Merge branch 'master' into rule-devel

veritasr3x · Sep 2, 2020 · 198469b · 198469b
2 parents 423f81c + bae09e9
commit 198469b
Show file tree

Hide file tree

Showing 35 changed files with 5,241 additions and 4,676 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 from version 0.14.0.
 
+## 0.18.1 - 2020-08-25
+
+Release created for technical reasons (issues with extended README and PyPI), no real changes done.
+
+## 0.18.0 - 2020-08-25
+
+### Added
+
+* C# backend
+* STIX backend
+* Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
+* More generic log sources
+* Windows Defender log sources
+* Generic DNS query log source
+* AppLocker log source
+
+### Changed
+
+* Improved backend and configuration descriptions
+* Microsoft Defender ATP mapping updated
+* Improved handling of wildcards in Elastic backends
+
+### Fixed
+
+* Powershell backend: key name was incorrectly added into regular expression
+* Grouping issue in Carbon Black backend
+* Handling of default field mapping in case field is referenced multiple from a rule
+* Code cleanup and various fixes
+* Log source mappings in configurations
+* Handling of conditional field mappings by Elastic backends
+
 ## 0.17.0 - 2020-06-12
 
 ### Added

diff --git a/README.md b/README.md
@@ -71,6 +71,12 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
 
+## Troubles / Troubleshooting / Help
+
+If you need help for a specific supported backend you can use e.g. `sigmac --backend-help elastalert-dsl`. More details on the usage of `sigmac` can be found in the dedicated [README.md](https://github.com/Neo23x0/sigma/blob/master/tools/README.md).
+
+Be sure to checkout the [guidance on backend specific settings](https://github.com/Neo23x0/sigma/blob/master/tools/README.md#choosing-the-right-sigmac) for `sigmac`.
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -202,6 +208,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
 * [LimaCharlie](https://limacharlie.io)
 * [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
+* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
 
 Current work-in-progress
 * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)

diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -6,11 +6,11 @@ author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.
 date: 2019/10/24
 modified: 2019/11/11
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
     - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 tags:
     - attack.defense_evasion
-    - attack.t1055
+    - attack.t1574.006
 logsource:
     product: linux
     service: auditd

diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -6,7 +6,10 @@ description: Masquerading occurs when the name or location of an executable, leg
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
 logsource:
     product: linux
     service: auditd
@@ -19,6 +22,3 @@ detection:
         a3: '*/crond'
     condition: selection
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1036
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -4,6 +4,9 @@ status: experimental
 description: Detects relevant commands often related to malware or hacking activity
 references:
     - Internal Research - mostly derived from exploit code including code in MSF
+tags:
+    - attack.execution
+    - attack.t1059.004
 date: 2017/12/12
 author: Florian Roth
 logsource:

diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -4,7 +4,6 @@ status: experimental
 description: Detects posible command execution by web application/web shell
 tags:
     - attack.persistence
-    - attack.t1100
     - attack.t1505.003
 references:
     - personal experience

diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
@@ -6,7 +6,10 @@ author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
+tags:
+    - attack.exfiltration
+    - attack.t1560.001
 logsource:
     product: linux
     service: auditd
@@ -26,7 +29,3 @@ detection:
 falsepositives:
     - Legitimate use of archiving tools by legitimate user
 level: low
-tags:
-    - attack.exfiltration
-    - attack.t1002
-    - attack.t1560
diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/lnx_apt_equationgroup_lnx.yml
@@ -6,7 +6,7 @@ references:
 tags:
     - attack.execution
     - attack.g0020
-    - attack.t1059
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/04/09
 logsource:

diff --git a/rules/linux/lnx_chattr_immutable_removal.yml b/rules/linux/lnx_chattr_immutable_removal.yml
@@ -4,7 +4,7 @@ description: Detects removing immutable file attribute
 status: experimental
 tags:
     - attack.defense_evasion
-    - attack.t1222
+    - attack.t1222.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
@@ -20,4 +20,4 @@ falsepositives:
     - Administrator interacting with immutable files (for instance backups)
 level: medium
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml
@@ -1,10 +1,10 @@
 title: File or Folder Permissions Change
-description: Detects 
+description: Detects
 id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
 status: experimental
 tags:
     - attack.defense_evasion
-    - attack.t1222
+    - attack.t1222.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
@@ -21,4 +21,4 @@ falsepositives:
     - User interracting with files permissions (normal/daily behaviour)
 level: low
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml
@@ -4,7 +4,6 @@ description: Detects a reload or a start of a service
 status: experimental
 tags:
     - attack.persistence
-    - attack.t1501
     - attack.t1543.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
@@ -24,5 +23,5 @@ falsepositives:
     - Legitimate reconfiguration of service
 level: low
 references:
-    - https://attack.mitre.org/techniques/T1501/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
+    - https://attack.mitre.org/techniques/T1543/002/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -7,11 +7,11 @@ description: Clear command history in linux which is used for defense evasion.
     # It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
     # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
     # It has two advantages over the version suggested by Patrick Bareiss  :
-    #   - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! 
-    #   - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected 
+    #   - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
+    #   - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
-    - https://attack.mitre.org/techniques/T1146/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
+    - https://attack.mitre.org/techniques/T1070/003/
     - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 author: Patrick Bareiss
 date: 2019/03/24

diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/lnx_shell_priv_esc_prep.yml
@@ -8,8 +8,8 @@ references:
 author: Patrick Bareiss
 date: 2019/04/05
 tags:
-    - attack.privilege_escalation
-    - attack.t1068
+    - attack.execution
+    - attack.t1059.004
 level: medium
 logsource:
     product: linux

diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
@@ -6,6 +6,9 @@ references:
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg
     - https://artkond.com/2017/03/23/pivoting-guide/
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/08/21
 modified: 2019/02/05
@@ -24,11 +27,11 @@ detection:
         - 'socat -O /tmp/*'
         - 'socat tcp-connect*'
         - '*echo binary >>*'
-        # Malware 
+        # Malware
         - '*wget *; chmod +x*'
         - '*wget *; chmod 777 *'
         - '*cd /tmp || cd /var/run || cd /mnt*'
-        # Apache Struts in-the-wild exploit codes  
+        # Apache Struts in-the-wild exploit codes
         - '*stop;service iptables stop;*'
         - '*stop;SuSEfirewall2 stop;*'
         - 'chmod 777 2020*'

diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/lnx_shell_susp_rev_shells.yml
@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
 references:
     - https://alamot.github.io/reverse_shells/
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2019/04/02
 logsource:

diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml
@@ -3,12 +3,15 @@ id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
 references:
     - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/08/24
 logsource:
     product: linux
 detection:
-    selection1: 
+    selection1:
         - 'bash -c /bin/bash'
     selection2:
         - '&/dev/tcp/'

diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -0,0 +1,45 @@
+title: Publicly Accessible RDP Service
+id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
+status: experimental
+description: Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.
+references:
+    - https://attack.mitre.org/techniques/T1021/001/
+tags:
+    - attack.t1021
+    - attack.t1021.001
+author: 'Josh Brower @DefensiveDepth'
+date: 2020/08/22 
+logsource:
+    product: zeek
+    service: rdp
+detection:
+    selection:
+      src_ip|startswith:
+        - '192.168.'
+        - '10.'
+        - '172.16.'
+        - '172.17.'
+        - '172.18.'
+        - '172.19.'
+        - '172.20.'
+        - '172.21.'
+        - '172.22.'
+        - '172.23.'
+        - '172.24.'
+        - '172.25.'
+        - '172.26.'
+        - '172.27.'
+        - '172.28.'
+        - '172.29.'
+        - '172.30.'
+        - '172.31.'
+    #approved_rdp:
+      #dst_ip:
+        #- x.x.x.x
+    condition: not selection #and not approved_rdp
+fields:
+    - src_ip
+    - dst_ip
+falsepositives:
+    - none
+level: high
diff --git a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -17,5 +17,5 @@ detection:
         Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
     condition: selection
 falsepositives: 
-    - Unknown (data set is too small; further testing needed)
+    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
 level: high
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -10,7 +10,7 @@ tags:
     - attack.lateral_movement
     - attack.t1077
     - attack.t1105
-    - attack.t1021
+    - attack.t1021.002
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -16,8 +16,8 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
-            - rasdial
+        Image|endswith:
+            - rasdial.exe
     condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment

diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -18,7 +18,7 @@ detection:
         ParentImage|endswith: '\WmiPrvSe.exe'
     filter:
         - LogonId: '0x3e7'  # LUID 999 for SYSTEM
-        - Username: 'NT AUTHORITY\SYSTEM'  # if we don't have LogonId data, fallback on username detection
+        - User: 'NT AUTHORITY\SYSTEM'  # if we don't have LogonId data, fallback on username detection
     condition: selection and not filter
 falsepositives:
     - Unknown

diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -8,7 +8,7 @@ tags:
     - attack.persistence
     - attack.t1060
 date: 2019/10/21
-modified: 2019/11/10
+modified: 2020/08/18
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
 logsource:
     category: registry_event
@@ -23,7 +23,12 @@ detection:
             - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
             - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
             - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
-            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs'  # Appinit DLL
+            - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs'  # Appinit DLL
+            - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Load'  # WindowsShellLoadAndRun in HKCU
+            - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Load'  # WindowsShellLoadAndRun in HKCU
+            - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Run'  # WindowsShellLoadAndRun in HKCU
+            - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Run'  # WindowsShellLoadAndRun in HKCU
             - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
     condition: selection
 falsepositives: