mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
commit
df75bdd3b6
35
rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
Normal file
35
rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
Normal file
@ -0,0 +1,35 @@
|
||||
title: Domain User Enumeration Network Recon 01
|
||||
description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
|
||||
id: 66a0bdc6-ee04-441a-9125-99d2eb547942
|
||||
references:
|
||||
- "https://github.com/OTRF/detection-hackathon-apt29"
|
||||
- "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
|
||||
author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
|
||||
date: 2020/05/03
|
||||
modified: 2020/05/03
|
||||
tags:
|
||||
- attack.discovery
|
||||
- attack.t1087
|
||||
- attack.t1082
|
||||
logsource:
|
||||
product: zeek
|
||||
service: dce_rpc
|
||||
detection:
|
||||
selection:
|
||||
operation:
|
||||
#- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
|
||||
#- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
|
||||
- LsarLookupNames3 #method translates a batch of security principal names to their SID form
|
||||
- LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
|
||||
- SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
|
||||
- SamrLookupIdsInDomain #method translates a set of RIDs into account names
|
||||
- SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
|
||||
- SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
|
||||
- SamrQueryInformationGroup #obtains attributes from a group object
|
||||
timeframe: 30s
|
||||
condition: selection | count(operation) by src_ip > 4
|
||||
falsepositives:
|
||||
- Devices that may do authentication like a VPN or a firewall that looksup IPs to username
|
||||
- False positives depend on scripts and administrative tools used in the monitored environment
|
||||
level: medium
|
||||
status: experimental
|
@ -1,7 +1,7 @@
|
||||
title: MITRE BZAR Indicators for ATT&CK Execution
|
||||
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
|
||||
description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
|
||||
author: '@neu5ron, @SOC_Prime'
|
||||
author: '@neu5ron, SOC Prime'
|
||||
date: 2020/03/19
|
||||
references:
|
||||
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution
|
||||
|
@ -1,7 +1,7 @@
|
||||
title: MITRE BZAR Indicators for ATT&CK Persistence
|
||||
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
|
||||
description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
|
||||
author: '@neu5ron, @SOC_Prime'
|
||||
author: '@neu5ron, SOC Prime'
|
||||
date: 2020/03/19
|
||||
references:
|
||||
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
|
||||
|
@ -0,0 +1,26 @@
|
||||
title: Executable from Webdav
|
||||
description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
|
||||
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
|
||||
author: 'SOC Prime, Adam Swan'
|
||||
references:
|
||||
- http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
|
||||
- https://github.com/OTRF/detection-hackathon-apt29
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1043
|
||||
logsource:
|
||||
product: zeek
|
||||
service: http
|
||||
date: 2020/05/01
|
||||
detection:
|
||||
selection_webdav:
|
||||
- c-useragent: '*WebDAV*'
|
||||
- c-uri: '*webdav*'
|
||||
selection_executable:
|
||||
- resp_mime_types: '*dosexec*'
|
||||
- c-uri: '*.exe'
|
||||
condition: selection_webdav AND selection_executable
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: medium
|
||||
status: experimental
|
@ -16,8 +16,8 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection:
|
||||
name: \\*\IPC$
|
||||
path: atsvc
|
||||
path: \\*\IPC$
|
||||
name: atsvc
|
||||
#Accesses: '*WriteData*'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
@ -13,8 +13,8 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection:
|
||||
name: '\\*ADMIN$'
|
||||
path: '*SYSTEM32\\*.tmp'
|
||||
path: '\\*ADMIN$'
|
||||
name: '*SYSTEM32\\*.tmp'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- 'unknown'
|
||||
|
@ -14,10 +14,10 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection1:
|
||||
name: \\*\IPC$
|
||||
path: \\*\IPC$
|
||||
selection2:
|
||||
name: \\*\IPC$
|
||||
path:
|
||||
path: \\*\IPC$
|
||||
name:
|
||||
- 'atsvc'
|
||||
- 'samr'
|
||||
- 'lsarpc'
|
||||
|
@ -13,8 +13,8 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection1:
|
||||
name: \\*\IPC$
|
||||
path:
|
||||
path: \\*\IPC$
|
||||
name:
|
||||
- '*-stdin'
|
||||
- '*-stdout'
|
||||
- '*-stderr'
|
||||
|
@ -11,7 +11,7 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection:
|
||||
path:
|
||||
name:
|
||||
- '*.pst'
|
||||
- '*.ost'
|
||||
- '*.msg'
|
||||
|
@ -13,7 +13,7 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection:
|
||||
path:
|
||||
name:
|
||||
- '\mimidrv'
|
||||
- '\lsass'
|
||||
- '\windows\minidump\'
|
||||
|
Loading…
Reference in New Issue
Block a user