From 166ba28775261fa5d319d4be00102f1adb891642 Mon Sep 17 00:00:00 2001 
From: DustInDark
Date: Wed, 21 Jul 2021 08:57:22 +0900
Subject: [PATCH] Feature/bits job#130 (#131)

* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* under constructing
* add statistics template
* fix
* add comment
* add condition impl #93
* fix erased get_descendants and remove unnecessaly struct #93
* erased finished TODO comment
* erased finished TODO comment
* Revert "fix erased get_descendants and remove unnecessaly struct #93"

This reverts commit 82e905e04525df7ce5af37272e4d8525c0b2504f.

Revert "add condition impl #93"

This reverts commit 19ecc87377736c0902a2e07ea798189cc642a620.

* add doc comment to rule function
* fix and add test doc comment
* add doc to AggregaationParseInfo
* add struct count in aggregation condition. #93
* add evaluate aggregation condition func provisional architecture. #93
* add countup function #93
* fix key to count hashmap #93
* add judge aggregation condition function #93
* fix error #93
* fix test #93
* share compile error ver
* fix detection.rs compile error
* fix timeframe parse
* add countup process in select
* fix select argument
* add test countup
* add test count judge #93
* add SIGMA windows count field and by keyword #93
* fix reference record in countup/judgecount #93
* add timedata in countup schema #93
* Refact: split code for matcher from rule.rs
* Refact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* add count to detection #93
* fix compile error
* fix source to test ng. #93
* erase unused variable #93
* fix count architecture #93
* fix comment and compile error
* erase dust (response to review)
* erase dust (response to review)
* reduce calling Rulenode function (response to review)
* add aggregation output func
* erase dust (response to review) and add agg condition String func
* change error output
* reduce call RuleNode function (response to review)
* To reduce call RuleNode function
* fix test name
* fix conflicted resolve miss
* add code comment in timeframe count.
* add sort record timedata in timeframe (response to review)
* fix unnecessary result in ArgResult
* add no field and by value count test
* create count test no field and by with timeframe
* erase duplicated timeframe data in RuleNode
* fix test error no field and no by count with timeframe
* fix test name
* add test case of exist field and by count.
* fix by count test and add test count othervalue in timeframe
* add test
* fix judge_timeframe logic when indexout
* fix test name and add count test field and by with timeframe
* adjust #120
* move associated count function from rulenode
* fix error when resolve conflict
* adjust T1197_bitsjob_started
* fix no output bug if exist output
* add rule to bitsjob #130

Co-authored-by: HajimeTakai
Co-authored-by: itiB
---
 config/eventkey_alias.txt        |  4 +++-
 rules/bitsjobs/1197_bitsjob.yaml | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 rules/bitsjobs/1197_bitsjob.yaml

diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt index 678c9ac1..5e409da8 100644 --- a/config/eventkey_alias.txt +++ b/config/eventkey_alias.txt @@ -42,4 +42,6 @@ SubjectLogonId,Event.EventData.SubjectLogonId Image,Event.EventData.Image ParentImage,Event.EventData.ParentImage MachineName,Event.EventData.MachineName -QueryName,Event.EventData.QueryName \ No newline at end of file +QueryName,Event.EventData.QueryName +JobTitle,Event.EventData.name +Url,Event.EventData.url
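Review bot: the two new aliases map to lowercase EventData keys (`Event.EventData.name`, `Event.EventData.url`) while every other alias in the visible context maps to a PascalCase field (`Image`, `ParentImage`, `MachineName`, `QueryName`); please confirm that `name` and `url` are the literal field names carried by the Bits-Client event the new rule selects and that the alias lookup treats case the way this file expects, otherwise the `%JobTitle%` and `%Url%` placeholders in the new rule's `output` have nothing to resolve to. The alias keys are also global across all rules, so a generic `Url` key may later collide with a `Url`/`URL` field from another log source; a channel-specific key (for example `BitsUrl`) would be safer. Fixing the missing trailing newline on the old `QueryName` line is welcome.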
diff --git a/rules/bitsjobs/1197_bitsjob.yaml b/rules/bitsjobs/1197_bitsjob.yaml new file mode 100644 index 00000000..09e2a41f --- /dev/null +++ b/rules/bitsjobs/1197_bitsjob.yaml @@ -0,0 +1,16 @@ +title: BitsJob +description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. +enabled: true +author: Yea +logsource: + product: windows +detection: + selection: + Channel: Microsoft-Windows-Bits-Client/Operational + EventID: 59 +falsepositives: + - unknown +level: medium +output: 'Started bits job created. JobTitle:%JobTitle% URL:%Url%' +creation_date: 2021/7/15 +updated_date: 2021/7/15
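Review bot: the selection is only `Channel` plus `EventID: 59`, so the rule fires on every BITS job start, and `falsepositives: - unknown` understates that; Windows Update and other Microsoft components create BITS transfers routinely, so either list those expected benign sources or add a discriminating field (the `JobTitle`/`Url` values the `output` already exposes), and reconsider whether `level: medium` is right for an unfiltered job-start event. Smaller points: `author: Yea` reads like a placeholder; the output text 'Started bits job created.' is awkward, 'BITS job started.' says the same thing clearly; and the file name `1197_bitsjob.yaml` drops the technique prefix the commit message itself uses (`T1197_bitsjob_started`), so the file name and the `title: BitsJob` should agree on the ATT&CK id they refer to.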