Merge pull request #779 from neu5ron/rules

Rules: Zeek

rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml

@@ -0,0 +1,35 @@
+title: Domain User Enumeration Network Recon 01
+description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
+id: 66a0bdc6-ee04-441a-9125-99d2eb547942
+references:
+    - "https://github.com/OTRF/detection-hackathon-apt29"
+    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
+date: 2020/05/03
+modified: 2020/05/03
+tags:
+    - attack.discovery
+    - attack.t1087
+    - attack.t1082
+logsource:
+    product: zeek
+    service: dce_rpc
+detection:
+    selection:
+        operation:
+            #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
+            #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
+            - LsarLookupNames3 #method translates a batch of security principal names to their SID form  
+            - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
+            - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
+            - SamrLookupIdsInDomain #method translates a set of RIDs into account names
+            - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
+            - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
+            - SamrQueryInformationGroup #obtains attributes from a group object
+    timeframe: 30s
+    condition: selection | count(operation) by src_ip > 4
+falsepositives:
+    - Devices that may do authentication like a VPN or a firewall that looksup IPs to username
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+status: experimental

rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

@@ -1,7 +1,7 @@
 title: MITRE BZAR Indicators for ATT&CK Execution
 id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
-author: '@neu5ron, @SOC_Prime'
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-execution

rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

@@ -1,7 +1,7 @@
 title: MITRE BZAR Indicators for ATT&CK Persistence
 id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
-author: '@neu5ron, @SOC_Prime'
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence

rules/network/zeek/zeek_http_executable_download_from_webdav.yml

@@ -0,0 +1,26 @@
+title: Executable from Webdav
+description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
+id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
+author: 'SOC Prime, Adam Swan'
+references:
+    - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
+    - https://github.com/OTRF/detection-hackathon-apt29
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+  product: zeek
+  service: http
+date: 2020/05/01
+detection:
+    selection_webdav:
+        - c-useragent: '*WebDAV*'
+        - c-uri: '*webdav*'
+    selection_executable:
+        - resp_mime_types: '*dosexec*'
+        - c-uri: '*.exe'
+    condition: selection_webdav AND selection_executable
+falsepositives:
+    - unknown
+level: medium
+status: experimental

rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

@@ -16,8 +16,8 @@ logsource:
     service: smb_files
 detection:
     selection:
-        name: \\*\IPC$
+        path: \\*\IPC$
-        path: atsvc
+        name: atsvc
         #Accesses: '*WriteData*'
     condition: selection
 falsepositives:

rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml

@@ -13,8 +13,8 @@ logsource:
     service: smb_files
 detection:
   selection:
-    name: '\\*ADMIN$'
+    path: '\\*ADMIN$'
-    path: '*SYSTEM32\\*.tmp'
+    name: '*SYSTEM32\\*.tmp'
   condition: selection
 falsepositives:
     - 'unknown'

rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml

@@ -14,10 +14,10 @@ logsource:
     service: smb_files
 detection:
     selection1:
-        name: \\*\IPC$
+        path: \\*\IPC$
     selection2:
-        name: \\*\IPC$
+        path: \\*\IPC$
-        path:
+        name:
          - 'atsvc'
          - 'samr'
          - 'lsarpc'

rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

@@ -13,8 +13,8 @@ logsource:
     service: smb_files
 detection:
     selection1:
-        name: \\*\IPC$
+        path: \\*\IPC$
-        path:
+        name:
          - '*-stdin'
          - '*-stdout'
          - '*-stderr'

rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml

@@ -11,7 +11,7 @@ logsource:
   service: smb_files
 detection:
   selection:
-    path:
+    name:
       - '*.pst'
       - '*.ost'
       - '*.msg'

rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml

@@ -13,7 +13,7 @@ logsource:
   service: smb_files
 detection:
   selection:
-    path:
+    name:
       - '\mimidrv'
       - '\lsass'
       - '\windows\minidump\'