fixed test

This commit is contained in:
DustInDark
2022-06-21 15:25:20 +09:00
parent b4ef082525
commit 5a9d33c565
10 changed files with 21 additions and 111 deletions

View File

@@ -1,5 +1,5 @@
title: Sysmon Check command lines
id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
title: Excluded Rule Test 1
id : 00000000-0000-0000-0000-000000000000
description: hogehoge
enabled: true
author: Yea
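Review bot: the fixture's `description: hogehoge` and `author: Yea` lines at the end of this hunk carry no information about what the test expects; since the rule is now titled `Excluded Rule Test 1`, a one-line description of the expected behaviour (for example, that this rule must never produce a detection when the exclusion list is applied) would make the fixture self-documenting. Note also that the id is reset to `00000000-0000-0000-0000-000000000000`, and the same all-zero id is given to `Excluded Rule 2` through `Excluded Rule 5` in this commit; if exclusion is keyed on the id, the commit message should say so, and if the rule loader rejects duplicate ids, these fixtures would fail for a reason other than the one under test.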

View File

@@ -1,13 +1,10 @@
title: Possible Exploitation of Exchange RCE CVE-2021-42321
author: Florian Roth, @testanull
title: Excluded Rule 2
date: 2021/11/18
description: Detects log entries that appear in exploitation attempts against MS Exchange
RCE CVE-2021-42321
detection:
condition: 'Cmdlet failed. Cmdlet Get-App, '
falsepositives:
- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
id: 00000000-0000-0000-0000-000000000000
level: critical
logsource:
product: windows
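Review bot: the `condition:` in this hunk holds a literal string, `'Cmdlet failed. Cmdlet Get-App, '`, rather than a reference to a named selection as every other fixture in this commit does (`SELECTION_1 ...`); if the parser is expected to reject a condition that is not a selection expression, this fixture exercises the parse-error path and not the exclusion path. Either add a keyword selection and point the condition at it, or state in a comment that the malformed condition is intentional. The retitled `Excluded Rule 2` also keeps the CVE-2021-42321 description and the SigmaHQ false-positive link from the original rule, which no longer describe what the file is for.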
@@ -15,7 +12,4 @@ logsource:
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
status: experimental
tags:
- attack.lateral_movement
- attack.t1210
ruletype: SIGMA

View File

@@ -1,8 +1,5 @@
title: Hidden Local User Creation
author: Christian Burkard
title: Excluded Rule 3
date: 2021/05/03
description: Detects the creation of a local hidden user account which should not
happen for event ID 4720.
detection:
SELECTION_1:
EventID: 4720
@@ -14,7 +11,7 @@ falsepositives:
fields:
- EventCode
- AccountName
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
id: 00000000-0000-0000-0000-000000000000
level: high
logsource:
product: windows
@@ -22,7 +19,4 @@ logsource:
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
status: experimental
tags:
- attack.persistence
- attack.t1136.001
ruletype: SIGMA

View File

@@ -1,8 +1,5 @@
title: User Added to Local Administrators
author: Florian Roth
title: Excluded Rule 4
date: 2017/03/14
description: This rule triggers on user accounts that are added to the local Administrators
group, which could be legitimate activity or a sign of privilege escalation activity
detection:
SELECTION_1:
EventID: 4732
@@ -13,18 +10,11 @@ detection:
SELECTION_4:
SubjectUserName: '*$'
condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
falsepositives:
- Legitimate administrative activity
id: c265cf08-3f99-46c1-8d59-328247057d57
id: 00000000-0000-0000-0000-000000000000
level: medium
logsource:
product: windows
service: security
modified: 2021/07/07
status: stable
tags:
- attack.privilege_escalation
- attack.t1078
- attack.persistence
- attack.t1098
ruletype: SIGMA

View File

@@ -1,9 +1,5 @@
title: Local User Creation
author: Patrick Bareiss
title: Excluded Rule 5
date: 2019/04/18
description: Detects local user creation on windows servers, which shouldn't happen
in an Active Directory environment. Apply this Sigma Use Case on your windows server
logs and not on your DC logs.
detection:
SELECTION_1:
EventID: 4720
@@ -15,7 +11,7 @@ fields:
- EventCode
- AccountName
- AccountDomain
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
id: 00000000-0000-0000-0000-000000000000
level: low
logsource:
product: windows
@@ -24,8 +20,4 @@ modified: 2020/08/23
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
status: experimental
tags:
- attack.persistence
- attack.t1136
- attack.t1136.001
ruletype: SIGMA

View File

@@ -1,7 +1,5 @@
title: WMI Event Subscription
author: Tom Ueltschi (@c_APT_ure)
title: Noisy Rule Test1
date: 2019/01/12
description: Detects creation of WMI event subscription persistence method
detection:
SELECTION_1:
EventID: 19
@@ -12,7 +10,7 @@ detection:
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
falsepositives:
- exclude legitimate (vetted) use of WMI event subscription in your network
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
id: 0090ea60-f4a2-43a8-8657-3a9a4ddcf547
level: high
logsource:
category: wmi_event
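Review bot: this hunk replaces the id `0f06a3a5-6a09-413f-8743-e6cf35561297` with a fresh id `0090ea60-f4a2-43a8-8657-3a9a4ddcf547`, whereas the `Excluded Rule` fixtures earlier in this commit all receive the all-zero id; the two conventions are fine if the noisy-rule list is keyed on distinct ids and the exclusion list is not, but the commit message `fixed test` does not say so. A sentence explaining which list each fixture is expected to match, and by which id, would save the next reader from working it out from the config files.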

View File

@@ -1,9 +1,6 @@
title: Rare Schtasks Creations
author: Florian Roth
title: Noisy Rule Test2
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per
time frame and could reveal password dumpers, backdoor installs or other types of
malicious code
description: excluded rule
detection:
SELECTION_1:
EventID: 4698
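Review bot: the new `description: excluded rule` line in this hunk contradicts the new title `Noisy Rule Test2` on the same file; if the fixture is meant to be matched by the noisy-rule list, the description should say that, otherwise one of the two lines is wrong and a test that checks the rule's classification from its metadata could pick up the mismatch. Suggest `description: noisy rule` (or a sentence stating the expected outcome) to match the title.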
@@ -11,21 +8,6 @@ detection:
falsepositives:
- Software installation
- Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
id: 8b8db936-172e-4bb7-9f84-ccc954d51d93
level: low
logsource:
definition: The Advanced Audit Policy setting Object Access > Audit Other Object
Access Events has to be configured to allow this detection (not in the baseline
recommendations by Microsoft). We also recommend extracting the Command field
from the embedded XML in the event data.
product: windows
service: security
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
ruletype: SIGMA

View File

@@ -1,26 +1,13 @@
title: Rare Service Installs
author: Florian Roth
title: Noisy Rule Test 3
date: 2017/03/08
description: Detects rare service installs that only appear a few times per time frame
and could reveal password dumpers, backdoor installs or other types of malicious
services
detection:
SELECTION_1:
EventID: 7045
condition: SELECTION_1 | count() by ServiceFileName < 5
falsepositives:
- Software installation
- Software updates
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
id: 1703ba97-b2c2-4071-a241-a16d017d25d3
level: low
logsource:
product: windows
service: system
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
- attack.t1543.003
ruletype: SIGMA
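Review bot: the aggregation in this fixture is written `count() by ServiceFileName < 5`, with an empty argument list, while `Noisy Rule Test 4` and `Noisy Rule Test 5` use `count(TargetUserName) by ... > 3`; if the noisy-rule test is intended to cover both the argument-less and the field-argument forms of `count`, that is worth stating in the description, and if only one form is supported the fixture should use it, since the hunk header `-1,26 +1,13` shows half of this file was dropped and the detection block is all that is left to characterise the rule.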

View File

@@ -1,8 +1,5 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
title: Noisy Rule Test 4
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 529
@@ -14,20 +11,11 @@ detection:
WorkstationName: '*'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
id: 9f5663ce-6205-4753-b486-fb8498d1fae5
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
ruletype: SIGMA
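Review bot: the `condition:` in this hunk is split across two lines, with `by WorkstationName > 3` on the line after `| count(TargetUserName)`; the rendering here drops indentation, so please confirm that the continuation line is indented deeper than the `condition` key in the file, because a plain YAML scalar only folds onto the next line when it is indented, and an unindented continuation would fail to parse rather than test the aggregation. Keeping the whole condition on one line avoids the question.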

View File

@@ -1,8 +1,5 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
title: Noisy Rule Test 5
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 4776
@@ -12,23 +9,11 @@ detection:
Workstation: '*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
by Workstation > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
id: 3546ce10-19b4-4c4c-9658-f4f3b5d27ae9
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
related:
- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
type: derived
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
ruletype: SIGMA
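Review bot: the `related:` entry in this hunk still points at `e98374a6-e2d9-4076-9b5c-11bdb2569995`, which is the id that `Noisy Rule Test 4` gave up in this same commit (it is now `9f5663ce-6205-4753-b486-fb8498d1fae5`); if `related` is retained after the twelve lines this hunk removes, the reference now dangles. Either update it to the new id or drop the `related` block from the fixture, since nothing in the test appears to depend on it.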