diff --git a/tools/sigmac/hayabusa.py b/tools/sigmac/hayabusa.py
index 21c23e10..ae53c407 100644
--- a/tools/sigmac/hayabusa.py
+++ b/tools/sigmac/hayabusa.py
@@ -204,7 +204,7 @@ class HayabusaBackend(SingleTextQueryBackend):
 def generateANDNode(self, node):
 generated = list()
 for val in node:
- if type(val) == str:
+ if type(val) == str or type(val) == int:
 # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース
 # keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと)
 # 具体的には"all of"とか使うとこの分岐に来る
@@ -235,7 +235,7 @@ class HayabusaBackend(SingleTextQueryBackend):
 generated = list()
 for val in node:
 # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース
- if type(val) == str:
+ if type(val) == str or type(val) == int:
 if name is None:
 name = self.create_new_selection()
 self.name_2_selection[name] = list()
@@ -270,9 +270,16 @@ class HayabusaBackend(SingleTextQueryBackend):
 bs.write("title: " + parsed_yaml["title"]+"\n")
 bs.write("ruletype: SIGMA\n")
 del parsed_yaml["title"]
+
+ # detectionの部分をクリアする前にtimeflameだけ確保しておく。
+ timeflame = None
+ if "timeflame" in parsed_yaml["detection"]:
+ timeflame = parsed_yaml["detection"]["timeflame"]
 # detectionの部分だけ変更して出力する。
 parsed_yaml["detection"] = {}
+ if timeflame is not None and len(timeflame) != 0:
+ parsed_yaml["detection"]["timeflame"] = timeflame
 parsed_yaml["detection"]["condition"] = result
 for key, values in self.name_2_selection.items():
 # fieldnameの有無を確認している
@@ -290,6 +297,7 @@ class HayabusaBackend(SingleTextQueryBackend):
 else:
 ## is_keyword_list() == Falseの場合
 parsed_yaml["detection"][key][fieldname] = value
+
 yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False)
 ret = bs.getvalue()
 ret += "---\n"
diff --git a/tools/sigmac/test_files/README.md b/tools/sigmac/test_files/README.md
new file mode 100644
index 00000000..2acc1f95
--- /dev/null
+++ b/tools/sigmac/test_files/README.md
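Review bot: The widened test on the changed line, `type(val) == str or type(val) == int`, is the non-idiomatic spelling of `isinstance(val, (str, int))`, which is what a reader expects here. The one real difference is that `isinstance` also admits `bool` (a subclass of `int`); if a bare `true`/`false` list item must not be treated as a key-less grep value, keep the exact-type form and say why in a comment, otherwise switch to `isinstance`. A float or `None` list item still takes the other branch either way; whether that is intended is not visible in this hunk, and the body of `generateANDNode` continues past it.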
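Review bot: This is the second copy of the same key-less-value test, `type(val) == str or type(val) == int`, so the two loops will drift apart the next time a value type is admitted; a small predicate, `def _is_keyless_value(self, val): return isinstance(val, (str, int))`, called from both places keeps them in step. The method containing this loop starts above the hunk, so its name is not visible here. The comment on the line above says this branch is the "no key given" case; a key-less integer now reaches it too, so whatever consumes `generated` and `self.name_2_selection[name]` must accept non-string values — worth confirming at the consumer.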
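Review bot: The key preserved across the `detection` reset is spelled `timeflame` on all three added lines, but the Sigma specification spells the detection attribute `timeframe`, so a real rule that pairs a `timeframe` with a `| count()` aggregation (the shape of the test0021/test0022 fixtures) would have its window silently dropped from the emitted rule — which changes what the rule detects — while the bundled tests pass only because the fixtures repeat the misspelling. If the Hayabusa rule reader genuinely expects `timeflame`, read `timeframe` from the Sigma side and write whichever key the reader wants. `len(timeflame) != 0` also raises `TypeError` when the value is not a string or list; a truthiness test covers missing and empty at once: `timeframe = parsed_yaml["detection"].get("timeframe")`, then after the reset, `if timeframe: parsed_yaml["detection"]["timeframe"] = timeframe`. The fixtures under test_files would need the same rename.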
@@ -0,0 +1,12 @@
+このフォルダにはテストに必要なファイルが格納されています。
+テストを実行する際には、toos/sigmacにあるファイルに加え、このフォルダのファイルもsigmaディレクトリにコピーしてください。
+
+このフォルダにあるファイルについて説明します。
+* test_rules: テスト用のSIGMAルールが格納されたフォルダです。
+* convert_test.sh: テストを実行するためのシェルスクリプトです。test_rulesフォルダ内のSIGMAルールをhayabusaルールに変換し、hayabusa_rules_testフォルダに出力します。
+* expected_rules: test_rulesフォルダ内のルールを正しく変換すると、このフォルダに設置されているhayabusaルールと同じになるはずです。
+
+テストは下記のように実行します。
+* convert_test.shを実行する。
+* WinMerge等のツールを利用して、expected_rulesフォルダとhayabusa_rules_testフォルダに差分を確認する。
+* 差分が無ければテストOKです。差分があれば、内容を確認して適宜修正してください。
\ No newline at end of file
diff --git a/tools/sigmac/test_files/convert_test.sh b/tools/sigmac/test_files/convert_test.sh
new file mode 100644
index 00000000..1577bf98
--- /dev/null
+++ b/tools/sigmac/test_files/convert_test.sh
@@ -0,0 +1,3 @@
+rm -rf hayabusa_rules
+python ./tools/sigmac -t hayabusa --config ./tools/config/generic/sysmon.yml --defer-abort -r test_rules/ > sigma_to_hayabusa.yml
+python splitter.py hayabusa_rules_test
\ No newline at end of file
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml
new file mode 100644
index 00000000..17d7b15b
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml
@@ -0,0 +1,17 @@
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "simple test\n"
+detection:
+ SELECTION_1:
+ EventID: 4100
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml
new file mode 100644
index 00000000..0956adc4
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml
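Review bot: `rm -rf hayabusa_rules` on the first line clears a directory this script never writes, while the splitter on the third line is pointed at `hayabusa_rules_test` — the directory README.md tells the tester to diff — so output from a previous run survives, and a rule the converter now fails to emit, or that was renamed, still shows up as matching. Clear the directory that is actually produced, `rm -rf hayabusa_rules_test`, and put `#!/bin/sh` and `set -eu` at the top so a converter failure on the second line stops the run instead of letting the splitter work from a stale or partial `sigma_to_hayabusa.yml` (which I take to be the splitter's input; that is not visible here).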
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "map test and escape str test and empty string test and null test\n"
+detection:
+ SELECTION_1:
+ EventID: 4100
+ SELECTION_2:
+ ObjectType: Key
+ SELECTION_3:
+ ObjectKey: "aaaValu__-*|3'|e "
+ SELECTION_4:
+ Ojb: ''
+ SELECTION_5:
+ aaa|re: ^$
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml
new file mode 100644
index 00000000..6384fdea
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "list test\n"
+detection:
+ SELECTION_1:
+ EventID: 4100
+ SELECTION_2:
+ EventID: 9000
+ SELECTION_3:
+ EventID: 8000
+ SELECTION_4:
+ EventID: aaaa
+ SELECTION_5:
+ ObjectType: Key
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml
new file mode 100644
index 00000000..0b70a617
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml
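Review bot: `aaa: null` in the test0002 input rule is locked in here as `aaa|re: ^$`, a regex that matches an empty string value, whereas in Sigma a `null` value means the field is absent or null — not the same condition, so a rule written to fire when a field is missing would instead fire only when the field is present and empty. Whether Hayabusa's matcher treats an absent field as satisfying `^$` is not visible in this diff; if it does not, this fixture is pinning a silent semantic change rather than the converter's intended output. Either way the mapping deserves a sentence in test_files/README.md, e.g. "null values are emitted as `|re: ^$`; this relies on Hayabusa matching absent fields against the empty regex".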
@@ -0,0 +1,24 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "list test\n"
+detection:
+ SELECTION_1:
+ - 2
+ - dee
+ - testtesttest
+ SELECTION_2:
+ EventID: 22
+ SELECTION_3:
+ EventID: 33
+ condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml
new file mode 100644
index 00000000..45ff5edd
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all modifier\n"
+detection:
+ SELECTION_1:
+ - 2
+ - dee
+ - testtesttest
+ SELECTION_2:
+ EventID: 22
+ SELECTION_3:
+ EventID: 33
+ SELECTION_4:
+ EventID: hoge
+ condition: ((SELECTION_1) and (SELECTION_2 and SELECTION_3 and SELECTION_4))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml
new file mode 100644
index 00000000..e465f6c2
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "contains modifier\n"
+detection:
+ SELECTION_1:
+ UserName: '*hogehoge*'
+ SELECTION_2:
+ TargetUserName: '*testest2*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml
new file mode 100644
index 00000000..f2e195fe
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "endswith pipe modifier and startswith pipe modifier\n"
+detection:
+ SELECTION_1:
+ UserName: '*hogehoge_end'
+ SELECTION_2:
+ TargetUserName: test_start*
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml
new file mode 100644
index 00000000..528a19ba
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "base64 encode modifier\n"
+detection:
+ SELECTION_1:
+ UserName: YmFzZTY0X2VuY29kZWQ=
+ SELECTION_2:
+ TargetUserName: test_start
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml
new file mode 100644
index 00000000..b2aa7f97
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml
@@ -0,0 +1,26 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "re modifier test\n"
+detection:
+ SELECTION_1:
+ UserName|re: aaa
+ SELECTION_2:
+ UserName2|re: .*bbbb$
+ SELECTION_3:
+ UserName3|re: cccc/dd/dd
+ SELECTION_4:
+ UserName4|re: cccc"dddd
+ SELECTION_5:
+ UserName5|re: cccc"dddd
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml
new file mode 100644
index 00000000..cb40bd15
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml
@@ -0,0 +1,35 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all of test\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ EventID: 7
+ SELECTION_3:
+ EventID: a
+ SELECTION_4:
+ UserName: abc
+ SELECTION_5:
+ process: nnn
+ SELECTION_6:
+ parentprocess: 2
+ SELECTION_7:
+ uuu: zzzz
+ SELECTION_8:
+ xxxx: 3
+ SELECTION_9:
+ ppp: iiii
+ condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_9)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml
new file mode 100644
index 00000000..07148a22
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml
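Review bot: This expected file does not line up with the test0009 input rule: the input defines six `|re` fields, but only five selections appear here, `SELECTION_5` carries `cccc"dddd` (the UserName4 value) rather than UserName5's `cccc{{3}0dddd`, and UserName6 (`cccc{{3}0d{32}dd`) has no selection at all. Unless generateMapItemTypedNode deliberately drops those two entries — the input rule's comments only point at that function, they do not say so — the WinMerge comparison described in README.md will report a difference for this rule on the first run. Regenerating the fixture from the current converter and checking the `{{` / `{32}` escape handling by hand would settle which side is wrong.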
@@ -0,0 +1,33 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "1 of\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ EventID: 7
+ SELECTION_3:
+ UserName: abc
+ SELECTION_4:
+ process: nnn
+ SELECTION_5:
+ parentprocess: sss
+ SELECTION_6:
+ uuu: zzzz
+ SELECTION_7:
+ xxxx: yyyyy
+ SELECTION_8:
+ ppp: iiii
+ condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)) and SELECTION_8)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml
new file mode 100644
index 00000000..b94ef374
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml
@@ -0,0 +1,31 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "all of them\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ EventID: 7
+ SELECTION_3:
+ UserName: abc
+ SELECTION_4:
+ process: nnn
+ SELECTION_5:
+ parentprocess: sss
+ SELECTION_6:
+ uuu: zzzz
+ SELECTION_7:
+ xxxx: yyyyy
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml
new file mode 100644
index 00000000..7e671144
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml
@@ -0,0 +1,31 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "1 of them\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ EventID: 7
+ SELECTION_3:
+ UserName: abc
+ SELECTION_4:
+ process: nnn
+ SELECTION_5:
+ parentprocess: sss
+ SELECTION_6:
+ uuu: zzzz
+ SELECTION_7:
+ xxxx: yyyyy
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml
new file mode 100644
index 00000000..7b1a1b91
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml
@@ -0,0 +1,19 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "timeflame \n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ condition: SELECTION_1
+ timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml
new file mode 100644
index 00000000..9704c256
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition and or\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ SELECTION_3:
+ ccc: ddd
+ SELECTION_4:
+ eee: fff
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+ timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml
new file mode 100644
index 00000000..9704c256
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition and or\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ SELECTION_3:
+ ccc: ddd
+ SELECTION_4:
+ eee: fff
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+ timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml
new file mode 100644
index 00000000..469beb17
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml
@@ -0,0 +1,25 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition or\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ SELECTION_3:
+ ccc: ddd
+ SELECTION_4:
+ eee: fff
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+ timeflame: 2d
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml
new file mode 100644
index 00000000..dca7a7fc
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml
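Review bot: This expected file is a byte-for-byte copy of test0015's (both carry blob index `9704c256`): its description reads `condition and or\n`, while the test0016 input rule's description is `condition and`, so the comparison README.md describes will flag this rule even when the converter is correct. The detection sections of the two inputs happen to be identical, so only the description line needs regenerating, `description: "condition and\n"`. Regenerating all of expected_rules from the converter rather than copying fixtures by hand would avoid this class of drift.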
@@ -0,0 +1,27 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "() \n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ SELECTION_3:
+ ccc: ddd
+ SELECTION_4:
+ eee: fff
+ SELECTION_5:
+ ggg: hhh
+ condition: ((SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4))) or
+ SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml
new file mode 100644
index 00000000..e2087c51
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml
@@ -0,0 +1,18 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition not\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ condition: ' not (SELECTION_1)'
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml
new file mode 100644
index 00000000..1c35eca0
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml
@@ -0,0 +1,27 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition not ()\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ SELECTION_3:
+ ccc: ddd
+ SELECTION_4:
+ eee: fff
+ SELECTION_5:
+ ggg: hhh
+ condition: ( not (SELECTION_1) and not ((SELECTION_2 and not ((SELECTION_3 or
+ SELECTION_4)))) and SELECTION_5)
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml
new file mode 100644
index 00000000..db718506
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition count\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ condition: (SELECTION_1 and not (SELECTION_2)) | count() < 3
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml
new file mode 100644
index 00000000..554b9fc5
--- /dev/null
+++ b/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml
@@ -0,0 +1,20 @@
+
+title: test
+ruletype: SIGMA
+author: test
+date: 2021/12/4
+description: "condition count\n"
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ aaa: bbb
+ condition: (SELECTION_1 and not (SELECTION_2)) | count(TEAMNAME) by HOGE < 3
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+status: experimental
diff --git a/tools/sigmac/test_files/test_rules/test0001.yml b/tools/sigmac/test_files/test_rules/test0001.yml
new file mode 100644
index 00000000..3d233a93
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0001.yml
@@ -0,0 +1,17 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ simple test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4100
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0002.yml b/tools/sigmac/test_files/test_rules/test0002.yml
new file mode 100644
index 00000000..8e062ce7
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0002.yml
@@ -0,0 +1,21 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ map test and escape str test and empty string test and null test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4100
+ ObjectType: 'Key'
+ ObjectKey: 'aaaValu__-*|3''|e '
+ Ojb: ''
+ aaa: null
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0003.yml b/tools/sigmac/test_files/test_rules/test0003.yml
new file mode 100644
index 00000000..ef68446b
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0003.yml
@@ -0,0 +1,22 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ list test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4100
+ - 9000
+ - 8000
+ - "aaaa"
+ ObjectType: 'Key'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0004.yml b/tools/sigmac/test_files/test_rules/test0004.yml
new file mode 100644
index 00000000..c6bb133f
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0004.yml
@@ -0,0 +1,23 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ list test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - 2
+ - dee
+ - testtesttest
+ SELECTION_2:
+ EventID:
+ - 22
+ - 33
+ condition: selection and SELECTION_2
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0005.yml b/tools/sigmac/test_files/test_rules/test0005.yml
new file mode 100644
index 00000000..98ba2fdd
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0005.yml
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ all modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - 2
+ - dee
+ - testtesttest
+ SELECTION_2:
+ EventID|all:
+ - 22
+ - 33
+ - hoge
+ condition: selection and SELECTION_2
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0006.yml b/tools/sigmac/test_files/test_rules/test0006.yml
new file mode 100644
index 00000000..20733f21
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0006.yml
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ contains modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - UserName|contains: hogehoge
+ - TargetUserName|contains: testest2
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0007.yml b/tools/sigmac/test_files/test_rules/test0007.yml
new file mode 100644
index 00000000..80cf4554
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0007.yml
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ endswith pipe modifier and startswith pipe modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - UserName|endswith: hogehoge_end
+ - TargetUserName|startswith: test_start
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0008.yml b/tools/sigmac/test_files/test_rules/test0008.yml
new file mode 100644
index 00000000..f9a7dee8
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0008.yml
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ base64 encode modifier
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ UserName|base64: base64_encoded
+ TargetUserName: test_start
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0009.yml b/tools/sigmac/test_files/test_rules/test0009.yml
new file mode 100644
index 00000000..42a3bd54
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0009.yml
@@ -0,0 +1,22 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ re modifier test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ UserName|re: aaa
+ UserName2|re: .*bbbb$
+ UserName3|re: cccc\/dd/\//dd # see hayabusa.py generateMapItemTypedNode()
+ UserName4|re: cccc\"dd"\""dd # see hayabusa.py generateMapItemTypedNode()
+ UserName5|re: cccc{{3}0dddd # see hayabusa.py generateMapItemTypedNode()
+ UserName6|re: cccc{{3}0d{32}dd # see hayabusa.py generateMapItemTypedNode()
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0010.yml b/tools/sigmac/test_files/test_rules/test0010.yml
new file mode 100644
index 00000000..4c2598cb
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0010.yml
@@ -0,0 +1,29 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ all of test
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 3
+ - 7
+ - a
+ UserName: abc
+ selection2:
+ process: nnn
+ parentprocess: 2
+ selection3:
+ uuu: zzzz
+ xxxx: 3
+ another:
+ ppp: iiii
+ condition: all of selection* or another
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0011.yml b/tools/sigmac/test_files/test_rules/test0011.yml
new file mode 100644
index 00000000..bdc09249
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0011.yml
@@ -0,0 +1,28 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ 1 of
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 3
+ - 7
+ UserName: abc
+ selection2:
+ process: nnn
+ parentprocess: sss
+ selection3:
+ uuu: zzzz
+ xxxx: yyyyy
+ another:
+ ppp: iiii
+ condition: 1 of selection* and another
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0012.yml b/tools/sigmac/test_files/test_rules/test0012.yml
new file mode 100644
index 00000000..60d4bcb2
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0012.yml
@@ -0,0 +1,26 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ all of them
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 3
+ - 7
+ UserName: abc
+ selection2:
+ process: nnn
+ parentprocess: sss
+ selection3:
+ uuu: zzzz
+ xxxx: yyyyy
+ condition: all of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0013.yml b/tools/sigmac/test_files/test_rules/test0013.yml
new file mode 100644
index 00000000..7a3b8448
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0013.yml
@@ -0,0 +1,26 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ 1 of them
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 3
+ - 7
+ UserName: abc
+ selection2:
+ process: nnn
+ parentprocess: sss
+ selection3:
+ uuu: zzzz
+ xxxx: yyyyy
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0014.yml b/tools/sigmac/test_files/test_rules/test0014.yml
new file mode 100644
index 00000000..1f36774a
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0014.yml
@@ -0,0 +1,18 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ timeflame
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ timeflame: 2d
+ condition: selection1
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0015.yml b/tools/sigmac/test_files/test_rules/test0015.yml
new file mode 100644
index 00000000..ef674743
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0015.yml
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition and or
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ selection3:
+ ccc: ddd
+ selection4:
+ eee: fff
+ timeflame: 2d
+ condition: selection1 and selection2 and selection3 and selection4
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0016.yml b/tools/sigmac/test_files/test_rules/test0016.yml
new file mode 100644
index 00000000..a16e3389
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0016.yml
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition and
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ selection3:
+ ccc: ddd
+ selection4:
+ eee: fff
+ timeflame: 2d
+ condition: selection1 and selection2 and selection3 and selection4
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0017.yml b/tools/sigmac/test_files/test_rules/test0017.yml
new file mode 100644
index 00000000..5ce12de6
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0017.yml
@@ -0,0 +1,24 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition or
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ selection3:
+ ccc: ddd
+ selection4:
+ eee: fff
+ timeflame: 2d
+ condition: selection1 or selection2 or selection3 or selection4
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0018.yml b/tools/sigmac/test_files/test_rules/test0018.yml
new file mode 100644
index 00000000..63747c22
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0018.yml
@@ -0,0 +1,25 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ ()
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ selection3:
+ ccc: ddd
+ selection4:
+ eee: fff
+ selection5:
+ ggg: hhh
+ condition: selection1 and ( selection2 or (selection3 and selection4) ) or selection5
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0019.yml b/tools/sigmac/test_files/test_rules/test0019.yml
new file mode 100644
index 00000000..95c3abbe
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0019.yml
@@ -0,0 +1,17 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition not
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ condition: not selection1
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0020.yml b/tools/sigmac/test_files/test_rules/test0020.yml
new file mode 100644
index 00000000..24eb01dc
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0020.yml
@@ -0,0 +1,25 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition not ()
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ selection3:
+ ccc: ddd
+ selection4:
+ eee: fff
+ selection5:
+ ggg: hhh
+ condition: not selection1 and not( selection2 and not (selection3 or selection4)) and selection5
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0021.yml b/tools/sigmac/test_files/test_rules/test0021.yml
new file mode 100644
index 00000000..0a0568dd
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0021.yml
@@ -0,0 +1,19 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition count
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ condition: selection1 and not selection2 | count() < 3
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tools/sigmac/test_files/test_rules/test0022.yml b/tools/sigmac/test_files/test_rules/test0022.yml
new file mode 100644
index 00000000..ec0587a1
--- /dev/null
+++ b/tools/sigmac/test_files/test_rules/test0022.yml
@@ -0,0 +1,19 @@
+title: test
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+description: |
+ condition count
+status: experimental
+date: 2021/12/4
+author: test
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 3
+ selection2:
+ aaa: bbb
+ condition: selection1 and not selection2 | count(TEAMNAME) by HOGE < 3
+falsepositives:
+ - Unknown
+level: medium