From 0260a223fd7e547723111965740c1b7ec9d3e308 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Mon, 21 Feb 2022 17:07:47 +0900
Subject: [PATCH 1/2] Update config files
---
config/eventkey_alias.txt | 9 ++
config/exclude-rules.txt | 25 ++--
config/noisy-rules.txt | 3 +-
config/regex/LOLBAS_commands.txt | 116 +++++++++++++++++
config/regex/LOLBAS_paths.txt | 118 ++++++++++++++++++
.../regex/detectlist_suspicous_services.txt | 9 +-
6 files changed, 266 insertions(+), 14 deletions(-)
create mode 100644 config/regex/LOLBAS_commands.txt
create mode 100644 config/regex/LOLBAS_paths.txt
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 99a4b293..2a5e4d7f 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -62,6 +62,7 @@ ImageLoaded,Event.EventData.ImageLoaded
 ImagePath,Event.EventData.ImagePath
 Imphash,Event.EventData.Hashes
 Initiated,Event.EventData.Initiated
+InstanceID,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId
 IntegrityLevel,Event.EventData.IntegrityLevel
 IpAddress,Event.EventData.IpAddress
 IpPort,Event.EventData.IpPort
@@ -85,6 +86,8 @@ NewTemplateContent, Event.EventData.NewTemplateContent
 NewUacValue,Event.EventData.NewUacValue
 NewValue,Event.EventData.NewValue
 New_Value,Event.EventData.New Value
+NewProcessName,Event.EventData.NewProcessName
+NewProcessId,Event.EventData.NewProcessId
 ObjectClass,Event.EventData.ObjectClass
 ObjectName,Event.EventData.ObjectName
 ObjectServer,Event.EventData.ObjectServer
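Review bot: The alias key on the `+InstanceID,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId` line is spelled differently from the field it points to (`InstanceID` vs `InstanceId`), and it is the only entry in the visible hunks that resolves under `Event.UserData` rather than `Event.EventData`. If alias lookup is case-sensitive, a rule author who copies the field name from the event will miss this alias; aligning the key with the field, `InstanceId,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId`, avoids that, assuming no existing rule already relies on the `InstanceID` spelling. The UserData path also binds this alias to one specific event schema, which is worth recording in the commit message or a nearby comment if this file accepts them, since the file shows no comment lines here.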
@@ -93,6 +96,11 @@ ObjectValueName,Event.EventData.ObjectValueName
 OldUacValue,Event.EventData.OldUacValue
 Origin,Event.EventData.Origin
 OriginalFilename,Event.EventData.OriginalFileName
+param1,Event.EventData.param1
+param2,Event.EventData.param2
+param3,Event.EventData.param3
+param4,Event.EventData.param4
+param5,Event.EventData.param5
 ParentCommandLine,Event.EventData.ParentCommandLine
 ParentImage,Event.EventData.ParentImage
 ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
@@ -144,6 +152,7 @@ Source_WorkStation,Event.EventData.Source_WorkStation
 StartAddress,Event.EventData.StartAddress
 StartFunction,Event.EventData.StartFunction
 StartModule,Event.EventData.StartModule
+StartType,Event.EventData.StartType
 State,Event.EventData.State
 Status,Event.EventData.Status
 SubStatus,Event.EventData.SubStatus
diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt
index 8191c667..ed1d33a9 100644
--- a/config/exclude-rules.txt
+++ b/config/exclude-rules.txt
@@ -1,9 +1,18 @@
-4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
-c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
-9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
+# Cannot parse rule or generates errors:
+4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # "MSExchange Transport Agent Installation"
+b20f6158-9438-41be-83da-a5a16ac90c2b # "Rare Scheduled Task Creations"
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # "Possible Exploitation of Exchange RCE CVE-2021-42321"
+9f7aa113-9da6-4a8d-907c-5f1a4b908299 # "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
 
-# Replaced by hayabusa rules
-c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
-66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
-7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
-b20f6158-9438-41be-83da-a5a16ac90c2b # ./rules/sigma/other/taskscheduler/win_rare_schtask_creation.yml
\ No newline at end of file
+# Replaced by Hayabusa rules
+c265cf08-3f99-46c1-8d59-328247057d57 # "User Added to Local Administrators"
+66b6be3d-55d0-4f47-9855-d69df21740ea # "Local User Creation"
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # "Hidden Local User Creation".
+
+# Disabled due to too many false positives:
+71158e3f-df67-472b-930e-7d287acaa3e1 # "Execution Of Not Existing File"
+c09dad97-1c78-4f71-b127-7edb2b8e491a # "Execution Of Other File Type Than .exe". Replaced with Hayabusa rule: 8d1487f1-7664-4bda-83b5-cb2f79491b6a
+1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 # "USB Device Plugged" False positives due to not filtering on provider properly.
+db809f10-56ce-4420-8c86-d6a7d793c79c # "Raw Disk Access Using Illegitimate Tools" Need to test if false positives lower when filtering on just sysmon logs.
+57b649ef-ff42-4fb0-8bf6-62da243a1708 # "Windows Defender Threat Detected" Replaced by Hayabusa rule.
+0eb2107b-a596-422e-b123-b389d5594ed7 # "Hurricane Panda Activity"
\ No newline at end of file
diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt
index abadf989..1282e165 100644
--- a/config/noisy-rules.txt
+++ b/config/noisy-rules.txt
@@ -6,4 +6,5 @@ e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_f
 61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
 add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
 196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
-72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
\ No newline at end of file
+72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
+dae8171c-5ec6-4396-b210-8466585b53e9 # "SCM Database Privileged Operation" Detects unprivelidged users attempting priv'd things. Can possible detect things like psexec but may have false positives and should probably be medium alert instead of critical.
\ No newline at end of file
diff --git a/config/regex/LOLBAS_commands.txt b/config/regex/LOLBAS_commands.txt
new file mode 100644
index 00000000..4a6c3d4a
--- /dev/null
+++ b/config/regex/LOLBAS_commands.txt
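Review bot: The `+0eb2107b-a596-422e-b123-b389d5594ed7 # "Hurricane Panda Activity"` line is the only entry in the new "Disabled due to too many false positives" section that gives no reason, while every neighbour states why it was disabled or what replaces it. Each line in this file switches a detection off for every user of these configs, so a short rationale, e.g. `# "Hurricane Panda Activity" <reason for exclusion>`, is what lets the decision be revisited later. The `+7b449a5e-... # "Hidden Local User Creation".` line also carries a stray trailing period that its siblings lack.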
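Review bot: The comment on the added `+dae8171c-5ec6-4396-b210-8466585b53e9` line has spelling and grammar slips (`unprivelidged`, `Can possible detect`) and folds an unresolved severity decision into a rationale. Suggested wording: `# "SCM Database Privileged Operation" Detects unprivileged users attempting privileged operations. Can possibly detect tools like PsExec but may have false positives; consider medium rather than critical.` If the downgrade is intended, it presumably belongs in the rule's own level rather than in this list's comment, since marking a rule noisy and lowering its severity are different decisions.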
@@ -0,0 +1,116 @@
+.*(?i)AppInstaller.*
+.*(?i)Aspnet_Compiler.*
+.*(?i)At.*
+.*(?i)AtBroker.*
+.*(?i)Bash.*
+.*(?i)BitsAdmin.*
+.*(?i)CertOC.*
+.*(?i)CertReq.*
+.*(?i)CertUtil.*
+.*(?i)Cmd.*
+.*(?i)Cmdkey.*
+.*(?i)cmdl32.*
+.*(?i)Cmstp.*
+.*(?i)ConfigSecurityPolicy.*
+.*(?i)Control.*
+.*(?i)Csc.*
+.*(?i)Cscript.*
+.*(?i)DataSvcUtil.*
+.*(?i)DesktopImgDownldr.*
+.*(?i)DfSvc.*
+.*(?i)Diantz.*
+.*(?i)DiskShadow.*
+.*(?i)dllhost.*
+.*(?i)DnsCmd.*
+.*(?i)EsentUtl.*
+.*(?i)EventVwr.*
+.*(?i)Expand.*
+.*(?i)ExtExport.*
+.*(?i)Extrac32.*
+.*(?i)FindStr.*
+.*(?i)Finger.*
+.*(?i)FltMC.*
+.*(?i)ForFiles.*
+.*(?i)FTP.*
+.*(?i)GfxDownloadWrapper.*
+.*(?i)GpScript.*
+.*(?i)HH.*
+.*(?i)IMEWDBLD.*
+.*(?i)Ie4uInit.*
+.*(?i)IeExec.*
+.*(?i)ILASM.*
+.*(?i)InfDefaultInstall.*
+.*(?i)InstallUtil.*
+.*(?i)Jsc.*
+.*(?i)MakeCab.*
+.*(?i)MavInject.*
+.*(?i)Microsoft.Workflow.Compiler.*
+.*(?i)Mmc.*
+.*(?i)MpCmdRun.*
+.*(?i)Msbuild.*
+.*(?i)MsConfig.*
+.*(?i)Msdt.*
+.*(?i)Mshta.*
+.*(?i)MsiExec.*
+.*(?i)NetSh.*
+.*(?i)OdbcConf.*
+.*(?i)OfflineScannerShell.*
+.*(?i)OneDriveStandaloneUpdater.*
+.*(?i)Pcalua.*
+.*(?i)PcwRun.*
+.*(?i)PktMon.*
+.*(?i)PnpUtil.*
+.*(?i)PresentationHost.*
+.*(?i)Print.*
+.*(?i)PrintBrm.*
+.*(?i)Psr.*
+.*(?i)Rasautou.*
+.*(?i)Reg.*
+.*(?i)Regasm.*
+.*(?i)RegEdit.*
+.*(?i)RegIni.*
+.*(?i)Register-CimProvider.*
+.*(?i)RegSvcs.*
+.*(?i)RegSvr32.*
+.*(?i)Replace.*
+.*(?i)RpcPing.*
+.*(?i)RunDll32.*
+.*(?i)RunOnce.*
+.*(?i)RunScriptHelper.*
+.*(?i)Sc.*
+.*(?i)SchTasks.*
+.*(?i)ScriptRunner.*
+.*(?i)SettingSyncHost.*
+.*(?i)StorDiag.*
+.*(?i)SyncAppvPublishingServer.*
+.*(?i)TtdInject.*
+.*(?i)TtTracer.*
+.*(?i)VBC.*
+.*(?i)Verclsid.*
+.*(?i)ping.*
+.*(?i)ipconfig.*
+.*(?i)Wab.*
+.*(?i)Wmic.*
+.*(?i)WorkFolders.*
+.*(?i)Wscript.*
+.*(?i)WsReset.*
+.*(?i)Wuauclt.*
+.*(?i)Xwizard.*
+.*(?i)ADPlus.*
+.*(?i)AgentExecutor.*
+.*(?i)Appvlp.*
+.*(?i)Bginfo.*
+.*(?i)Cdb.*
+.*(?i)CoreGen.*
+.*(?i)CSI.*
+.*(?i)DefaultPack.*
+.*(?i)DevtoolsLauncher.*
+.*(?i)DNX.*
+.*(?i)Dotnet.*
+.*(?i)Dxcap.*
+.*(?i)NTDSUtil.*
+.*(?i)procdump.*
+.*(?i)psexec.*
+.*(?i)SqlDumper.*
+.*(?i)winrm.vbs.*
+.*(?i)powershell.*
\ No newline at end of file
diff --git a/config/regex/LOLBAS_paths.txt b/config/regex/LOLBAS_paths.txt
new file mode 100644
index 00000000..bf641bf6
--- /dev/null
+++ b/config/regex/LOLBAS_paths.txt
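Review bot: Every pattern in this new file is an unanchored, unbounded substring match, so short entries such as `.*(?i)At.*`, `.*(?i)Sc.*`, `.*(?i)Reg.*`, `.*(?i)HH.*`, `.*(?i)Print.*`, `.*(?i)Control.*`, `.*(?i)Expand.*` and `.*(?i)Replace.*` will fire on nearly any command line that contains those letter sequences (`update`, `script`, `registry`, and so on), which makes the list a source of noise rather than a usable LOLBAS indicator. Bounding each name with word boundaries and an optional extension, e.g. `(?i)\bAt(\.exe)?\b`, keeps the intent while removing most of the false positives; the leading `.*` is redundant if these patterns are applied with a search-style match, which I cannot confirm from this hunk. The dots in `Microsoft.Workflow.Compiler` and `winrm.vbs` are also unescaped and match any character, so `\.` would be consistent with the escaping used in `config/regex/detectlist_suspicous_services.txt` in this same patch.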
@@ -0,0 +1,118 @@
+.*(?i)AppInstaller.exe$
+.*(?i)Aspnet_Compiler.exe$
+.*(?i)At.exe$
+.*(?i)AtBroker.exe$
+.*(?i)Bash.exe$
+.*(?i)BitsAdmin.exe$
+.*(?i)CertOC.exe$
+.*(?i)CertReq.exe$
+.*(?i)CertUtil.exe$
+.*(?i)Cmd.exe$
+.*(?i)Cmdkey.exe$
+.*(?i)cmdl32.exe$
+.*(?i)Cmstp.exe$
+.*(?i)ConfigSecurityPolicy.exe$
+.*(?i)Control.exe$
+.*(?i)Csc.exe$
+.*(?i)Cscript.exe$
+.*(?i)DataSvcUtil.exe$
+.*(?i)DesktopImgDownldr.exe$
+.*(?i)DfSvc.exe$
+.*(?i)Diantz.exe$
+.*(?i)DiskShadow.exe$
+.*(?i)dllhost.exe$
+.*(?i)DnsCmd.exe$
+.*(?i)EsentUtl.exe$
+.*(?i)EventVwr.exe$
+.*(?i)Expand.exe$
+.*(?i)ExtExport.exe$
+.*(?i)Extrac32.exe$
+.*(?i)FindStr.exe$
+.*(?i)Finger.exe$
+.*(?i)FltMC.exe$
+.*(?i)ForFiles.exe$
+.*(?i)FTP.exe$
+.*(?i)GfxDownloadWrapper.exe$
+.*(?i)GpScript.exe$
+.*(?i)HH.exe$
+.*(?i)IMEWDBLD.exe$
+.*(?i)Ie4uInit.exe$
+.*(?i)IeExec.exe$
+.*(?i)ILASM.exe$
+.*(?i)InfDefaultInstall.exe$
+.*(?i)InstallUtil.exe$
+.*(?i)Jsc.exe$
+.*(?i)MakeCab.exe$
+.*(?i)MavInject.exe$
+.*(?i)Microsoft.Workflow.Compiler.exe$
+.*(?i)Mmc.exe$
+.*(?i)MpCmdRun.exe$
+.*(?i)Msbuild.exe$
+.*(?i)MsConfig.exe$
+.*(?i)Msdt.exe$
+.*(?i)Mshta.exe$
+.*(?i)MsiExec.exe$
+.*(?i)NetSh.exe$
+.*(?i)OdbcConf.exe$
+.*(?i)OfflineScannerShell.exe$
+.*(?i)OneDriveStandaloneUpdater.exe$
+.*(?i)Pcalua.exe$
+.*(?i)PcwRun.exe$
+.*(?i)PktMon.exe$
+.*(?i)PnpUtil.exe$
+.*(?i)PresentationHost.exe$
+.*(?i)Print.exe$
+.*(?i)PrintBrm.exe$
+.*(?i)Psr.exe$
+.*(?i)Rasautou.exe$
+.*(?i)Reg.exe$
+.*(?i)Regasm.exe$
+.*(?i)RegEdit.exe$
+.*(?i)RegIni.exe$
+.*(?i)Register-CimProvider.exe$
+.*(?i)RegSvcs.exe$
+.*(?i)RegSvr32.exe$
+.*(?i)Replace.exe$
+.*(?i)RpcPing.exe$
+.*(?i)RunDll32.exe$
+.*(?i)RunOnce.exe$
+.*(?i)RunScriptHelper.exe$
+.*(?i)Sc.exe$
+.*(?i)SchTasks.exe$
+.*(?i)ScriptRunner.exe$
+.*(?i)SettingSyncHost.exe$
+.*(?i)StorDiag.exe$
+.*(?i)SyncAppvPublishingServer.exe$
+.*(?i)TtdInject.exe$
+.*(?i)TtTracer.exe$
+.*(?i)VBC.exe$
+.*(?i)Verclsid.exe$
+.*(?i)ping.exe$
+.*(?i)ipconfig.exe$
+.*(?i)Wab.exe$
+.*(?i)Wmic.exe$
+.*(?i)WorkFolders.exe$
+.*(?i)Wscript.exe$
+.*(?i)WsReset.exe$
+.*(?i)Wuauclt.exe$
+.*(?i)Xwizard.exe$
+.*(?i)ADPlus.exe$
+.*(?i)AgentExecutor.exe$
+.*(?i)Appvlp.exe$
+.*(?i)Bginfo.exe$
+.*(?i)Cdb.exe$
+.*(?i)CoreGen.exe$
+.*(?i)CSI.exe$
+.*(?i)DefaultPack.exe$
+.*(?i)DevtoolsLauncher.exe$
+.*(?i)DNX.exe$
+.*(?i)Dotnet.exe$
+.*(?i)Dxcap.exe$
+.*(?i)NTDSUtil.exe$
+.*(?i)procdump.exe$
+.*(?i)psexec.exe$
+.*(?i)SqlDumper.exe$
+.*(?i)winrm.vbs.exe$
+.*(?i)powershell.exe$
+.*(?i)xcopy.exe$
+.*(?i)RoboCopy.exe$
\ No newline at end of file
diff --git a/config/regex/detectlist_suspicous_services.txt b/config/regex/detectlist_suspicous_services.txt
index a643b343..1d8f1570 100644
--- a/config/regex/detectlist_suspicous_services.txt
+++ b/config/regex/detectlist_suspicous_services.txt
@@ -1,16 +1,15 @@
 ^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
-^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$
 powershell.*FromBase64String.*IO.Compression.GzipStream
 DownloadString\(.http
-mimikatz
+.*(?i)mimikatz.*
+.*(?i)mimidvr.*
 Invoke-Mimikatz.ps
 PowerSploit.*ps1
-User-Agent [a-zA-Z0-9/+=]{500}
-powershell.exe.*Hidden.*Enc
+.*(?i)powershell.*
+.*(?i)cmd.*
 \\csc\.exe
 \\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
-# Generic cvtres.exe alert
 \\cvtres\.exe.*
 \\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
 ^[a-zA-Z]{22}$
From f9b02a65b69ad6fa93c21ec3cdc510d57f025924 Mon Sep 17 00:00:00 2001
From: Alan Smithee
Date: Tue, 22 Feb 2022 08:42:23 +0900
Subject: [PATCH 2/2] fixed test to change regex detectlist_suspicous_services.txt
---
src/detections/rule/matchers.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index ba4801cf..4a72914c 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
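Review bot: The patterns in this new file anchor only on the right (`.exe$`), so short names such as `.*(?i)At.exe$`, `.*(?i)Sc.exe$`, `.*(?i)HH.exe$` and `.*(?i)Reg.exe$` also match any executable whose name merely ends in those letters (`format.exe`, `disc.exe`, and the like); a path separator before the name, e.g. `.*(?i)\\At\.exe$`, pins the match to the file name itself. The `.` before `exe` is unescaped throughout and therefore matches any character rather than a literal dot, and `+.*(?i)winrm.vbs.exe$` can never match a real image path because `winrm.vbs` is a script rather than an executable — it looks carried over from `LOLBAS_commands.txt` and should be either `.*(?i)\\winrm\.vbs$` or dropped from the paths list. Whether `\\` is the right separator depends on how the path is normalised before matching, which this hunk does not show.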
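Review bot: The replacement lines `+.*(?i)powershell.*` and `+.*(?i)cmd.*` are much broader than the `powershell.exe.*Hidden.*Enc` they replace: any service whose image path or arguments merely contain `cmd` (`MpCmdRun`, for one) or `powershell` will now be reported as a suspicious service, so expect a jump in false positives on hosts that legitimately run script-based services. If the intent is to catch a shell registered as a service binary, `(?i)\\(cmd|powershell)\.exe` keeps the match on the executable name; if the broader sweep is intended, the rule that consumes this list should be reconsidered for severity in the same way the noisy-rules comment in this patch does for another rule. The removed `-# Generic cvtres.exe alert` line suggests comments may not be supported in this file, which would be worth stating in whatever documents the `config/regex/` format.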
@@ -644,13 +644,13 @@ mod tests {
 // regexes.txtの中身と一致していることを確認
 let csvcontent = &ancestor_matcher.regexes;
-assert_eq!(csvcontent.len(), 17);
+assert_eq!(csvcontent.len(), 16);
 assert_eq!(
 csvcontent[0].as_str().to_string(),
 r"^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$"
 );
 assert_eq!(
-csvcontent[14].as_str().to_string(),
+csvcontent[13].as_str().to_string(),
 r"\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp"
 );
 }
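Review bot: The two edited assertions (`assert_eq!(csvcontent.len(), 16);` and `csvcontent[13]`) pin the test to the exact line count and line position of entries in `config/regex/detectlist_suspicous_services.txt`, which is why this follow-up commit exists: every future edit to that config file will break the test again without catching a real regression. Asserting on content rather than position, e.g. `assert!(csvcontent.iter().any(|r| r.as_str() == r"\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp"));` together with `assert!(!csvcontent.is_empty());`, keeps the test's intent while decoupling it from the file's layout. The enclosing test function begins outside the hunk, and the comment on its first visible line still refers to `regexes.txt` although, going by the commit subject, the file being loaded appears to be the detectlist; updating that comment would save the next reader a detour.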