commit
d82df83ef1
@ -1,5 +1,5 @@
|
||||
title: Ps.exe Renamed SysInternals Tool
|
||||
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
|
||||
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
|
||||
references:
|
||||
- https://www.us-cert.gov/ncas/alerts/TA17-293A
|
||||
tags:
|
||||
|
@ -2,7 +2,7 @@
|
||||
action: global
|
||||
title: Usage of Sysinternals Tools
|
||||
status: experimental
|
||||
description: Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry
|
||||
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
|
||||
references:
|
||||
- https://twitter.com/Moti_B/status/1008587936735035392
|
||||
date: 2017/08/28
|
||||
|
66
tools/sigmac
66
tools/sigmac
@ -35,8 +35,6 @@ import codecs
|
||||
|
||||
sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# Error codes
|
||||
|
||||
ERR_OUTPUT = 1
|
||||
@ -57,14 +55,6 @@ ERR_NOT_IMPLEMENTED = 42
|
||||
ERR_PARTIAL_FIELD_MATCH = 80
|
||||
ERR_FULL_FIELD_MATCH = 90
|
||||
|
||||
def print_verbose(*args, **kwargs):
|
||||
if cmdargs.verbose or cmdargs.debug:
|
||||
print(*args, **kwargs)
|
||||
|
||||
def print_debug(*args, **kwargs): # pragme: no cover
|
||||
if cmdargs.debug:
|
||||
print(*args, **kwargs)
|
||||
|
||||
def alliter(path):
|
||||
for sub in path.iterdir():
|
||||
if sub.name.startswith("."):
|
||||
@ -95,33 +85,41 @@ class SigmacArgumentParser(argparse.ArgumentParser):
|
||||
|
||||
return helptext
|
||||
|
||||
argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")
|
||||
argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
|
||||
argparser.add_argument("--filter", "-f", help="""
|
||||
Define comma-separated filters that must match (AND-linked) to rule to be processed.
|
||||
Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
|
||||
x is one of: low, medium, high, critical.
|
||||
y is one of: experimental, testing, stable.
|
||||
z is a word appearing in an arbitrary log source attribute.
|
||||
t is a tag that must appear in the rules tag list, case-insensitive matching.
|
||||
Multiple log source specifications are AND linked.
|
||||
""")
|
||||
argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
|
||||
argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
|
||||
argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
|
||||
argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
|
||||
argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
|
||||
argparser.add_argument("--backend-config", "-C", help="Configuration file containing options to pass to the backend")
|
||||
argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
|
||||
argparser.add_argument("--ignore-backend-errors", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible.")
|
||||
argparser.add_argument("--shoot-yourself-in-the-foot", action="store_true", help=argparse.SUPPRESS)
|
||||
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
|
||||
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
|
||||
argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
|
||||
def set_argparser():
|
||||
"""Sets up and parses the command line arguments for Sigmac.
|
||||
Returns the argparser"""
|
||||
argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")
|
||||
argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
|
||||
argparser.add_argument("--filter", "-f", help="""
|
||||
Define comma-separated filters that must match (AND-linked) to rule to be processed.
|
||||
Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
|
||||
x is one of: low, medium, high, critical.
|
||||
y is one of: experimental, testing, stable.
|
||||
z is a word appearing in an arbitrary log source attribute.
|
||||
t is a tag that must appear in the rules tag list, case-insensitive matching.
|
||||
Multiple log source specifications are AND linked.
|
||||
""")
|
||||
argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
|
||||
argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
|
||||
argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
|
||||
argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
|
||||
argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
|
||||
argparser.add_argument("--backend-config", "-C", help="Configuration file containing options to pass to the backend")
|
||||
argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
|
||||
argparser.add_argument("--ignore-backend-errors", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible.")
|
||||
argparser.add_argument("--shoot-yourself-in-the-foot", action="store_true", help=argparse.SUPPRESS)
|
||||
argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
|
||||
argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
|
||||
argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
|
||||
|
||||
return argparser
|
||||
|
||||
argparser = set_argparser()
|
||||
cmdargs = argparser.parse_args()
|
||||
|
||||
scm = SigmaConfigurationManager()
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
if cmdargs.debug: # pragma: no cover
|
||||
logger.setLevel(logging.DEBUG)
|
||||
|
||||
@ -210,7 +208,7 @@ else:
|
||||
|
||||
error = 0
|
||||
for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
|
||||
print_verbose("* Processing Sigma input %s" % (sigmafile))
|
||||
logger.debug("* Processing Sigma input %s" % (sigmafile))
|
||||
try:
|
||||
if cmdargs.inputs == ['-']:
|
||||
f = sigmafile
|
||||
|
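Review bot: Swapping `print_verbose(...)` for `logger.debug(...)` in the last hunk of tools/sigmac drops the `--verbose` path: the removed helper printed when either flag was set, while the new code only lowers the logger level under `cmdargs.debug` (hunk @ -95,33 +85,41), so `-v` alone now prints nothing for that line even though the `--verbose` option and its `"Be verbose"` help text are kept. Consider adding `elif cmdargs.verbose: logger.setLevel(logging.INFO)` after the debug check and emitting the per-file line at INFO as `logger.info("* Processing Sigma input %s", sigmafile)`, which also passes the argument lazily instead of pre-formatting it with `%`. No handler or `logging.basicConfig` call is visible on the page; if none is configured elsewhere in the file, Python's last-resort handler only emits WARNING and above, and the DEBUG/INFO output is silently discarded either way. The removal of the `sys.stdout` UTF-8 re-wrap in the first hunk is independent of the logging change; if it is intentional, be aware that consoles with a non-UTF-8 locale may now raise UnicodeEncodeError when converted queries containing non-ASCII characters are printed. The `try:` body at the end of the last hunk continues outside the hunk.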