Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
@@ -0,0 +1,35 @@
+
+title: Suspicious Cobalt Strike DNS Beaconing
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/09
+description: Detects a program that invoked suspicious DNS queries known from Cobalt
+  Strike beacons
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    QueryName:
+    - aaa.stage.*
+    - post.1*
+  SELECTION_3:
+    QueryName: '*.stage.123456.*'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- Image
+- CommandLine
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+level: critical
+logsource:
+  category: dns_query
+  product: windows
+references:
+- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
@@ -0,0 +1,52 @@
+
+title: Suspicious DNS Query for IP Lookup Service APIs
+ruletype: Sigma
+author: Brandon George (blog post), Thomas Patzke (rule)
+date: 2021/07/08
+description: Detects DNS queries for ip lookup services such as api.ipify.org not
+  originating from a browser process.
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    QueryName:
+    - canireachthe.net
+    - ipv4.icanhazip.com
+    - ip.anysrc.net
+    - edns.ip-api.com
+    - wtfismyip.com
+    - checkip.dyndns.org
+    - api.2ip.ua
+    - icanhazip.com
+    - api.ipify.org
+    - ip-api.com
+    - checkip.amazonaws.com
+    - ipecho.net
+    - ipinfo.io
+    - ipv4bot.whatismyipaddress.com
+    - freegeoip.app
+  SELECTION_3:
+    Image:
+    - '*\chrome.exe'
+    - '*\iexplore.exe'
+    - '*\firefox.exe'
+    - '*\brave.exe'
+    - '*\opera.exe'
+    - '*\msedge.exe'
+    - '*\vivaldi.exe'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- Legitimate usage of ip lookup services such as ipify API
+id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
+level: medium
+logsource:
+  category: dns_query
+  product: windows
+modified: 2021/09/10
+references:
+- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
+- https://twitter.com/neonprimetime/status/1436376497980428318
+status: experimental
+tags:
+- attack.reconnaissance
+- attack.t1590
@@ -0,0 +1,29 @@
+
+title: DNS HybridConnectionManager Service Bus
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Detects Azure Hybrid Connection Manager services querying the Azure service
+  bus service
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    QueryName: '*servicebus.windows.net*'
+  SELECTION_3:
+    Image: '*HybridConnectionManager*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
+id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+level: high
+logsource:
+  category: dns_query
+  product: windows
+modified: 2021/06/10
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
+- attack.t1554
@@ -0,0 +1,25 @@
+
+title: DNS Query for MEGA.io Upload Domain
+ruletype: Sigma
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    QueryName: '*userstorage.mega.co.nz*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Mega upload
+id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+level: high
+logsource:
+  category: dns_query
+  product: windows
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
@@ -0,0 +1,77 @@
+
+title: Possible DNS Rebinding
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects several different DNS-answers by one domain with IPs from internal
+  and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved
+  in host cache for a while TTL).
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    QueryName: '*'
+  SELECTION_3:
+    QueryStatus: '0'
+  SELECTION_4:
+    QueryResults:
+    - (::ffff:)?10.*
+    - (::ffff:)?192.168.*
+    - (::ffff:)?172.16.*
+    - (::ffff:)?172.17.*
+    - (::ffff:)?172.18.*
+    - (::ffff:)?172.19.*
+    - (::ffff:)?172.20.*
+    - (::ffff:)?172.21.*
+    - (::ffff:)?172.22.*
+    - (::ffff:)?172.23.*
+    - (::ffff:)?172.24.*
+    - (::ffff:)?172.25.*
+    - (::ffff:)?172.26.*
+    - (::ffff:)?172.27.*
+    - (::ffff:)?172.28.*
+    - (::ffff:)?172.29.*
+    - (::ffff:)?172.30.*
+    - (::ffff:)?172.31.*
+    - (::ffff:)?127.*
+  SELECTION_5:
+    QueryName: '*'
+  SELECTION_6:
+    QueryStatus: '0'
+  SELECTION_7:
+    QueryResults:
+    - (::ffff:)?10.*
+    - (::ffff:)?192.168.*
+    - (::ffff:)?172.16.*
+    - (::ffff:)?172.17.*
+    - (::ffff:)?172.18.*
+    - (::ffff:)?172.19.*
+    - (::ffff:)?172.20.*
+    - (::ffff:)?172.21.*
+    - (::ffff:)?172.22.*
+    - (::ffff:)?172.23.*
+    - (::ffff:)?172.24.*
+    - (::ffff:)?172.25.*
+    - (::ffff:)?172.26.*
+    - (::ffff:)?172.27.*
+    - (::ffff:)?172.28.*
+    - (::ffff:)?172.29.*
+    - (::ffff:)?172.30.*
+    - (::ffff:)?172.31.*
+    - (::ffff:)?127.*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
+    and SELECTION_6) and  not (SELECTION_7)) | count(QueryName) by ComputerName >
+    3
+  timeframe: 30s
+id: eb07e747-2552-44cd-af36-b659ae0958e4
+level: medium
+logsource:
+  category: dns_query
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+status: test
+tags:
+- attack.initial_access
+- attack.t1189
@@ -0,0 +1,41 @@
+
+title: Regsvr32 Network Activity
+ruletype: Sigma
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    Image: '*\regsvr32.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: 36e037c4-c228-4866-b6a3-48eb292b9955
+level: high
+logsource:
+  category: dns_query
+  product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+related:
+- id: c7e91a02-d771-4a6d-a700-42587e0b1095
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
@@ -0,0 +1,29 @@
+
+title: AppInstaller Attempts From URL by DNS
+ruletype: Sigma
+author: frack113
+date: 2021/11/24
+description: AppInstaller.exe is spawned by the default handler for the URI, it attempts
+  to load/install a package from the URL
+detection:
+  SELECTION_1:
+    EventID: 22
+  SELECTION_2:
+    Image: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*
+  SELECTION_3:
+    Image: '*\AppInstaller.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
+level: medium
+logsource:
+  category: dns_query
+  product: windows
+references:
+- https://twitter.com/notwhickey/status/1333900137232523264
+- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1105