Commit Graph

1255 Commits

Author SHA1 Message Date
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
Florian Roth
182781229c
Merge pull request #184 from megan201296/patch-14
Remove duplicate value
2018-10-09 09:37:54 +02:00
megan201296
7997cb3001
Remove duplicate value 2018-10-08 13:00:59 -05:00
Michael H
bbb67fbba4 Adding support for reading sigma rule from stdin in sigmac 2018-10-07 10:11:47 -05:00
Michael H
aabaa0257b Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-10-06 20:12:15 -05:00
Michael H
4b85a34b34 Added CSV option to powershell backend 2018-10-06 20:08:20 -05:00
Florian Roth
54678fcb36 Rule: CertUtil UA
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Thomas Patzke
4eeb07a736
Merge pull request #181 from droe/optimizer-comments
Improve the comments on the optimizer
2018-10-03 23:11:10 +02:00
Daniel Roethlisberger
fc45df144c Improve the comments on the optimizer 2018-10-03 13:44:03 +02:00
Thomas Patzke
143f8644c6
Merge pull request #180 from droe/refactor-optimizer
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:34:14 +02:00
Daniel Roethlisberger
87aa1b5521 Move optimizer to sigma.parser.condition to enable it for all backends 2018-10-03 00:24:31 +02:00
Thomas Patzke
2ac19d32a1
Merge pull request #178 from droe/ast_optimizer
Optimize the boolean expressions in the AST before generating output
2018-10-02 23:06:55 +02:00
Daniel Roethlisberger
cd3661b60c Fix optimization of NOT corner cases 2018-10-02 22:48:33 +02:00
Thomas Patzke
14c5dcf413
Merge pull request #179 from droe/tempfile-mktemp
Use mktemp if tempfile is not available, fixes `make` for macOS
2018-10-02 22:44:48 +02:00
Daniel Roethlisberger
85ad10d558 Use mktemp if tempfile is not available, fixes make for macOS 2018-10-02 22:17:03 +02:00
Daniel Roethlisberger
bed88cf813 Make uniq work for lists within definitions 2018-10-02 22:12:54 +02:00
Daniel Roethlisberger
7165128fa5 Remove None from AST - fixes None-related test failures 2018-10-02 21:44:37 +02:00
Daniel Roethlisberger
2242fc5ac8 Optimize the boolean expressions in the AST before generating output
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.

The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance.  This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.

The following optimizations are currently performed:

-   Removal of empty OR(), AND()
-   OR(X), AND(X)                 =>  X
-   OR(X, X, ...), AND(X, X, ...) =>  OR(X, ...), AND(X, ...)
-   OR(X, OR(Y))                  =>  OR(X, Y)
-   OR(AND(X, ...), AND(X, ...))  =>  AND(X, OR(AND(...), AND(...)))
-   NOT(NOT(X))                   =>  X

A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.

This implementation is not optimized for performance and will perform
poorly on very large expressions.
2018-10-02 21:14:25 +02:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Florian Roth
f29ffc0697
Merge pull request #174 from esebese/patch-1
sysmon_susp_run_key_img_folder.yml - Rule simplification
2018-10-01 14:24:54 +02:00
Florian Roth
bbddcd0f9a
Merge pull request #176 from Karneades/fix-missing-list-handling
Add missing event id list handling in PowerShell backend
2018-10-01 14:23:48 +02:00
Karneades
468af42de5 Add missing event id list handling in PowerShell backend 2018-09-29 14:43:28 +02:00
Florian Roth
f2d83a5a00
Merge pull request #175 from Karneades/fix-powershell-backend
Improve default field handling in PowerShell backend
2018-09-29 14:08:30 +02:00
Karneades
c289484c5c Improve default field handling in PowerShell backend 2018-09-29 12:29:44 +02:00
Ensar Şamil
dec7568d4c
Rule simplification
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
Florian Roth
1c2431f33b
Merge pull request #169 from Karneades/fix-aggregation-exeption
Add rule filename to "not implemented" exception output
2018-09-26 11:50:25 +02:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
Florian Roth
38d17e5169
Merge pull request #173 from b2az/patch-1
Missing Character
2018-09-26 11:49:17 +02:00
Florian Roth
a2c6f344ba
Lower case T 2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
Florian Roth
815236449b
Added PowerShell as target, updated project list 2018-09-24 13:44:14 +02:00
Florian Roth
d0a527af5e
Merge pull request #172 from Karneades/powershell-backend
Add initial version of the PowerShell backend
2018-09-24 13:30:24 +02:00
Florian Roth
14337a2aac Tests: PowerShell backend tests 2018-09-24 13:23:38 +02:00
Florian Roth
2766d8f881
Merge pull request #171 from Karneades/fix-certutil
Fix CommandLine in rule sysmon_susp_certutil_command
2018-09-24 07:51:07 +02:00
Karneades
c66b00356d Add initial version of PowerShell backend
* Add PowerShell backend
* Add PowerShell config file

State: Work in progress :)

See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Karneades
fe6f4c7475 Add rule filename to exception output for unsupported aggregation 2018-09-23 19:12:50 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Thomas Patzke
1d12fc290c Added Winlogbeat configuration 2018-09-20 12:08:11 +02:00
Florian Roth
13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00