Hotfix/moved rule configs to hayabusa rules repo#409 (#414)

* fixed target config path #409

* fixed target config file path in test #409

* fixed rules target #409

* Documentation fix, deleted unneeded config files

* added workflow

* changed submodule option

* fixed workflow to ref submodule

* fixed gitmodules

* fixed workflow

* check code insert

* added update submodules command

* test rules update

* removed test runs

* fixed error

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Author: DustInDark
Date: 2022-02-26 18:19:19 +09:00
Committed by: GitHub
Parent: 02b1d7f07c
Commit: 92c472d451
19 changed files with 39 additions and 515 deletions

View File

@@ -15,6 +15,8 @@ jobs:
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
- uses: actions-rs/toolchain@v1
with:
toolchain: nightly

View File

@@ -290,7 +290,7 @@ OPTIONS:
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
* 廃棄(deprecated)されたルール(`status``deprecated`になっているルール)とノイジールール(`.\config\noisy-rules.txt`にルールIDが書かれているルール)を有効にします:
* 廃棄(deprecated)されたルール(`status``deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv
@@ -413,9 +413,9 @@ Sigmaルールは、最初にHayabusaルール形式に変換する必要があ
ファイアウォールやIDSと同様に、シグネチャベースのツールは、環境に合わせて調整が必要になるため、特定のルールを永続的または一時的に除外する必要がある場合があります。
ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `config/exclude-rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `rules\config\exclude_rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
ルールIDを `config/noisy-rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
ルールIDを `rules\config\noisy_rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
## イベントIDフィルタリング

View File

@@ -286,7 +286,7 @@ OPTIONS:
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\config\noisy-rules.txt`):
* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv
@@ -407,13 +407,13 @@ Sigma rules need to first be converted to hayabusa rule format explained [here](
Like firewalls and IDSes, any signature-based tool will require some tuning to fit your environment so you may need to permanently or temporarily exclude certain rules.
You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `config/exclude-rules.txt` in order to ignore any rule that you do not need or cannot be used.
You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `rules\config\exclude_rules.txt` in order to ignore any rule that you do not need or cannot be used.
You can also add a rule ID to `config/noisy-rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
You can also add a rule ID to `rules\config\noisy_rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
## Event ID filtering
You can filter on event IDs by placing event ID numbers in `config/target_eventids.txt`.
You can filter on event IDs by placing event ID numbers in `config\target_eventids.txt`.
This will increase performance so it is recommended if you only need to search for certain IDs.
We have provided a sample ID filter list at [`config/target_eventids_sample.txt`](https://github.com/Yamato-Security/hayabusa/blob/main/config/target_eventids_sample.txt) created from the `EventID` fields in all of the rules as well as IDs seen in actual results.
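Review bot: the rename from `config/exclude-rules.txt` and `config/noisy-rules.txt` to `rules\config\exclude_rules.txt` and `rules\config\noisy_rules.txt` (hyphen to underscore, and a new directory) means any rule IDs users have added to the old files will silently stop being honoured; add a migration sentence to this section telling them to move their entries. Also, the event ID filter path in this hunk switches to `config\target_eventids.txt` with a backslash while the sample-list link two lines below keeps `config/target_eventids_sample.txt`; pick one separator for the README.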

View File

@@ -1,190 +0,0 @@
AccessList,Event.EventData.AccessList
AccessMask,Event.EventData.AccessMask
Accesses,Event.EventData.Accesses
AccountName,Event.EventData.AccountName
Account_Name,Event.EventData.Account_Name
AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
AttributeValue,Event.EventData.AttributeValue
AuditPolicyChanges,Event.EventData.AuditPolicyChanges
AuditSourceName,Event.EventData.AuditSourceName
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
CallTrace,Event.EventData.CallTrace
CallerProcessName,Event.EventData.CallerProcessName
Caller_Process_Name,Event.EventData.Caller_Process_Name
CallingProcessName,Event.EventData.CallingProcessName
CategoryName,Event.EventData.Category Name
CertThumbprint,Event.EventData.CertThumbprint
Channel,Event.System.Channel
ClassName,Event.EventData.ClassName
Client_Address,Event.EventData.Client_Address
CommandLine,Event.EventData.CommandLine
Company,Event.EventData.Company
Computer,Event.System.Computer
ComputerName,Event.System.Computer
ContextInfo,Event.EventData.ContextInfo
CurrentDirectory,Event.EventData.CurrentDirectory
Description,Event.EventData.Description
DestAddress,Event.EventData.DestAddress
DestPort,Event.EventData.DestPort
Destination,Event.EventData.Destination
DestinationAddress,Event.EventData.DestinationAddress
DestinationHostname,Event.EventData.DestinationHostname
DestinationIp,Event.EventData.DestinationIp
DestinationIsIpv6,Event.EventData.DestinationIsIpv6
DestinationPort,Event.EventData.DestinationPort
Details,Event.EventData.Details
DetectionSource,Event.EventData.DetectionSource
DetectionUser,Event.EventData.Detection User
Device,Event.EventData.Device
DeviceClassName,Event.EventData.DeviceClassName
DeviceDescription,Event.EventData.DeviceDescription
DeviceName,Event.EventData.DeviceName
DomainName,Event.EventData.SubjectDomainName
EngineVersion,Event.EventData.EngineVersion
ErrorCode,Event.EventData.ErrorCode
EventID,Event.System.EventID
EventType,Event.EventData.EventType
FailureCode,Event.EventData.FailureCode
FilePath,Event.EventData.FilePath
FileVersion,Event.EventData.FileVersion
Filename,Event.EventData.Filename
GrantedAccess,Event.EventData.GrantedAccess
GroupName,Event.EventData.GroupName
GroupSid,Event.EventData.GroupSid
Hashes,Event.EventData.Hashes
HiveName,Event.EventData.HiveName
HostApplication,Event.EventData.HostApplication
HostName,Event.EventData.HostName
HostVersion,Event.EventData.HostVersion
Image,Event.EventData.Image
ImageLoaded,Event.EventData.ImageLoaded
ImagePath,Event.EventData.ImagePath
Imphash,Event.EventData.Hashes
Initiated,Event.EventData.Initiated
InstanceID,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId
IntegrityLevel,Event.EventData.IntegrityLevel
IpAddress,Event.EventData.IpAddress
IpPort,Event.EventData.IpPort
JobTitle,Event.EventData.name
KeyLength,Event.EventData.KeyLength
Keywords,Event.System.Keywords
LDAPDisplayName,Event.EventData.LDAPDisplayName
LayerRTID,Event.EventData.LayerRTID
Level,Event.System.Level
LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
LogonId,Event.EventData.LogonId
LogonProcessName,Event.EventData.LogonProcessName
LogonType,Event.EventData.LogonType
Logon_Account,Event.EventData.Logon_Account
MachineName,Event.EventData.MachineName
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
Message,Event.EventData
NewName,Event.EventData.NewName
NewTemplateContent, Event.EventData.NewTemplateContent
NewUacValue,Event.EventData.NewUacValue
NewValue,Event.EventData.NewValue
New_Value,Event.EventData.New Value
NewProcessName,Event.EventData.NewProcessName
NewProcessId,Event.EventData.NewProcessId
ObjectClass,Event.EventData.ObjectClass
ObjectName,Event.EventData.ObjectName
ObjectServer,Event.EventData.ObjectServer
ObjectType,Event.EventData.ObjectType
ObjectValueName,Event.EventData.ObjectValueName
OldUacValue,Event.EventData.OldUacValue
Origin,Event.EventData.Origin
OriginalFileName,Event.EventData.OriginalFileName
param1,Event.EventData.param1
param2,Event.EventData.param2
param3,Event.EventData.param3
param4,Event.EventData.param4
param5,Event.EventData.param5
ParentCommandLine,Event.EventData.ParentCommandLine
ParentImage,Event.EventData.ParentImage
ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
ParentProcessName,Event.EventData.ParentProcessName
ParentUser,Event.EventData.ParentUser
PasswordLastSet,Event.EventData.PasswordLastSet
Path,Event.EventData.Path
Payload,Event.EventData.Payload
PipeName,Event.EventData.PipeName
PreAuthType,Event.EventData.PreAuthType
PrivilegeList,Event.EventData.PrivilegeList
ProcessCommandLine,Event.EventData.ProcessCommandLine
ProcessId,Event.EventData.ProcessId
ProcessName,Event.EventData.ProcessName
Product,Event.EventData.Product
Properties,Event.EventData.Properties
ProviderName,Event.System.Provider_Name
Provider_Name,Event.System.Provider_Name
QNAME,Event.EventData.QNAME
QueryName,Event.EventData.QueryName
QueryResults,Event.EventData.QueryResults
QueryStatus,Event.EventData.QueryStatus
RelativeTargetName,Event.EventData.RelativeTargetName
RuleName,Event.EventData.RuleName
SAMAccountName,Event.EventData.SamAccountName
ScriptBlockText,Event.EventData.ScriptBlockText
SearchFilter,Event.System.SearchFilter
ServerName,Event.System.ServerName
Service,Event.EventData.Service
ServiceFileName,Event.EventData.ServiceFileName
ServiceName,Event.EventData.ServiceName
ServicePrincipalNames,Event.EventData.ServicePrincipalNames
ServiceStartType,Event.EventData.ServiceStartType
ServiceType,Event.EventData.ServiceType
SeverityName,Event.EventData.Severity Name
ShareLocalPath,Event.EventData.ShareLocalPath
ShareName,Event.EventData.ShareName
SidHistory,Event.EventData.SidHistory
Signature,Event.EventData.Signature
Signed,Event.EventData.Signed
Source,Event.System.Provider_Name
SourceAddress,Event.EventData.SourceAddress
SourceImage,Event.EventData.SourceImage
SourceNetworkAddress,Event.EventData.SourceNetworkAddress
SourcePort,Event.EventData.SourcePort
Source_Name,Event.EventData.Source Name
Source_Network_Address,Event.EventData.Source_Network_Address
Source_WorkStation,Event.EventData.Source_WorkStation
StartAddress,Event.EventData.StartAddress
StartFunction,Event.EventData.StartFunction
StartModule,Event.EventData.StartModule
StartType,Event.EventData.StartType
State,Event.EventData.State
Status,Event.EventData.Status
SubStatus,Event.EventData.SubStatus
SubjectDomainName,Event.EventData.SubjectDomainName
SubjectLogonId,Event.EventData.SubjectLogonId
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
TargetDomainName,Event.EventData.TargetDomainName
TargetFilename,Event.EventData.TargetFilename
TargetInfo,Event.EventData.TargetInfo
TargetImage,Event.EventData.TargetImage
TargetLogonId,Event.EventData.TargetLogonId
TargetName,Event.EventData.TargetServerName
TargetObject,Event.EventData.TargetObject
TargetProcessAddress,Event.EventData.TargetProcessAddress
TargetServerName,Event.EventData.TargetServerName
TargetSid,Event.EventData.TargetSid
TargetUserName,Event.EventData.TargetUserName
TaskName,Event.EventData.TaskName
TemplateContent,Event.EventData.TemplateContent
ThreatName,Event.EventData.Threat Name
TicketEncryptionType,Event.EventData.TicketEncryptionType
TicketOptions,Event.EventData.TicketOptions
Url,Event.EventData.url
User,Event.EventData.User
UserName,Event.EventData.UserName
Value, Event.EventData.Value
WindowsDefenderProcessName,Event.EventData.Process Name
Workstation,Event.EventData.Workstation
WorkstationName,Event.EventData.WorkstationName
param1,Event.EventData.param1
param2,Event.EventData.param2
provider_Name,Event.EventData.Provider_Name
service,Event.EventData.Service
sha1,Event.EventData.Hashes_sha1
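Review bot: before relying on the copy of this alias file in the rules submodule, check that its duplicate and malformed rows were not carried over: `param1` and `param2` are defined twice (once in the middle of the list and again at the bottom), `service` duplicates `Service`, and `NewTemplateContent, Event.EventData.NewTemplateContent` and `Value, Event.EventData.Value` have a stray space after the comma. With duplicate keys in a CSV alias map whichever row loads last wins, and the leading space becomes part of the event key unless the loader trims it.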

View File

@@ -1,18 +0,0 @@
# Cannot parse rule or generates errors:
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # "MSExchange Transport Agent Installation"
b20f6158-9438-41be-83da-a5a16ac90c2b # "Rare Scheduled Task Creations"
c92f1896-d1d2-43c3-92d5-7a5b35c217bb # "Possible Exploitation of Exchange RCE CVE-2021-42321"
9f7aa113-9da6-4a8d-907c-5f1a4b908299 # "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
# Replaced by Hayabusa rules
c265cf08-3f99-46c1-8d59-328247057d57 # "User Added to Local Administrators"
66b6be3d-55d0-4f47-9855-d69df21740ea # "Local User Creation"
7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # "Hidden Local User Creation".
# Disabled due to too many false positives:
71158e3f-df67-472b-930e-7d287acaa3e1 # "Execution Of Not Existing File"
c09dad97-1c78-4f71-b127-7edb2b8e491a # "Execution Of Other File Type Than .exe". Replaced with Hayabusa rule: 8d1487f1-7664-4bda-83b5-cb2f79491b6a
1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 # "USB Device Plugged" False positives due to not filtering on provider properly.
db809f10-56ce-4420-8c86-d6a7d793c79c # "Raw Disk Access Using Illegitimate Tools" Need to test if false positives lower when filtering on just sysmon logs.
57b649ef-ff42-4fb0-8bf6-62da243a1708 # "Windows Defender Threat Detected" Replaced by Hayabusa rule.
0eb2107b-a596-422e-b123-b389d5594ed7 # "Hurricane Panda Activity"

View File

@@ -1,10 +0,0 @@
0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
dae8171c-5ec6-4396-b210-8466585b53e9 # "SCM Database Privileged Operation" Detects unprivelidged users attempting priv'd things. Can possible detect things like psexec but may have false positives and should probably be medium alert instead of critical.

View File

@@ -1,116 +0,0 @@
.*(?i)AppInstaller.*
.*(?i)Aspnet_Compiler.*
.*(?i)At.*
.*(?i)AtBroker.*
.*(?i)Bash.*
.*(?i)BitsAdmin.*
.*(?i)CertOC.*
.*(?i)CertReq.*
.*(?i)CertUtil.*
.*(?i)Cmd.*
.*(?i)Cmdkey.*
.*(?i)cmdl32.*
.*(?i)Cmstp.*
.*(?i)ConfigSecurityPolicy.*
.*(?i)Control.*
.*(?i)Csc.*
.*(?i)Cscript.*
.*(?i)DataSvcUtil.*
.*(?i)DesktopImgDownldr.*
.*(?i)DfSvc.*
.*(?i)Diantz.*
.*(?i)DiskShadow.*
.*(?i)dllhost.*
.*(?i)DnsCmd.*
.*(?i)EsentUtl.*
.*(?i)EventVwr.*
.*(?i)Expand.*
.*(?i)ExtExport.*
.*(?i)Extrac32.*
.*(?i)FindStr.*
.*(?i)Finger.*
.*(?i)FltMC.*
.*(?i)ForFiles.*
.*(?i)FTP.*
.*(?i)GfxDownloadWrapper.*
.*(?i)GpScript.*
.*(?i)HH.*
.*(?i)IMEWDBLD.*
.*(?i)Ie4uInit.*
.*(?i)IeExec.*
.*(?i)ILASM.*
.*(?i)InfDefaultInstall.*
.*(?i)InstallUtil.*
.*(?i)Jsc.*
.*(?i)MakeCab.*
.*(?i)MavInject.*
.*(?i)Microsoft.Workflow.Compiler.*
.*(?i)Mmc.*
.*(?i)MpCmdRun.*
.*(?i)Msbuild.*
.*(?i)MsConfig.*
.*(?i)Msdt.*
.*(?i)Mshta.*
.*(?i)MsiExec.*
.*(?i)NetSh.*
.*(?i)OdbcConf.*
.*(?i)OfflineScannerShell.*
.*(?i)OneDriveStandaloneUpdater.*
.*(?i)Pcalua.*
.*(?i)PcwRun.*
.*(?i)PktMon.*
.*(?i)PnpUtil.*
.*(?i)PresentationHost.*
.*(?i)Print.*
.*(?i)PrintBrm.*
.*(?i)Psr.*
.*(?i)Rasautou.*
.*(?i)Reg.*
.*(?i)Regasm.*
.*(?i)RegEdit.*
.*(?i)RegIni.*
.*(?i)Register-CimProvider.*
.*(?i)RegSvcs.*
.*(?i)RegSvr32.*
.*(?i)Replace.*
.*(?i)RpcPing.*
.*(?i)RunDll32.*
.*(?i)RunOnce.*
.*(?i)RunScriptHelper.*
.*(?i)Sc.*
.*(?i)SchTasks.*
.*(?i)ScriptRunner.*
.*(?i)SettingSyncHost.*
.*(?i)StorDiag.*
.*(?i)SyncAppvPublishingServer.*
.*(?i)TtdInject.*
.*(?i)TtTracer.*
.*(?i)VBC.*
.*(?i)Verclsid.*
.*(?i)ping.*
.*(?i)ipconfig.*
.*(?i)Wab.*
.*(?i)Wmic.*
.*(?i)WorkFolders.*
.*(?i)Wscript.*
.*(?i)WsReset.*
.*(?i)Wuauclt.*
.*(?i)Xwizard.*
.*(?i)ADPlus.*
.*(?i)AgentExecutor.*
.*(?i)Appvlp.*
.*(?i)Bginfo.*
.*(?i)Cdb.*
.*(?i)CoreGen.*
.*(?i)CSI.*
.*(?i)DefaultPack.*
.*(?i)DevtoolsLauncher.*
.*(?i)DNX.*
.*(?i)Dotnet.*
.*(?i)Dxcap.*
.*(?i)NTDSUtil.*
.*(?i)procdump.*
.*(?i)psexec.*
.*(?i)SqlDumper.*
.*(?i)winrm.vbs.*
.*(?i)powershell.*
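Review bot: most patterns in this list are unanchored substring matches, so entries such as `.*(?i)At.*`, `.*(?i)Sc.*`, `.*(?i)HH.*`, `.*(?i)Reg.*`, `.*(?i)Control.*` and `.*(?i)Print.*` match ordinary service names and command lines (anything containing "at", "sc" or "reg"), which is a likely source of the false positives the noisy-rules list in this same commit complains about. The sibling list deleted below already anchors on `.exe$`; the copy moving to the rules repo should do the same, and the leading `.*` can be dropped since a regex search matches it implicitly.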

View File

@@ -1,118 +0,0 @@
.*(?i)AppInstaller.exe$
.*(?i)Aspnet_Compiler.exe$
.*(?i)At.exe$
.*(?i)AtBroker.exe$
.*(?i)Bash.exe$
.*(?i)BitsAdmin.exe$
.*(?i)CertOC.exe$
.*(?i)CertReq.exe$
.*(?i)CertUtil.exe$
.*(?i)Cmd.exe$
.*(?i)Cmdkey.exe$
.*(?i)cmdl32.exe$
.*(?i)Cmstp.exe$
.*(?i)ConfigSecurityPolicy.exe$
.*(?i)Control.exe$
.*(?i)Csc.exe$
.*(?i)Cscript.exe$
.*(?i)DataSvcUtil.exe$
.*(?i)DesktopImgDownldr.exe$
.*(?i)DfSvc.exe$
.*(?i)Diantz.exe$
.*(?i)DiskShadow.exe$
.*(?i)dllhost.exe$
.*(?i)DnsCmd.exe$
.*(?i)EsentUtl.exe$
.*(?i)EventVwr.exe$
.*(?i)Expand.exe$
.*(?i)ExtExport.exe$
.*(?i)Extrac32.exe$
.*(?i)FindStr.exe$
.*(?i)Finger.exe$
.*(?i)FltMC.exe$
.*(?i)ForFiles.exe$
.*(?i)FTP.exe$
.*(?i)GfxDownloadWrapper.exe$
.*(?i)GpScript.exe$
.*(?i)HH.exe$
.*(?i)IMEWDBLD.exe$
.*(?i)Ie4uInit.exe$
.*(?i)IeExec.exe$
.*(?i)ILASM.exe$
.*(?i)InfDefaultInstall.exe$
.*(?i)InstallUtil.exe$
.*(?i)Jsc.exe$
.*(?i)MakeCab.exe$
.*(?i)MavInject.exe$
.*(?i)Microsoft.Workflow.Compiler.exe$
.*(?i)Mmc.exe$
.*(?i)MpCmdRun.exe$
.*(?i)Msbuild.exe$
.*(?i)MsConfig.exe$
.*(?i)Msdt.exe$
.*(?i)Mshta.exe$
.*(?i)MsiExec.exe$
.*(?i)NetSh.exe$
.*(?i)OdbcConf.exe$
.*(?i)OfflineScannerShell.exe$
.*(?i)OneDriveStandaloneUpdater.exe$
.*(?i)Pcalua.exe$
.*(?i)PcwRun.exe$
.*(?i)PktMon.exe$
.*(?i)PnpUtil.exe$
.*(?i)PresentationHost.exe$
.*(?i)Print.exe$
.*(?i)PrintBrm.exe$
.*(?i)Psr.exe$
.*(?i)Rasautou.exe$
.*(?i)Reg.exe$
.*(?i)Regasm.exe$
.*(?i)RegEdit.exe$
.*(?i)RegIni.exe$
.*(?i)Register-CimProvider.exe$
.*(?i)RegSvcs.exe$
.*(?i)RegSvr32.exe$
.*(?i)Replace.exe$
.*(?i)RpcPing.exe$
.*(?i)RunDll32.exe$
.*(?i)RunOnce.exe$
.*(?i)RunScriptHelper.exe$
.*(?i)Sc.exe$
.*(?i)SchTasks.exe$
.*(?i)ScriptRunner.exe$
.*(?i)SettingSyncHost.exe$
.*(?i)StorDiag.exe$
.*(?i)SyncAppvPublishingServer.exe$
.*(?i)TtdInject.exe$
.*(?i)TtTracer.exe$
.*(?i)VBC.exe$
.*(?i)Verclsid.exe$
.*(?i)ping.exe$
.*(?i)ipconfig.exe$
.*(?i)Wab.exe$
.*(?i)Wmic.exe$
.*(?i)WorkFolders.exe$
.*(?i)Wscript.exe$
.*(?i)WsReset.exe$
.*(?i)Wuauclt.exe$
.*(?i)Xwizard.exe$
.*(?i)ADPlus.exe$
.*(?i)AgentExecutor.exe$
.*(?i)Appvlp.exe$
.*(?i)Bginfo.exe$
.*(?i)Cdb.exe$
.*(?i)CoreGen.exe$
.*(?i)CSI.exe$
.*(?i)DefaultPack.exe$
.*(?i)DevtoolsLauncher.exe$
.*(?i)DNX.exe$
.*(?i)Dotnet.exe$
.*(?i)Dxcap.exe$
.*(?i)NTDSUtil.exe$
.*(?i)procdump.exe$
.*(?i)psexec.exe$
.*(?i)SqlDumper.exe$
.*(?i)winrm.vbs.exe$
.*(?i)powershell.exe$
.*(?i)xcopy.exe$
.*(?i)RoboCopy.exe$
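Review bot: the unescaped `.` in `.*(?i)Microsoft.Workflow.Compiler.exe$` and `.*(?i)winrm.vbs.exe$` matches any character, and the second entry can never match a `winrm.vbs` script because it requires a trailing `.exe`; escape the dots as `\.` and decide whether `winrm.vbs` belongs in an executable-only list at all. Otherwise the `.exe$` anchoring used here is the form the other detect list should adopt.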

View File

@@ -1,2 +0,0 @@
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"

View File

@@ -1,16 +0,0 @@
^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
powershell.*FromBase64String.*IO.Compression.GzipStream
DownloadString\(.http
.*(?i)mimikatz.*
.*(?i)mimidvr.*
Invoke-Mimikatz.ps
PowerSploit.*ps1
[a-zA-Z0-9/+=]{500}
.*(?i)powershell.*
.*(?i)cmd.*
\\csc\.exe
\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
\\cvtres\.exe.*
\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
^[a-zA-Z]{22}$
^[a-zA-Z]{16}$
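Review bot: `.*(?i)powershell.*`, `.*(?i)cmd.*`, `^[a-zA-Z]{22}$` and `^[a-zA-Z]{16}$` will match a large share of benign values, and `[a-zA-Z0-9/+=]{500}` is expensive to evaluate against every record; since the list is moving to the rules repo, add a header comment saying which field each regex is meant to be applied against so the breadth of these entries is deliberate rather than accidental.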

View File

@@ -1,9 +0,0 @@
keyname,regex,replaced_str
AccessMask,"[\r\n\t]+",
Accesses,"[\r\n\t]+",
AuditPolicyChanges,"[\r\n\t]+",
SidHistory,"[\r\n\t]+",
AccessList,"[\r\n\t]+",
Properties,"[\r\n\t]+",
ScriptBlockText,"[\r\n\t]+",
Payload,"[\r\n\t]+",

View File

@@ -52,7 +52,7 @@ ruletype: Hayabusa
> ## Alert section
* **title [required]**: Rule file title. This will also be the name of the alert that gets displayed so the briefer the better. (Should not be longer than 85 characters.)
* **title_jp** [optional]: The title in Japanese.
* details [optional]: The details of the alert that gets displayed. Please output any fields in the Windows event log that are useful for analysis. Fields are seperated by `" : "` (two spaces on both sides). Field placeholders are enclosed with a `%` (Example: `%MemberName%`) and need to be defined in `config\eventkey_alias.txt`. (Explained below.)
* details [optional]: The details of the alert that gets displayed. Please output any fields in the Windows event log that are useful for analysis. Fields are seperated by `" : "` (two spaces on both sides). Field placeholders are enclosed with a `%` (Example: `%MemberName%`) and need to be defined in `rules\config\eventkey_alias.txt`. (Explained below.)
* **details_jp** [optional]: The details message in Japanese.
* **description** [optional]: A description of the rule. This does not get displayed so you can make this long and detailed.
* **description_jp** [optional]: The description in Japanese.
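Review bot: the `details` line being edited still misspells "seperated" (should be "separated") in both the old and new text; since the line is touched anyway, fix the spelling here.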
@@ -153,7 +153,7 @@ The following is an excerpt of a Windows event log, formatted in the original XM
```
#### Eventkey Aliases
Long eventkeys with many `.` seperations are common, so hayabusa will use aliases to make them easier to work with. Aliases are defined in the `config\eventkey_alias.txt` file. This file is a CSV file made up of `alias` and `event_key` mappings. You can rewrite the rule above as shown below with aliases making the rule easier to read.
Long eventkeys with many `.` seperations are common, so hayabusa will use aliases to make them easier to work with. Aliases are defined in the `rules\config\eventkey_alias.txt` file. This file is a CSV file made up of `alias` and `event_key` mappings. You can rewrite the rule above as shown below with aliases making the rule easier to read.
```yaml
detection:
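Review bot: "seperations" on the edited line should read "separations"; fix it while the line is being changed.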
@@ -164,7 +164,7 @@ detection:
```
#### Caution: Undefined Eventkey Aliases
Not all eventkey aliases are defined in `config\eventkey_alias.txt`. If you are not getting the correct data in the `details`(Alert details) message, and instead are getting results like `%EventID%` or if the selection in your detection logic is not working properly, then you need to update `config\eventkey_alias.txt` with a new alias.
Not all eventkey aliases are defined in `rules\config\eventkey_alias.txt`. If you are not getting the correct data in the `details`(Alert details) message, and instead are getting results like `%EventID%` or if the selection in your detection logic is not working properly, then you need to update `rules\config\eventkey_alias.txt` with a new alias.
### How to use XML attributes in conditions
XML elements may have attributes set by adding a space to the element. For example, `Name` in `Provider Name` below is an XML attribute of the `Provider` element.
@@ -313,7 +313,7 @@ About escaping wildcards:
## Nesting keywords inside eventkeys
Eventkeys can be nested with specific keywords.
In the example below, the rule will match if the following are true:
* `ServiceName` is called `malicious-service` or contains a regular expression in `./config/regex/detectlist_suspicous_services.txt`.
* `ServiceName` is called `malicious-service` or contains a regular expression in `./rules/config/regex/detectlist_suspicous_services.txt`.
* `ImagePath` has a minimum of 1000 characters.
* `ImagePath` does not have any matches in the `allowlist`.
@@ -324,10 +324,10 @@ detection:
EventID: 7045
ServiceName:
- value: malicious-service
- regexes: ./config/regex/detectlist_suspicous_services.txt
- regexes: ./rules/config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
condition: selection
```
@@ -339,13 +339,13 @@ Currently, the following keywords can be specified:
### regexes and allowlist keywords
Hayabusa has two built-in regular expression files used for the `.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml` file:
* `./config/regex/detectlist_suspicous_services.txt`: to detect suspicious service names
* `./config/regex/allowlist_legitimate_services.txt`: to allow legitimate services
* `./rules/config/regex/detectlist_suspicous_services.txt`: to detect suspicious service names
* `./rules/config/regex/allowlist_legitimate_services.txt`: to allow legitimate services
Files defined in `regexes` and `allowlist` can be edited to change the behavior of all rules that reference them without having to change any rule file itself.
You can also use different detectlist and allowlist textfiles that you create.
Please refer to the built-in `./config/regex/detectlist_suspicous_services.txt` and `./config/regex/allowlist_legitimate_services.txt` when creating your own.
Please refer to the built-in `./rules/config/regex/detectlist_suspicous_services.txt` and `./rules/config/regex/allowlist_legitimate_services.txt` when creating your own.
## condition
With the notation we explained above, you can express `AND` and `OR` logic but it will be confusing if you are trying to define complex logic.

View File

@@ -51,7 +51,7 @@ ruletype: Hayabusa
> ## アラートセクション
* **title [必須]**: ルールファイルのタイトル。これは表示されるアラートの名前にもなるので、簡潔であるほどよいです。(85文字以下でなければなりません。)
* **title_jp** [オプション]: 日本語のタイトルです。
* **details** [オプション]: 表示されるアラートの詳細です。Windowsイベントログの中で解析に有効なフィールドがあれば出力してください。フィールドは `" : "` で区切られます両側ともスペース2つ。フィールドのプレースホルダは `%` で囲まれ (例: `%MemberName%`) 、`config_eventkey_alias.txt` で定義する必要があります。(以下で説明します)
* **details** [オプション]: 表示されるアラートの詳細です。Windowsイベントログの中で解析に有効なフィールドがあれば出力してください。フィールドは `" : "` で区切られます両側ともスペース2つ。フィールドのプレースホルダは `%` で囲まれ (例: `%MemberName%`) 、`rules\config\eventkey_alias.txt` で定義する必要があります。(以下で説明します)
* **details_jp** [オプション]: 日本語の出力メッセージ。
* **description** [オプション]: ルールの説明。これは表示されないので、長く詳細に記述することができます。
* **description_jp** [オプション]: 日本語の説明文です。
@@ -157,7 +157,7 @@ WindowsイベントログをXML形式で出力すると下記のようになり
`<Event><System><Channel>System<Channel><System></Event>`
#### イベントキーエイリアス
`.`の区切りが多くて長いイベントキーが一般的であるため、Hayabusaはエイリアスを使って簡単に扱えるようにします。エイリアスは `config\eventkey_alias.txt`ファイルで定義されています。このファイルは `alias``event_key` のマッピングで構成されるCSVファイルです。以下に示すように、エイリアスを使用して上記のルールを書き直し、ルールを読みやすくすることができます。
`.`の区切りが多くて長いイベントキーが一般的であるため、Hayabusaはエイリアスを使って簡単に扱えるようにします。エイリアスは `rules\config\eventkey_alias.txt`ファイルで定義されています。このファイルは `alias``event_key` のマッピングで構成されるCSVファイルです。以下に示すように、エイリアスを使用して上記のルールを書き直し、ルールを読みやすくすることができます。
```yaml
detection:
@@ -168,7 +168,7 @@ detection:
```
#### 注意: 未定義のイベントキーエイリアスについて
すべてのイベントキーエイリアスが `config\eventkey_alias.txt`に定義されているわけではありません。検知するはずのルールが検知しない場合や、`details`(アラートの詳細)メッセージに`%EventID%`のようなプレースホルダーが表示されている場合、`config\eventkey_alias.txt`の設定を確認してください。
すべてのイベントキーエイリアスが `rules\config\eventkey_alias.txt`に定義されているわけではありません。検知するはずのルールが検知しない場合や、`details`(アラートの詳細)メッセージに`%EventID%`のようなプレースホルダーが表示されている場合、`rules\config\eventkey_alias.txt`の設定を確認してください。
### XML属性を条件に使用する方法
XMLのタグにはタグ名とは別に属性を設定できます。例えば、以下の `Provider Name``Name``Provider` タグの属性です。
@@ -325,10 +325,10 @@ detection:
EventID: 7045
ServiceName:
- value: malicious-service
- regexes: ./config/regex/detectlist_suspicous_services.txt
- regexes: ./rules/config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
condition: selection
```
@@ -340,13 +340,13 @@ detection:
### regexesとallowlistキーワード
Hayabusaに`.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml`のルールのために使う2つの正規表現ファイルが用意されています。
* `./config/regex/detectlist_suspicous_services.txt`: 怪しいサービス名を検知するためのものです。
* `./config/regex/allowlist_legitimate_services.txt`: 正規のサービスを許可するためのものです。
* `./rules/config/regex/detectlist_suspicous_services.txt`: 怪しいサービス名を検知するためのものです。
* `./rules/config/regex/allowlist_legitimate_services.txt`: 正規のサービスを許可するためのものです。
`regexes` と `allowlist` で定義されたファイルの正規表現を変更すると、それらを参照するすべてのルールの動作を一度に変更できます。
また、`regexes` と `allowlist` にはユーザーが独自で作成したファイルを指定することも可能です。
デフォルトの `./config/detectlist_suspicous_services.txt` と `./config/allowlist_legitimate_services.txt` を参考にして、独自のファイルを作成してください。
デフォルトの `./rules/config/detectlist_suspicous_services.txt` と `./rules/config/allowlist_legitimate_services.txt` を参考にして、独自のファイルを作成してください。
## condition (条件)
これまで説明した記法では簡単な`AND`や`OR`であれば表現可能ですが、複雑な条件は定義できません。そのような場合、`condition` キーワードを使用します。
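Review bot: the last path pair in this hunk, `./rules/config/detectlist_suspicous_services.txt` and `./rules/config/allowlist_legitimate_services.txt`, is missing the `regex/` directory that the bullet list four lines earlier and the English rule documentation use; the old text had the same omission, so this is the moment to correct both to `./rules/config/regex/...`.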

rules (submodule)

Submodule rules updated: 6b65c0ad77...6d9781e349

View File

@@ -19,7 +19,7 @@ lazy_static! {
return levelmap;
};
pub static ref EVENTKEY_ALIAS: EventKeyAliasConfig =
load_eventkey_alias("config/eventkey_alias.txt");
load_eventkey_alias("./rules/config/eventkey_alias.txt");
}
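Review bot: `load_eventkey_alias("./rules/config/eventkey_alias.txt")` resolves relative to the process working directory, and the file now exists only once the `rules` submodule is checked out, so a user who runs the binary from another directory or clones without initialising submodules gets no aliases at the first use of `EVENTKEY_ALIAS`. Resolve the path from the executable location (or a CLI option) and surface the missing-file case as a clear startup error.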
#[derive(Clone)]

View File

@@ -504,8 +504,8 @@ mod tests {
- ホスト アプリケーション
ImagePath:
min_length: 1234321
regexes: ./config/regex/detectlist_suspicous_services.txt
allowlist: ./config/regex/allowlist_legitimate_services.txt
regexes: ./rules/config/regex/detectlist_suspicous_services.txt
allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
falsepositives:
- unknown
level: medium
@@ -1092,7 +1092,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1126,7 +1126,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1160,7 +1160,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;

View File

@@ -267,7 +267,7 @@ mod tests {
#[test]
fn test_check_regex() {
let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
let regexes = utils::read_txt("./rules/config/regex/detectlist_suspicous_services.txt")
.unwrap()
.into_iter()
.map(|regex_str| Regex::new(&regex_str).unwrap())
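Review bot: `test_check_regex` now reads its patterns from the submodule path `./rules/config/regex/detectlist_suspicous_services.txt`, so the unit test's outcome depends on the contents of a separate repository and on the submodule being initialised; consider embedding a small fixture list in the test and keeping a separate check that the real file parses.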
@@ -282,7 +282,7 @@ mod tests {
#[test]
fn test_check_allowlist() {
let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
let allowlist = utils::read_txt("./rules/config/regex/allowlist_legitimate_services.txt")
.unwrap()
.into_iter()
.map(|allow_str| Regex::new(&allow_str).unwrap())

View File

@@ -24,7 +24,7 @@ pub struct DataFilterRule {
}
fn load_record_filters() -> HashMap<String, DataFilterRule> {
let file_path = "config/regex/record_data_filter.txt";
let file_path = "./rules/config/regex/record_data_filter.txt";
let read_result = utils::read_csv(file_path);
let mut ret = HashMap::new();
if read_result.is_err() {
@@ -104,10 +104,10 @@ pub fn exclude_ids() -> RuleExclude {
.args
.is_present("enable-noisy-rules")
{
exclude_ids.insert_ids("config/noisy-rules.txt");
exclude_ids.insert_ids("./rules/config/noisy_rules.txt");
};
exclude_ids.insert_ids("config/exclude-rules.txt");
exclude_ids.insert_ids("./rules/config/exclude_rules.txt");
return exclude_ids;
}
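Review bot: `insert_ids` is now pointed at `./rules/config/noisy_rules.txt` and `./rules/config/exclude_rules.txt`; if those files are absent because the submodule was not initialised, the exclusion sets would be empty and rules that were previously suppressed would run, so confirm that `insert_ids` reports a missing file rather than returning silently.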

View File

@@ -67,6 +67,7 @@ impl ParseYaml {
.unwrap()
.push(format!("[ERROR] {}", errmsg));
}
return io::Result::Ok(String::default());
}
let mut yaml_docs = vec![];
if metadata.unwrap().file_type().is_file() {
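Review bot: the added `return io::Result::Ok(String::default());` makes the metadata-failure branch return success to the caller after only appending an `[ERROR]` entry, so a caller that checks the `Result` sees an unreadable rule path as a successfully parsed empty file. If the error vector is the intended reporting channel, add a comment saying so; otherwise propagate the `io::Error` from `metadata` instead.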