index a765f45d..00000000 --- a/rules/windows/builtin/win_powershelll_empire.yml +++ /dev/null 
@@ -1,309 +0,0 @@ -title: Powershell Empire Cmdlets Seen In Command Line -id: ef88eb96-861c-43a0-ab16-f3835a97c928 -description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - product: windows - category: process_creation -tags: - - attack.execution - - attack.persistence - - attack.t1208 -detection: - selection1: - CommandLine|contains: ' -encodedCommand' - selection2: - CommandLine: - - 'SetDelay' - - 'GetDelay' - - 'Set-LostLimit' - - 'Get-LostLimit' - - 'Set-Killdate' - - 'Get-Killdate' - - 'Set-WorkingHours' - - 'Get-WorkingHours' - - 'Get-Sysinfo' - - 'Add-Servers' - - 'Invoke-ShellCommand' - - 'Start-AgentJob' - - 'Update-Profile' - - 'Get-FilePart' - - 'Encrypt-Bytes' - - 'Decrypt-Bytes' - - 'Encode-Packet' - - 'Decode-Packet' - - 'Send-Message' - - 'Process-Packet' - - 'Process-Tasking' - - 'Get-Task' - - 'Start-Negotiate' - - 'Invoke-DllInjection' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-Shellcode' - - 'Invoke-ShellcodeMSIL' - - 'Get-ChromeDump' - - 'Get-ClipboardContents' - - 'Get-IndexedItem' - - 'Get-Keystrokes' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'local:Invoke-PatchDll' - - 'Invoke-NinjaCopy' - - 'Get-Win32Types' - - 'Get-Win32Constants' - - 'Get-Win32Functions' - - 'Sub-SignedIntAsUnsigned' - - 'Add-SignedIntAsUnsigned' - - 'Compare-Val1GreaterThanVal2AsUInt' - - 'Convert-UIntToInt' - - 'Test-MemoryRangeValid' - - 'Write-BytesToMemory' - - 'Get-DelegateType' - - 'Get-ProcAddress' - - 'Enable-SeDebugPrivilege' - - 'Invoke-CreateRemoteThread' - - 'Get-ImageNtHeaders' - - 'Get-PEBasicInfo' - - 'Get-PEDetailedInfo' - - 'Import-DllInRemoteProcess' - - 'Get-RemoteProcAddress' - - 'Copy-Sections' - - 'Update-MemoryAddresses' - - 'Import-DllImports' - - 'Get-VirtualProtectValue' - - 'Update-MemoryProtectionFlags' - - 'Update-ExeFunctions' - - 'Copy-ArrayOfMemAddresses' - - 'Get-MemoryProcAddress' - 
- 'Invoke-MemoryLoadLibrary' - - 'Invoke-MemoryFreeLibrary' - - 'Out-Minidump' - - 'Get-VaultCredential' - - 'Invoke-DCSync' - - 'Translate-Name' - - 'Get-NetDomain' - - 'Get-NetForest' - - 'Get-NetForestDomain' - - 'Get-DomainSearcher' - - 'Get-NetComputer' - - 'Get-NetGroupMember' - - 'Get-NetUser' - - 'Invoke-Mimikatz' - - 'Invoke-PowerDump' - - 'Invoke-TokenManipulation' - - 'Exploit-JMXConsole' - - 'Exploit-JBoss' - - 'Invoke-Thunderstruck' - - 'Invoke-VoiceTroll' - - 'Set-WallPaper' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'Invoke-SendMail' - - 'Invoke-Rule' - - 'Get-OSVersion' - - 'Select-EmailItem' - - 'View-Email' - - 'Get-OutlookFolder' - - 'Get-EmailItems' - - 'Invoke-MailSearch' - - 'Get-SubFolders' - - 'Get-GlobalAddressList' - - 'Invoke-SearchGAL' - - 'Get-SMTPAddress' - - 'Disable-SecuritySettings' - - 'Reset-SecuritySettings' - - 'Get-OutlookInstance' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-PatchDll' - - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'New-ElevatedPersistenceOption' - - 'New-UserPersistenceOption' - - 'Add-Persistence' - - 'Invoke-CallbackIEX' - - 'Add-PSFirewallRules' - - 'Invoke-EventLoop' - - 'Invoke-PortBind' - - 'Invoke-DNSLoop' - - 'Invoke-PacketKnock' - - 'Invoke-CallbackLoop' - - 'Invoke-BypassUAC' - - 'Get-DecryptedCpassword' - - 'Get-GPPInnerFields' - - 'Invoke-WScriptBypassUAC' - - 'Get-ModifiableFile' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceUserAdd' - - 'Invoke-ServiceCMD' - - 'Write-UserAddServiceBinary' - - 'Write-CMDServiceBinary' - - 'Write-ServiceEXE' - - 'Write-ServiceEXECMD' - - 'Restore-ServiceEXE' - - 'Invoke-ServiceStart' - - 'Invoke-ServiceStop' - - 'Invoke-ServiceEnable' - - 'Invoke-ServiceDisable' - - 'Get-ServiceDetail' - - 'Find-DLLHijack' - - 'Find-PathHijack' - - 'Write-HijackDll' - - 'Get-RegAlwaysInstallElevated' - - 'Get-RegAutoLogon' - - 
'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-Webconfig' - - 'Get-ApplicationHost' - - 'Write-UserAddMSI' - - 'Invoke-AllChecks' - - 'Invoke-ThreadedFunction' - - 'Test-Login' - - 'Get-UserAgent' - - 'Test-Password' - - 'Get-ComputerDetails' - - 'Find-4648Logons' - - 'Find-4624Logons' - - 'Find-AppLockerLogs' - - 'Find-PSScriptsInPSAppLog' - - 'Find-RDPClientConnections' - - 'Get-SystemDNSServer' - - 'Invoke-Paranoia' - - 'Invoke-WinEnum{' - - 'Get-SPN' - - 'Invoke-ARPScan' - - 'Invoke-Portscan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'New-InMemoryModule' - - 'Add-Win32Type' - - 'Export-PowerViewCSV' - - 'Get-MacAttribute' - - 'Copy-ClonedFile' - - 'Get-IPAddress' - - 'Convert-NameToSid' - - 'Convert-SidToName' - - 'Convert-NT4toCanonical' - - 'Get-Proxy' - - 'Get-PathAcl' - - 'Get-NameField' - - 'Convert-LDAPProperty' - - 'Get-NetDomainController' - - 'Add-NetUser' - - 'Add-NetGroupUser' - - 'Get-UserProperty' - - 'Find-UserField' - - 'Get-UserEvent' - - 'Get-ObjectAcl' - - 'Add-ObjectAcl' - - 'Invoke-ACLScanner' - - 'Get-GUIDMap' - - 'Get-ADObject' - - 'Set-ADObject' - - 'Get-ComputerProperty' - - 'Find-ComputerField' - - 'Get-NetOU' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-DomainSID' - - 'Get-NetGroup' - - 'Get-NetFileServer' - - 'SplitPath' - - 'Get-DFSshare' - - 'Get-DFSshareV1' - - 'Get-DFSshareV2' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - - 'Get-NetGPO' - - 'Get-NetGPOGroup' - - 'Find-GPOLocation' - - 'Get-DomainPolicy' - - 'Get-NetLocalGroup' - - 'Get-NetShare' - - 'Get-NetLoggedon' - - 'Get-NetSession' - - 'Get-NetRDPSession' - - 'Invoke-CheckLocalAdminAccess' - - 'Get-LastLoggedOn' - - 'Get-NetProcess' - - 'Find-InterestingFile' - - 'Invoke-CheckWrite' - - 'Invoke-UserHunter' - - 'Invoke-StealthUserHunter' - - 'Invoke-ProcessHunter' - - 'Invoke-EventHunter' - - 'Invoke-ShareFinder' - - 'Invoke-FileFinder' - - 'Find-LocalAdminAccess' - - 'Get-ExploitableSystem' - - 'Invoke-EnumerateLocalAdmin' - - 
'Get-NetDomainTrust' - - 'Get-NetForestTrust' - - 'Find-ForeignUser' - - 'Find-ForeignGroup' - - 'Invoke-MapDomainTrust' - - 'Get-Hex' - - 'Create-RemoteThread' - - 'Get-FoxDump' - - 'Decrypt-CipherText' - - 'Get-Screenshot' - - 'Start-HTTP-Server' - - 'Local:Invoke-CreateRemoteThread' - - 'Local:Get-Win32Functions' - - 'Local:Inject-NetRipper' - - 'GetCommandLine' - - 'ElevatePrivs' - - 'Get-RegKeyClass' - - 'Get-BootKey' - - 'Get-HBootKey' - - 'Get-UserName' - - 'Get-UserHashes' - - 'DecryptHashes' - - 'DecryptSingleHash' - - 'Get-UserKeys' - - 'DumpHashes' - - 'Enable-SeAssignPrimaryTokenPrivilege' - - 'Enable-Privilege' - - 'Set-DesktopACLs' - - 'Set-DesktopACLToAllowEveryone' - - 'Get-PrimaryToken' - - 'Get-ThreadToken' - - 'Get-TokenInformation' - - 'Get-UniqueTokens' - - 'Find-GPOComputerAdmin' - - 'Invoke-ImpersonateUser' - - 'Create-ProcessWithToken' - - 'Free-AllTokens' - - 'Enum-AllTokens' - - 'Invoke-RevertToSelf' - - 'Set-Speaker(\$Volume){\$wshShell' - - 'Local:Get-RandomString' - - 'Local:Invoke-PsExecCmd' - - 'Get-GPPPassword' - - 'Local:Inject-BypassStuff' - - 'Local:Invoke-CopyFile\(\$sSource,' - - 'ind-Fruit' - - 'New-IPv4Range' - - 'New-IPv4RangeFromCIDR' - - 'Parse-Hosts' - - 'Parse-ILHosts' - - 'Exclude-Hosts' - - 'Get-TopPort' - - 'Parse-Ports' - - 'Parse-IpPorts' - - 'Remove-Ports' - - 'Write-PortscanOut' - - 'Convert-SwitchtoBool' - - 'Get-ForeignUser' - - 'Get-ForeignGroup' - condition: selection1 or selection2 \ No newline at end of file From 23ad8cd14e9d0b71c1a1e45c0fb2f7c0538df534 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 19 Aug 2021 18:30:32 +0200 Subject: [PATCH 021/108] remove bad rules --- .../builtin/win_user_acc_added_removed.yml | 28 ------------------- .../builtin/win_user_acc_enabled_disabled.yml | 22 --------------- ...in_user_created_added_to_bultin_admins.yml | 23 --------------- 3 files changed, 73 deletions(-) delete mode 100644 rules/windows/builtin/win_user_acc_added_removed.yml delete mode 100644 rules/windows/builtin/win_user_acc_enabled_disabled.yml delete mode 100644 rules/windows/builtin/win_user_created_added_to_bultin_admins.yml diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml deleted file mode 100644 index 8e083b64..00000000 --- a/rules/windows/builtin/win_user_acc_added_removed.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Account Added And Removed From Privileged Groups -id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 -description: Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection1: - EventID: - - 4728 - - 4732 - - 4756 - selection2: - EventID: - - 4729 - - 4733 - - 4757 - condition: selection1 or selection2 diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml deleted file mode 100644 index 920efc48..00000000 --- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -title: User Account Enabled And Disabled -id: 3d023f64-8225-41a2-9570-2bd7c2c4535e -description: Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: medium -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4722 - - 4725 - condition: selection diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml deleted file mode 100644 index 57bb606c..00000000 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: New Uer Created And Added To The Built-in Administrators Group -id: aa1eff90-29d4-49dc-a3ea-b65199f516db -description: Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed. -author: sawwinnnaung -references: - - Azure Sentinel -date: 2021/08/15 -level: low -logsource: - service: Security - product: windows -tags: - - attack.persistence - - attack.privilege_escalation -relevantTechniques: - - attack.t1098 - - attack.t1078 -detection: - selection: - EventID: - - 4720 - - 4732 - condition: selection \ No newline at end of file From 4e895da471f221aff0ed5f94db6c622bb00634e3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 20 Aug 2021 09:20:56 +0200 Subject: [PATCH 022/108] fix error "has no len()" --- tools/sigma/backends/base.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 08d29b4b..469c0648 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
@@ -277,9 +277,10 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 
     def generateSubexpressionNode(self, node):
         generated = self.generateNode(node.items)
-        if len(node.items) == 1:
-            # A sub expression with length 1 is not a proper sub expression, no self.subExpression required
-            return generated
+        if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()"
+            if len(node.items) == 1:
+                # A sub expression with length 1 is not a proper sub expression, no self.subExpression required
+                return generated
         if generated:
             return self.subExpression % generated
         else:
From f09b3ea4b18842866b9f2e007e9340649b275730 Mon Sep 17 00:00:00 2001
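Review bot: The guard on the first added line never fires: `dir()` lists `__len__`, not `len`, so `'len' in dir(node.items)` is False for a plain list and the single-item shortcut under it is now dead code — every one-element subexpression is wrapped in `self.subExpression`, which as far as I can tell only adds redundant parentheses, but it silently drops the behaviour the comment still promises. Test the protocol instead, `if hasattr(node.items, '__len__') and len(node.items) == 1:` (or `isinstance(node.items, (list, tuple))` if a length is only meaningful for those), which also removes the missing space in `'len'in`. The TypeError the comment cites comes from a NodeSubexpression arriving as `items`; whether that node should be unwrapped before it reaches this method is worth a follow-up rather than being masked here. generateSubexpressionNode continues past the end of the hunk.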
From: Rachel Rice Date: Fri, 20 Aug 2021 13:43:00 +0100 Subject: [PATCH 023/108] Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role` --- rules/cloud/aws/aws_ec2_disable_encryption.yml | 3 +-- rules/cloud/aws/aws_ec2_download_userdata.yml | 4 ++-- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 6 ++---- rules/cloud/aws/aws_iam_backdoor_users_keys.yml | 4 ++-- rules/cloud/aws/aws_rds_change_master_password.yml | 4 ++-- rules/cloud/aws/aws_rds_public_db_restore.yml | 4 ++-- ...drole_misuse.yml => aws_sts_assumerole_misuse.yml} | 11 ++++++----- 7 files changed, 17 insertions(+), 19 deletions(-) rename rules/cloud/aws/{aws_sts_assumedrole_misuse.yml => aws_sts_assumerole_misuse.yml} (51%) diff --git a/rules/cloud/aws/aws_ec2_disable_encryption.yml b/rules/cloud/aws/aws_ec2_disable_encryption.yml index ea7330a3..e383c949 100644 --- a/rules/cloud/aws/aws_ec2_disable_encryption.yml +++ b/rules/cloud/aws/aws_ec2_disable_encryption.yml 
@@ -4,7 +4,7 @@ status: stable description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. author: Sittikorn S date: 2021/06/29 -modified: 2021/08/09 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: @@ -17,7 +17,6 @@ detection: selection: eventSource: ec2.amazonaws.com eventName: DisableEbsEncryptionByDefault - status: success condition: selection falsepositives: - System Administrator Activities diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml index 073bdf6b..be6b7438 100644 --- a/rules/cloud/aws/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws/aws_ec2_download_userdata.yml @@ -4,9 +4,9 @@ status: experimental description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index dff7a078..2fed0c66 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml 
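Review bot: Dropping `status: success` from the selection makes the rule fire on rejected calls too, since nothing left in it (`eventSource: ec2.amazonaws.com`, `eventName: DisableEbsEncryptionByDefault`) looks at CloudTrail's `errorCode`, while the description still says "Identifies disabling", which a reader will take to mean a successful change. Alerting on a denied attempt is defensible, so either keep the selection and state it in the description, e.g. `description: Identifies attempts to disable default Amazon EBS encryption in the current region, including calls rejected with an errorCode. ...`, or restore the original intent with `filter: errorCode: '*'` and `condition: selection and not filter`. Whichever is chosen, the falsepositives entry should say which case it covers.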
@@ -4,6 +4,7 @@ status: experimental description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 +modified: 2021/08/20 references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: @@ -16,10 +17,7 @@ detection: errorMessage: '*' filter2: errorCode: '*' - filter3: - eventName: 'ConsoleLogin' - responseElements|contains: 'Failure' - condition: selection and (filter1 or filter2 or filter3) + condition: selection and (filter1 or filter2) level: low tags: - attack.collection diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml index 2af725c8..7991b3ae 100644 --- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml @@ -4,9 +4,9 @@ status: experimental description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml index 4204cbaf..cfdfb70a 100644 --- a/rules/cloud/aws/aws_rds_change_master_password.yml +++ b/rules/cloud/aws/aws_rds_change_master_password.yml 
@@ -4,9 +4,9 @@ status: experimental description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml index 41497778..fdc8c19d 100644 --- a/rules/cloud/aws/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws/aws_rds_public_db_restore.yml @@ -4,9 +4,9 @@ status: experimental description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 -modified: 2021/08/09 +modified: 2021/08/20 references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py logsource: service: cloudtrail detection: diff --git a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml similarity index 51% rename from rules/cloud/aws/aws_sts_assumedrole_misuse.yml rename to rules/cloud/aws/aws_sts_assumerole_misuse.yml index 2e9d22f4..3bc5af7f 100644 --- a/rules/cloud/aws/aws_sts_assumedrole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml 
@@ -1,9 +1,10 @@ -title: AWS STS AssumedRole Misuse +title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 -description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges. +description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. author: Austin Songer @austinsonger status: experimental date: 2021/07/24 +modified: 2021/08/20 references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html @@ -12,8 +13,8 @@ logsource: detection: selection: eventSource: sts.amazonaws.com - eventName: AssumedRole - userIdentity.sessionContext: Role + eventName: AssumeRole + userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low tags: @@ -23,5 +24,5 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From f037f5b0a928bacc97ebf991e9cbbc0e47103be3 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Fri, 20 Aug 2021 15:42:49 +0100 Subject: [PATCH 024/108] Add filter3 back for vm export failure, without consolelogin Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_ec2_vm_export_failure.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
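Review bot: The new `userIdentity.sessionContext.sessionIssuer.type: Role` selection limits the rule to role chaining — an AssumeRole call issued from a session that was itself created by a role — and leaves out AssumeRole calls made by IAM users or federated identities, yet the title and description ("Identifies the suspicious use of AssumeRole") still read as if every AssumeRole were in scope. Make the description say what is actually selected, e.g. `description: Identifies AssumeRole calls made from an existing role session (role chaining), which attackers can use to move laterally or escalate privileges.`, so an analyst does not assume user-initiated role assumption is covered. With no further constraint the selection also matches every routine chained call, so a sentence in falsepositives stating that this is a low-level baseline/hunting rule rather than an alert would set expectations for the `level: low`.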
diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml index 2fed0c66..05baed24 100644 --- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml @@ -17,7 +17,9 @@ detection: errorMessage: '*' filter2: errorCode: '*' - condition: selection and (filter1 or filter2) + filter3: + responseElements|contains: 'Failure' + condition: selection and (filter1 or filter2 or filter3) level: low tags: - attack.collection From b9a355e3f428906023a78ca6678491890477d0be Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 20 Aug 2021 17:18:32 +0200 Subject: [PATCH 025/108] cleanup falsepositives --- rules/cloud/aws/aws_sts_assumerole_misuse.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index 3bc5af7f..f7464612 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml @@ -24,5 +24,6 @@ tags: - attack.t1550 - attack.t1550.001 falsepositives: - - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. From cb95582077c675b9fc47a389bb93f3cefcbd8ce8 Mon Sep 17 00:00:00 2001 
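Review bot: `filter3` is a positive match OR-ed into the condition, not an exclusion, so the `filter` name on all three selections reads backwards; Sigma's convention would be `selection_error1`/`selection_error2`/`selection_error3` so that `condition: selection and (selection_error1 or selection_error2 or selection_error3)` says what it does. The re-added `responseElements|contains: 'Failure'` will, as far as I can tell from CloudTrail's record layout, rarely catch anything `errorCode: '*'` does not, since a failed API call carries `errorCode`/`errorMessage` and typically a null `responseElements`; if there is a concrete CreateInstanceExportTask failure that is reported only through responseElements, a one-line comment naming it would justify keeping the clause.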
From: frack113 Date: Sat, 21 Aug 2021 09:08:38 +0200 Subject: [PATCH 026/108] Update PowerShell rule --- .../powershell_malicious_keywords.yml | 47 ++++++++++--------- ...wershell_nishang_malicious_commandlets.yml | 11 +++-- 2 files changed, 31 insertions(+), 27 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 03858d39..071f3725 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml 
@@ -10,33 +10,36 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: - keywords: - - "AdjustTokenPrivileges" - - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" - - "Microsoft.Win32.UnsafeNativeMethods" - - "ReadProcessMemory.Invoke" - - "SE_PRIVILEGE_ENABLED" - - "LSA_UNICODE_STRING" - - "MiniDumpWriteDump" - - "PAGE_EXECUTE_READ" - - "SECURITY_DELEGATION" - - "TOKEN_ADJUST_PRIVILEGES" - - "TOKEN_ALL_ACCESS" - - "TOKEN_ASSIGN_PRIMARY" - - "TOKEN_DUPLICATE" - - "TOKEN_ELEVATION" - - "TOKEN_IMPERSONATE" - - "TOKEN_INFORMATION_CLASS" - - "TOKEN_PRIVILEGES" - - "TOKEN_QUERY" - - "Metasploit" - - "Mimikatz" - condition: keywords + Malicious: + EventID: 4104 + ScriptBlockText|contains: + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" + condition: Malicious falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index e8a9ef6c..90b3e7a7 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml 
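Review bot: The `definition` left as context (`'It is recommended to use the new "Script Block Logging" of PowerShell v5 ...'`) no longer matches the rule: with `EventID: 4104` and `ScriptBlockText|contains` in the new `Malicious` selection, script block logging is a requirement, not a recommendation, and the nishang rule changed in this same commit already switched its definition to `Script block logging must be enabled`. Use the same wording here. The selection name `Malicious` also departs from the `selection`/`selection_*` convention most rules in this tree follow; `selection:` with `condition: selection` would read as expected.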
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 -modified: 2021/07/21 +modified: 2021/08/21 references: - https://github.com/samratashok/nishang tags: @@ -14,10 +14,11 @@ author: Alec Costello logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 + definition: Script block logging must be enabled detection: - keywords: - Payload|contains: + Nishang: + EventID: 4104 + ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions - DNS_TXT_Pwnage @@ -89,7 +90,7 @@ detection: - NotAllNameSpaces - exfill - FakeDC - condition: keywords + condition: Nishang falsepositives: - Penetration testing level: high From 6c529f7ab27c9574da2d5a50dc661714e4d03a00 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:33:52 +0200 Subject: [PATCH 027/108] Update PS rules --- .../powershell_clear_powershell_history.yml | 2 +- .../powershell/powershell_ntfs_ads_access.yml | 20 +++++++++++-------- .../powershell/powershell_powercat.yml | 1 + ...rshell_powerview_malicious_commandlets.yml | 6 +++--- .../powershell_prompt_credentials.yml | 7 +++---- .../powershell/powershell_psattack.yml | 8 ++++---- .../powershell_remote_powershell_session.yml | 1 + .../powershell/powershell_shellcode_b64.yml | 2 +- ...shell_shellintel_malicious_commandlets.yml | 5 +++-- 9 files changed, 29 insertions(+), 23 deletions(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index e937037d..ff01b153 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
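Review bot: Replacing `Payload|contains` with `EventID: 4104` plus `ScriptBlockText|contains` switches the rule's data source from module logging (4103, where cmdlet names surface in `Payload`) to script block logging, so a host that only ships 4103 stops matching, and the commit does not say this change of coverage is intended. If both sources are meant to be supported, add a second selection, `selection_4103:` with `EventID: 4103` and `Payload|contains:` over the same list, and use `condition: 1 of selection*` — at the cost of duplicating the list, which Sigma gives no way to share. If 4103 is intentionally dropped, the new `definition: Script block logging must be enabled` is the right statement of the dependency and the commit message should say so.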
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 9ee13a9f..0d38b0d7 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -13,18 +13,22 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2020/08/24 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: - keyword1: - - "set-content" - - "add-content" - keyword2: - - "-stream" - condition: keyword1 and keyword2 + event: + EventID: 4104 + content: + ScriptBlockText|contains: + - "set-content" + - "add-content" + stream: + ScriptBlockText|contains: + - "-stream" + condition: all of them falsepositives: - unknown level: high diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index 553a8059..c4c5cb0c 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -31,6 +31,7 @@ detection: logsource: product: windows service: powershell + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml index b98fbb4c..1b2b7454 100644 --- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml 
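Review bot: The three `definition` strings added here say the same thing three ways — `4104 Script block logging must be enabled , 4103 Module Logging must be enabled` (stray space before the comma), `Script block logging must be enabled`, and `Module Logging must be enable` (missing "d") — and later files in this series use yet another form, `Script block logging must be enabled for 4104, Module Logging must be enabled for 4103`. `definition` is what an analyst reads to learn which audit policy a rule depends on, so pick one sentence and reuse it, e.g. `definition: Script Block Logging (EventID 4104) and Module Logging (EventID 4103) must be enabled` for the history rule and `definition: Module Logging (EventID 4103) must be enabled` for powercat. In the ntfs_ads_access hunk the selection names `event`, `content` and `stream` also depart from the `selection*` convention; `all of them` still works, but `selection_eventid`/`selection_cmdlet`/`selection_stream` would match the rest of the tree.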
@@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa status: experimental description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. date: 2021/05/18 -modified: 2021/07/02 +modified: 2021/08/21 references: - https://powersploit.readthedocs.io/en/stable/Recon/README - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon @@ -16,11 +16,11 @@ author: Bhabesh Raj logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Export-PowerViewCSV - Get-IPAddress - Resolve-IPAddress diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 8ef73b44..b3d5e713 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -16,13 +16,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 - keyword: ScriptBlockText|contains: 'PromptForCredential' - condition: all of them -falsepositives: + condition: selection +falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 0b3d4167..78690987 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml 
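Review bot: `definition: Script Block Logging must be enable` drops the participle; it should read `Script Block Logging must be enabled`, and the same slip appears in the shellintel rule touched by this commit. The `ScriptBlockText:` → `ScriptBlockText|contains:` change in this hunk is a functional fix, not cleanup: as I read Sigma semantics a plain value is an exact (case-insensitive) match, so the old form could only fire when a script block consisted of nothing but the cmdlet name, which made the rule effectively dead — that deserves a line in the commit message and arguably a `modified` note in the description.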
@@ -10,15 +10,15 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script block logging must be enabled detection: selection: - EventID: 4103 - keyword: - - 'PS ATTACK!!!' + EventID: 4104 + ScriptBlockText|contains: 'PS ATTACK!!!' condition: all of them falsepositives: - Pentesters diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 3e345947..237c546b 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -22,6 +22,7 @@ level: high logsource: product: windows service: powershell + definition: Module Logging must be enable and fields have to be extract from event detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca..45ea2909 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -17,7 +17,7 @@ modified: 2020/12/01 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml index e65c3c23..62dfb25f 100644 --- a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml 
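Review bot: After this change the detection holds a single selection, so the `condition: all of them` left as context is an odd way to write `condition: selection`; the prompt_credentials rule in the previous hunk made exactly that simplification and this one should match it. The switch from `EventID: 4103` to `4104` is also a silent change of data source — the old `keyword` list was keyed on module-logging events, the new `ScriptBlockText|contains: 'PS ATTACK!!!'` on script-block logging — and neither the new `definition` nor the `Pentesters`-only falsepositives entry hints that 4103 coverage is gone; if that is intended, say so in the commit message.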
@@ -3,6 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. date: 2021/08/09 +modified: 2021/08/21 references: - https://github.com/Shellntel/scripts/ tags: @@ -12,11 +13,11 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 - ScriptBlockText: + ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks - Out-Minidump From da839775fe800c41fed9eea420b290a142368675 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 21 Aug 2021 09:50:59 +0200 Subject: [PATCH 028/108] Update PS rules --- .../sysmon_suspicious_powershell_profile_create.yml} | 0 .../powershell/powershell_CL_Invocation_LOLScript.yml | 2 +- .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 2 +- .../powershell/powershell_CL_Mutexverifiers_LOLScript.yml | 2 +- rules/windows/powershell/powershell_accessing_win_api.yml | 2 +- rules/windows/powershell/powershell_adrecon_execution.yml | 2 +- .../windows/powershell/powershell_automated_collection.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- rules/windows/powershell/powershell_decompress_commands.yml | 2 +- rules/windows/powershell/powershell_get_clipboard.yml | 2 +- .../powershell/powershell_invoke_obfuscation_clip+.yml | 2 +- .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell/powershell_invoke_obfuscation_stdin+.yml | 2 +- .../powershell/powershell_invoke_obfuscation_var+.yml | 2 +- .../powershell_invoke_obfuscation_via_compress.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_rundll.yml | 2 +- .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_var++.yml | 2 +- .../powershell_suspicious_export_pfxcertificate.yml | 6 +++--- .../powershell/powershell_suspicious_getprocess_lsass.yml | 6 +++--- .../powershell_suspicious_invocation_specific.yml | 1 + rules/windows/powershell/powershell_suspicious_keywords.yml | 2 +- .../windows/powershell/powershell_suspicious_mail_acces.yml | 2 +- .../powershell_suspicious_mounted_share_deletion.yml | 2 +- rules/windows/powershell/powershell_suspicious_recon.yml | 2 +- rules/windows/powershell/powershell_winlogon_helper_dll.yml | 2 +- rules/windows/powershell/powershell_wmimplant.yml | 2 +- 29 files changed, 32 insertions(+), 31 deletions(-) rename 
rules/windows/{powershell/powershell_suspicious_profile_create.yml => file_event/sysmon_suspicious_powershell_profile_create.yml} (100%) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_profile_create.yml rename to rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3976c19f..054cd341 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index 5cd1d3ad..246803a0 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index a9e742a2..3430cdd7 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index aa74974e..f7ed287e 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_adrecon_execution.yml index f041ac68..af2ba36a 100644 --- a/rules/windows/powershell/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_adrecon_execution.yml @@ -14,7 +14,7 @@ date: 2021/07/16 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index d482a22b..d19a88ea 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 0479fcd1..98ec3052 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 detection: selection_4104: EventID: 4104 diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index bdef59f8..19028f6a 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 26282f89..542c432c 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 8438323a..45c57fa3 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml 
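Review bot: The new definition reads `Module Logging must be enable for 4103` and has a stray space before the comma; the neighbouring rules in this same commit write `Script block logging must be enabled for 4104, Module Logging must be enabled for 4103`, so use that exact string here. Keeping the metadata sentence byte-identical across rules lets a grep for the definition find every rule with the same audit-policy dependency.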
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index dd5771b8..9b030a97 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index f1969a38..a8b5d343 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 61e5ee7e..f8476262 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 8fde7bb9..165d13d2 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index e26c5a29..e47cf4f4 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5adbdedc..30749fc4 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 07f71af3..ceaab349 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index cc5e50e6..445355bc 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index f1d98861..60a0fe2b 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6a621346..b39cf109 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -14,12 +14,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + PfxCertificate: EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" - condition: keywords + condition: PfxCertificate falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index c08f0ca5..eccd3337 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
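Review bot: In the Export-PfxCertificate hunk, `Script Block Logging must be enable` is a typo (`enabled`) and differs in capitalisation from the `Script block logging must be enabled` wording used for the other rules in this commit. The previous text also pointed to the adsecurity write-up, the only pointer in the rule explaining why PowerShell v5 logging is required — keep it or move it under `references:` rather than losing it. Renaming the selection from `keywords` to `PfxCertificate` is fine, but the other renames in this series use `select_LSASS` / `select_Malicious`, so `select_PfxCertificate` would be consistent.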
@@ -13,12 +13,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_LSASS: EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' - condition: keywords + condition: select_LSASS falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 39da524b..7ae574e1 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -11,6 +11,7 @@ date: 2017/03/05 logsource: product: windows service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 991dfc3c..35673048 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: keywords: - "System.Reflection.Assembly.Load($" diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 13210d4a..18b6b460 100644 
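Review bot: The `falsepositives` entry under the renamed `select_LSASS` selection still reads `Legitimate certificate exports invoked by administrators or users`, which is copy-pasted from the Export-PfxCertificate rule and says nothing about `Get-Process lsass`; something like `Legitimate administrative or monitoring scripts that query the lsass process` would fit the detection. The definition `Script Block Logging must be enable` also carries the `enable`/`enabled` typo seen in the sibling rule and should use the `Script block logging must be enabled` wording the rest of this series settles on.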
--- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: EnableScriptBlockLogging must be set to enable + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index c040e3a5..941ef606 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml index 78368cdf..a46b1d1b 100644 --- a/rules/windows/powershell/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 026d8240..d15724be 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index 8ff61cde..ec0915ff 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -14,7 +14,7 @@ date: 2020/03/26 logsource: product: windows service: powershell - definition: "Script block logging must be enabled" + definition: Script block logging must be enabled detection: selection: ScriptBlockText|contains: From 0fb6c35b1fe80decd09cccdeae23abf24497e222 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 09:58:58 +0200 Subject: [PATCH 029/108] Cleanup PS rules --- .../sysmon_powershell_code_injection.yml} | 0 .../powershell_CL_Mutexverifiers_LOLScript_v2.yml | 2 +- .../powershell/powershell_create_local_user.yml | 2 +- .../powershell/powershell_data_compressed.yml | 2 +- .../powershell/powershell_dnscat_execution.yml | 2 +- .../powershell/powershell_icmp_exfiltration.yml | 2 +- .../powershell/powershell_invoke_nightmare.yml | 2 +- .../powershell_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell/powershell_malicious_commandlets.yml | 12 +++++------- .../win_powershell_cmdline_reversed_strings.yml} | 0 .../win_powershell_cmdline_special_characters.yml} | 0 ...win_powershell_cmdline_specific_comb_methods.yml} | 0 12 files changed, 12 insertions(+), 14 deletions(-) rename rules/windows/{powershell/powershell_code_injection.yml => create_remote_thread/sysmon_powershell_code_injection.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_reversed_strings.yml => process_creation/win_powershell_cmdline_reversed_strings.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_special_characters.yml => process_creation/win_powershell_cmdline_special_characters.yml} (100%) rename rules/windows/{powershell/powershell_cmdline_specific_comb_methods.yml => process_creation/win_powershell_cmdline_specific_comb_methods.yml} (100%) 
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml similarity index 100% rename from rules/windows/powershell/powershell_code_injection.yml rename to rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index 8a0fa3a3..cc7de5f4 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index 6fd05f5c..29961866 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -17,7 +17,7 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index ada73d64..72ba0304 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index 63a590f3..bfe388a4 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index c6e83568..a9d9036a 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 9d7443ed..64e93f5a 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski logsource: product: windows service: powershell - definition: It is recommended to use the new "Script Block Logging" of PowerShell v5. + definition: Script Block Logging must be enable detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 5b638d94..330912c9 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index ad4609d8..34c4ccb0 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -10,13 +10,13 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2020/10/11 +modified: 2021/08/21 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_Malicious: EventID: 4104 ScriptBlockText|contains: - "Invoke-DllInjection" @@ -115,10 +115,8 @@ detection: - "Invoke-Mimikittenz" - "Invoke-AllChecks" false_positives: - EventID: 4104 - ScriptBlockText|contains: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - condition: keywords and not false_positives + ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + condition: select_Malicious and not false_positives falsepositives: - Penetration testing level: high 
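Review bot: The rewritten `false_positives` filter in `powershell_malicious_commandlets.yml` suppresses any 4104 script block that merely contains `Get-SystemDriveInfo`, so an adversary can append that string (even inside a comment) to a block that calls `Invoke-DllInjection` or any other listed cmdlet and silence this high-level rule. The broadness is inherited from the previous version, but the rewrite is the moment to anchor the exclusion to the legitimate script rather than to a substring — e.g. `Path|endswith: '\CL_Utility.ps1'` if the log source exposes the script path, combined with the `Get-SystemDriveInfo` match. The definition `Script Block Logging must be enable` has a typo and drops the adsecurity reference the old text carried; `Script block logging must be enabled` matches the wording used elsewhere in this series.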
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_reversed_strings.yml rename to rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_special_characters.yml rename to rules/windows/process_creation/win_powershell_cmdline_special_characters.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml rename to rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml From 2f683b9ab79604228b4dfd5113467ab90b370457 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:00:48 +0200 Subject: [PATCH 030/108] fix powershell_clear_powershell_history error --- .../windows/powershell/powershell_clear_powershell_history.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index ff01b153..430e9305 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled + definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled detection: selection_1: EventID: 4104 
From 42c90b9d20e4dad422b5b46e50a4944480641cac Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 21 Aug 2021 10:05:47 +0200 Subject: [PATCH 031/108] fix powershell_psattack error --- rules/windows/powershell/powershell_psattack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 78690987..8e178cb4 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -19,7 +19,7 @@ detection: selection: EventID: 4104 ScriptBlockText|contains: 'PS ATTACK!!!' - condition: all of them + condition: selection falsepositives: - Pentesters level: high From 645492cef56899253752216a909b6218bb6f8c25 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 21 Aug 2021 14:57:38 -0500 Subject: [PATCH 032/108] Update m365.yml just working on expanding this. --- tools/config/generic/m365.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index 51e08af6..fb816bd1 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -5,3 +5,8 @@ ThreatManagement: category: ThreatManagement conditions: eventSource: SecurityComplianceCenter +AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter From 579a80411de1ec3c01b222d42c5b3fa857edc50a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 21 Aug 2021 15:03:31 -0500 Subject: [PATCH 033/108] Update m365.yml --- tools/config/generic/m365.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index fb816bd1..de769059 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml 
@@ -10,3 +10,23 @@ AccessGovernance: category: AccessGovernance conditions: eventSource: SecurityComplianceCenter +CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter +DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter +ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter +SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter From 7cd71b224036583a214f440f1d7308f24be4283a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 22 Aug 2021 08:57:07 +0200 Subject: [PATCH 034/108] fix yaml error --- tools/sigma/sigma2attack.py | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/tools/sigma/sigma2attack.py b/tools/sigma/sigma2attack.py index 165d077f..2f6ceafc 100755 --- a/tools/sigma/sigma2attack.py +++ b/tools/sigma/sigma2attack.py @@ -8,6 +8,7 @@ import sys import yaml + def main(): parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from") 
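Review bot: All five new categories (`AccessGovernance`, `CloudDiscovery`, `DataLossPrevention`, `ThreatDetection`, `SharingControl`) map to the identical condition `eventSource: SecurityComplianceCenter`, the same as the existing `ThreatManagement` entry, so a rule's `category` no longer narrows the generated query at all — a DataLossPrevention rule and a ThreatDetection rule compile to the same backend filter. Either add a discriminating condition per category or state in a comment that these categories are organisational only, so rule authors do not assume the backend is filtering on them. The commit message says this is work in progress, so at minimum a `# TODO: add per-category discriminator` next to each placeholder would make that visible in the config itself.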
@@ -20,24 +21,25 @@ def main(): curr_max_technique_count = 0 num_rules_used = 0 for rule_file in rule_files: - try: - rule = yaml.safe_load(open(rule_file, encoding="utf-8").read()) - except yaml.YAMLError: - sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n") - continue - if "tags" not in rule: - sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") - continue - tags = rule["tags"] - for tag in tags: - if tag.lower().startswith("attack.t"): - technique_id = tag[len("attack."):].upper() - num_rules_used += 1 - if technique_id not in techniques_to_rules: - techniques_to_rules[technique_id] = [] - techniques_to_rules[technique_id].append(os.path.basename(rule_file)) - curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) - + with open(rule_file,encoding='utf-8') as f: + docs = yaml.load_all(f, Loader=yaml.FullLoader) + double = False + for rule in docs: + if "tags" not in rule : + if double == False : # Only 1 warning + sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n") + double = True # action globle no tag + continue + tags = rule["tags"] + double = True + for tag in tags: + if tag.lower().startswith("attack.t"): + technique_id = tag[len("attack."):].upper() + num_rules_used += 1 + if technique_id not in techniques_to_rules: + techniques_to_rules[technique_id] = [] + techniques_to_rules[technique_id].append(os.path.basename(rule_file)) + curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id])) scores = [] for technique in techniques_to_rules: From 295054dcbe0a362d7eed143b8f37c2b5b47a2eb5 Mon Sep 17 00:00:00 2001 
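Review bot: `yaml.load_all(f, Loader=yaml.FullLoader)` replaces the previous `yaml.safe_load`, which is a step backwards: FullLoader can instantiate arbitrary Python objects on older PyYAML releases, and these rule files are contributor-supplied, so `yaml.safe_load_all(f)` is the right call for multi-document files. The `except yaml.YAMLError` guard was also dropped, so one malformed rule file now aborts the whole run instead of being reported and skipped; because `load_all` is lazy, the guard has to cover the iteration, and materialising with `list()` is the simplest way to keep it effective. A document that parses to `None` (an empty document after a `---`) would raise `TypeError` on `"tags" not in rule`, so such documents should be skipped before the membership test. The `double` flag would read more clearly as `warned`. The enclosing `main()` starts before this hunk.
```python
        with open(rule_file, encoding='utf-8') as f:
            try:
                # safe_load_all: rule files are contributor-supplied; never FullLoader/load on them
                docs = list(yaml.safe_load_all(f))
            except yaml.YAMLError:
                sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
                continue
            warned = False
            for rule in docs:
                if rule is None:  # empty document (e.g. trailing '---')
                    continue
                # … unchanged: tag handling, using `warned` in place of `double` …
```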
From: SomeOne Date: Sun, 22 Aug 2021 13:57:56 +0200 Subject: [PATCH 035/108] Replace old mitre techniques by new one --- rules/linux/lnx_security_tools_disabling.yml | 2 +- rules/linux/lnx_sudo_cve_2019_14287.yml | 3 ++- rules/network/zeek/zeek_dns_mining_pools.yml | 3 ++- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 3 ++- rules/web/win_powershell_snapins_hafnium.yml | 4 ++-- rules/web/win_webshell_regeorg.yml | 2 +- .../win_arbitrary_shell_execution_via_settingcontent.yml | 3 ++- rules/windows/builtin/win_event_log_cleared.yml | 3 ++- rules/windows/malware/av_webshell.yml | 2 +- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- .../powershell/powershell_remote_powershell_session.yml | 6 +++--- rules/windows/powershell/powershell_renamed_powershell.yml | 5 +++-- .../windows/process_access/sysmon_mimikatz_trough_winrm.yml | 6 +++--- .../win_bad_opsec_sacrificial_processes.yml | 2 +- .../win_credential_access_via_password_filter.yml | 3 ++- .../process_creation/win_lolbas_execution_of_wuauclt.yml | 5 +++-- .../win_modif_of_services_for_via_commandline.yml | 6 ++++-- .../process_creation/win_powershell_disable_windef_av.yml | 2 +- .../win_powershell_reverse_shell_connection.yml | 4 ++-- ...ticky_keys_unauthenticated_privileged_console_access.yml | 5 +++-- .../process_creation/win_susp_shell_spawn_from_mssql.yml | 3 ++- .../sysmon_registry_persistence_key_linking.yml | 3 ++- 22 files changed, 45 insertions(+), 32 deletions(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8d1f1617..2fee4c8e 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -13,7 +13,7 @@ level: medium tags: - attack.defense_evasion - attack.t1562.004 - - attack.t1089 + - attack.t1089 # an old one --- logsource: category: process_creation 
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index bbd9d785..84ab95b7 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -18,7 +18,8 @@ level: critical tags: - attack.privilege_escalation - attack.t1068 - - attack.t1169 + - attack.t1169 # an old one + - attack.t1548.003 --- detection: selection_keywords: diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 71003888..c43795db 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -10,7 +10,8 @@ logsource: service: dns product: zeek tags: - - attack.t1035 + - attack.t1035 # an old one + - attack.t1569.002 - attack.t1496 detection: selection: diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 85306e0a..1690856f 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml @@ -10,7 +10,8 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' tags: - - attack.t1094 + - attack.t1094 # an old one + - attack.t1095 - attack.t1043 - attack.command_and_control logsource: diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index 3c35f816..b51f2b83 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/08/09 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 - attack.collection - attack.t1114 logsource: diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index b4ccdb5c..2a2b89e4 100644 
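Review bot: In the `zeek_dns_suspicious_zbit_flag.yml` hunk only `attack.t1094` is marked `# an old one` and given a successor, while the neighbouring `attack.t1043` is left untouched; to my knowledge T1043 (Commonly Used Port) was retired from ATT&CK in the same revision that retired T1094, so it probably needs the same annotation and a current replacement — verify against the ATT&CK deprecation list before merging. This series already establishes the pattern to follow: keep the old ID with the comment and add the successor on the next line.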
--- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -33,5 +33,5 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index 659c0e75..fffa3a9e 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -8,7 +8,8 @@ references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 tags: - attack.t1204 - - attack.t1193 + - attack.t1193 # an old one + - attack.t1566.001 - attack.execution - attack.initial_access logsource: diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index e3a88f08..649d0d95 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -11,7 +11,8 @@ logsource: service: security product: windows tags: - - attack.t1107 + - attack.t1107 # an old one + - attack.t1070.001 detection: selection: EventID: 1102 diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3d9cc310..39960e1d 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -16,7 +16,7 @@ references: - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - - attack.t1100 + - attack.t1100 # an old one - attack.t1505.003 logsource: product: antivirus diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 98ec3052..64bc41c2 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -12,7 +12,7 @@ modified: 2020/10/09 tags: - attack.execution - attack.t1059.001 - - attack.t1086 + - attack.t1086 # an old one logsource: product: windows service: powershell diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 237c546b..e8e29b1a 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -11,10 +11,10 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one falsepositives: - Legitimate use remote PowerShell sessions level: high @@ -39,4 +39,4 @@ detection: EventID: 400 HostName: 'ServerRemoteHost' HostApplication|contains: 'wsmprovhost.exe' - condition: selection \ No newline at end of file + condition: selection diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml index 5b6304ef..d0d732e1 100644 --- a/rules/windows/powershell/powershell_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -9,7 +9,8 @@ date: 2020/06/29 modified: 2021/08/18 tags: - attack.execution - - attack.t1086 + - attack.t1086 # an old one + - attack.t1059.001 logsource: product: windows service: powershell-classic @@ -25,4 +26,4 @@ detection: condition: selection and not filter falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml index c433c22d..cf5b00e4 100755 --- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml 
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml @@ -19,12 +19,12 @@ tags: - attack.credential_access - attack.execution - attack.t1003.001 - - attack.t1003 #an old one + - attack.t1003 # an old one - attack.t1059.001 - - attack.t1086 #an old one + - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 #an old one + - attack.t1028 # an old one - attack.s0002 falsepositives: - low diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 4b9294d8..bce196ae 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -9,7 +9,7 @@ references: - https://www.cobaltstrike.com/help-opsec tags: - attack.defense_evasion - - attack.t1085 # legacy + - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml index 2fda0365..c67033c1 100644 --- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -10,7 +10,8 @@ references: - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter tags: - attack.credential_access - - attack.t1174 + - attack.t1174 # an old one + - attack.t1556.002 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index c603644e..44705724 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml 
@@ -10,7 +10,8 @@ modified: 2021/06/11 tags: - attack.defense_evasion - attack.execution - - attack.t1085 + - attack.t1085 # an old one + - attack.t1218.011 logsource: product: windows category: process_creation @@ -26,4 +27,4 @@ falsepositives: - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 05ee03d5..7b146ad2 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -6,8 +6,10 @@ references: status: experimental tags: - attack.persistence - - attack.t1031 - - attack.t1058 + - attack.t1031 # an old one + - attack.t1543.003 + - attack.t1058 # an old one + - attack.t1574.011 author: Sreeman date: 2020/09/29 modified: 2021/08/10 diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index ebfb84ed..4d507255 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # legacy + - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index b044d26e..06cee06a 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml 
@@ -10,8 +10,8 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 - - attack.t1059.005 + - attack.t1086 # an old one + - attack.t1059.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 328318d1..715dfc75 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,8 @@ date: 2020/18/02 modified: 2021/06/11 author: Sreeman tags: - - attack.t1015 + - attack.t1015 # an old one + - attack.t1546.008 - attack.privilege_escalation logsource: product: windows @@ -24,4 +25,4 @@ fields: - ParentProcess falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml index 198851a1..11c66ddb 100644 --- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -6,7 +6,8 @@ author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2021/06/27 tags: - - attack.t1100 + - attack.t1100 # an old one + - attack.t1505.003 - attack.t1190 - attack.initial_access - attack.persistence diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2ede1d70..34447d11 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml 
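Review bot: The context line `date: 2020/18/02` in win_sticky_keys_unauthenticated_privileged_console_access.yml is not a valid YYYY/MM/DD value (there is no month 18), and the hunk edits the tags directly beneath it without correcting it. It is presumably a day/month swap, `date: 2020/02/18`, but the author should confirm the intended date rather than have a consumer's date parser reject the rule.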
@@ -9,7 +9,8 @@ date: 2019/10/23 modified: 2019/11/07 tags: - attack.persistence - - attack.t1122 + - attack.t1122 # an old one + - attack.t1546.015 logsource: category: registry_event product: windows From 9b30b487c3be60105202bd695ca90314e30f6495 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Mon, 23 Aug 2021 04:25:29 +0200 Subject: [PATCH 036/108] add ATC to the Projects or Products that use Sigma section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 864235a6..4815056d 100644 --- a/README.md +++ b/README.md @@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei # Projects or Products that use Sigma * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017) +* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018) * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/) * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints From dc3ed771b52a54ed2a82d3e524ece52becd824b1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 08:32:50 +0200 Subject: [PATCH 037/108] rule: EfsPotato Named Pipe --- .../sysmon_efspotato_namedpipe.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml new file mode 100644 index 00000000..b80687c1 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
@@ -0,0 +1,24 @@ +title: EfsPotato Named Pipe +id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 +status: experimental +description: Detects the pattern of a pipe name as used by the tool EfsPotato +references: + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato +date: 2021/08/23 +author: Florian Roth +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' +detection: + selection: + PipeName|contains: '\pipe\' + condition: selection +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +falsepositives: + - Unknown +level: critical From a0f72e5f6f5c2d6bd6a45e03d57e52d6358c4ce2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 10:41:42 +0200 Subject: [PATCH 038/108] rule: suspicious splwow64 process starts --- .../process_creation/win_susp_splwow64.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_splwow64.yml diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml new file mode 100644 index 00000000..3695fcec --- /dev/null +++ b/rules/windows/process_creation/win_susp_splwow64.yml @@ -0,0 +1,20 @@ +title: Suspicious Splwow64 Without Params +id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2 +status: experimental +description: Detects suspicious Splwow64.exe process without any command line parameters +references: + - https://twitter.com/sbousseaden/status/1429401053229891590?s=12 +author: Florian Roth +date: 2021/08/23 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\splwow64.exe' + filter: + CommandLine|contains: 'splwow64.exe ' + condition: selection and not filter +falsepositives: + - Unknown +level: high From 82dde594d1d206289dfb479c9e788f8875e539dd Mon Sep 17 00:00:00 2001 
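Review bot: `PipeName|contains: '\pipe\'` matches practically every Sysmon pipe-creation event, since every pipe name carries that prefix, so a `level: critical` rule on this selection will fire constantly and says nothing specific about EfsPotato. PATCH 043 further down this page adds `'\pipe\srvsvc'` as a second list item, but a list under one field is OR'd in Sigma, so the broad `'\pipe\'` entry still matches everything and should be dropped rather than kept alongside it, e.g. `PipeName|contains: '\pipe\srvsvc'`. If the broad pattern is meant as a hunting variant, it belongs in a comment, not in the active selection.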
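Review bot: The filter `CommandLine|contains: 'splwow64.exe '` depends on a literal space immediately after the image name, so a quoted command line such as `"C:\Windows\splwow64.exe" 8192` (constructed example) does not match the filter and a legitimate launch with a parameter is flagged anyway. Adding the quoted spelling to the filter list, `- 'splwow64.exe" '`, keeps the "no parameters" semantics for both forms; the filter value is also worth a one-line comment explaining that the trailing space is intentional, since it is easy to strip by accident.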
From: Max Altgelt Date: Mon, 23 Aug 2021 11:17:10 +0200 Subject: [PATCH 039/108] feat: Add rule for malicious CSR export on Exchange --- ...ange_proxyshell_certificate_generation.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_certificate_generation.yml diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml new file mode 100644 index 00000000..003bdd72 --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml @@ -0,0 +1,29 @@ +title: Certificate Request Export to Exchange Webserver +id: b7bc7038-638b-4ffd-880c-292c692209ef +status: experimental +description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell +references: + - https://twitter.com/GossiTheDog/status/1429175908905127938 +author: Max Altgelt +date: 2021/08/23 +logsource: + service: msexchange-management + product: windows +detection: + export_command: + - 'New-ExchangeCertificate' + - ' -GenerateRequest' + - ' -BinaryEncoded' + - ' -RequestFile' + export_params: + - '\\\\localhost\\C$' + - '\\\\127.0.0.1\\C$' + - 'C:\\inetpub' + - '.aspx' + condition: all of export_command and export_params +falsepositives: + - unlikely +level: critical +tags: + - attack.persistence + - attack.t1505.003 From 33c6ff6b5f4af8a416cf183074fe0f528c477328 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 23 Aug 2021 13:17:35 +0200 Subject: [PATCH 040/108] add powershell_suspicious_win32_pnpentity --- ...m_env.yml => powershell_detect_vm_env.yml} | 0 .../powershell_suspicious_win32_pnpentity.yml | 23 +++++++++++++++++++ 2 files changed, 23 insertions(+) rename rules/windows/powershell/{poweshell_detect_vm_env.yml => powershell_detect_vm_env.yml} (100%) create mode 100644 rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml 
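Review bot: `condition: all of export_command and export_params` most likely does not require all four `export_command` keywords together: a keyword list is OR'd in Sigma, and as I read the condition grammar `all of <name>` with a single selection name resolves to that selection, not to a conjunction of its list items (worth confirming against the sigmac output). As written the rule fires on any `New-ExchangeCertificate` or any ` -RequestFile` combined with any `.aspx` mention, which is broader than the CSR-write-to-webroot pattern the description promises. If the target backends support it, the cmdlet/switch strings should be matched on the message field with an `|all` modifier; otherwise the description should say that any one of them suffices.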
diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/powershell_detect_vm_env.yml similarity index 100% rename from rules/windows/powershell/poweshell_detect_vm_env.yml rename to rules/windows/powershell/powershell_detect_vm_env.yml diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml new file mode 100644 index 00000000..3cf7777d --- /dev/null +++ b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml @@ -0,0 +1,23 @@ +title: Powershell Suspicious Win32_PnPEntity +id: b26647de-4feb-4283-af6b-6117661283c5 +status: experimental +author: frack113 +date: 2021/08/23 +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md +tags: + - attack.discovery + - attack.t1120 +logsource: + product: windows + service: powershell + definition: EnableScriptBlockLogging must be set to enable +detection: + selection: + EventID: 4104 + ScriptBlockText|contains: Win32_PnPEntity + condition: selection +falsepositives: + - admin script +level: low \ No newline at end of file From 25072e37b393bf2d6726034744b66e973f451d76 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 23 Aug 2021 13:30:46 +0200 Subject: [PATCH 041/108] update references --- rules/windows/process_creation/win_possible_applocker_bypass.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 39ac4e71..6ebbdd45 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml 
@@ -5,6 +5,7 @@ status: experimental references: - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md author: juju4 date: 2019/01/16 modified: 2020/09/01 From 45f30cb2b43a9d3a419eab6b6df85116838a7003 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:00:07 +0200 Subject: [PATCH 042/108] Add fields to event log cleared --- rules/windows/builtin/win_event_log_cleared.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 649d0d95..969f0630 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,6 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - fields in the log source that are important to investigate further + - logon_id + - src_user + - src_user_id + - src_nt_domain falsepositives: - Legitimate administrative activity From 91b42f9077d11e202387beda5f3632251ba77d93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 15:03:59 +0200 Subject: [PATCH 043/108] fix: indentation --- .../pipe_created/sysmon_efspotato_namedpipe.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml index b80687c1..9d444f88 100644 --- a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
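Review bot: The reference is added without bumping `modified: 2020/09/01` on the context line below it; the convention in this repository is to update `modified` whenever a rule file changes, so this should read `modified: 2021/08/23`. Minor, but the modified date is what downstream consumers use to pick up changed rules.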
@@ -3,8 +3,8 @@ id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 status: experimental description: Detects the pattern of a pipe name as used by the tool EfsPotato references: - - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - - https://github.com/zcgonvh/EfsPotato + - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 + - https://github.com/zcgonvh/EfsPotato date: 2021/08/23 author: Florian Roth logsource: @@ -13,12 +13,14 @@ logsource: definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - PipeName|contains: '\pipe\' + PipeName|contains: + - '\pipe\' + - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) condition: selection tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 falsepositives: - Unknown level: critical From 037f33b5e200710140d11c9a9c644ddea01addab Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:24:48 +0200 Subject: [PATCH 044/108] Replace by default windows fieldnames --- rules/windows/builtin/win_event_log_cleared.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 969f0630..92c9a2ea 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,9 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - logon_id - - src_user - - src_user_id - - src_nt_domain + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName falsepositives: - Legitimate administrative activity From 96e77eb8db5327a7f45a8fbd6127da1b792c8963 Mon Sep 17 00:00:00 2001 
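Review bot: The inline comment on the new `'\pipe\srvsvc'` entry reads `use only this one of the other causes too many false positives`; the intended word is "if": `# more specific version (use only this one if the other causes too many false positives)`. Because the two entries under `PipeName|contains` are OR'd, the advice in that comment already applies to the rule as committed, so the comment should say plainly that the first entry is the noisy one.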
From: Nate Guagenti Date: Mon, 23 Aug 2021 11:06:44 -0400 Subject: [PATCH 045/108] Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml new file mode 100644 index 00000000..e6f2ddad --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -0,0 +1,46 @@ +title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls. +id: bae2865c-5565-470d-b505-9496c87d0c30 +Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' + - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' + - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' + - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + endpoint|startswith: + - 'Efs' + - 'efs' + # EfsDecryptFileSrv' + # EfsRpcAddUsersToFile' + # EfsRpcAddUsersToFileEx' + # EfsRpcCloseRaw' + # EfsRpcDuplicateEncryptionInfoFile' + # EfsRpcEncryptFileExServ' + # EfsRpcEncryptFileSrv' + # EfsRpcFileKeyInfo' + # EfsRpcFileKeyInfoEx' + # EfsRpcFlushEfsCache' + # EfsRpcGetEncryptedFileMetadata' + # EfsRpcNotSupported' + # EfsRpcOpenFileRaw' + # EfsRpcQueryProtectors' + # EfsRpcQueryRecoveryAgents' + # EfsRpcQueryUsersOnFile' + # EfsRpcReadFileRaw' + # EfsRpcRemoveUsersFromFile' + # EfsRpcSetEncryptedFileMetadata' + # EfsRpcWriteFileRaw' + condition: efs_operation +falsepositives: + - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. 
Verify if this is common activity (see description).' +level: medium +status: stable From 78c667fda1980d26915434d4142c3839076efbf6 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:15:30 -0400 Subject: [PATCH 046/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml shorten title --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index e6f2ddad..189f1843 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
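Review bot: `Description:` is capitalised, but the Sigma schema key is lowercase `description`, so tooling will treat this rule as having no description (PATCH 051 on this page corrects the key). The same first submission is marked `status: stable`, where `experimental` is the convention for a new rule. The commented-out names under `endpoint|startswith` (EfsRpcOpenFileRaw and the others) look like values of Zeek dce_rpc's `operation` field rather than `endpoint`, which carries the interface name; if they are meant to document which calls the `Efs`/`efs` prefix covers, the comment should name the field they belong to, and the stray trailing `'` on each of them should go. The title also ends with a period.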
@@ -1,4 +1,48 @@ -title: Potential PetitPotam Attack via Usage of Encrypting File System RPC Calls. +title: Potential PetitPotam Attack via EFS RPC Call +id: bae2865c-5565-470d-b505-9496c87d0c30 +Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' + - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' + - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' + - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + efs_operation: + endpoint|startswith: + - 'Efs' + - 'efs' + # EfsDecryptFileSrv' + # EfsRpcAddUsersToFile' + # EfsRpcAddUsersToFileEx' + # EfsRpcCloseRaw' + # EfsRpcDuplicateEncryptionInfoFile' + # EfsRpcEncryptFileExServ' + # EfsRpcEncryptFileSrv' + # EfsRpcFileKeyInfo' + # EfsRpcFileKeyInfoEx' + # EfsRpcFlushEfsCache' + # EfsRpcGetEncryptedFileMetadata' + # EfsRpcNotSupported' + # EfsRpcOpenFileRaw' + # EfsRpcQueryProtectors' + # EfsRpcQueryRecoveryAgents' + # EfsRpcQueryUsersOnFile' + # EfsRpcReadFileRaw' + # EfsRpcRemoveUsersFromFile' + # EfsRpcSetEncryptedFileMetadata' + # EfsRpcWriteFileRaw' + condition: efs_operation +falsepositives: + - 'Uncommon but legitimate windows administrator or software tasks that 
make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' +level: medium id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' From 6aea58b4d2a4a53bee1426f2d624412be4d210e7 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:18:51 -0400 Subject: [PATCH 047/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 71 +------------------ 1 file changed, 3 insertions(+), 68 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 189f1843..f03a8922 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -1,4 +1,4 @@ -title: Potential PetitPotam Attack via EFS RPC Call +title: Potential PetitPotam Attack via EFS RPC Calls id: bae2865c-5565-470d-b505-9496c87d0c30 Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' 
@@ -17,74 +17,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' level: medium -id: bae2865c-5565-470d-b505-9496c87d0c30 -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
-author: '@neu5ron, @Antonlovesdnb, Mike Remen' -date: 2021/08/17 -references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' -tags: - - attack.t1557.001 - - attack.t1187 -logsource: - product: zeek - service: dce_rpc -detection: - efs_operation: - endpoint|startswith: - - 'Efs' - - 'efs' - # EfsDecryptFileSrv' - # EfsRpcAddUsersToFile' - # EfsRpcAddUsersToFileEx' - # EfsRpcCloseRaw' - # EfsRpcDuplicateEncryptionInfoFile' - # EfsRpcEncryptFileExServ' - # EfsRpcEncryptFileSrv' - # EfsRpcFileKeyInfo' - # EfsRpcFileKeyInfoEx' - # EfsRpcFlushEfsCache' - # EfsRpcGetEncryptedFileMetadata' - # EfsRpcNotSupported' - # EfsRpcOpenFileRaw' - # EfsRpcQueryProtectors' - # EfsRpcQueryRecoveryAgents' - # EfsRpcQueryUsersOnFile' - # EfsRpcReadFileRaw' - # EfsRpcRemoveUsersFromFile' - # EfsRpcSetEncryptedFileMetadata' - # EfsRpcWriteFileRaw' - condition: efs_operation -falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' -level: medium -status: stable From 4f8bd4a5a254489ba43a1a8b8e9287ec7686fa13 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 11:24:22 -0400 Subject: [PATCH 048/108] Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml try new uuid to pass check... --- .../zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index f03a8922..b2186f1f 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
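Review bot: After this hunk the rule has no `status` key at all: the only `status: stable` line is removed together with the duplicated block and nothing re-adds it, and the later cleanup in PATCH 051 on this page does not restore it either. A `status: experimental` line should be kept, e.g. after `level: medium`, since the rule is new. The hunk also drops the commented list of EFS operation names, which was the only documentation of what the `Efs`/`efs` prefix is intended to cover; a one-line comment naming the covered calls, or pointing at the MS-EFSRPC reference, would preserve that.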
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -1,5 +1,5 @@ title: Potential PetitPotam Attack via EFS RPC Calls -id: bae2865c-5565-470d-b505-9496c87d0c30 +id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 From 6b86dacc9e1da940324de3c1cab5fbf9b98b15b7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 18:44:15 +0200 Subject: [PATCH 049/108] rule: razor installer --- .../win_susp_razorinstaller_explorer.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_razorinstaller_explorer.yml diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml new file mode 100644 index 00000000..967932cc --- /dev/null +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml 
@@ -0,0 +1,22 @@ +title: Suspicious RazorInstaller Explorer Subprocess +id: a4eaf250-7dc1-4842-862a-5e71cd59a167 +status: experimental +description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM +references: + - https://twitter.com/j0nh4t/status/1429049506021138437 + - https://streamable.com/q2dsji +author: Florian Roth +date: 2021/08/23 +tags: + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\explorer.exe' + ParentImage|endswith: '\RazorInstaller.exe' + condition: selection +falsepositives: + - User selecting a different installation folder (check for other sub processes of this explorer.exe process) +level: high \ No newline at end of file From 998ebbe1f3bcb09ac2ebbf4818a863a5c91c2521 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 23 Aug 2021 18:46:05 +0200 Subject: [PATCH 050/108] fix: typo in name --- .../process_creation/win_susp_razorinstaller_explorer.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index 967932cc..cffed858 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml 
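Review bot: The description reads `Detects a explorer.exe sub process`, which should be `Detects an explorer.exe sub process`; PATCH 050 on this page rewrites this line for the Razor/Razer typo but keeps the article error. The `tags` list carries only the tactic `attack.privilege_escalation` with no technique id; if the intended mapping is exploitation of the installer for local privilege escalation, `attack.t1068` is the technique to add, but the author should confirm the mapping rather than leave the tactic alone.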
@@ -1,7 +1,7 @@ -title: Suspicious RazorInstaller Explorer Subprocess +title: Suspicious RazerInstaller Explorer Subprocess id: a4eaf250-7dc1-4842-862a-5e71cd59a167 status: experimental -description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji @@ -15,7 +15,7 @@ logsource: detection: selection: Image|endswith: '\explorer.exe' - ParentImage|endswith: '\RazorInstaller.exe' + ParentImage|endswith: '\RazerInstaller.exe' condition: selection falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 9d3a13b13e9b372256cd0545e1b27c21a15648a4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 23 Aug 2021 19:04:01 +0200 Subject: [PATCH 051/108] cleanup --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index b2186f1f..c50ceb51 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
@@ -1,13 +1,17 @@ -title: Potential PetitPotam Attack via EFS RPC Calls +title: Potential PetitPotam Attack Via EFS RPC Calls id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a -Description: 'Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +description: | + Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. + The usage of this RPC function should be rare if ever used at all. + Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. + View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' 
author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 references: - - 'https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp' - - 'https://msrc.microsoft.com/update-guide/vulnerability/ADV210003' - - 'https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf' - - 'https://threatpost.com/microsoft-petitpotam-poc/168163/' + - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp + - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 + - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf + - https://threatpost.com/microsoft-petitpotam-poc/168163/ tags: - attack.t1557.001 - attack.t1187 @@ -17,9 +21,9 @@ logsource: detection: efs_operation: endpoint|startswith: - - 'Efs' - - 'efs' + - 'Efs' + - 'efs' condition: efs_operation falsepositives: - - 'Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).' + - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium From ae845594880b7ff3599a21785666bd71fb8dc5fa Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:18:16 +0000 Subject: [PATCH 052/108] M365 - Risky IP Addresses --- ...crosoft365_logon_from_risky_ip_address.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 00000000..0530dbcf --- /dev/null +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Log on from a risky IP address
+id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Log on from a risky IP address"
+ status: success
+ condition: selection
+falsepositives:
+ - Unkown
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078
\ No newline at end of file
From 3a4c61f44d63e584aea5c7abfc3122c39ae4a778 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 17:21:27 +0000
Subject: [PATCH 053/108] M365 - Inbox Manipulation Rules
---
 ...65_suspicious_inbox_manipulation_rules.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
new file mode 100644
index 00000000..5bcdf480
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml
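Review bot: `- Unkown` under falsepositives is misspelled, and the description doubles its clause (`Detects when a ... reported when a user signs into`); `Detects a Microsoft Cloud App Security alert for a user signing into sanctioned apps from a risky IP address.` says the same thing. A falsepositives entry naming what a SOC actually sees would be more useful than "Unknown" — presumably corporate VPN or cloud-proxy egress addresses that MCAS has not been told are corporate — so the analyst knows what to tune. The selection itself matches the eventSource/eventName/status shape of the other m365 rules.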
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Suspicious inbox manipulation rules
+id: d2001772-f43f-4def-86d3-a9d5c47588c0
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Suspicious inbox manipulation rules"
+ status: success
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1020.001
\ No newline at end of file
From 7d211f2487977101b40188a5252bea4d45f5a945 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 17:33:00 +0000
Subject: [PATCH 054/108] Data exfiltration to unsanctioned apps
---
 ..._data_exfiltration_to_unsanctioned_app.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
new file mode 100644
index 00000000..1c645f00
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
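Review bot: The technique tag does not match the behaviour described: `attack.t1020.001` is Automated Exfiltration: Traffic Duplication (network traffic mirroring), whereas an inbox rule that forwards a copy of all mail to an external address is Email Collection: Email Forwarding Rule — `attack.t1114.003` under `attack.collection`. Suggest `- attack.collection` and `- attack.t1114.003`, keeping `attack.exfiltration` only if the broader tactic is wanted too. The description's `Detects when a ... reported for` phrasing reads oddly; `Detects a Microsoft Cloud App Security alert for suspicious inbox manipulation rules, e.g. a rule forwarding a copy of all mail to an external address.` is tighter.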
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Data exfiltration to unsanctioned apps +id: 2b669496-d215-47d8-bd9a-f4a45bf07cda +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Data exfiltration to unsanctioned apps" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 \ No newline at end of file From 1834324a160efd896ae3727ed243add9e53d1535 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 17:33:57 +0000 Subject: [PATCH 055/108] Update --- .../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 1c645f00..0d55777d 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: - category: + category: ThreatManagement service: m365 detection: selection: From 23e96712f8f0b75d9cf110c8faae4a0821969c8f Mon Sep 17 00:00:00 2001 
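Review bot: `falsepositives:` is followed by a bare `-` item, which YAML loads as a null entry rather than a string, and the repo's rule checks presumably expect a list of strings; the sibling rules use `- Unknown`. The empty `category:` left by this hunk is filled by the follow-up commit on the same line, but the null falsepositives entry is not. `attack.t1537` (Transfer Data to Cloud Account) is a reasonable fit for a user pushing data into an unsanctioned app.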
From: Austin Songer Date: Mon, 23 Aug 2021 12:59:44 -0500 Subject: [PATCH 056/108] Update microsoft365_data_exfiltration_to_unsanctioned_app.yml --- .../microsoft365_data_exfiltration_to_unsanctioned_app.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 0d55777d..a758f328 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Data exfiltration to unsanctioned apps +title: Microsoft 365 Data exfiltration to unsanctioned apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1537 \ No newline at end of file + - attack.t1537 From 3d151ef9f11255ac582c14e4797cebfb0dacedb8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 12:59:53 -0500 Subject: [PATCH 057/108] Update microsoft365_logon_from_risky_ip_address.yml --- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 0530dbcf..f841b3dd 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 - Log on from a risky IP address +title: Microsoft 365 Log on from a risky IP address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1078 \ No newline at end of file + - attack.t1078 From b00e1772b3acd7c45ab24eed490381a4d2009dde Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:03:38 -0400 Subject: [PATCH 058/108] added logic and usage rule logic should be endswith. match zeek fields for `fields` section add false positive information --- rules/network/zeek/zeek_dns_mining_pools.yml | 27 +++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c43795db..8be5222b 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -1,11 +1,11 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 -description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools. +description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml date: 2021/08/19 -author: Saw Winn Naung , Azure-Sentinel -level: medium +author: Saw Winn Naung, Azure-Sentinel, @neu5ron +level: low logsource: service: dns product: zeek @@ -15,7 +15,7 @@ tags: - attack.t1496 detection: selection: - query: + query|endswith: - "monerohash.com" - "do-dear.com" - "xmrminerpro.com" 
@@ -82,10 +82,23 @@ detection: - "crypto-pools.org" - "monero.net" - "backup-pool.com" - - "mooo.com" + - "mooo.com" # Dynamic DNS, may want to exclude - "freeyy.me" - "cryptonight.net" - "shscrypto.net" - condition: selection + exclude_answers: + answers: + - "127.0.0.1" + - "0.0.0.0" + exclude_rejected: + rejected: "true" + condition: selection and not (exclude_answers OR exclude_rejected) +falsepositives: | + A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: - - clientip + - id.orig_h + - id.resp_h + - query + - answers + - qtype_name + - rcode_name From feb7d0e187d2a6276d2b1ecbd0c2f8713d683bb8 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:11:04 -0400 Subject: [PATCH 059/108] Update zeek_dns_mining_pools.yml --- rules/network/zeek/zeek_dns_mining_pools.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 8be5222b..91d87824 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml 
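Review bot: `exclude_rejected: rejected: "true"` quotes the value, so it becomes a string match against a field Zeek emits as a boolean; in a backend that keeps the boolean type the exclusion never matches and rejected queries are not filtered, so use the unquoted `rejected: true`. Separately, excluding rejected queries and sinkholed answers (`127.0.0.1`, `0.0.0.0`) drops exactly the cases where an RPZ or blocklist stopped a miner from resolving, which is still a compromised-host signal; with the rule already at `level: low`, consider keeping those and letting the falsepositives guidance (verify via conn/http/ssl logs) drive triage. `condition: selection and not (exclude_answers OR exclude_rejected)` uses an upper-case `OR` where the rest of the repo writes `or`; whether the converter accepts it is converter-dependent, so match the convention.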
@@ -93,8 +93,8 @@ detection: exclude_rejected: rejected: "true" condition: selection and not (exclude_answers OR exclude_rejected) -falsepositives: | - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". +falsepositives: + - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name". fields: - id.orig_h - id.resp_h From 1819e4b02b6654101f9767880a102c2fbbd492be Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:12:50 -0400 Subject: [PATCH 060/108] improve rule - improve rule logic - match zeek fields for fields section - add false positive information - change rule name to match the logic of the original rule.. Rule said "first" seen, however, no logic that matches that (ie: rare, stacking, etc..) --- .../zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index dfa15acb..a8853b8e 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml 
@@ -1,7 +1,7 @@ -title: First Time Seen Remote Named Pipe - Zeek +title: SMB Spoolss Name Piped Usage id: bae2865c-5565-470d-b505-9496c87d0c30 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. -author: OTR (Open Threat Research) +author: OTR (Open Threat Research), @neu5ron references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ @@ -9,15 +9,15 @@ references: tags: - attack.lateral_movement - attack.t1021.002 -date: 2018/11/28 +date: 2021/08/23 logsource: product: zeek service: smb_files detection: selection: - path: \\*\IPC$ + path|endswith: IPC$ name: spoolss condition: selection falsepositives: - - 'Domain Controllers acting as printer servers too? :)' -level: medium \ No newline at end of file + - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too +level: medium From cfc32e595063433349fd9f4a5d56f1f4e34b0d10 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:16:55 -0400 Subject: [PATCH 061/108] correct fields for zeek_rdp_public_listener.yml correct zeek fields for `fields` section. improve false positives information --- rules/network/zeek/zeek_rdp_public_listener.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index f5e9be21..c0b70992 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml 
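Review bot: The hunk overwrites `date: 2018/11/28` with `2021/08/23`; in this repo `date` records creation and edits go in a separate `modified:` field, so keep the original date and add `modified: 2021/08/23`, otherwise the rule's history is lost. The new title `SMB Spoolss Name Piped Usage` has the words transposed — `SMB Spoolss Named Pipe Usage`. `path|endswith: IPC$` is broader than the old `\\*\IPC$` glob but equivalent for Zeek smb_files paths of the form `\\host\IPC$`, which looks intentional.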
@@ -38,8 +38,8 @@ detection: #- x.x.x.x condition: not selection #and not approved_rdp fields: - - src_ip - - dst_ip + - id.orig_h + - id.resp_h falsepositives: - - none + - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. level: high From 064d7b7b9f7a8bfd7cd990ab5bd6370944390b45 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:23:41 -0400 Subject: [PATCH 062/108] improve rule logic zeek_default_cobalt_strike_certificate.yml zeek logging for `certificate.serial` is all letters are capitalized --- rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index a4e69cc5..97460495 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -2,7 +2,7 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj -date: 2021/06/23 +date: 2021/08/26 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: @@ -13,7 +13,7 @@ logsource: service: x509 detection: selection: - certificate.serial: 8bb00ee + certificate.serial: 8BB00EE condition: selection fields: - san.dns From 41786a1b63bf6a8f7b042c354ee552bd050fb84a Mon Sep 17 00:00:00 2001 
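Review bot: The Cobalt Strike certificate hunk sets `date: 2021/08/26`, three days after the commit's own date of 23 Aug 2021, and it replaces the rule's creation date rather than recording the edit; keep `date: 2021/06/23` and add `modified: 2021/08/23`. Upper-casing `certificate.serial` to `8BB00EE` matches what the commit message says Zeek logs, but whether the old lower-case value failed depends on the backend's case handling for string matches, so that rationale belongs in the rule as a comment, e.g. `certificate.serial: 8BB00EE  # Zeek logs the serial upper-cased`.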
From: Austin Songer Date: Mon, 23 Aug 2021 18:55:29 +0000 Subject: [PATCH 063/108] In-Progress --- ...crosoft365_activity_by_terminated_user.yml | 24 +++++++++++++++++++ ...ft365_activity_from_infrequent_country.yml | 24 +++++++++++++++++++ ...icrosoft365_activity_from_ip_addresses.yml | 24 +++++++++++++++++++ ...rosoft365_from_suspicious_ip_addresses.yml | 24 +++++++++++++++++++ ...crosoft365_suspicious_inbox_forwarding.yml | 24 +++++++++++++++++++ ...ous_oauth_app_file_download_activities.yml | 24 +++++++++++++++++++ 6 files changed, 144 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml create mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml create mode 100644 rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 00000000..d79cd373 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity performed by terminated user +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: ThreatManagement + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity performed by terminated user" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.exfiltration + - attack.t1537 \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 00000000..6aa39b32 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from infrequent country +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from infrequent country" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml new file mode 100644 index 00000000..9b770204 --- /dev/null +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml 
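Review bot: The `Activity from infrequent country` rule is committed with `category:` empty, a description that stops at `reported`, and a bare `-` under both `falsepositives:` and `tags:`, which YAML loads as null list entries; the follow-up commits in this series fill in only the `id`. It still needs `category: ThreatManagement`, a description of the MCAS alert, `- Unknown` or a real falsepositives note, and a technique tag — `- attack.t1078` alongside `attack.initial_access` would match the sibling risky-IP rule. The two IP-address rules added by the same commit on the next line have the same gaps; as they stand these are scaffolds rather than `experimental` rules.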
@@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from anonymous IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from anonymous IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml new file mode 100644 index 00000000..208a9de3 --- /dev/null +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Activity from suspicious IP addresses +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Activity from suspicious IP addresses" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml new file mode 100644 index 00000000..7ae798f7 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious inbox forwarding" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml new file mode 100644 index 00000000..3c748083 --- /dev/null +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - +id: +status: experimental +description: Detects when a Microsoft Cloud App Security reported +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + category: + service: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: "Suspicious OAuth app file download activities" + status: success + condition: selection +falsepositives: + - +level: medium +tags: + - attack.initial_access + - \ No newline at end of file From 8e4b8f45dd75a6911aec3ca5487982ae560da388 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 18:57:17 +0000 Subject: [PATCH 064/108] Update --- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7ae798f7..7f328a98 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious inbox forwarding id: status: experimental description: Detects when a Microsoft Cloud App Security reported diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 3c748083..d743264e 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - +title: Microsoft 365 - Suspicious OAuth app file download activities id: status: experimental description: Detects when a Microsoft Cloud App Security reported From b255586117bba130ef69e84f465d269c030d5d71 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 23 Aug 2021 14:59:06 -0400 Subject: [PATCH 065/108] condition fix and add fields should be `operation` not `endpoint` for the detection logic. added various fields useful for investigation --- ...zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index c50ceb51..52cae554 100644 
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -20,10 +20,18 @@ logsource: service: dce_rpc detection: efs_operation: - endpoint|startswith: + operation|startswith: - 'Efs' - 'efs' condition: efs_operation falsepositives: - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid From 4ab9519546102984137cdc8252a5275f5e6c22b4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 18:59:07 +0000 Subject: [PATCH 066/108] Update --- rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +- .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +- rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index d79cd373..4b60b111 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity performed by terminated user -id: +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 6aa39b32..6e161f7d 100644 
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from infrequent country -id: +id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml index 9b770204..ac34cd56 100644 --- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from anonymous IP addresses -id: +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 208a9de3..36f5e305 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Activity from suspicious IP addresses -id: +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7f328a98..5f349d2d 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious inbox forwarding -id: +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index d743264e..d795148d 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,5 +1,5 @@ title: Microsoft 365 - Suspicious OAuth app file download activities -id: +id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported author: Austin Songer @austinsonger From 1fa32fcd1a764127bab1c5e4fb8410c19b9d663f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:02:47 +0000 Subject: [PATCH 067/108] Update --- .../microsoft365_suspicious_inbox_forwarding.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 5f349d2d..e583f123 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious inbox forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
 author: Austin Songer @austinsonger
 date: 2021/08/22
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
-level: medium
+ - Unknown
+level: low
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
+ - attack.t1020
\ No newline at end of file
From 595bd3b80f34a2d997f013be2a4bf890818c7956 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:07:09 +0000
Subject: [PATCH 068/108] Updated
---
 .../m365/microsoft365_activity_by_terminated_user.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 4b60b111..037dcd00 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
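Review bot: The second hunk tags the inbox-forwarding alert `attack.exfiltration` / `attack.t1020` (Automated Exfiltration), but ATT&CK has a sub-technique for exactly this behaviour, T1114.003 (Email Collection: Email Forwarding Rule), so `- attack.collection` / `- attack.t1114.003` would be the more precise mapping, with T1020 kept only if the exfiltration framing is wanted. The same hunk lowers `level` from medium to low although the description now says the alert fires when a rule forwards a copy of all mail to an external address, a common BEC persistence step; the sibling MCAS rules in this series stay at medium, so the downgrade deserves a justification or at least a more specific `falsepositives` entry than `Unknown`, e.g. `- Users forwarding mail to a personal or secondary corporate mailbox`. In the first hunk `logsource` gets `category: ThreatManagement` next to `service: m365` with no `product`; Sigma normally carries the platform in `product`, so confirm this pairing matches the field mapping the repository's m365 backend configuration expects.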
@@ -1,7 +1,7 @@
 title: Microsoft 365 - Activity performed by terminated user
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
@@ -17,8 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.exfiltration
- - attack.t1537
\ No newline at end of file
+ - attack.impact
\ No newline at end of file
From da69b2f531332e072be94a75e8ca525db9bc82b4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:09:27 +0000
Subject: [PATCH 069/108] Update
---
 ..._suspicious_oauth_app_file_download_activities.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index d795148d..91cbe32c 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
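Review bot: Replacing `attack.exfiltration` / `attack.t1537` with a bare `attack.impact` in the second hunk mislabels the rule: activity by an account that was terminated in Azure AD but still works in AWS or Salesforce is continued use of a valid, not-yet-deprovisioned account, which ATT&CK covers under T1078 (Valid Accounts) for persistence and initial access, whereas the Impact tactic is for destruction, manipulation or denial of service. Consider `- attack.persistence` / `- attack.t1078` so the rule keeps a technique-level tag. The description added in the first hunk is the rule's only documentation and is hard to read ('reported for users whose account were terminated'); a wording such as 'Detects a Microsoft Cloud App Security alert for a user whose Azure AD account was terminated but who is still performing activity in another connected platform (e.g. AWS or Salesforce)' would be clearer. `falsepositives: - Unknown` could name the ordinary cause, a deprovisioning lag or a shared account that was not tied to the departed user.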
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious OAuth app file download activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
 author: Austin Songer @austinsonger
-date: 2021/08/22
+date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
\ No newline at end of file
From 754158bfd24c2c0dd965a8ebadcb132df33e9e9d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:18:12 +0000
Subject: [PATCH 070/108] Update
---
 ...5_activity_from_anonymous_ip_addresses.yml | 24 +++++++++++++++++++
 ...ft365_activity_from_infrequent_country.yml | 10 ++++----
 ...rosoft365_from_suspicious_ip_addresses.yml | 10 ++++----
 ...ous_oauth_app_file_download_activities.yml | 3 ++-
 4 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
new file mode 100644
index 00000000..697d6f8d
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
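Review bot: After the second hunk the rule carries only the tactic tag `attack.exfiltration` and no technique; the behaviour the first hunk's description ties it to (an OAuth app pulling many files from SharePoint or OneDrive) is T1530 (Data from Cloud Storage), and because the actor is a consented app rather than the user, T1528 (Steal Application Access Token) describes how such an app usually got its access, so `- attack.collection` / `- attack.t1530` would make the mapping actionable. `falsepositives: - Unknown` could list sanctioned backup, eDiscovery or migration apps that legitimately bulk-download, which is the obvious benign trigger of this MCAS policy. The `eventName` the selection keys on sits outside these hunks; it is an exact string match, so it should be checked against the MCAS policy name verbatim.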
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity from anonymous IP addresses
+id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Activity from anonymous IP addresses"
+ status: success
+ condition: selection
+falsepositives:
+ - User using a VPN or Proxy
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 6e161f7d..8e155919 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Activity from infrequent country
 id: 0f2468a2-5055-4212-a368-7321198ee706
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
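Review bot: The new rule maps user activity from an anonymising proxy to `attack.command_and_control` / `attack.t1573` (Encrypted Channel), but T1573 is about encrypting implant C2 traffic and says nothing about anonymisers; the closer mappings are T1090.003 (Proxy: Multi-hop Proxy) for the proxy aspect and T1078 (Valid Accounts), since a signed-in account rather than malware is the subject, so consider `- attack.initial_access` / `- attack.t1078` / `- attack.t1090.003`. The same tag pair is reused on the infrequent-country rule further down this line, where even the proxy angle does not apply, which suggests it was copied rather than chosen. The selection is an exact match on `eventName: "Activity from anonymous IP addresses"`, so a rename of the MCAS policy silently disables the rule. The field names `eventSource`/`eventName`/`status` follow CloudTrail conventions rather than the M365 unified audit log schema (`Workload`/`Operation`/`ResultStatus`), so confirm they match the repository's m365 field mapping before the rule is relied on.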
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 36f5e305..4ade854a 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Activity from suspicious IP addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatDetection
 service: m365
 detection:
 selection:
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1573
\ No newline at end of file
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index 91cbe32c..906cd100 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
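Review bot: `category: ThreatDetection` in the suspicious-IP-addresses hunk differs from the `category: ThreatManagement` set on every sibling rule in this commit (anonymous IP, infrequent country, OAuth download, inbox forwarding); unless MCAS risky-IP alerts really arrive through a different source this is a typo that would point the rule at a logsource mapping that does not exist, so it should read `category: ThreatManagement`. The `attack.command_and_control` / `attack.t1573` pair applied to both the infrequent-country and suspicious-IP rules on this line mislabels them: an existing user signing in from an unusual country or a TI-flagged address is T1078 (Valid Accounts), which the suspicious-IP description itself hints at with 'may indicate compromised account', not an encrypted C2 channel. `falsepositives: - Unknown` on both rules could name the routine triggers: travel, a new branch or cloud egress range, or a VPN exit the user has not used before.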
@@ -20,4 +20,5 @@ falsepositives: - Unknown level: medium tags: - - attack.exfiltration \ No newline at end of file + - attack.exfiltration + \ No newline at end of file From 53482b7e9cb9d2fc05f5de477d0463cebd93074b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:19:41 +0000 Subject: [PATCH 071/108] Update --- ...crosoft365_activity_by_terminated_user.yml | 2 +- ...5_activity_from_anonymous_ip_addresses.yml | 2 +- ...ft365_activity_from_infrequent_country.yml | 2 +- ...icrosoft365_activity_from_ip_addresses.yml | 24 ------------------- ...rosoft365_from_suspicious_ip_addresses.yml | 2 +- ...crosoft365_suspicious_inbox_forwarding.yml | 2 +- ...ous_oauth_app_file_download_activities.yml | 1 - 7 files changed, 5 insertions(+), 30 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 037dcd00..5b2e2df9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -20,4 +20,4 @@ falsepositives: - Unknown level: medium tags: - - attack.impact \ No newline at end of file + - attack.impact diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 697d6f8d..a46219e1 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 8e155919..3d7862fa 100644 
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml deleted file mode 100644 index ac34cd56..00000000 --- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Microsoft 365 - Activity from anonymous IP addresses -id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 -status: experimental -description: Detects when a Microsoft Cloud App Security reported -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Activity from anonymous IP addresses" - status: success - condition: selection -falsepositives: - - -level: medium -tags: - - attack.initial_access - - \ No newline at end of file diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 4ade854a..8c703557 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1573 \ No newline at end of file + - attack.t1573 diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index e583f123..7910c62c 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml 
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -21,4 +21,4 @@ falsepositives: level: low tags: - attack.exfiltration - - attack.t1020 \ No newline at end of file + - attack.t1020 diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 906cd100..3ba0e326 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -21,4 +21,3 @@ falsepositives: level: medium tags: - attack.exfiltration - \ No newline at end of file From 84944cf84965ecba07daf0e7e50ca7cc60830443 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:30:11 +0000 Subject: [PATCH 072/108] Update --- rules/cloud/m365/microsoft365_activity_by_terminated_user.yml | 2 +- .../m365/microsoft365_activity_from_anonymous_ip_addresses.yml | 2 +- .../m365/microsoft365_activity_from_infrequent_country.yml | 2 +- .../m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +- rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml | 2 +- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +- rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml | 2 +- ...crosoft365_suspicious_oauth_app_file_download_activities.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 5b2e2df9..738af6e9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity performed by terminated user +title: Activity performed by terminated user id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index a46219e1..cf1cb871 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from anonymous IP addresses +title: Activity from anonymous IP addresses id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 3d7862fa..9c8a433f 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from infrequent country +title: Activity from infrequent country id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. 
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index a758f328..09256f6a 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 Data exfiltration to unsanctioned apps +title: Data exfiltration to unsanctioned apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 8c703557..1714b0cd 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Activity from suspicious IP addresses +title: Activity from suspicious IP addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index f841b3dd..99950ddc 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml 
@@ -1,4 +1,4 @@ -title: Microsoft 365 Log on from a risky IP address +title: Logon from a risky IP address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 7910c62c..5975e8b3 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Suspicious inbox forwarding +title: Suspicious inbox forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 3ba0e326..29944ff4 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Microsoft 365 - Suspicious OAuth app file download activities +title: Suspicious OAuth app file download activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. From ad892eb239f10cafd6634c4fa6c17c9439391506 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 22:46:37 +0000 Subject: [PATCH 073/108] Update --- .../m365/m365_activity_by_terminated_user.yml | 23 +++++++++++++++++++ ..._activity_from_anonymous_ip_addresses.yml} | 0 ...m365_activity_from_infrequent_country.yml} | 0 ...data_exfiltration_to_unsanctioned_app.yml} | 0 ... => m365_from_suspicious_ip_addresses.yml} | 0 ...l => m365_logon_from_risky_ip_address.yml} | 0 ...l => m365_suspicious_inbox_forwarding.yml} | 0 ...us_oauth_app_file_download_activities.yml} | 0 8 files changed, 23 insertions(+) create mode 100644 rules/cloud/m365/m365_activity_by_terminated_user.yml rename rules/cloud/m365/{microsoft365_activity_from_anonymous_ip_addresses.yml => m365_activity_from_anonymous_ip_addresses.yml} (100%) rename rules/cloud/m365/{microsoft365_activity_from_infrequent_country.yml => m365_activity_from_infrequent_country.yml} (100%) rename rules/cloud/m365/{microsoft365_data_exfiltration_to_unsanctioned_app.yml => m365_data_exfiltration_to_unsanctioned_app.yml} (100%) rename rules/cloud/m365/{microsoft365_from_suspicious_ip_addresses.yml => m365_from_suspicious_ip_addresses.yml} (100%) rename rules/cloud/m365/{microsoft365_logon_from_risky_ip_address.yml => m365_logon_from_risky_ip_address.yml} (100%) rename rules/cloud/m365/{microsoft365_suspicious_inbox_forwarding.yml => m365_suspicious_inbox_forwarding.yml} (100%) rename rules/cloud/m365/{microsoft365_suspicious_oauth_app_file_download_activities.yml => m365_suspicious_oauth_app_file_download_activities.yml} (100%) diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/m365_activity_by_terminated_user.yml new file mode 100644 index 00000000..738af6e9 --- /dev/null +++ b/rules/cloud/m365/m365_activity_by_terminated_user.yml 
@@ -0,0 +1,23 @@
+title: Activity performed by terminated user
+id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Activity performed by terminated user"
+ status: success
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
rename to rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/m365_activity_from_infrequent_country.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
rename to rules/cloud/m365/m365_activity_from_infrequent_country.yml
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
similarity index 100%
rename from rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
rename to rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml
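Review bot: This commit adds `m365_activity_by_terminated_user.yml` as a brand-new file while the original `microsoft365_activity_by_terminated_user.yml` carrying the same `id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee` still exists (it is only deleted in the following commit), so at this commit two rules share one UUID; Sigma's rule tests check for duplicate ids, so CI on this intermediate state is likely to fail and a bisect through it will be noisy. The other seven rules in the same commit are handled as `similarity index 100%` renames, so doing the same here (`git mv`) or squashing this commit with the following deletion would avoid the duplicate. The series then renames all eight files back from the `m365_` prefix to `microsoft365_` two commits later, so both rename commits cancel out and could be dropped before merge.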
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml similarity index 100% rename from rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml rename to rules/cloud/m365/m365_from_suspicious_ip_addresses.yml diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/m365_logon_from_risky_ip_address.yml similarity index 100% rename from rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml rename to rules/cloud/m365/m365_logon_from_risky_ip_address.yml diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml similarity index 100% rename from rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml rename to rules/cloud/m365/m365_suspicious_inbox_forwarding.yml diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml similarity index 100% rename from rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml rename to rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml From 29e1ce7e8f32f85584432f023b9a44747e40a330 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 22:50:39 +0000 Subject: [PATCH 074/108] Update --- ...crosoft365_activity_by_terminated_user.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_activity_by_terminated_user.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml deleted file mode 100644 index 738af6e9..00000000 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Activity performed by terminated user -id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee -status: experimental -description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: ThreatManagement - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Activity performed by terminated user" - status: success - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.impact From c0e58d3c276ba3a9de7bc2e01af4ed554d8e5a5b Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Mon, 23 Aug 2021 23:00:58 +0000 Subject: [PATCH 075/108] Update --- ...ed_user.yml => microsoft365_activity_by_terminated_user.yml} | 2 +- ...ml => microsoft365_activity_from_anonymous_ip_addresses.yml} | 2 +- ...ry.yml => microsoft365_activity_from_infrequent_country.yml} | 2 +- ...l => microsoft365_data_exfiltration_to_unsanctioned_app.yml} | 2 +- ...resses.yml => microsoft365_from_suspicious_ip_addresses.yml} | 2 +- ...address.yml => microsoft365_logon_from_risky_ip_address.yml} | 2 +- ...warding.yml => microsoft365_suspicious_inbox_forwarding.yml} | 2 +- ...rosoft365_suspicious_oauth_app_file_download_activities.yml} | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) rename rules/cloud/m365/{m365_activity_by_terminated_user.yml => microsoft365_activity_by_terminated_user.yml} (95%) rename rules/cloud/m365/{m365_activity_from_anonymous_ip_addresses.yml => microsoft365_activity_from_anonymous_ip_addresses.yml} (94%) rename rules/cloud/m365/{m365_activity_from_infrequent_country.yml => microsoft365_activity_from_infrequent_country.yml} (95%) rename rules/cloud/m365/{m365_data_exfiltration_to_unsanctioned_app.yml => microsoft365_data_exfiltration_to_unsanctioned_app.yml} (94%) rename rules/cloud/m365/{m365_from_suspicious_ip_addresses.yml => microsoft365_from_suspicious_ip_addresses.yml} (95%) rename rules/cloud/m365/{m365_logon_from_risky_ip_address.yml => microsoft365_logon_from_risky_ip_address.yml} (95%) rename rules/cloud/m365/{m365_suspicious_inbox_forwarding.yml => microsoft365_suspicious_inbox_forwarding.yml} (95%) rename rules/cloud/m365/{m365_suspicious_oauth_app_file_download_activities.yml => microsoft365_suspicious_oauth_app_file_download_activities.yml} (93%) 
diff --git a/rules/cloud/m365/m365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml similarity index 95% rename from rules/cloud/m365/m365_activity_by_terminated_user.yml rename to rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index 738af6e9..c24d42b6 100644 --- a/rules/cloud/m365/m365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -1,4 +1,4 @@ -title: Activity performed by terminated user +title: Activity Performed by Terminated User id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: experimental description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. diff --git a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml similarity index 94% rename from rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml rename to rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index cf1cb871..7b3a7271 100644 --- a/rules/cloud/m365/m365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Activity from anonymous IP addresses +title: Activity from Anonymous IP Addresses id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: experimental description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. 
diff --git a/rules/cloud/m365/m365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml similarity index 95% rename from rules/cloud/m365/m365_activity_from_infrequent_country.yml rename to rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9c8a433f..9aa5ab39 100644 --- a/rules/cloud/m365/m365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -1,4 +1,4 @@ -title: Activity from infrequent country +title: Activity from Infrequent Country id: 0f2468a2-5055-4212-a368-7321198ee706 status: experimental description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. diff --git a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml similarity index 94% rename from rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml rename to rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 09256f6a..831a15ed 100644 --- a/rules/cloud/m365/m365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -1,4 +1,4 @@ -title: Data exfiltration to unsanctioned apps +title: Data Exfiltration to Unsanctioned Apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: experimental description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. 
diff --git a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml similarity index 95% rename from rules/cloud/m365/m365_from_suspicious_ip_addresses.yml rename to rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 1714b0cd..9be142d8 100644 --- a/rules/cloud/m365/m365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -1,4 +1,4 @@ -title: Activity from suspicious IP addresses +title: Activity from Suspicious IP Addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. diff --git a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml similarity index 95% rename from rules/cloud/m365/m365_logon_from_risky_ip_address.yml rename to rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 99950ddc..55d1b405 100644 --- a/rules/cloud/m365/m365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -1,4 +1,4 @@ -title: Logon from a risky IP address +title: Logon from a Risky IP Address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: experimental description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. diff --git a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml similarity index 95% rename from rules/cloud/m365/m365_suspicious_inbox_forwarding.yml rename to rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 5975e8b3..513e4f1b 100644 
--- a/rules/cloud/m365/m365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -1,4 +1,4 @@ -title: Suspicious inbox forwarding +title: Suspicious Inbox Forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: experimental description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. diff --git a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml similarity index 93% rename from rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml rename to rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 29944ff4..6dbc4be4 100644 --- a/rules/cloud/m365/m365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -1,4 +1,4 @@ -title: Suspicious OAuth app file download activities +title: Suspicious OAuth App File Download Activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: experimental description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. From 8382bbfe09a0ee3f6e154842e393305e5b383b54 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:37:46 -0500 Subject: [PATCH 076/108] Create gworkspace_user_assigned_admin_role.yml --- rules/gworkspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/gworkspace_user_assigned_admin_role.yml diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml new file mode 100644 index 00000000..09cfcc4f --- /dev/null 
+++ b/rules/gworkspace_user_assigned_admin_role.yml @@ -0,0 +1,21 @@ +title: Google Workspace User Assigned Admin Role +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an admin role is assigned to a Google Workspace user. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + admin.alert.name: google.admin.AdminService.grantAdminPrivilege + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role assigned, may be modified by system administrators. From c767da91d13062c892c76040dc414f8c55ba241c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:01 -0500 Subject: [PATCH 077/108] Delete gworkspace_user_assigned_admin_role.yml --- rules/gworkspace_user_assigned_admin_role.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/gworkspace_user_assigned_admin_role.yml diff --git a/rules/gworkspace_user_assigned_admin_role.yml b/rules/gworkspace_user_assigned_admin_role.yml deleted file mode 100644 index 09cfcc4f..00000000 --- a/rules/gworkspace_user_assigned_admin_role.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Google Workspace User Assigned Admin Role -id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an admin role is assigned to a Google Workspace user. -author: Austin Songer -status: experimental -date: 2021/08/23 -references: - - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 -logsource: - service: google_workspace.admin -detection: - selection: - eventService: admin.googleapis.com - admin.alert.name: google.admin.AdminService.grantAdminPrivilege - condition: selection -level: medium -tags: - - attack.persistence - - attack.t1098 -falsepositives: - - Google Workspace admin role assigned, may be modified by system administrators. From 6b1f0b83f424ba88aec537a42d322a4008b65f04 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:47 -0500 Subject: [PATCH 078/108] Create workspace_user_assigned_admin_role.yml --- .../workspace_user_assigned_admin_role.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml new file mode 100644 index 00000000..09cfcc4f --- /dev/null +++ b/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml 
@@ -0,0 +1,21 @@ +title: Google Workspace User Assigned Admin Role +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an admin role is assigned to a Google Workspace user. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + admin.alert.name: google.admin.AdminService.grantAdminPrivilege + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role assigned, may be modified by system administrators. From 3dd201d36f694a4e477858bf99e7a118cd3ef5f2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:38:58 -0500 Subject: [PATCH 079/108] Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml --- ...ned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/gworkspace/{workspace_user_assigned_admin_role.yml => gworkspace_user_assigned_admin_role.yml} (100%) diff --git a/rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml similarity index 100% rename from rules/cloud/gworkspace/workspace_user_assigned_admin_role.yml rename to rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml From ede0332f222de278d3e14ed0d099fc34cf5db0a1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:40:20 -0500 Subject: [PATCH 080/108] Delete microsoft365_suspicious_inbox_manipulation_rules.yml --- ...65_suspicious_inbox_manipulation_rules.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml 
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml deleted file mode 100644 index 5bcdf480..00000000 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_manipulation_rules.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Microsoft 365 - Suspicious inbox manipulation rules -id: d2001772-f43f-4def-86d3-a9d5c47588c0 -status: experimental -description: Detects when a Microsoft Cloud App Security reported for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. -author: Austin Songer @austinsonger -date: 2021/08/23 -references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference -logsource: - category: ThreatManagement - service: m365 -detection: - selection: - eventSource: SecurityComplianceCenter - eventName: "Suspicious inbox manipulation rules" - status: success - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.exfiltration - - attack.t1020.001 \ No newline at end of file From 0fe2b3f5695a2ca9b1bb5d2dd0cd478555f810c0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:52:32 -0500 Subject: [PATCH 081/108] Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml --- ....yml => gworkspace_user_granted_admin_privileges.yml} | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) rename rules/cloud/gworkspace/{gworkspace_user_assigned_admin_role.yml => gworkspace_user_granted_admin_privileges.yml} (51%) 
diff --git a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml similarity index 51% rename from rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml rename to rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index 09cfcc4f..39d05f14 100644 --- a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -1,21 +1,22 @@ -title: Google Workspace User Assigned Admin Role +title: Google Workspace User Granted Admin Privileges id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an admin role is assigned to a Google Workspace user. +description: Detects when an Google Workspace user is granted admin privileges. author: Austin Songer status: experimental date: 2021/08/23 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE logsource: service: google_workspace.admin detection: selection: eventService: admin.googleapis.com - admin.alert.name: google.admin.AdminService.grantAdminPrivilege + eventName: GRANT_ADMIN_PRIVILEGE condition: selection level: medium tags: - attack.persistence - attack.t1098 falsepositives: - - Google Workspace admin role assigned, may be modified by system administrators. + - Google Workspace admin role privileges, may be modified by system administrators. From aa7a8a3e71446183c861fb0bab850fb3555aafc5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 19:58:20 -0500 Subject: [PATCH 082/108] Update gworkspace_user_granted_admin_privileges.yml --- .../gworkspace/gworkspace_user_granted_admin_privileges.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index 39d05f14..c0b1f470 100644 --- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -12,7 +12,9 @@ logsource: detection: selection: eventService: admin.googleapis.com - eventName: GRANT_ADMIN_PRIVILEGE + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE condition: selection level: medium tags: From 3cd43bfd9b04f18fb84620a853f74351e62700a3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 21:19:44 -0500 Subject: [PATCH 083/108] Create gworkspace_granted_domain_api_access.yml --- .../gworkspace_granted_domain_api_access.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml new file mode 100644 index 00000000..8857a874 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -0,0 +1,23 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +description: Detects when an API access service account is granted domain authority. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +level: medium +tags: + - attack.persistence + - atack.t1098 +falsepositives: + - Unknown + 
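Review bot: In the new gworkspace_granted_domain_api_access.yml, `falsepositives: - Unknown` understates a routine administrative action: authorizing an API client for domain-wide access is what administrators do when onboarding a service account, so the rule will fire on legitimate onboarding and the entry should say so, e.g. `- Legitimate domain-wide delegation configured by administrators when onboarding a service account.`. Since the description itself says the client is granted domain authority, `level: medium` looks low for what amounts to tenant-wide persistence; `level: high` seems more in keeping with the impact unless the authors have a reason for medium. The hunk also ends with a stray blank added line after `- Unknown`, which the repository's YAML checks may flag.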
From facd58bd0ad5972bb8c723075b38b01f2a0e8b67 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 23 Aug 2021 21:19:51 -0500 Subject: [PATCH 084/108] Delete gworkspace_user_granted_admin_privileges.yml --- ...orkspace_user_granted_admin_privileges.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml deleted file mode 100644 index c0b1f470..00000000 --- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Google Workspace User Granted Admin Privileges -id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an Google Workspace user is granted admin privileges. -author: Austin Songer -status: experimental -date: 2021/08/23 -references: - - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE -logsource: - service: google_workspace.admin -detection: - selection: - eventService: admin.googleapis.com - eventName: - - GRANT_DELEGATED_ADMIN_PRIVILEGES - - GRANT_ADMIN_PRIVILEGE - condition: selection -level: medium -tags: - - attack.persistence - - attack.t1098 -falsepositives: - - Google Workspace admin role privileges, may be modified by system administrators. From 9e588fdcf68ba9fc485e03bcf4a7fd10e8d81b75 Mon Sep 17 00:00:00 2001 
From: neu5ron Date: Tue, 24 Aug 2021 00:58:36 -0400 Subject: [PATCH 085/108] Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups. --- ...pc_printnightmare_print_driver_install.yml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml new file mode 100644 index 00000000..390edb4d --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -0,0 +1,45 @@ +title: Possible PrintNightmare Print Driver Install +id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8 +description: | + Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). + The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. +author: '@neu5ron (Nate Guagenti)' +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 + - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + - https://github.com/corelight/CVE-2021-1675 + - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml + - https://old.zeek.org/zeekweek2019/slides/bzar.pdf + - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - +tags: + - attack.execution + - cve.2021-1675 + - cve.2021-1678 +logsource: + product: zeek + service: dce_rpc +detection: + printer_operation: + operation: + - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + condition: printer_operation +falsepositives: + - Legitimate remote alteration of a printer driver. +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid +status: stable \ No newline at end of file 
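Review bot: `status: stable` on a brand-new rule is out of step with the convention the other new rules in this series follow (`status: experimental`); suggest `status: experimental` until the rule has had field exposure. The metadata is internally inconsistent: the description names only CVE-2021-1675, the tags add cve.2021-1675 and cve.2021-1678, and the references include the MSRC entry for CVE-2021-34527, so the description should state which of these the operation list is meant to cover, e.g. `Detects the remote installation of a print driver, a possible indication of PrintNightmare exploitation (CVE-2021-1675 / CVE-2021-34527).`. The match is on the named `operation` field, which presumably depends on Zeek's consts.zeek (cited in the references) carrying the MS-RPRN/MS-PAR opnum-to-name mapping for these interfaces; if a deployment's Zeek predates that mapping the field would hold a raw opnum and none of the listed names would match, a limitation worth noting in the description.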
From d8befe3a13f29b100b78c5f9534b769124a5c3d2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:34:33 +0200 Subject: [PATCH 086/108] Update References --- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index 8857a874..e1602e38 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/23 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS logsource: service: google_workspace.admin detection: From be43ecd70db63098b7209f2e596ef68c4978ca74 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:57:16 +0200 Subject: [PATCH 087/108] Remove empty element in list Otherwise get a `null` when convert to some backend (es-rule,...) --- .../zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 390edb4d..e6e84085 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -13,7 +13,6 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ - - tags: - attack.execution - cve.2021-1675 @@ -42,4 +41,4 @@ fields: - endpoint - named_pipe - uid -status: stable \ No newline at end of file +status: stable From 8ab90d801293189a4486e2d8a397ffe1d9396db1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 07:59:36 +0200 Subject: [PATCH 088/108] add modified --- rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index 97460495..ed328eeb 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -2,7 +2,8 @@ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic author: Bhabesh Raj -date: 2021/08/26 +date: 2021/06/23 +modified: 2021/08/24 references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: From 4ee4f12f308f2da69cad4ab135f7ad9a433c86a0 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 08:01:01 +0200 Subject: [PATCH 089/108] add modified --- rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index a8853b8e..c4ee427d 100644 
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -9,7 +9,8 @@ references: tags: - attack.lateral_movement - attack.t1021.002 -date: 2021/08/23 +date: 2018/11/28 +modified: 2021/08/23 logsource: product: zeek service: smb_files From 15aa0cb70ee920560b2476f049663053fc6be551 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 08:02:24 +0200 Subject: [PATCH 090/108] add modified --- rules/network/zeek/zeek_dns_mining_pools.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index 91d87824..c6d11204 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -4,6 +4,7 @@ description: Identifies clients that may be performing DNS lookups associated wi references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml date: 2021/08/19 +modified: 2021/08/23 author: Saw Winn Naung, Azure-Sentinel, @neu5ron level: low logsource: From 272625a0052f6c0ecfa07b687a4452177bfa51f8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 08:34:08 +0200 Subject: [PATCH 091/108] Update win_susp_splwow64.yml --- rules/windows/process_creation/win_susp_splwow64.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml index 3695fcec..38c4a4da 100644 --- a/rules/windows/process_creation/win_susp_splwow64.yml +++ b/rules/windows/process_creation/win_susp_splwow64.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '\splwow64.exe' filter: - CommandLine|contains: 'splwow64.exe ' + CommandLine|endswith: 'splwow64.exe' condition: selection and not filter falsepositives: - Unknown 
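Review bot: In win_susp_splwow64.yml the new filter `CommandLine|endswith: 'splwow64.exe'` misses the quoted, argument-less launch form: a command line such as `"C:\Windows\splwow64.exe"` ends in a quote, so it escapes the filter and the rule fires on a benign start. The filter should list both endings: `CommandLine|endswith:` / `- 'splwow64.exe'` / `- 'splwow64.exe"'`. The rule header (title, date, modified) is outside the hunk; if the rule carries a `modified` field it should be bumped, as the "add modified" commits in this series do for other rules.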
From 8f85ac0fdefa0966399c9f71b0f7116851a644a1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 09:35:04 +0200 Subject: [PATCH 092/108] tags update --- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- rules/web/web_cve_2018_2894_weblogic_exploit.yml | 2 +- rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 2 +- rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml | 2 +- rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e1602e38..0b09904b 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -17,7 +17,7 @@ detection: level: medium tags: - attack.persistence - - atack.t1098 + - attack.t1098 falsepositives: - Unknown diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index cb39d1fb..b2fcd3e7 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -9,6 +9,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 - https://github.com/LandGrey/CVE-2018-2894 + - https://nvd.nist.gov/vuln/detail/cve-2018-2894 logsource: category: webserver detection: @@ -26,5 +27,4 @@ tags: - attack.t1190 - attack.initial_access - attack.persistence - - cve.2018-2894 - attack.t1505.003 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index 8fb1ae92..f7ac95eb 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml 
@@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452 - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter + - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 logsource: category: webserver detection: @@ -34,4 +35,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-3452 diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml index 476408c2..df17a5de 100644 --- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -7,6 +7,7 @@ date: 2021/01/20 references: - https://twitter.com/pyn3rd/status/1351696768065409026 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw + - https://nvd.nist.gov/vuln/detail/cve-2021-2109 logsource: category: webserver detection: @@ -26,4 +27,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2021-2109 diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 8a240ab4..9da58de5 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -8,6 +8,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 - https://twitter.com/wugeej/status/1369476795255320580 - https://paper.seebug.org/1495/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-21978 logsource: category: webserver detection: @@ -27,4 +28,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file From c2302a15dadc1063687846c8aaa1026633a4e778 Mon Sep 17 00:00:00 2001 
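Review bot: The NVD references added in this commit mix identifier case — `cve-2018-2894` and `cve-2021-2109` lowercase, `CVE-2020-3452` and `CVE-2021-21978` uppercase — which makes the URLs harder to grep and compare now that the machine-readable `cve.` tags are being dropped in their favour. Use the canonical uppercase form everywhere, e.g. `- https://nvd.nist.gov/vuln/detail/CVE-2018-2894`. Since these references become the only CVE linkage left on the rules, consistency here matters more than it did for free-text reference lists.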
From: frack113 Date: Tue, 24 Aug 2021 10:10:45 +0200 Subject: [PATCH 093/108] fix cve tags --- .../web_cve_2020_14882_weblogic_exploit.yml | 2 +- rules/web/web_cve_2021_26814_wzuh_rce.yml | 2 +- ...terramaster_cve_2020_28188_rce_exploit.yml | 2 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- tests/test_rules.py | 21 +++++++++++++++++++ 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index 14afc0d1..cb3545ad 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -10,6 +10,7 @@ references: - https://isc.sans.edu/diary/26734 - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 + - https://nvd.nist.gov/vuln/detail/cve-2020-14882 logsource: category: webserver detection: @@ -28,4 +29,3 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access - - cve.2020-14882 diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml index 672226f4..03012d37 100644 --- a/rules/web/web_cve_2021_26814_wzuh_rce.yml +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml @@ -7,6 +7,7 @@ date: 2021/05/22 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py + - https://nvd.nist.gov/vuln/detail/cve-2021-21978 logsource: category: webserver detection: @@ -22,4 +23,3 @@ level: high tags: - attack.initial_access - attack.t1190 - - cve.2021-21978 \ No newline at end of file diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml index 931e2389..73316e52 100644 --- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml +++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml 
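Review bot: In web_cve_2021_26814_wzuh_rce.yml the added reference `https://nvd.nist.gov/vuln/detail/cve-2021-21978` points at the wrong vulnerability: the file name, the existing `cvename.cgi?name=2021-26814` reference and the WickdDavid PoC URL all identify CVE-2021-26814 (Wazuh), while 21978 is the VMware View Planner issue from a sibling rule. The removed tag `cve.2021-21978` already carried that copy-paste error, and this commit preserves it in the new reference instead of fixing it. The line should read `- https://nvd.nist.gov/vuln/detail/CVE-2021-26814`.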
@@ -8,6 +8,7 @@ references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-28188 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ + - https://nvd.nist.gov/vuln/detail/cve-2020-28188 logsource: category: webserver detection: @@ -34,4 +35,3 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2020-28188 diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index f2ec067c..d0117429 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -9,12 +9,12 @@ modified: 2021/08/06 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ + - https://nvd.nist.gov/vuln/detail/cve-2021-33771 + - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 - - cve.2021-33771 - - cve.2021-31979 - threat_group.Sourgum falsepositives: - Unlikely diff --git a/tests/test_rules.py b/tests/test_rules.py index d34bd849..eefaad4a 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
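Review bot: In web_terramaster_cve_2020_28188_rce_exploit.yml the added `https://nvd.nist.gov/vuln/detail/cve-2020-28188` duplicates the `https://nvd.nist.gov/vuln/detail/CVE-2020-28188` reference already present two lines above, differing only in case. The new line should be dropped rather than added; the existing uppercase form is the canonical one.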
@@ -72,6 +72,27 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + + def test_optional_tags(self): + files_with_incorrect_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag.startswith("attack."): + continue + elif tag.startswith("car."): + continue + elif tag.startswith("cve."): + print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) + # files_with_incorrect_tags.append(file) + else: + print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + # files_with_incorrect_tags.append(file) + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] From ace46c17bee09d8d331dcd22d5551b2516d26773 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:27:27 +0200 Subject: [PATCH 094/108] Update cve tags --- .../win_exploit_cve_2021_1675_printspooler.yml | 2 +- ...xploit_cve_2021_1675_printspooler_Security.yml | 4 ++-- ...oit_cve_2021_1675_printspooler_operational.yml | 2 +- .../driver_load/sysmon_vuln_dell_driver_load.yml | 3 ++- .../win_cve_2021_1675_printspooler_del.yml | 11 +++++------ .../image_load/sysmon_spoolsv_dll_load.yml | 15 ++++++--------- .../win_susp_servu_process_pattern.yml | 3 ++- 7 files changed, 19 insertions(+), 21 deletions(-) 
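Review bot: test_optional_tags can never fail as written: both branches that find a bad tag only print, because the `files_with_incorrect_tags.append(file)` calls are commented out, so the final assertEqual always compares an empty list (patch 095 on this page later enables only the `cve.` one). If print-only is meant as a transition period, say so in a comment above the loop; otherwise enable the appends. The messages also need rewording — `"Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)"` reads as a question, something like `"Rule {} has the cve tag <{}>; replace it with a reference to https://nvd.nist.gov/vuln/detail/<id>"` is clearer — and the assertion text copied from the MITRE test ("incorrect/unknown MITRE Tags ... attack.mitre.org") is misleading for cve and unknown tags. `for tag in tags` presumably assumes get_rule_part returns a list; a scalar `tags:` value would be iterated character by character, so an `isinstance(tags, list)` guard would give a clearer failure. The method belongs to class TestRules, whose definition starts outside the hunk.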
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 62e12357..26866f88 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml index ce921b98..d36b0ea4 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 9b2fa174..4fbbee51 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml 
@@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution - - cve.2021-1675 logsource: product: windows service: printservice-operational diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index 21868b8a..ea92afb4 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -5,11 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ + - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - - cve.2021-21551 + - attack.privilege_escalation detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 1b97f004..397a66b1 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml 
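Review bot: sysmon_vuln_dell_driver_load.yml changes the rule's tags (`cve.2021-21551` → `attack.privilege_escalation`) and references without adding a `modified:` date, while win_cve_2021_1675_printspooler_del.yml and sysmon_spoolsv_dll_load.yml in the same commit do bump `modified: 2021/08/24`; the same omission applies to the three printspooler hunks above, to win_susp_servu_process_pattern.yml, and to the tag swaps in the next commit (win_cve_2021_1675_printspooler.yml, sysmon_registry_susp_printer_driver.yml). Consumers that key on `modified` to pick up rule changes will miss these tag updates. Add `modified: 2021/08/24` after the `date:` line in each of them.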
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 logsource: category: file_delete product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\' + Image|endswith: 'spoolsv.exe' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index e51c20cd..38e94f80 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml @@ -4,27 +4,24 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 -modified: 2021/07/08 +modified: 2021/08/24 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - - cve.2021-1675 - - cve.2021-34527 logsource: category: image_load product: windows detection: selection: - Image|endswith: - - 'spoolsv.exe' - ImageLoaded|contains: - - '\Windows\System32\spool\drivers\x64\3\' - ImageLoaded|endswith: - - '.dll' + Image|endswith: 'spoolsv.exe' + ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\' + ImageLoaded|endswith: '.dll' condition: selection falsepositives: - Loading of legitimate driver 
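Review bot: The scalar rewrite in win_cve_2021_1675_printspooler_del.yml keeps `Image|endswith: 'spoolsv.exe'` without a leading path separator, so any image whose name merely ends in `spoolsv.exe` also matches; the process-creation rules elsewhere in this series anchor on the separator (`ParentImage|endswith: '\RazerInstaller.exe'`). Use `Image|endswith: '\spoolsv.exe'` here and in the sysmon_spoolsv_dll_load.yml hunk on this line. The list-to-scalar change itself is behaviour-preserving and the added `modified:` dates are correct.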
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 097a6ae6..90b50893 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml @@ -6,11 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - - cve.2021-35211 + - attack.credential_access detection: selection: ParentImage|endswith: '\Serv-U.exe' From 5b869a3f427e5a7931d047f5ef4e2eedbf712305 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 10:50:01 +0200 Subject: [PATCH 095/108] Update cve tags --- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 2 +- .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 4 ++-- .../windows/file_event/sysmon_cve_2021_26858_msexchange.yml | 2 +- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 3 ++- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- .../process_creation/sysmon_cve_2021_26857_msexchange.yml | 2 +- .../win_susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../registry_event/sysmon_registry_susp_printer_driver.yml | 3 ++- .../win_registry_mimikatz_printernightmare.yml | 6 +++--- tests/test_rules.py | 2 +- 10 files changed, 15 insertions(+), 13 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index e307a025..da9e53df 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
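Review bot: Replacing `cve.2021-35211` with `attack.credential_access` in win_susp_servu_process_pattern.yml gives this rule a different tactic from its sibling win_susp_servu_exploitation_cve_2021_35211.yml (tagged `attack.persistence` / `attack.t1136.001` in the next commit), although both detect follow-on activity from the same Serv-U vulnerability; the selection here (a child process of `\Serv-U.exe`) reads as exploitation of a public-facing application rather than credential access. Consider `attack.initial_access` and `attack.t1190` instead, or at least align the two rules' tags so analysts can pivot between them.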
@@ -10,13 +10,13 @@ date: 2021/02/01 references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit + - https://nvd.nist.gov/vuln/detail/cve-2021-3156 falsepositives: - Unknown level: critical tags: - attack.privilege_escalation - attack.t1068 - - cve.2021-3156 logsource: product: linux service: auditd diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index e6e84085..adf32660 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -13,10 +13,10 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1678 tags: - attack.execution - - cve.2021-1675 - - cve.2021-1678 logsource: product: zeek service: dce_rpc diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 0b4ba06e..84390c48 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -9,11 +9,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26858 logsource: category: file_event product: windows 
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 60ee7dca..9f426abd 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,11 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - - cve.2021-1675 + - attack.privilege_escalation logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index 47292ac6..ea5cc888 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,11 +9,11 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 + - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - - cve.2021-36934 - attack.credential_access - attack.t1552.001 detection: diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index 42028896..b0102bf5 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml 
@@ -8,11 +8,11 @@ level: critical references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution - - cve.2021-26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 78f543ac..f6208a36 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,13 +6,13 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ + - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 - - cve.2021-35211 - threat_group.DEV-0322 detection: selection1: diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 542bd527..ad3f790d 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -4,10 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - - cve.2021-1675 + - attack.privilege_escalation logsource: category: registry_event product: windows 
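Review bot: `date: 2020/07/01` in sysmon_registry_susp_printer_driver.yml predates the vulnerability the added reference points at (CVE-2021-1675); the other PrintNightmare rules in this series are dated 2021/06/29–2021/07/04, so this looks like a typo for `date: 2021/07/01`. It is a context line, but this commit already rewrites the surrounding header, so fix it here rather than leaving a rule that claims to predate the CVE it references.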
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 44c2e943..db8f4a1f 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 + - https://nvd.nist.gov/vuln/detail/cve-2021-1675 + - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution - - cve.2021-1675 - - cve.2021-34527 date: 2021/07/04 modified: 2021/07/28 logsource: @@ -37,4 +37,4 @@ detection: condition: selection or selection_alt or (selection_print and selection_kiwi) falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical diff --git a/tests/test_rules.py b/tests/test_rules.py index eefaad4a..f712875f 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -86,7 +86,7 @@ class TestRules(unittest.TestCase): continue elif tag.startswith("cve."): print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - # files_with_incorrect_tags.append(file) + files_with_incorrect_tags.append(file) else: print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) # files_with_incorrect_tags.append(file) From 3cdb88ad55a206881b67ea604b4fc3f2113990da Mon Sep 17 00:00:00 2001 
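Review bot: Enabling the append only for the `cve.` branch leaves the `else` branch (`# files_with_incorrect_tags.append(file)`) as a print-only path, so a rule with a misspelled or unknown tag prefix still passes test_optional_tags; patch 097 on this page fixes `command_and_control` and `FIN7` tags by hand, which is exactly what this branch should catch. Enable that append too, after extending the accepted prefixes the loop already recognises — `threat_group.` appears in rules touched by this series — unless the test_rules.py change in patch 108, not visible here, already does this. The enclosing method and class TestRules start outside the hunk.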
From: Florian Roth Date: Tue, 24 Aug 2021 12:30:40 +0200 Subject: [PATCH 096/108] refactor: level of suspicious parent for powershell rule --- .../process_creation/win_susp_powershell_parent_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index b58535be..70b6b93f 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -56,4 +56,4 @@ detection: condition: all of them falsepositives: - Other scripts -level: medium +level: high From 7753f8c22e1137315d26fdf22c247e3ef6c71f9e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 24 Aug 2021 12:36:31 +0200 Subject: [PATCH 097/108] fix tags --- rules/windows/file_event/win_outlook_c2_macro_creation.yml | 2 +- .../win_office_spawn_exe_from_users_directory.yml | 2 +- rules/windows/process_creation/win_renamed_paexec.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml index e2b9f0c1..a7b44dbb 100644 --- a/rules/windows/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml @@ -7,7 +7,7 @@ references: author: '@ScoubiMtl' tags: - attack.persistence - - command_and_control + - attack.command_and_control - attack.t1137 - attack.t1008 - attack.t1546 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index cf43685f..fbb81445 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml 
@@ -9,7 +9,7 @@ tags: - attack.execution - attack.t1204 # an old one - attack.t1204.002 - - FIN7 + - attack.g0046 - car.2013-05-002 author: Jason Lynch date: 2019/04/02 diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index b062debd..50de18b0 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -9,7 +9,7 @@ tags: - attack.defense_evasion - attack.t1036 # an old one - attack.t1036.003 - - FIN7 + - attack.g0046 - car.2013-05-009 date: 2019/04/17 modified: 2020/09/06 From cc519552aa7f7b282790062c85e3a422710852cb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 14:54:07 +0200 Subject: [PATCH 098/108] refactor: RazorInstaller integrity level system --- .../win_susp_razorinstaller_explorer.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index cffed858..1059d928 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -5,8 +5,9 @@ description: Detects a explorer.exe sub process of the RazerInstaller software w references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji -author: Florian Roth +author: Florian Roth, Maxime Thiebaut date: 2021/08/23 +modified: 2021/08/24 tags: - attack.privilege_escalation logsource: 
@@ -14,9 +15,11 @@ logsource: product: windows detection: selection: - Image|endswith: '\explorer.exe' ParentImage|endswith: '\RazerInstaller.exe' - condition: selection + IntegrityLevel: 'System' + filter: + Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high \ No newline at end of file From 46e312ff0deba8b37ec058e02bd0b64abf50ef6c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 24 Aug 2021 15:03:23 +0200 Subject: [PATCH 099/108] fix: error in modifier --- .../process_creation/win_susp_razorinstaller_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index 1059d928..6f1b91d8 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -18,7 +18,7 @@ detection: ParentImage|endswith: '\RazerInstaller.exe' IntegrityLevel: 'System' filter: - Image|beginswith: 'C:\Windows\Installer\Razer\Installer\' + Image|startswith: 'C:\Windows\Installer\Razer\Installer\' condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) From 62f2affd032fff63e086fdeefc1634cb40a809e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 24 Aug 2021 14:15:50 +0000 Subject: [PATCH 100/108] Spelling fix --- CHANGELOG.md | 2 +- rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml | 2 +- rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ece949b9..23cb0186 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
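Review bot: After this hunk the selection in win_susp_razorinstaller_explorer.yml no longer constrains `Image`, so any SYSTEM-integrity child of RazerInstaller.exe outside the installer directory matches, yet the description in the previous hunk still says the rule detects an explorer.exe sub process; either restore `Image|endswith: '\explorer.exe'` as a further selection or update the description to describe the broader logic. The filter's `'C:\Windows\Installer\Razer\Installer\'` also hard-codes the drive letter, whereas the spooler rules in this series use `contains: '\Windows\...'`; `Image|contains: '\Windows\Installer\Razer\Installer\'` would be consistent with them. The `beginswith` modifier is corrected to `startswith` in the following commit, so that is not re-raised here.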
@@ -23,7 +23,7 @@ from version 0.14.0. * Elastic EQL backend * Additional conversion selection filters * Filter negation -* Specifiy table in SQL backend +* Specify table in SQL backend * Generic registry event log source * Chronicle backend diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e1602e38..0b09904b 100644 --- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -17,7 +17,7 @@ detection: level: medium tags: - attack.persistence - - atack.t1098 + - attack.t1098 falsepositives: - Unknown diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index 55d1b405..b71a4344 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -17,7 +17,7 @@ detection: status: success condition: selection falsepositives: - - Unkown + - Unknown level: medium tags: - attack.initial_access From ce6141e3187e20bd39e3b412e353767bad99df6f Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 24 Aug 2021 21:11:46 +0545 Subject: [PATCH 101/108] Added rule for Arcadyan Router Exploitations --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml new file mode 100644 index 00000000..7cda3b67 --- /dev/null +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
@@ -0,0 +1,58 @@ +action: global +title: Arcadyan Router Exploitations +id: f0500377-bc70-425d-ac8c-e956cd906871 +status: experimental +description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. +references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + - https://www.tenable.com/security/research/tra-2021-13 + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +author: Bhabesh Raj +date: 2021/08/24 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 + - cve.2021-20090 + - cve.2021-20091 +--- +logsource: # CVE-2021-20090 (Path Traversal) + category: webserver +detection: + path_traversal: + c-uri|contains: + - '..%2f' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list +--- +logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) + category: webserver +detection: + path_traversal: + c-uri|contains|all: + - '..%2f' + - 'apply_abstract.cgi' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: path_traversal and noauth_list \ No newline at end of file From ab8cc52dc6fde1b40cd7d5552d389738192fd78c Mon Sep 17 00:00:00 2001 
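Review bot: Both `c-uri|contains` selections in the new rule match only the lowercase-encoded `..%2f`, so the same traversal recorded as `%2F`, or already URL-decoded by the web server or log pipeline before it is written to `c-uri`, is not covered; the merged version of the rule further down this page (patch 106) keeps the same single literal. Add the variants the log source can actually carry, e.g. `- '..%2f'`, `- '..%2F'` and `- '../'`, after checking what the targeted webserver logs record. A short comment on `noauth_list` explaining that these are the paths the authentication bypass abuses, as described in the Tenable reference, would help future maintainers judge changes to the list.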
From: Austin Songer Date: Tue, 24 Aug 2021 10:53:59 -0500 Subject: [PATCH 102/108] Role-Based Rules --- .../gworkspace_role_modified_or_deleted.yml | 25 +++++++++++++++++++ .../gworkspace_role_privilege_deleted.yml | 22 ++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml create mode 100644 rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 00000000..9437ca57 --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +description: Detects when an a role is modified or deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 00000000..f130b35e --- /dev/null +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml 
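Review bot: `description: Detects when an a role is modified or deleted in Google Workspace.` in gworkspace_role_modified_or_deleted.yml has a doubled article, and the same typo is in gworkspace_role_privilege_deleted.yml on the next line (`an a role privilege`); use `description: Detects when a role is modified or deleted in Google Workspace.`. Both rules also tag only the tactic `attack.impact` with no technique, whereas the related gworkspace_user_granted_admin_privileges.yml later on this page uses `attack.persistence` and `attack.t1098`; role and privilege changes are account manipulation, so `attack.t1098` (and arguably persistence rather than impact) fits these two as well. The trailing whitespace line before the missing newline is cleaned up in patches 103 and 104.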
@@ -0,0 +1,22 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +description: Detects when an a role privilege is deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings +logsource: + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown + \ No newline at end of file From a5f858b63c283abd96e90990bb4befecf3ce2e3a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 21:13:49 +0200 Subject: [PATCH 103/108] update references --- .../cloud/gworkspace/gworkspace_role_modified_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml index 9437ca57..e0bab12f 100644 --- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/24 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: service: google_workspace.admin detection: @@ -22,4 +22,4 @@ tags: - attack.impact falsepositives: - Unknown - \ No newline at end of file + From 09a00232fb70cc1e0c0107dcdde34ec023fb51ec Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 24 Aug 2021 21:14:59 +0200 Subject: [PATCH 104/108] update references --- rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml index f130b35e..7a803146 100644 --- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml +++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -6,7 +6,7 @@ status: experimental date: 2021/08/24 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings logsource: service: google_workspace.admin detection: @@ -19,4 +19,4 @@ tags: - attack.impact falsepositives: - Unknown - \ No newline at end of file + From a4d0e3453d5a72ef39850089ab204fe17badc694 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 10:24:15 +0545 Subject: [PATCH 105/108] Fix for CVE tag --- ...b_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 7cda3b67..a816bc22 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml 
@@ -4,21 +4,20 @@ id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20091 + - https://nvd.nist.gov/vuln/detail/cve-2021-20090 + - https://nvd.nist.gov/vuln/detail/cve-2021-20091 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://www.tenable.com/security/research/tra-2021-13 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild author: Bhabesh Raj date: 2021/08/24 +modified: 2021/08/25 falsepositives: - Unknown level: critical tags: - attack.initial_access - attack.t1190 - - cve.2021-20090 - - cve.2021-20091 --- logsource: # CVE-2021-20090 (Path Traversal) category: webserver From df4180547ef43e43820f5277cc5a750f4b548e25 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 25 Aug 2021 11:18:51 +0545 Subject: [PATCH 106/108] Merged rules --- ...uter_cve_2021_20090_2021_20091_exploit.yml | 27 ++++--------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index a816bc22..06718546 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -1,4 +1,3 @@ -action: global title: Arcadyan Router Exploitations id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental 
@@ -18,30 +17,14 @@ level: critical
 tags:
 - attack.initial_access
 - attack.t1190
----
-logsource: # CVE-2021-20090 (Path Traversal)
+logsource:
 category: webserver
 detection:
 path_traversal:
- c-uri|contains:
+ c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal)
 - '..%2f'
- noauth_list:
- c-uri|contains:
- - '/images/'
- - '/js/'
- - '/css/'
- - '/setup_top_login.htm'
- - '/login.html'
- - '/loginerror.html'
- - '/loginexclude.html'
- - '/loginlock.html'
- condition: path_traversal and noauth_list
----
-logsource: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
- category: webserver
-detection:
- path_traversal:
- c-uri|contains|all:
+ config_file_inj:
+ c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
 - '..%2f'
 - 'apply_abstract.cgi'
 noauth_list:
@@ -54,4 +37,4 @@ detection:
 - '/loginerror.html'
 - '/loginexclude.html'
 - '/loginlock.html'
- condition: path_traversal and noauth_list
\ No newline at end of file
+ condition: (path_traversal or config_file_inj) and noauth_list
\ No newline at end of file
From 1d725e8519247d7bda21d6c02d826c9533cca11e Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 25 Aug 2021 08:15:18 +0200
Subject: [PATCH 107/108] add gworkspace_user_granted_admin_privileges.yml
---
 ...orkspace_user_granted_admin_privileges.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
new file mode 100644
index 00000000..ffc061d0
--- /dev/null
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
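Review bot: In the new `condition: (path_traversal or config_file_inj) and noauth_list` at the end of the merged rule, `config_file_inj` can never match an event that `path_traversal` does not already match: `config_file_inj` requires both `'..%2f'` and `'apply_abstract.cgi'` in c-uri, while `path_traversal` requires only `'..%2f'`, so with `or` the second selection is redundant and the merged rule fires on exactly the same events as the old first rule did on its own. If the CVE-2021-20091 chaining is meant to stay distinguishable (for a different level or for triage), it needs its own rule or some way to surface which selection matched; otherwise either drop `config_file_inj` or state its role explicitly, e.g. `# config_file_inj is a strict subset of path_traversal; kept only to document the chained CVE-2021-20091 request`. The `\ No newline at end of file` marker also survives the merge, the same defect patch 104 fixes for the gworkspace rule.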
@@ -0,0 +1,24 @@
+title: Google Workspace User Granted Admin Privileges
+id: 2d1b83e4-17c6-4896-a37b-29140b40a788
+description: Detects when an Google Workspace user is granted admin privileges.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+ - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
+logsource:
+ service: google_workspace.admin
+detection:
+ selection:
+ eventService: admin.googleapis.com
+ eventName:
+ - GRANT_DELEGATED_ADMIN_PRIVILEGES
+ - GRANT_ADMIN_PRIVILEGE
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1098
+falsepositives:
+ - Google Workspace admin role privileges, may be modified by system administrators.
\ No newline at end of file
From a4021842de4aeecbf2dea05cf8154280da921a31 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 25 Aug 2021 09:15:57 +0200
Subject: [PATCH 108/108] Fix invalid tags
---
 rules/compliance/cleartext_protocols.yml | 86 +++++++++----------
 .../compliance/default_credentials_usage.yml | 52 +++++------
 .../compliance/group_modification_logging.yml | 52 +++++------
 rules/compliance/host_without_firewall.yml | 24 +++---
 rules/compliance/workstation_was_locked.yml | 48 +++++------
 .../process_creation/win_apt_unc2452_cmds.yml | 4 +-
 .../process_creation/win_apt_unc2452_ps.yml | 2 +-
 ...susp_servu_exploitation_cve_2021_35211.yml | 2 +-
 .../sysmon_susp_reg_persist_explorer_run.yml | 2 +-
 ...cve_2021_31979_cve_2021_33771_exploits.yml | 2 +-
 tests/test_rules.py | 22 ++---
 11 files changed, 148 insertions(+), 148 deletions(-)
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index eb1acd9c..40905d70 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
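Review bot: The description of the new rule reads `Detects when an Google Workspace user is granted admin privileges.`; it should read `Detects when a Google Workspace user is granted admin privileges.`. The only event reference given is `admin-user-settings#GRANT_ADMIN_PRIVILEGE`, yet the selection also matches `GRANT_DELEGATED_ADMIN_PRIVILEGES`; patch 104 in this same series moves the sibling rule gworkspace_role_privilege_deleted.yml to the `admin-delegated-admin-settings` appendix, so if that is where the delegated-admin event is documented, add that URL as a second reference so a reader can verify both event names. The falsepositives entry has a stray comma (`privileges, may be modified`), and the file is committed without a trailing newline, the same defect patch 104 fixes for its sibling.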
@@ -13,49 +13,49 @@ references:
 falsepositives:
 - unknown
 level: low
-tags:
- - CSC4
- - CSC4.5
- - CSC14
- - CSC14.4
- - CSC16
- - CSC16.5
- - NIST CSF 1.1 PR.AT-2
- - NIST CSF 1.1 PR.MA-2
- - NIST CSF 1.1 PR.PT-3
- - NIST CSF 1.1 PR.AC-1
- - NIST CSF 1.1 PR.AC-4
- - NIST CSF 1.1 PR.AC-5
- - NIST CSF 1.1 PR.AC-6
- - NIST CSF 1.1 PR.AC-7
- - NIST CSF 1.1 PR.DS-1
- - NIST CSF 1.1 PR.DS-2
- - ISO 27002-2013 A.9.2.1
- - ISO 27002-2013 A.9.2.2
- - ISO 27002-2013 A.9.2.3
- - ISO 27002-2013 A.9.2.4
- - ISO 27002-2013 A.9.2.5
- - ISO 27002-2013 A.9.2.6
- - ISO 27002-2013 A.9.3.1
- - ISO 27002-2013 A.9.4.1
- - ISO 27002-2013 A.9.4.2
- - ISO 27002-2013 A.9.4.3
- - ISO 27002-2013 A.9.4.4
- - ISO 27002-2013 A.8.3.1
- - ISO 27002-2013 A.9.1.1
- - ISO 27002-2013 A.10.1.1
- - PCI DSS 3.2 2.1
- - PCI DSS 3.2 8.1
- - PCI DSS 3.2 8.2
- - PCI DSS 3.2 8.3
- - PCI DSS 3.2 8.7
- - PCI DSS 3.2 8.8
- - PCI DSS 3.2 1.3
- - PCI DSS 3.2 1.4
- - PCI DSS 3.2 4.3
- - PCI DSS 3.2 7.1
- - PCI DSS 3.2 7.2
- - PCI DSS 3.2 7.3
+# tags:
+ # - CSC4
+ # - CSC4.5
+ # - CSC14
+ # - CSC14.4
+ # - CSC16
+ # - CSC16.5
+ # - NIST CSF 1.1 PR.AT-2
+ # - NIST CSF 1.1 PR.MA-2
+ # - NIST CSF 1.1 PR.PT-3
+ # - NIST CSF 1.1 PR.AC-1
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AC-5
+ # - NIST CSF 1.1 PR.AC-6
+ # - NIST CSF 1.1 PR.AC-7
+ # - NIST CSF 1.1 PR.DS-1
+ # - NIST CSF 1.1 PR.DS-2
+ # - ISO 27002-2013 A.9.2.1
+ # - ISO 27002-2013 A.9.2.2
+ # - ISO 27002-2013 A.9.2.3
+ # - ISO 27002-2013 A.9.2.4
+ # - ISO 27002-2013 A.9.2.5
+ # - ISO 27002-2013 A.9.2.6
+ # - ISO 27002-2013 A.9.3.1
+ # - ISO 27002-2013 A.9.4.1
+ # - ISO 27002-2013 A.9.4.2
+ # - ISO 27002-2013 A.9.4.3
+ # - ISO 27002-2013 A.9.4.4
+ # - ISO 27002-2013 A.8.3.1
+ # - ISO 27002-2013 A.9.1.1
+ # - ISO 27002-2013 A.10.1.1
+ # - PCI DSS 3.2 2.1
+ # - PCI DSS 3.2 8.1
+ # - PCI DSS 3.2 8.2
+ # - PCI DSS 3.2 8.3
+ # - PCI DSS 3.2 8.7
+ # - PCI DSS 3.2 8.8
+ # - PCI DSS 3.2 1.3
+ # - PCI DSS 3.2 1.4
+ # - PCI DSS 3.2 4.3
+ # - PCI DSS 3.2 7.1
+ # - PCI DSS 3.2 7.2
+ # - PCI DSS 3.2 7.3
 ---
 logsource:
 product: netflow
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index 297e16aa..fa9c67ce 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -81,29 +81,29 @@ detection:
 falsepositives:
 - unknown
 level: medium
-tags:
- - CSC4
- - CSC4.2
- - NIST CSF 1.1 PR.AC-4
- - NIST CSF 1.1 PR.AT-2
- - NIST CSF 1.1 PR.MA-2
- - NIST CSF 1.1 PR.PT-3
- - ISO 27002-2013 A.9.1.1
- - ISO 27002-2013 A.9.2.2
- - ISO 27002-2013 A.9.2.3
- - ISO 27002-2013 A.9.2.4
- - ISO 27002-2013 A.9.2.5
- - ISO 27002-2013 A.9.2.6
- - ISO 27002-2013 A.9.3.1
- - ISO 27002-2013 A.9.4.1
- - ISO 27002-2013 A.9.4.2
- - ISO 27002-2013 A.9.4.3
- - ISO 27002-2013 A.9.4.4
- - PCI DSS 3.2 2.1
- - PCI DSS 3.2 7.1
- - PCI DSS 3.2 7.2
- - PCI DSS 3.2 7.3
- - PCI DSS 3.2 8.1
- - PCI DSS 3.2 8.2
- - PCI DSS 3.2 8.3
- - PCI DSS 3.2 8.7
+# tags:
+ # - CSC4
+ # - CSC4.2
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AT-2
+ # - NIST CSF 1.1 PR.MA-2
+ # - NIST CSF 1.1 PR.PT-3
+ # - ISO 27002-2013 A.9.1.1
+ # - ISO 27002-2013 A.9.2.2
+ # - ISO 27002-2013 A.9.2.3
+ # - ISO 27002-2013 A.9.2.4
+ # - ISO 27002-2013 A.9.2.5
+ # - ISO 27002-2013 A.9.2.6
+ # - ISO 27002-2013 A.9.3.1
+ # - ISO 27002-2013 A.9.4.1
+ # - ISO 27002-2013 A.9.4.2
+ # - ISO 27002-2013 A.9.4.3
+ # - ISO 27002-2013 A.9.4.4
+ # - PCI DSS 3.2 2.1
+ # - PCI DSS 3.2 7.1
+ # - PCI DSS 3.2 7.2
+ # - PCI DSS 3.2 7.3
+ # - PCI DSS 3.2 8.1
+ # - PCI DSS 3.2 8.2
+ # - PCI DSS 3.2 8.3
+ # - PCI DSS 3.2 8.7
diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml
index 083cc2b6..0da15dea 100644
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
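Review bot: Commenting out the whole `tags:` block in cleartext_protocols.yml (and likewise in default_credentials_usage.yml, group_modification_logging.yml, host_without_firewall.yml and workstation_was_locked.yml) removes every CSC, NIST CSF, ISO 27002 and PCI DSS mapping from the parsed rule, so converters and any compliance reporting built on these rules now see no tags at all, and the mappings survive only as comments nobody can query. The same loss applies to the attribution tags commented out in the Windows rules later in this patch (`sunburst`, `unc2452`, `threat_group.DEV-0322`, `capec.270`, `threat_group.Sourgum`). Since the check in tests/test_rules.py accepts only the `attack.` and `car.` prefixes, a less lossy fix is either to extend that allowlist with the namespaces the project wants to keep or to move these mappings to a dedicated key the tag check does not inspect; if the comments are kept, record the reason in each rule, e.g. `# tags disabled: namespace not accepted by tests/test_rules.py`.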
@@ -33,29 +33,29 @@ detection:
 falsepositives:
 - unknown
 level: low
-tags:
- - CSC4
- - CSC4.8
- - NIST CSF 1.1 PR.AC-4
- - NIST CSF 1.1 PR.AT-2
- - NIST CSF 1.1 PR.MA-2
- - NIST CSF 1.1 PR.PT-3
- - ISO 27002-2013 A.9.1.1
- - ISO 27002-2013 A.9.2.2
- - ISO 27002-2013 A.9.2.3
- - ISO 27002-2013 A.9.2.4
- - ISO 27002-2013 A.9.2.5
- - ISO 27002-2013 A.9.2.6
- - ISO 27002-2013 A.9.3.1
- - ISO 27002-2013 A.9.4.1
- - ISO 27002-2013 A.9.4.2
- - ISO 27002-2013 A.9.4.3
- - ISO 27002-2013 A.9.4.4
- - PCI DSS 3.2 2.1
- - PCI DSS 3.2 7.1
- - PCI DSS 3.2 7.2
- - PCI DSS 3.2 7.3
- - PCI DSS 3.2 8.1
- - PCI DSS 3.2 8.2
- - PCI DSS 3.2 8.3
- - PCI DSS 3.2 8.7
+# tags:
+ # - CSC4
+ # - CSC4.8
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AT-2
+ # - NIST CSF 1.1 PR.MA-2
+ # - NIST CSF 1.1 PR.PT-3
+ # - ISO 27002-2013 A.9.1.1
+ # - ISO 27002-2013 A.9.2.2
+ # - ISO 27002-2013 A.9.2.3
+ # - ISO 27002-2013 A.9.2.4
+ # - ISO 27002-2013 A.9.2.5
+ # - ISO 27002-2013 A.9.2.6
+ # - ISO 27002-2013 A.9.3.1
+ # - ISO 27002-2013 A.9.4.1
+ # - ISO 27002-2013 A.9.4.2
+ # - ISO 27002-2013 A.9.4.3
+ # - ISO 27002-2013 A.9.4.4
+ # - PCI DSS 3.2 2.1
+ # - PCI DSS 3.2 7.1
+ # - PCI DSS 3.2 7.2
+ # - PCI DSS 3.2 7.3
+ # - PCI DSS 3.2 8.1
+ # - PCI DSS 3.2 8.2
+ # - PCI DSS 3.2 8.3
+ # - PCI DSS 3.2 8.7
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index cab122e0..ae9a76a7 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@@ -17,15 +17,15 @@ detection:
 host.scan.vuln_name: Firewall Product Not Detected*
 condition: selection
 level: low
-tags:
- - CSC9
- - CSC9.4
- - NIST CSF 1.1 PR.AC-5
- - NIST CSF 1.1 PR.AC-6
- - NIST CSF 1.1 PR.AC-7
- - NIST CSF 1.1 DE.AE-1
- - ISO 27002-2013 A.9.1.2
- - ISO 27002-2013 A.13.2.1
- - ISO 27002-2013 A.13.2.2
- - ISO 27002-2013 A.14.1.2
- - PCI DSS 3.2 1.4
+# tags:
+ # - CSC9
+ # - CSC9.4
+ # - NIST CSF 1.1 PR.AC-5
+ # - NIST CSF 1.1 PR.AC-6
+ # - NIST CSF 1.1 PR.AC-7
+ # - NIST CSF 1.1 DE.AE-1
+ # - ISO 27002-2013 A.9.1.2
+ # - ISO 27002-2013 A.13.2.1
+ # - ISO 27002-2013 A.13.2.2
+ # - ISO 27002-2013 A.14.1.2
+ # - PCI DSS 3.2 1.4
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml
index 37fd37c9..0cb5033c 100644
--- a/rules/compliance/workstation_was_locked.yml
+++ b/rules/compliance/workstation_was_locked.yml
@@ -21,27 +21,27 @@ detection:
 falsepositives:
 - unknown
 level: low
-tags:
- - CSC16
- - CSC16.11
- - ISO27002-2013 A.9.1.1
- - ISO27002-2013 A.9.2.1
- - ISO27002-2013 A.9.2.2
- - ISO27002-2013 A.9.2.3
- - ISO27002-2013 A.9.2.4
- - ISO27002-2013 A.9.2.5
- - ISO27002-2013 A.9.2.6
- - ISO27002-2013 A.9.3.1
- - ISO27002-2013 A.9.4.1
- - ISO27002-2013 A.9.4.3
- - ISO27002-2013 A.11.2.8
- - PCI DSS 3.1 7.1
- - PCI DSS 3.1 7.2
- - PCI DSS 3.1 7.3
- - PCI DSS 3.1 8.7
- - PCI DSS 3.1 8.8
- - NIST CSF 1.1 PR.AC-1
- - NIST CSF 1.1 PR.AC-4
- - NIST CSF 1.1 PR.AC-6
- - NIST CSF 1.1 PR.AC-7
- - NIST CSF 1.1 PR.PT-3
+# tags:
+ # - CSC16
+ # - CSC16.11
+ # - ISO27002-2013 A.9.1.1
+ # - ISO27002-2013 A.9.2.1
+ # - ISO27002-2013 A.9.2.2
+ # - ISO27002-2013 A.9.2.3
+ # - ISO27002-2013 A.9.2.4
+ # - ISO27002-2013 A.9.2.5
+ # - ISO27002-2013 A.9.2.6
+ # - ISO27002-2013 A.9.3.1
+ # - ISO27002-2013 A.9.4.1
+ # - ISO27002-2013 A.9.4.3
+ # - ISO27002-2013 A.11.2.8
+ # - PCI DSS 3.1 7.1
+ # - PCI DSS 3.1 7.2
+ # - PCI DSS 3.1 7.3
+ # - PCI DSS 3.1 8.7
+ # - PCI DSS 3.1 8.8
+ # - NIST CSF 1.1 PR.AC-1
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AC-6
+ # - NIST CSF 1.1 PR.AC-7
+ # - NIST CSF 1.1 PR.PT-3
diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml
index b1c08180..be14932e 100644
--- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml
@@ -7,8 +7,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - sunburst
- - unc2452
+ # - sunburst
+ # - unc2452
 author: Florian Roth
 date: 2021/01/22
 modified: 2021/06/27
diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml
index 89de914d..5575f09f 100644
--- a/rules/windows/process_creation/win_apt_unc2452_ps.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml
@@ -9,7 +9,7 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1047
- - sunburst
+ # - sunburst
 author: Florian Roth
 date: 2021/01/20
 modified: 2021/01/22
diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
index f6208a36..4056fcdb 100644
--- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
@@ -13,7 +13,7 @@ logsource:
 tags:
 - attack.persistence
 - attack.t1136.001
- - threat_group.DEV-0322
+ # - threat_group.DEV-0322
 detection:
 selection1:
 CommandLine|contains: 'whoami'
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 2c6ae5ca..b1ce684a 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -28,7 +28,7 @@ tags:
 - attack.persistence
 - attack.t1060 # an old one
 - attack.t1547.001
- - capec.270
+ # - capec.270
 fields:
 - Image
 - ParentImage
diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
index d0117429..eea60e94 100644
--- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -15,7 +15,7 @@ tags:
 - attack.credential_access
 - attack.t1566
 - attack.t1203
- - threat_group.Sourgum
+ # - threat_group.Sourgum
 falsepositives:
 - Unlikely
 level: critical
diff --git a/tests/test_rules.py b/tests/test_rules.py
index f712875f..4c01de39 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -79,17 +79,17 @@ class TestRules(unittest.TestCase):
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 tags = self.get_rule_part(file_path=file, part_name="tags")
 if tags:
- for tag in tags:
- if tag.startswith("attack."):
- continue
- elif tag.startswith("car."):
- continue
- elif tag.startswith("cve."):
- print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
- files_with_incorrect_tags.append(file)
- else:
- print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
- # files_with_incorrect_tags.append(file)
+ for tag in tags:
+ if tag.startswith("attack."):
+ continue
+ elif tag.startswith("car."):
+ continue
+ elif tag.startswith("cve."):
+ print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
+ files_with_incorrect_tags.append(file)
+ else:
+ print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
+ files_with_incorrect_tags.append(file)
 self.assertEqual(files_with_incorrect_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")