mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
commit
e401750c91
@ -323,6 +323,10 @@ These tools are not part of the main toolchain and maintained separately by thei
|
||||
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
|
||||
* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
|
||||
|
||||
Sigma is available in some Linux distribution repositories:
|
||||
|
||||
[![Packaging status](https://repology.org/badge/vertical-allrepos/sigma.svg)](https://repology.org/project/sigma/versions)
|
||||
|
||||
# Contribution
|
||||
|
||||
If you want to contribute, you are more then welcome. There are numerous ways to help this project.
|
||||
|
37
rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
Normal file
37
rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
Normal file
@ -0,0 +1,37 @@
|
||||
title: Cisco ASA FTD Exploit CVE-2020-3452
|
||||
id: aba47adc-4847-4970-95c1-61dce62a8b29
|
||||
status: experimental
|
||||
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
|
||||
author: Florian Roth
|
||||
date: 2021/01/07
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
|
||||
- https://twitter.com/aboul3la/status/1286012324722155525
|
||||
- https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
selection_endpoint:
|
||||
c-uri|contains:
|
||||
- '+CSCOT+/translation-table'
|
||||
- '+CSCOT+/oem-customization'
|
||||
selection_path_select:
|
||||
c-uri|contains:
|
||||
- '&textdomain=/'
|
||||
- '&textdomain=%'
|
||||
- '&name=/'
|
||||
- '&name=%'
|
||||
select_status_code:
|
||||
sc-status: 200
|
||||
condition: selection_endpoint and selection_path_select and select_status_code
|
||||
fields:
|
||||
- c-ip
|
||||
- c-dns
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.t1100 # an old one
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2020-3452
|
29
rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
Normal file
29
rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
Normal file
@ -0,0 +1,29 @@
|
||||
title: Oracle WebLogic Exploit CVE-2021-2109
|
||||
id: 687f6504-7f44-4549-91fc-f07bab065821
|
||||
status: experimental
|
||||
description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
|
||||
author: Bhabesh Raj
|
||||
date: 2021/01/20
|
||||
references:
|
||||
- https://twitter.com/pyn3rd/status/1351696768065409026
|
||||
- https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
selection:
|
||||
cs-method: 'GET'
|
||||
c-uri|contains|all:
|
||||
- 'com.bea.console.handles.JndiBindingHandle'
|
||||
- 'ldap://'
|
||||
- 'AdminServer'
|
||||
condition: selection
|
||||
fields:
|
||||
- c-ip
|
||||
- c-dns
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2021-2109
|
27
rules/web/web_sonicwall_jarrewrite_exploit.yml
Normal file
27
rules/web/web_sonicwall_jarrewrite_exploit.yml
Normal file
@ -0,0 +1,27 @@
|
||||
title: SonicWall SSL/VPN Jarrewrite Exploit
|
||||
id: 6f55f047-112b-4101-ad32-43913f52db46
|
||||
status: experimental
|
||||
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
|
||||
author: Florian Roth
|
||||
date: 2021/01/25
|
||||
tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
references:
|
||||
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
selection:
|
||||
c-uri|contains: '/cgi-bin/jarrewrite.sh'
|
||||
c-useragent|contains:
|
||||
- ':;'
|
||||
- '() {'
|
||||
- '/bin/bash -c'
|
||||
condition: selection
|
||||
fields:
|
||||
- c-ip
|
||||
- c-dns
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
@ -3,6 +3,7 @@ id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
|
||||
description: This detection method points out highly relevant Antivirus events
|
||||
author: Florian Roth
|
||||
date: 2017/02/19
|
||||
modified: 2021/01/07
|
||||
logsource:
|
||||
product: windows
|
||||
service: application
|
||||
@ -29,6 +30,8 @@ detection:
|
||||
- "*Xscan*"
|
||||
- "*Clearlog*"
|
||||
- "*ASPXSpy*"
|
||||
- "*Seatbelt*"
|
||||
- "*sbelt*"
|
||||
filters:
|
||||
Message:
|
||||
- "*Keygen*"
|
||||
|
22
rules/windows/builtin/win_ntfs_vuln_exploit.yml
Normal file
22
rules/windows/builtin/win_ntfs_vuln_exploit.yml
Normal file
@ -0,0 +1,22 @@
|
||||
title: NTFS Vulnerability Exploitation
|
||||
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
|
||||
description: This the exploitation of a NTFS vulnerabilty as reported without many details via Twitter
|
||||
author: Florian Roth
|
||||
date: 2021/01/11
|
||||
references:
|
||||
- https://twitter.com/jonasLyk/status/1347900440000811010
|
||||
- https://twitter.com/wdormann/status/1347958161609809921
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
EventID: 55
|
||||
Origin: 'File System Driver'
|
||||
Description|contains|all:
|
||||
- 'contains a corrupted file record'
|
||||
- 'The name of the file is "\"'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: critical
|
26
rules/windows/builtin/win_scheduled_task_deletion.yml
Normal file
26
rules/windows/builtin/win_scheduled_task_deletion.yml
Normal file
@ -0,0 +1,26 @@
|
||||
title: Scheduled Task Deletion
|
||||
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
|
||||
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
|
||||
status: experimental
|
||||
author: David Strassegger
|
||||
date: 2021/01/22
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.privilege_escalation
|
||||
- attack.t1053 # an old one
|
||||
- car.2013-08-001
|
||||
- attack.t1053.005
|
||||
references:
|
||||
- https://twitter.com/matthewdunwoody/status/1352356685982146562
|
||||
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4699
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Software installation
|
||||
level: medium
|
@ -1,13 +1,13 @@
|
||||
title: Avusing Azure Browser SSO
|
||||
title: Abusing Azure Browser SSO
|
||||
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
|
||||
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
|
||||
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
|
||||
author: Den Iuzvyk
|
||||
references:
|
||||
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
|
||||
date: 2020/07/15
|
||||
modified: 2020/08/26
|
||||
modified: 2020/12/23
|
||||
logsource:
|
||||
category: sysmon
|
||||
category: image_load
|
||||
product: windows
|
||||
status: experimental
|
||||
tags:
|
||||
@ -18,7 +18,6 @@ tags:
|
||||
detection:
|
||||
condition: selection_dll and not filter_legit
|
||||
selection_dll:
|
||||
EventID: 7
|
||||
ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
|
||||
filter_legit:
|
||||
Image|endswith:
|
@ -6,6 +6,7 @@ modified: 2019/10/04
|
||||
author: Florian Roth
|
||||
references:
|
||||
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
|
||||
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1003
|
||||
@ -25,6 +26,8 @@ detection:
|
||||
- "*PWDump*"
|
||||
- "*SecurityTool*"
|
||||
- "*PShlSpy*"
|
||||
- "*Rubeus*"
|
||||
- "*Kekeo*"
|
||||
condition: selection
|
||||
fields:
|
||||
- FileName
|
||||
|
@ -2,10 +2,13 @@ title: Antivirus Web Shell Detection
|
||||
id: fdf135a2-9241-4f96-a114-bb404948f736
|
||||
description: Detects a highly relevant Antivirus alert that reports a web shell
|
||||
date: 2018/09/09
|
||||
modified: 2019/10/04
|
||||
author: Florian Roth
|
||||
modified: 2001/01/07
|
||||
author: Florian Roth, Arnim Rupp
|
||||
references:
|
||||
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
|
||||
- https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/
|
||||
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
|
||||
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
|
||||
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1100
|
||||
@ -18,10 +21,22 @@ detection:
|
||||
- "PHP/Backdoor*"
|
||||
- "JSP/Backdoor*"
|
||||
- "ASP/Backdoor*"
|
||||
- "Backdoor.PHP*"
|
||||
- "Backdoor.JSP*"
|
||||
- "Backdoor.ASP*"
|
||||
- "Backdoor?PHP*"
|
||||
- "Backdoor?JSP*"
|
||||
- "Backdoor?ASP*"
|
||||
- "Backdoor?Java*"
|
||||
- "*Webshell*"
|
||||
- "*Chopper*"
|
||||
- "*ASPXSpy*"
|
||||
- "*Aspdoor*"
|
||||
- "*PHP:*"
|
||||
- "*PHPShell*"
|
||||
- "*Trojan.PHP*"
|
||||
- "*Trojan.ASP*"
|
||||
- "*Trojan.JSP*"
|
||||
- "*PHP?Agent*"
|
||||
- "*ASP?Agent*"
|
||||
- "*JSP?Agent*"
|
||||
condition: selection
|
||||
fields:
|
||||
- FileName
|
||||
|
@ -12,7 +12,7 @@ tags:
|
||||
- attack.t1040
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
service: security
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4697
|
||||
|
@ -80,7 +80,6 @@ detection:
|
||||
- OUT-DNSTXT
|
||||
- Jitter
|
||||
- ExfilOption
|
||||
- Tamper
|
||||
- DumpCerts
|
||||
- DumpCreds
|
||||
- Shellcode32
|
||||
|
@ -1,6 +1,5 @@
|
||||
action: global
|
||||
title: CMSTP Execution
|
||||
id: 9d26fede-b526-4413-b069-6e24b6d07167
|
||||
title: CMSTP Execution Process Access
|
||||
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
|
||||
status: stable
|
||||
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
|
||||
tags:
|
||||
@ -15,7 +14,7 @@ tags:
|
||||
- car.2019-04-001
|
||||
author: Nik Seetharaman
|
||||
date: 2018/07/16
|
||||
modified: 2020/08/24
|
||||
modified: 2020/12/23
|
||||
references:
|
||||
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
|
||||
fields:
|
||||
@ -25,28 +24,11 @@ fields:
|
||||
falsepositives:
|
||||
- Legitimate CMSTP use (unlikely in modern enterprise environments)
|
||||
level: high
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: registry_event
|
||||
category: process_access
|
||||
detection:
|
||||
# Registry Object Add
|
||||
selection2:
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
EventType: 'CreateKey'
|
||||
# Registry Object Value Set
|
||||
selection3:
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
# Process Access Call Trace
|
||||
selection4:
|
||||
selection:
|
||||
CallTrace: '*cmlua.dll*'
|
||||
condition: 1 of them
|
||||
---
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
# CMSTP Spawning Child Process
|
||||
selection1:
|
||||
ParentImage: '*\cmstp.exe'
|
||||
condition: 1 of them
|
||||
condition: selection
|
||||
|
@ -1,6 +1,5 @@
|
||||
action: global
|
||||
title: CMSTP Execution
|
||||
id: 9d26fede-b526-4413-b069-6e24b6d07167
|
||||
title: CMSTP Execution Process Creation
|
||||
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
|
||||
status: stable
|
||||
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
|
||||
tags:
|
||||
@ -12,11 +11,9 @@ tags:
|
||||
- car.2019-04-001
|
||||
author: Nik Seetharaman
|
||||
date: 2018/07/16
|
||||
modified: 2020/08/28
|
||||
modified: 2020/12/23
|
||||
references:
|
||||
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
|
||||
detection:
|
||||
condition: 1 of them
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
@ -24,29 +21,11 @@ fields:
|
||||
falsepositives:
|
||||
- Legitimate CMSTP use (unlikely in modern enterprise environments)
|
||||
level: high
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
# Registry Object Add
|
||||
selection2:
|
||||
EventID: 12
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
EventType: 'CreateKey'
|
||||
# Registry Object Value Set
|
||||
selection3:
|
||||
EventID: 13
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
# Process Access Call Trace
|
||||
selection4:
|
||||
EventID: 10
|
||||
CallTrace: '*cmlua.dll*'
|
||||
---
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
# CMSTP Spawning Child Process
|
||||
selection1:
|
||||
selection:
|
||||
ParentImage: '*\cmstp.exe'
|
||||
condition: selection
|
@ -0,0 +1,25 @@
|
||||
title: Suspicious Plink Remote Forwarding
|
||||
id: 48a61b29-389f-4032-b317-b30de6b95314
|
||||
status: experimental
|
||||
description: Detects suspicious Plink tunnel remote forarding to a local port
|
||||
references:
|
||||
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
|
||||
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
|
||||
author: Florian Roth
|
||||
date: 2021/01/19
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1572
|
||||
- attack.lateral_movement
|
||||
- attack.t1021.001
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Description: 'Command-line SSH, Telnet, and Rlogin client'
|
||||
CommandLine|contains: ' -R '
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Administrative activity using a remote port forwarding to a local port
|
||||
level: high
|
47
rules/windows/process_creation/win_apt_unc2452_cmds.yml
Normal file
47
rules/windows/process_creation/win_apt_unc2452_cmds.yml
Normal file
@ -0,0 +1,47 @@
|
||||
title: UNC2452 Process Creation Patterns
|
||||
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
|
||||
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
|
||||
status: experimental
|
||||
references:
|
||||
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
- sunburst
|
||||
- unc2452
|
||||
author: Florian Roth
|
||||
date: 2021/01/22
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains:
|
||||
- '7z.exe a -v500m -mx9 -r0 -p'
|
||||
selection2:
|
||||
ParentCommandLine|contains|all:
|
||||
- 'wscript.exe'
|
||||
- '.vbs'
|
||||
CommandLine|contains|all:
|
||||
- 'rundll32.exe'
|
||||
- 'C:\Windows'
|
||||
- '.dll,Tk_'
|
||||
selection3:
|
||||
ParentImage|endswith: '\rundll32.exe'
|
||||
ParentCommandLine|contains: 'C:\Windows'
|
||||
CommandLine|contains: 'cmd.exe /C '
|
||||
selection4:
|
||||
CommandLine|contains|all:
|
||||
- 'rundll32 c:\windows\\'
|
||||
- '.dll '
|
||||
specific1:
|
||||
ParentImage|endswith: '\rundll32.exe'
|
||||
Image|endswith: '\dllhost.exe'
|
||||
filter1:
|
||||
CommandLine:
|
||||
- ' '
|
||||
- ''
|
||||
condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
31
rules/windows/process_creation/win_apt_unc2452_ps.yml
Normal file
31
rules/windows/process_creation/win_apt_unc2452_ps.yml
Normal file
@ -0,0 +1,31 @@
|
||||
title: UNC2452 PowerShell Pattern
|
||||
id: b7155193-8a81-4d8f-805d-88de864ca50c
|
||||
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
|
||||
references:
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
|
||||
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
- attack.t1047
|
||||
- sunburst
|
||||
author: Florian Roth
|
||||
date: 2021/01/20
|
||||
modified: 2021/01/22
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains|all:
|
||||
- 'Invoke-WMIMethod win32_process -name create -argumentlist'
|
||||
- 'rundll32 c:\windows'
|
||||
selection2:
|
||||
CommandLine|contains|all:
|
||||
- 'wmic /node:'
|
||||
- 'process call create "rundll32 c:\windows'
|
||||
condition: selection1 or selection2
|
||||
falsepositives:
|
||||
- Unknown, unlikely, but possible
|
||||
level: critical
|
@ -4,9 +4,9 @@ description: Detects a command that clears or disables any ETW trace log which c
|
||||
status: experimental
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
|
||||
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
|
||||
- https://abuse.io/lockergoga.txt
|
||||
author: '@neu5ron, Florian Roth'
|
||||
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
|
||||
author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
|
||||
date: 2019/03/22
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
@ -19,13 +19,39 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_clear_1:
|
||||
CommandLine: '* cl */Trace*'
|
||||
CommandLine|contains|all:
|
||||
- 'cl'
|
||||
- '/Trace'
|
||||
selection_clear_2:
|
||||
CommandLine: '* clear-log */Trace*'
|
||||
CommandLine|contains|all:
|
||||
- 'clear-log'
|
||||
- '/Trace'
|
||||
selection_disable_1:
|
||||
CommandLine: '* sl* /e:false*'
|
||||
CommandLine|contains|all:
|
||||
- 'sl'
|
||||
- '/e:false'
|
||||
selection_disable_2:
|
||||
CommandLine: '* set-log* /e:false*'
|
||||
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
|
||||
CommandLine|contains|all:
|
||||
- 'set-log'
|
||||
- '/e:false'
|
||||
selection_disable_3: #Autologger provider removal
|
||||
Commandline|contains|all:
|
||||
- 'Remove-EtwTraceProvider'
|
||||
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
|
||||
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
|
||||
selection_disable_4: #Provider “Enable” property modification
|
||||
Commandline|contains|all:
|
||||
- 'Set-EtwTraceProvider'
|
||||
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
|
||||
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
|
||||
- '0x11'
|
||||
selection_disable_5: #ETW provider removal from a trace session
|
||||
Commandline|contains|all:
|
||||
- "logman"
|
||||
- "update"
|
||||
- "trace"
|
||||
- "--p"
|
||||
- "-ets"
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
@ -4,7 +4,7 @@ status: experimental
|
||||
description: Detects QBot like process executions
|
||||
author: Florian Roth
|
||||
date: 2019/10/01
|
||||
modified: 2020/09/01
|
||||
modified: 2021/01/25
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.005
|
||||
@ -22,7 +22,12 @@ detection:
|
||||
Image: '*\wscript.exe'
|
||||
selection2:
|
||||
CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
|
||||
condition: selection1 or selection2
|
||||
selection3:
|
||||
CommandLine|contains|all:
|
||||
- 'regsvr32.exe'
|
||||
- 'C:\ProgramData'
|
||||
- '.tmp'
|
||||
condition: selection1 or selection2 or selection3
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
|
@ -9,7 +9,7 @@ tags:
|
||||
- attack.execution
|
||||
- attack.t1204 # an old one
|
||||
- attack.t1204.002
|
||||
author: Michael Haag, Florian Roth, Markus Neis
|
||||
author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
|
||||
date: 2018/04/06
|
||||
modified: 2020/09/01
|
||||
logsource:
|
||||
@ -24,6 +24,8 @@ detection:
|
||||
- '*\MSPUB.exe'
|
||||
- '*\VISIO.exe'
|
||||
- '*\OUTLOOK.EXE'
|
||||
- '*\MSACCESS.EXE'
|
||||
- '*\EQNEDT32.EXE'
|
||||
Image:
|
||||
- '*\cmd.exe'
|
||||
- '*\powershell.exe'
|
||||
@ -44,6 +46,7 @@ detection:
|
||||
- '*\mftrace.exe'
|
||||
- '*\AppVLP.exe'
|
||||
- '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
|
||||
- '*\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
|
||||
condition: selection
|
||||
fields:
|
||||
- CommandLine
|
||||
|
@ -0,0 +1,30 @@
|
||||
title: Rundll32 Without Parameters
|
||||
id: 5bb68627-3198-40ca-b458-49f973db8752
|
||||
status: experimental
|
||||
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
|
||||
author: Bartlomiej Czyz, Relativity
|
||||
date: 2021/01/31
|
||||
references:
|
||||
- https://bczyz1.github.io/2021/01/30/psexec.html
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
- attack.t1021.002
|
||||
- attack.t1570
|
||||
- attack.execution
|
||||
- attack.t1569.002
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine: 'rundll32.exe'
|
||||
condition: selection
|
||||
fields:
|
||||
- ComputerName
|
||||
- SubjectUserName
|
||||
- CommandLine
|
||||
- Image
|
||||
- ParentImage
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
@ -9,7 +9,7 @@ references:
|
||||
- https://twitter.com/gN3mes1s/status/1206874118282448897
|
||||
author: Florian Roth
|
||||
date: 2019/08/24
|
||||
modified: 2020/09/05
|
||||
modified: 2021/02/01
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1500 # an old one
|
||||
@ -23,12 +23,15 @@ detection:
|
||||
CommandLine:
|
||||
- '*\AppData\\*'
|
||||
- '*\Windows\Temp\\*'
|
||||
filter:
|
||||
filter1:
|
||||
ParentImage:
|
||||
- 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
|
||||
- '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
|
||||
- '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
|
||||
condition: selection and not filter
|
||||
filter2:
|
||||
ParentCommandLine|contains:
|
||||
- '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
|
||||
condition: selection and not filter1 and not filter2
|
||||
falsepositives:
|
||||
- https://twitter.com/gN3mes1s/status/1206874118282448897
|
||||
- https://twitter.com/gabriele_pippi/status/1206907900268072962
|
||||
|
33
rules/windows/process_creation/win_susp_disable_raccine.yml
Normal file
33
rules/windows/process_creation/win_susp_disable_raccine.yml
Normal file
@ -0,0 +1,33 @@
|
||||
title: Raccine Uninstall
|
||||
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
|
||||
status: experimental
|
||||
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
|
||||
references:
|
||||
- https://github.com/Neo23x0/Raccine
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.001
|
||||
author: Florian Roth
|
||||
date: 2021/01/21
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains|all:
|
||||
- 'taskkill '
|
||||
- '/IM RaccineSettings.exe'
|
||||
selection2:
|
||||
CommandLine|contains|all:
|
||||
- 'reg.exe'
|
||||
- 'delete'
|
||||
- 'Raccine Tray'
|
||||
selection3:
|
||||
CommandLine|contains|all:
|
||||
- 'schtasks'
|
||||
- '/DELETE'
|
||||
- 'Raccine Rules Updater'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Legitimate deinstallation by administrative staff
|
||||
level: high
|
@ -0,0 +1,28 @@
|
||||
title: Emotet RunDLL32 Process Creation
|
||||
id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
|
||||
description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,#1
|
||||
author: FPT.EagleEye
|
||||
status: experimental
|
||||
date: 2020/12/25
|
||||
references:
|
||||
- https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218.011
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith:
|
||||
- '\rundll32.exe'
|
||||
CommandLine|endswith:
|
||||
- ',RunDLL'
|
||||
# - ',#1' too generic - function load by ordinal is not Emotet specific
|
||||
filter_ide:
|
||||
ParentImage|endswith:
|
||||
- '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
|
||||
condition: selection and not filter_ide
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
25
rules/windows/process_creation/win_susp_volsnap_disable.yml
Normal file
25
rules/windows/process_creation/win_susp_volsnap_disable.yml
Normal file
@ -0,0 +1,25 @@
|
||||
title: Disabled Volume Snapshots
|
||||
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
|
||||
description: Detects commands that temporarily turn off Volume Snapshots
|
||||
references:
|
||||
- https://twitter.com/0gtweet/status/1354766164166115331
|
||||
date: 2021/01/28
|
||||
status: experimental
|
||||
author: Florian Roth
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.001
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains|all:
|
||||
- 'reg'
|
||||
- ' add '
|
||||
- '\Services\VSS\Diag'
|
||||
- '/d Disabled'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate administration
|
||||
level: high
|
@ -0,0 +1,35 @@
|
||||
title: Wmic Uninstall Security Product
|
||||
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
|
||||
description: Detects deinstallation of security products using WMIC utility
|
||||
references:
|
||||
- https://twitter.com/cglyer/status/1355171195654709249
|
||||
date: 2021/01/30
|
||||
status: experimental
|
||||
author: Florian Roth
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.001
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains|all:
|
||||
- 'wmic'
|
||||
- 'product where name='
|
||||
- 'call uninstall'
|
||||
- '/nointeractive'
|
||||
selection_product:
|
||||
CommandLine|contains:
|
||||
- 'Antivirus'
|
||||
- 'Endpoint Security'
|
||||
- 'Endpoint Detection'
|
||||
- 'Crowdstrike Sensor'
|
||||
- 'Windows Defender'
|
||||
- 'VirusScan'
|
||||
- 'Threat Protection'
|
||||
- 'Endpoint Sensor'
|
||||
condition: selection and selection_product
|
||||
falsepositives:
|
||||
- Legitimate administration
|
||||
level: medium
|
27
rules/windows/process_creation/win_susp_wuauclt.yml
Normal file
27
rules/windows/process_creation/win_susp_wuauclt.yml
Normal file
@ -0,0 +1,27 @@
|
||||
title: Windows Update Client LOLBIN
|
||||
id: d7825193-b70a-48a4-b992-8b5b3015cc11
|
||||
status: experimental
|
||||
description: Detects code execution via the Windows Update client (wuauclt)
|
||||
references:
|
||||
- https://dtm.uk/wuauclt/
|
||||
author: FPT.EagleEye Team
|
||||
date: 2020/10/17
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.execution
|
||||
- attack.t1105
|
||||
- attack.t1218
|
||||
logsource:
|
||||
product: windows
|
||||
service: process_creation
|
||||
detection:
|
||||
selection:
|
||||
ProcessCommandline|contains|all:
|
||||
- '/UpdateDeploymentProvider'
|
||||
- '/RunHandlerComServer'
|
||||
Image|endswith:
|
||||
- '\wuauclt.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
@ -4,11 +4,15 @@ description: Detects certain command line parameters often used during reconnais
|
||||
author: Florian Roth
|
||||
references:
|
||||
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
|
||||
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
|
||||
date: 2017/01/01
|
||||
modified: 2019/10/26
|
||||
modified: 2021/01/11
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1505.003
|
||||
- attack.t1018
|
||||
- attack.t1033
|
||||
- attack.t1087
|
||||
- attack.privilege_escalation # an old one
|
||||
- attack.t1100 # an old one
|
||||
logsource:
|
||||
@ -26,10 +30,24 @@ detection:
|
||||
CommandLine:
|
||||
- '*whoami*'
|
||||
- '*net user *'
|
||||
- '*net use *'
|
||||
- '*net group *'
|
||||
- '*quser*'
|
||||
- '*ping -n *'
|
||||
- '*systeminfo'
|
||||
- '*&cd&echo*'
|
||||
- '*cd /d*' # https://www.computerhope.com/cdhlp.htm
|
||||
- '*ipconfig*'
|
||||
- '*pathping*'
|
||||
- '*tracert*'
|
||||
- '*netstat*'
|
||||
- '*schtasks*'
|
||||
- '*vssadmin*'
|
||||
- '*wevtutil*'
|
||||
- '*tasklist*'
|
||||
- '*wmic /node:*'
|
||||
- '*Test-NetConnection*'
|
||||
- '*dir \*' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
|
||||
condition: selection
|
||||
fields:
|
||||
- CommandLine
|
||||
|
@ -30,7 +30,7 @@ tags:
|
||||
- attack.persistence
|
||||
- attack.t1505.003
|
||||
- attack.privilege_escalation # an old one
|
||||
- attack.t1100 # an old one
|
||||
- attack.t1190
|
||||
falsepositives:
|
||||
- Particular web applications may spawn a shell process legitimately
|
||||
level: high
|
||||
|
@ -1,6 +1,5 @@
|
||||
action: global
|
||||
title: CMSTP Execution
|
||||
id: 9d26fede-b526-4413-b069-6e24b6d07167
|
||||
title: CMSTP Execution Registry Event
|
||||
id: b6d235fc-1d38-4b12-adbe-325f06728f37
|
||||
status: stable
|
||||
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
|
||||
tags:
|
||||
@ -12,7 +11,7 @@ tags:
|
||||
- car.2019-04-001
|
||||
author: Nik Seetharaman
|
||||
date: 2018/07/16
|
||||
modified: 2020/09/06
|
||||
modified: 2020/12/23
|
||||
references:
|
||||
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
|
||||
fields:
|
||||
@ -22,28 +21,15 @@ fields:
|
||||
falsepositives:
|
||||
- Legitimate CMSTP use (unlikely in modern enterprise environments)
|
||||
level: high
|
||||
---
|
||||
logsource:
|
||||
category: process_creation,registry_event
|
||||
category: registry_event
|
||||
product: windows
|
||||
detection:
|
||||
# Registry Object Add
|
||||
selection2:
|
||||
selection1:
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
EventType: 'CreateKey'
|
||||
# Registry Object Value Set
|
||||
selection3:
|
||||
selection2:
|
||||
TargetObject: '*\cmmgr32.exe*'
|
||||
# Process Access Call Trace
|
||||
selection4:
|
||||
CallTrace: '*cmlua.dll*'
|
||||
condition: 1 of them
|
||||
---
|
||||
detection:
|
||||
# CMSTP Spawning Child Process
|
||||
selection1:
|
||||
ParentImage: '*\cmstp.exe'
|
||||
condition: 1 of them
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
|
@ -0,0 +1,26 @@
|
||||
title: Stealthy VSTO Persistence
|
||||
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
|
||||
status: experimental
|
||||
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
|
||||
references:
|
||||
- https://twitter.com/_vivami/status/1347925307643355138
|
||||
tags:
|
||||
- attack.t1137.006
|
||||
- attack.persistence
|
||||
author: Bhabesh Raj
|
||||
date: 2021/01/10
|
||||
logsource:
|
||||
category: registry_event
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
TargetObject|contains:
|
||||
- '\Software\Microsoft\Office\Outlook\Addins\'
|
||||
- '\Software\Microsoft\Office\Word\Addins\'
|
||||
- '\Software\Microsoft\Office\Excel\Addins\'
|
||||
- '\Software\Microsoft\Office\Powerpoint\Addins\'
|
||||
- '\Software\Microsoft\VSTO\Security\Inclusion\'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
@ -76,10 +76,10 @@ logsources:
|
||||
service: applocker
|
||||
conditions:
|
||||
sources:
|
||||
- 'Microsoft-Windows-AppLocker/MSI and Script'
|
||||
- 'Microsoft-Windows-AppLocker/EXE and DLL'
|
||||
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
||||
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
|
||||
apache:
|
||||
category: webserver
|
||||
sources:
|
||||
|
@ -355,7 +355,7 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
|
||||
raise TypeError("Field mapping must return string or list")
|
||||
|
||||
fields = ",".join(str(x) for x in columns)
|
||||
self.queries[-1]['_source_'] = columns
|
||||
self.queries[-1]['_source'] = columns
|
||||
except KeyError: # no 'fields' attribute
|
||||
mapped = None
|
||||
pass
|
||||
|
@ -80,70 +80,92 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
|
||||
"DeviceProcessEvents": {
|
||||
"AccountName": (self.id_mapping, self.default_value_mapping),
|
||||
"CommandLine": ("ProcessCommandLine", self.default_value_mapping),
|
||||
"Command": ("ProcessCommandLine", self.default_value_mapping),
|
||||
"DeviceName": (self.id_mapping, self.default_value_mapping),
|
||||
"EventType": ("ActionType", self.default_value_mapping),
|
||||
"FileName": (self.id_mapping, self.default_value_mapping),
|
||||
"Image": ("FolderPath", self.default_value_mapping),
|
||||
"ImagePath": ("FolderPath", self.default_value_mapping),
|
||||
"ImageLoaded": ("FolderPath", self.default_value_mapping),
|
||||
"LogonType": (self.id_mapping, self.logontype_mapping),
|
||||
"NewProcessName": ("FolderPath", self.default_value_mapping),
|
||||
"ProcessName": ("FileName", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ParentName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"ParentProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"ParentImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"SourceImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"TargetImage": ("FolderPath", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
},
|
||||
"DeviceEvents": {
|
||||
"AccountName": (self.id_mapping, self.default_value_mapping),
|
||||
"CommandLine": ("ProcessCommandLine", self.default_value_mapping),
|
||||
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
|
||||
"DestinationIp": ("RemoteIP", self.default_value_mapping),
|
||||
"DestinationPort": ("RemotePort", self.default_value_mapping),
|
||||
"EventType": ("ActionType", self.default_value_mapping),
|
||||
"FileName": (self.id_mapping, self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"SourceIp": ("LocalIP", self.default_value_mapping),
|
||||
"SourcePort": ("LocalPort", self.default_value_mapping),
|
||||
"TargetFilename": ("FolderPath", self.default_value_mapping),
|
||||
"TargetObject": ("RegistryKey", self.default_value_mapping),
|
||||
"TargetImage": ("FolderPath", self.default_value_mapping),
|
||||
|
||||
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
},
|
||||
"DeviceRegistryEvents": {
|
||||
"TargetObject": ("RegistryKey", self.default_value_mapping),
|
||||
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
|
||||
"DataType": ("RegistryValueType", self.default_value_mapping),
|
||||
"Details": ("RegistryValueData", self.default_value_mapping),
|
||||
"EventType": ("ActionType", self.default_value_mapping),
|
||||
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"TargetObject": ("RegistryKey", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
},
|
||||
"DeviceFileEvents": {
|
||||
"TargetFilename": ("FolderPath", self.default_value_mapping),
|
||||
"TargetFileName": ("FolderPath", self.default_value_mapping),
|
||||
|
||||
"FileName": (self.id_mapping, self.default_value_mapping),
|
||||
"OriginIp": ("FileOriginIp", self.default_value_mapping),
|
||||
"OriginReferrer": ("FileOriginReferrerUrl", self.default_value_mapping),
|
||||
"OriginUrl": ("FileOriginUrl", self.default_value_mapping),
|
||||
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"TargetFilename": ("FolderPath", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
},
|
||||
"DeviceNetworkEvents": {
|
||||
"Initiated": ("RemotePort", self.default_value_mapping),
|
||||
"Protocol": ("RemoteProtocol", self.default_value_mapping),
|
||||
"DestinationPort": ("RemotePort", self.default_value_mapping),
|
||||
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
|
||||
"DestinationIp": ("RemoteIP", self.default_value_mapping),
|
||||
"DestinationIsIpv6": ("RemoteIP has \":\"", ),
|
||||
"SourcePort": ("LocalPort", self.default_value_mapping),
|
||||
"SourceIp": ("LocalIP", self.default_value_mapping),
|
||||
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
|
||||
"DestinationPort": ("RemotePort", self.default_value_mapping),
|
||||
"DeviceName": (self.id_mapping, self.default_value_mapping),
|
||||
"EventType": ("ActionType", self.default_value_mapping),
|
||||
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"Initiated": ("RemotePort", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"Protocol": ("RemoteProtocol", self.default_value_mapping),
|
||||
"SourceIp": ("LocalIP", self.default_value_mapping),
|
||||
"SourcePort": ("LocalPort", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
},
|
||||
"DeviceImageLoadEvents": {
|
||||
"ImageLoaded": ("FolderPath", self.default_value_mapping),
|
||||
"DeviceName": (self.id_mapping, self.default_value_mapping),
|
||||
"EventType": ("ActionType", self.default_value_mapping),
|
||||
"FileName": (self.id_mapping, self.default_value_mapping),
|
||||
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
|
||||
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
|
||||
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
|
||||
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
|
||||
"TargetImage": ("FolderPath", self.default_value_mapping),
|
||||
"User": (self.decompose_user, ),
|
||||
}
|
||||
}
|
||||
|
@ -103,7 +103,11 @@ class QRadarBackend(SingleTextQueryBackend):
|
||||
def generateMapItemListNode(self, key, value):
|
||||
itemslist = list()
|
||||
for item in value:
|
||||
if type(item) == str and "*" in item:
|
||||
if item is None:
|
||||
itemslist.append(self.nullExpression % (key))
|
||||
elif type(item) == str and "ip" in key and ("/16" in item or "/24" in item):
|
||||
itemslist.append("INCIDR(%s, %s)" % (self.generateValueNode(item, True), self.cleanKey(key)))
|
||||
elif type(item) == str and "*" in item:
|
||||
item = item.replace("*", "%")
|
||||
itemslist.append('%s ilike %s' % (self.cleanKey(key), self.generateValueNode(item, True)))
|
||||
else:
|
||||
@ -198,16 +202,19 @@ class QRadarBackend(SingleTextQueryBackend):
|
||||
else:
|
||||
aql_database = "events"
|
||||
|
||||
qradarPrefix="SELECT "
|
||||
qradarPrefix="SELECT UTF8(payload) as search_payload"
|
||||
try:
|
||||
mappedFields = []
|
||||
for field in sigmaparser.parsedyaml["fields"]:
|
||||
mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser)
|
||||
mappedFields.append(mapped)
|
||||
qradarPrefix += str(mappedFields).strip('[]')
|
||||
if " " in mapped and not "(" in mapped:
|
||||
qradarPrefix += ", \"" + mapped + "\""
|
||||
else:
|
||||
qradarPrefix += ", " + mapped
|
||||
|
||||
except KeyError: # no 'fields' attribute
|
||||
mapped = None
|
||||
qradarPrefix+="UTF8(payload) as search_payload"
|
||||
pass
|
||||
qradarPrefix += " from %s where " % (aql_database)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user