From 37ebb046fa73ebee3f19958c67baa6004bc3bf82 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 22 Jul 2021 22:47:07 +0900
Subject: [PATCH] Feature/appendalias#124 (#132)

* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* under constructing
* add statistics template
* fix
* add comment
* add condition impl #93
* fix erased get_descendants and remove unnecessaly struct #93
* erased finished TODO comment
* erased finished TODO comment
* Revert "fix erased get_descendants and remove unnecessaly struct #93"

  This reverts commit 82e905e04525df7ce5af37272e4d8525c0b2504f.

  Revert "add condition impl #93"

  This reverts commit 19ecc87377736c0902a2e07ea798189cc642a620.

* add doc comment to rule function
* fix and add test doc comment
* add doc to AggregationParseInfo
* add struct count in aggregation condition. #93
* add evaluate aggregation condition func provisional architecture. #93
* add countup function #93
* fix key to count hashmap #93
* add judge aggregation condition function #93
* fix error #93
* fix test #93
* share compile error ver
* fix detection.rs compile error
* fix timeframe parse
* add countup process in select
* fix select argument
* add test countup
* add test count judge #93
* add SIGMA windows count field and by keyword #93
* fix reference record in countup/judgecount #93
* add timedata in countup schema #93
* Refact: split code for matcher from rule.rs
* Refact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* add count to detection #93
* fix compile error
* fix source to test ng. #93
* erase unused variable #93
* fix count architecture #93
* fix comment and compile error
* erase dust (response to review)
* erase dust (response to review)
* reduce calling Rulenode function (response to review)
* add aggregation output func
* erase dust (response to review) and add agg condition String func
* change error output
* reduce call RuleNode function (response to review)
* To reduce call RuleNode function
* fix test name
* fix conflicted resolve miss
* add code comment in timeframe count.
* add sort record timedata in timeframe (response to review)
* fix unnecessary result in ArgResult
* add no field and by value count test
* create count test no field and by with timeframe
* erase duplicated timeframe data in RuleNode
* fix test error no field and no by count with timeframe
* fix test name
* add test case of exist field and by count.
* fix by count test and add test count other value in timeframe
* add test
* fix judge_timeframe logic when index out
* fix test name and add count test field and by with timeframe
* adjust #120
* move associated count function from rulenode
* fix error when resolve conflict
* adjust T1197_bitsjob_started
* fix no output bug if exist output
* add alias to adapt SIGMA Rules #124
* add rule to bitsjob #130
* decide sha1 is excepted #124
* prepare merge main

Co-authored-by: HajimeTakai
Co-authored-by: itiB
---
 config/eventkey_alias.txt | 125 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 125 insertions(+)

diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 5e409da8..d9c80774 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -43,5 +43,130 @@ Image,Event.EventData.Image ParentImage,Event.EventData.ParentImage MachineName,Event.EventData.MachineName QueryName,Event.EventData.QueryName +Accesses,Event.EventData.Accesses +AccessList,Event.EventData.AccessList +AccessMask,Event.EventData.AccessMask +AccountName,Event.EventData.AccountName +AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo +AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName +AttributeValue,Event.EventData.AttributeValue +AuditPolicyChanges,Event.EventData.AuditPolicyChanges +AuditSourceName,Event.EventData.AuditSourceName +AuthenticationPackageName,Event.EventData.AuthenticationPackageName +AuthenticationPackageName,Event.EventData.AuthenticationPackageName +CallingProcessName,Event.EventData.CallingProcessName +CallTrace,Event.EventData.CallTrace +CommandLine,Event.EventData.CommandLine +Company,Event.EventData.Company +ContextInfo,Event.EventData.ContextInfo +CurrentDirectory,Event.EventData.CurrentDirectory +Description,Event.EventData.Description +Destination,Event.EventData.Destination +DestinationAddress,Event.EventData.DestinationAddress +DestinationHostname,Event.EventData.DestinationHostname +DestinationIp,Event.EventData.DestinationIp +DestinationIsIpv6,Event.EventData.DestinationIsIpv6 +DestinationPort,Event.EventData.DestinationPort +DestPort,Event.EventData.DestPort +Details,Event.EventData.Details +DetectionSource,Event.EventData.DetectionSource +Device,Event.EventData.Device +DeviceClassName,Event.EventData.DeviceClassName +DeviceDescription,Event.EventData.DeviceDescription +DeviceName,Event.EventData.DeviceName +EngineVersion,Event.EventData.EngineVersion +EventID,Event.System.EventID +EventType,Event.EventData.EventType +FailureCode,Event.EventData.FailureCode +FileVersion,Event.EventData.FileVersion +GrantedAccess,Event.EventData.GrantedAccess +GroupName,Event.EventData.GroupName +GroupSid,Event.EventData.GroupSid +Hashes,Event.EventData.Hashes +HiveName,Event.EventData.HiveName 
+HostApplication,Event.EventData.HostApplication +HostName,Event.EventData.HostName +HostVersion,Event.EventData.HostVersion +Image,Event.EventData.Image +ImageLoaded,Event.EventData.ImageLoaded +ImagePath,Event.EventData.ImagePath +Imphash,Event.EventData.Hashes +Initiated,Event.EventData.Initiated +IntegrityLevel,Event.EventData.IntegrityLevel +IpAddress,Event.EventData.IpAddress +KeyLength,Event.EventData.KeyLength +Keywords,Event.System.Keywords +keywords,Event.System.Keywords +LayerRTID,Event.EventData.LayerRTID +LDAPDisplayName,Event.EventData.LDAPDisplayName +Level,Event.System.Level +LogonId,Event.EventData.LogonId +LogonProcessName,Event.EventData.LogonProcessName +LogonType,Event.EventData.LogonType +Message,Event.EventData +NewName,Event.EventData.NewName +NewValue,Event.EventData.NewValue +ObjectClass,Event.EventData.ObjectClass +ObjectName,Event.EventData.ObjectName +ObjectServer,Event.EventData.ObjectServer +ObjectType,Event.EventData.ObjectType +ObjectValueName,Event.EventData.ObjectValueName +Origin,Event.EventData.Origin +OriginalFilename,Event.EventData.OriginalFileName +OriginalFileName,Event.EventData.OriginalFileName +ParentCommandLine,Event.EventData.ParentCommandLine +ParentImage,Event.EventData.ParentImage +ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel +ParentUser,Event.EventData.ParentUser +PasswordLastSet,Event.EventData.PasswordLastSet +Path,Event.EventData.Path +Payload,Event.EventData.Payload +PipeName,Event.EventData.PipeName +PrivilegeList,Event.EventData.PrivilegeList +ProcessCommandLine,Event.EventData.ProcessCommandLine +ProcessName,Event.EventData.ProcessName +Product,Event.EventData.Product +Properties,Event.EventData.Properties +QNAME,Event.EventData.QNAME +QueryName,Event.EventData.QueryName +QueryResults,Event.EventData.QueryResults +QueryStatus,Event.EventData.QueryStatus +RelativeTargetName,Event.EventData.RelativeTargetName +SAMAccountName,Event.EventData.SamAccountName 
+ScriptBlockText,Event.EventData.ScriptBlockText +service,Event.EventData.Service +Service,Event.EventData.Service +ServiceFileName,Event.EventData.ServiceFileName +ServiceName,Event.EventData.ServiceName +ServicePrincipalNames,Event.EventData.ServicePrincipalNames +ShareName,Event.EventData.ShareName +SidHistory,Event.EventData.SidHistory +Signature,Event.EventData.Signature +Signed,Event.EventData.Signed +Source,Event.System.Provider_Name +SourceAddress,Event.EventData.SourceAddress +SourceImage,Event.EventData.SourceImage +SourceNetworkAddress,Event.EventData.SourceNetworkAddress +SourcePort,Event.EventData.SourcePort +StartFunction,Event.EventData.StartFunction +StartModule,Event.EventData.StartModule +Status,Event.EventData.Status +SubjectDomainName,Event.EventData.SubjectDomainName +SubjectLogonId,Event.EventData.SubjectLogonId +SubjectUserName,Event.EventData.SubjectUserName +SubjectUserSid,Event.EventData.SubjectUserSid +TargetFilename,Event.EventData.TargetFilename +TargetImage,Event.EventData.TargetImage +TargetLogonId,Event.EventData.TargetLogonId +TargetName,Event.EventData.TargetServerName +TargetObject,Event.EventData.TargetObject +TargetProcessAddress,Event.EventData.TargetProcessAddress +TargetUserName,Event.EventData.TargetUserName +TaskName,Event.EventData.TaskName +TicketEncryptionType,Event.EventData.TicketEncryptionType +TicketOptions,Event.EventData.TicketOptions +User,Event.EventData.User +Workstation,Event.EventData.Workstation +WorkstationName,Event.EventData.WorkstationName JobTitle,Event.EventData.name Url,Event.EventData.url
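Review bot: this hunk introduces duplicate alias keys: `+AuthenticationPackageName,Event.EventData.AuthenticationPackageName` appears twice among the added lines, and `Image`, `ParentImage` and `QueryName` are added again although the unchanged context lines at the top of the hunk already define them with the same targets. Whichever occurrence the loader keeps, the repeats are noise and will silently override each other if one copy is ever edited; drop them, or have the loader reject a key that is defined twice. The case-variant pairs (`Keywords`/`keywords`, `service`/`Service`, `OriginalFilename`/`OriginalFileName`) suggest the alias lookup is case-sensitive; a case-insensitive lookup would cover Sigma rules written in either spelling without a separate entry per variant. Two mappings also need a comment or a second look: `+Imphash,Event.EventData.Hashes` points a single-hash alias at the general `Hashes` field rather than a dedicated one, which only works if the matcher does substring matching on that value, and `+Message,Event.EventData` maps to a non-leaf node instead of a field, unlike every other entry in the file.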