Commit Graph

2986 Commits

Author SHA1 Message Date
Thomas Patzke
8c69c7bb02
PyPI deployment via GitHub Actions 2020-03-31 22:36:16 +02:00
Florian Roth
8e39b09ba5
Merge pull request #690 from cnotin/patch-1
Small typo
2020-03-31 16:27:21 +02:00
Clément Notin
18cdddb09e
Small typo 2020-03-31 15:22:00 +02:00
Florian Roth
6a70bdb126
Merge pull request #689 from 0xThiebaut/win_ad_enumeration
Add AD User Enumeration
2020-03-31 10:56:48 +02:00
Maxime Thiebaut
8dcbfd9aca Add AD User Enumeration
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Florian Roth
f2a2420e24
Merge pull request #687 from Neo23x0/ci-testing
Ci testing
2020-03-29 17:25:28 +02:00
Thomas Patzke
4dbe5e2f17
Moved Elasticsearch dependencies to generic dependencies
Omitting waiting for Elasticsearch as it should be started at this time.
2020-03-29 15:19:13 +02:00
Thomas Patzke
5e258efbe7
Improved Elasticsearch waiting process 2020-03-29 14:57:34 +02:00
Thomas Patzke
d68b900077
Wait for Elasticsearch before running tests 2020-03-29 14:37:27 +02:00
Thomas Patzke
821a631325
Run Elasticsearch installation as root 2020-03-29 14:00:15 +02:00
Thomas Patzke
fbe40bd1e8
Fixed Elasticsearch test
* Splitted into separate action
* Install dependencies
2020-03-29 13:41:03 +02:00
Thomas Patzke
d24c1e2800
CI testing with GitHub Actions 2020-03-29 13:25:04 +02:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
5f0250bff5
Merge pull request #669 from 0xThiebaut/winlogbeat-rulename
Add Winlogbeat's RuleName field to mapping
2020-03-28 13:20:08 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision
Eliminate title collision
2020-03-28 12:57:55 +01:00
Florian Roth
597d914b71
Merge pull request #679 from Iveco/master
add LDAPFragger detections
2020-03-28 12:57:33 +01:00
Iveco
55258e1799
Title capitalized 2020-03-26 17:04:08 +01:00
Iveco
3f577c98e7
Title capalized 2020-03-26 17:03:33 +01:00
Iveco
68c20dca20
Fixed title length 2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length 2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth
0e973d1454
Merge pull request #677 from Neo23x0/devel
Devel
2020-03-25 19:14:03 +01:00
Florian Roth
28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth
e206cbda7f
Merge pull request #676 from Neo23x0/devel
Devel
2020-03-25 14:54:56 +01:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth
0e1ff440db fix: updated MITRE tags in test 2020-03-25 14:04:22 +01:00
Florian Roth
50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
j91321
78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Thomas Patzke
5ea623506f
Merge pull request #667 from opflep/master
Upgrade CarbonBlack backend
2020-03-22 00:24:57 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Maxime Thiebaut
dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
Maxime Thiebaut
c5bdd18d8d Add Winlogbeat's RuleName field to mapping
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
vunx2
be6519e35d merge 2020-03-19 11:07:39 +07:00
vunx2
1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2
c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2
2107d86900 merge 2020-03-19 10:58:30 +07:00
vunx2
f3e642f340 merge 2020-03-19 10:54:48 +07:00
vunx2
b9e9408d34 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-19 10:51:37 +07:00