Merge pull request #403 from Yamato-Security/enhancement/config-update

Update config files

config/eventkey_alias.txt

@@ -62,6 +62,7 @@ ImageLoaded,Event.EventData.ImageLoaded
 ImagePath,Event.EventData.ImagePath
 Imphash,Event.EventData.Hashes
 Initiated,Event.EventData.Initiated
+InstanceID,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId
 IntegrityLevel,Event.EventData.IntegrityLevel
 IpAddress,Event.EventData.IpAddress
 IpPort,Event.EventData.IpPort
@@ -85,6 +86,8 @@ NewTemplateContent, Event.EventData.NewTemplateContent
 NewUacValue,Event.EventData.NewUacValue
 NewValue,Event.EventData.NewValue
 New_Value,Event.EventData.New Value
+NewProcessName,Event.EventData.NewProcessName
+NewProcessId,Event.EventData.NewProcessId
 ObjectClass,Event.EventData.ObjectClass
 ObjectName,Event.EventData.ObjectName
 ObjectServer,Event.EventData.ObjectServer
@@ -93,6 +96,11 @@ ObjectValueName,Event.EventData.ObjectValueName
 OldUacValue,Event.EventData.OldUacValue
 Origin,Event.EventData.Origin
 OriginalFilename,Event.EventData.OriginalFileName
+param1,Event.EventData.param1
+param2,Event.EventData.param2
+param3,Event.EventData.param3
+param4,Event.EventData.param4
+param5,Event.EventData.param5
 ParentCommandLine,Event.EventData.ParentCommandLine
 ParentImage,Event.EventData.ParentImage
 ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
@@ -144,6 +152,7 @@ Source_WorkStation,Event.EventData.Source_WorkStation
 StartAddress,Event.EventData.StartAddress
 StartFunction,Event.EventData.StartFunction
 StartModule,Event.EventData.StartModule
+StartType,Event.EventData.StartType
 State,Event.EventData.State
 Status,Event.EventData.Status
 SubStatus,Event.EventData.SubStatus

config/exclude-rules.txt

@@ -1,9 +1,18 @@
-4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
-c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
-9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
+# Cannot parse rule or generates errors:
+4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # "MSExchange Transport Agent Installation"
+b20f6158-9438-41be-83da-a5a16ac90c2b # "Rare Scheduled Task Creations"
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # "Possible Exploitation of Exchange RCE CVE-2021-42321"
+9f7aa113-9da6-4a8d-907c-5f1a4b908299 # "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
 
-# Replaced by hayabusa rules
-c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
-66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
-7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
-b20f6158-9438-41be-83da-a5a16ac90c2b # ./rules/sigma/other/taskscheduler/win_rare_schtask_creation.yml
+# Replaced by Hayabusa rules
+c265cf08-3f99-46c1-8d59-328247057d57 # "User Added to Local Administrators"
+66b6be3d-55d0-4f47-9855-d69df21740ea # "Local User Creation"
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # "Hidden Local User Creation".
+
+# Disabled due to too many false positives:
+71158e3f-df67-472b-930e-7d287acaa3e1 # "Execution Of Not Existing File"
+c09dad97-1c78-4f71-b127-7edb2b8e491a # "Execution Of Other File Type Than .exe". Replaced with Hayabusa rule: 8d1487f1-7664-4bda-83b5-cb2f79491b6a
+1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 # "USB Device Plugged" False positives due to not filtering on provider properly.
+db809f10-56ce-4420-8c86-d6a7d793c79c # "Raw Disk Access Using Illegitimate Tools" Need to test if false positives lower when filtering on just sysmon logs.
+57b649ef-ff42-4fb0-8bf6-62da243a1708 # "Windows Defender Threat Detected" Replaced by Hayabusa rule.
+0eb2107b-a596-422e-b123-b389d5594ed7 # "Hurricane Panda Activity"

config/noisy-rules.txt

@@ -6,4 +6,5 @@ e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_f
 61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
 add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
 196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
-72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
+72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
+dae8171c-5ec6-4396-b210-8466585b53e9 # "SCM Database Privileged Operation" Detects unprivelidged users attempting priv'd things. Can possible detect things like psexec but may have false positives and should probably be medium alert instead of critical.

config/regex/LOLBAS_commands.txt

@@ -0,0 +1,116 @@
+.*(?i)AppInstaller.*
+.*(?i)Aspnet_Compiler.*
+.*(?i)At.*
+.*(?i)AtBroker.*
+.*(?i)Bash.*
+.*(?i)BitsAdmin.*
+.*(?i)CertOC.*
+.*(?i)CertReq.*
+.*(?i)CertUtil.*
+.*(?i)Cmd.*
+.*(?i)Cmdkey.*
+.*(?i)cmdl32.*
+.*(?i)Cmstp.*
+.*(?i)ConfigSecurityPolicy.*
+.*(?i)Control.*
+.*(?i)Csc.*
+.*(?i)Cscript.*
+.*(?i)DataSvcUtil.*
+.*(?i)DesktopImgDownldr.*
+.*(?i)DfSvc.*
+.*(?i)Diantz.*
+.*(?i)DiskShadow.*
+.*(?i)dllhost.*
+.*(?i)DnsCmd.*
+.*(?i)EsentUtl.*
+.*(?i)EventVwr.*
+.*(?i)Expand.*
+.*(?i)ExtExport.*
+.*(?i)Extrac32.*
+.*(?i)FindStr.*
+.*(?i)Finger.*
+.*(?i)FltMC.*
+.*(?i)ForFiles.*
+.*(?i)FTP.*
+.*(?i)GfxDownloadWrapper.*
+.*(?i)GpScript.*
+.*(?i)HH.*
+.*(?i)IMEWDBLD.*
+.*(?i)Ie4uInit.*
+.*(?i)IeExec.*
+.*(?i)ILASM.*
+.*(?i)InfDefaultInstall.*
+.*(?i)InstallUtil.*
+.*(?i)Jsc.*
+.*(?i)MakeCab.*
+.*(?i)MavInject.*
+.*(?i)Microsoft.Workflow.Compiler.*
+.*(?i)Mmc.*
+.*(?i)MpCmdRun.*
+.*(?i)Msbuild.*
+.*(?i)MsConfig.*
+.*(?i)Msdt.*
+.*(?i)Mshta.*
+.*(?i)MsiExec.*
+.*(?i)NetSh.*
+.*(?i)OdbcConf.*
+.*(?i)OfflineScannerShell.*
+.*(?i)OneDriveStandaloneUpdater.*
+.*(?i)Pcalua.*
+.*(?i)PcwRun.*
+.*(?i)PktMon.*
+.*(?i)PnpUtil.*
+.*(?i)PresentationHost.*
+.*(?i)Print.*
+.*(?i)PrintBrm.*
+.*(?i)Psr.*
+.*(?i)Rasautou.*
+.*(?i)Reg.*
+.*(?i)Regasm.*
+.*(?i)RegEdit.*
+.*(?i)RegIni.*
+.*(?i)Register-CimProvider.*
+.*(?i)RegSvcs.*
+.*(?i)RegSvr32.*
+.*(?i)Replace.*
+.*(?i)RpcPing.*
+.*(?i)RunDll32.*
+.*(?i)RunOnce.*
+.*(?i)RunScriptHelper.*
+.*(?i)Sc.*
+.*(?i)SchTasks.*
+.*(?i)ScriptRunner.*
+.*(?i)SettingSyncHost.*
+.*(?i)StorDiag.*
+.*(?i)SyncAppvPublishingServer.*
+.*(?i)TtdInject.*
+.*(?i)TtTracer.*
+.*(?i)VBC.*
+.*(?i)Verclsid.*
+.*(?i)ping.*
+.*(?i)ipconfig.*
+.*(?i)Wab.*
+.*(?i)Wmic.*
+.*(?i)WorkFolders.*
+.*(?i)Wscript.*
+.*(?i)WsReset.*
+.*(?i)Wuauclt.*
+.*(?i)Xwizard.*
+.*(?i)ADPlus.*
+.*(?i)AgentExecutor.*
+.*(?i)Appvlp.*
+.*(?i)Bginfo.*
+.*(?i)Cdb.*
+.*(?i)CoreGen.*
+.*(?i)CSI.*
+.*(?i)DefaultPack.*
+.*(?i)DevtoolsLauncher.*
+.*(?i)DNX.*
+.*(?i)Dotnet.*
+.*(?i)Dxcap.*
+.*(?i)NTDSUtil.*
+.*(?i)procdump.*
+.*(?i)psexec.*
+.*(?i)SqlDumper.*
+.*(?i)winrm.vbs.*
+.*(?i)powershell.*

config/regex/LOLBAS_paths.txt

@@ -0,0 +1,118 @@
+.*(?i)AppInstaller.exe$
+.*(?i)Aspnet_Compiler.exe$
+.*(?i)At.exe$
+.*(?i)AtBroker.exe$
+.*(?i)Bash.exe$
+.*(?i)BitsAdmin.exe$
+.*(?i)CertOC.exe$
+.*(?i)CertReq.exe$
+.*(?i)CertUtil.exe$
+.*(?i)Cmd.exe$
+.*(?i)Cmdkey.exe$
+.*(?i)cmdl32.exe$
+.*(?i)Cmstp.exe$
+.*(?i)ConfigSecurityPolicy.exe$
+.*(?i)Control.exe$
+.*(?i)Csc.exe$
+.*(?i)Cscript.exe$
+.*(?i)DataSvcUtil.exe$
+.*(?i)DesktopImgDownldr.exe$
+.*(?i)DfSvc.exe$
+.*(?i)Diantz.exe$
+.*(?i)DiskShadow.exe$
+.*(?i)dllhost.exe$
+.*(?i)DnsCmd.exe$
+.*(?i)EsentUtl.exe$
+.*(?i)EventVwr.exe$
+.*(?i)Expand.exe$
+.*(?i)ExtExport.exe$
+.*(?i)Extrac32.exe$
+.*(?i)FindStr.exe$
+.*(?i)Finger.exe$
+.*(?i)FltMC.exe$
+.*(?i)ForFiles.exe$
+.*(?i)FTP.exe$
+.*(?i)GfxDownloadWrapper.exe$
+.*(?i)GpScript.exe$
+.*(?i)HH.exe$
+.*(?i)IMEWDBLD.exe$
+.*(?i)Ie4uInit.exe$
+.*(?i)IeExec.exe$
+.*(?i)ILASM.exe$
+.*(?i)InfDefaultInstall.exe$
+.*(?i)InstallUtil.exe$
+.*(?i)Jsc.exe$
+.*(?i)MakeCab.exe$
+.*(?i)MavInject.exe$
+.*(?i)Microsoft.Workflow.Compiler.exe$
+.*(?i)Mmc.exe$
+.*(?i)MpCmdRun.exe$
+.*(?i)Msbuild.exe$
+.*(?i)MsConfig.exe$
+.*(?i)Msdt.exe$
+.*(?i)Mshta.exe$
+.*(?i)MsiExec.exe$
+.*(?i)NetSh.exe$
+.*(?i)OdbcConf.exe$
+.*(?i)OfflineScannerShell.exe$
+.*(?i)OneDriveStandaloneUpdater.exe$
+.*(?i)Pcalua.exe$
+.*(?i)PcwRun.exe$
+.*(?i)PktMon.exe$
+.*(?i)PnpUtil.exe$
+.*(?i)PresentationHost.exe$
+.*(?i)Print.exe$
+.*(?i)PrintBrm.exe$
+.*(?i)Psr.exe$
+.*(?i)Rasautou.exe$
+.*(?i)Reg.exe$
+.*(?i)Regasm.exe$
+.*(?i)RegEdit.exe$
+.*(?i)RegIni.exe$
+.*(?i)Register-CimProvider.exe$
+.*(?i)RegSvcs.exe$
+.*(?i)RegSvr32.exe$
+.*(?i)Replace.exe$
+.*(?i)RpcPing.exe$
+.*(?i)RunDll32.exe$
+.*(?i)RunOnce.exe$
+.*(?i)RunScriptHelper.exe$
+.*(?i)Sc.exe$
+.*(?i)SchTasks.exe$
+.*(?i)ScriptRunner.exe$
+.*(?i)SettingSyncHost.exe$
+.*(?i)StorDiag.exe$
+.*(?i)SyncAppvPublishingServer.exe$
+.*(?i)TtdInject.exe$
+.*(?i)TtTracer.exe$
+.*(?i)VBC.exe$
+.*(?i)Verclsid.exe$
+.*(?i)ping.exe$
+.*(?i)ipconfig.exe$
+.*(?i)Wab.exe$
+.*(?i)Wmic.exe$
+.*(?i)WorkFolders.exe$
+.*(?i)Wscript.exe$
+.*(?i)WsReset.exe$
+.*(?i)Wuauclt.exe$
+.*(?i)Xwizard.exe$
+.*(?i)ADPlus.exe$
+.*(?i)AgentExecutor.exe$
+.*(?i)Appvlp.exe$
+.*(?i)Bginfo.exe$
+.*(?i)Cdb.exe$
+.*(?i)CoreGen.exe$
+.*(?i)CSI.exe$
+.*(?i)DefaultPack.exe$
+.*(?i)DevtoolsLauncher.exe$
+.*(?i)DNX.exe$
+.*(?i)Dotnet.exe$
+.*(?i)Dxcap.exe$
+.*(?i)NTDSUtil.exe$
+.*(?i)procdump.exe$
+.*(?i)psexec.exe$
+.*(?i)SqlDumper.exe$
+.*(?i)winrm.vbs.exe$
+.*(?i)powershell.exe$
+.*(?i)xcopy.exe$
+.*(?i)RoboCopy.exe$

config/regex/detectlist_suspicous_services.txt

@@ -1,16 +1,15 @@
 ^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
-^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$
 powershell.*FromBase64String.*IO.Compression.GzipStream
 DownloadString\(.http
-mimikatz
+.*(?i)mimikatz.*
+.*(?i)mimidvr.*
 Invoke-Mimikatz.ps
 PowerSploit.*ps1
-User-Agent
 [a-zA-Z0-9/+=]{500}
-powershell.exe.*Hidden.*Enc
+.*(?i)powershell.*
+.*(?i)cmd.*
 \\csc\.exe
 \\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
-# Generic cvtres.exe alert
 \\cvtres\.exe.*
 \\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
 ^[a-zA-Z]{22}$

src/detections/rule/matchers.rs

@@ -644,13 +644,13 @@ mod tests {
                 // regexes.txtの中身と一致していることを確認
                 let csvcontent = &ancestor_matcher.regexes;
 
-                assert_eq!(csvcontent.len(), 17);
+                assert_eq!(csvcontent.len(), 16);
                 assert_eq!(
                     csvcontent[0].as_str().to_string(),
                     r"^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$"
                 );
                 assert_eq!(
-                    csvcontent[14].as_str().to_string(),
+                    csvcontent[13].as_str().to_string(),
                     r"\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp"
                 );
             }